How can I verify signatures generated by AWS KMS asymmetric keys?

3 minute read

I want to use Key Management Service (AWS KMS) to sign a file. Then, I want to share the file, its signature, and the public key for verification that the signature is valid. I don't want to provide API access for users to access my AWS KMS key.


The following example uses AWS KMS with an ECC_NIST_P256 (secp256r1) asymmetric key pair. When AWS KMS generates a signature file using this key pair, it's created according to NIST FIPS 168-4. An ECDSA digital signature containing (r, s) values is generated as specified in ANS X9.62. Because of the open standard, you can verify this signature using OpenSSL.

To get the signature format for RSA key pairs, follow the instructions to create and manage your AWS KMS keys.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Sign a local file using AWS KMS

After creating the AWS KMS key pair in your account, refer to the key pair using the AWS CLI to sign a file. The response received from the AWS KMS API is encoded in Base64. The following example uses the --query parameter to get the signature value from the response and places it in the sign.b64 file.

[ec2-user@ip-172-31-23-22 ~]$ aws kms sign --key-id arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab --message fileb://message.txt --signing-algorithm ECDSA_SHA_256 --query 'Signature' --output text > sign.b64

Note: You can submit messages up to 4096 bytes. To sign a larger message, generate a hash digest of the message. Then, provide the hash digest in the message parameter. To indicate whether the message is a full message or a digest, use the MessageType parameter. Be sure to take note of the signing algorithm, as this is needed for verifying the signature later.

Because the signature is in Base64 format, you can convert it to binary format using the Linux base64 encoding command similar to the following:

[ec2-user@ip-172-31-23-22 ~]$ base64 -d sign.b64 > sign.bin

To decode Base64 files for Windows OS, run the following command:

certutil -decode C:\Temp\sign.b64 C:\Temp\sign.bin

Verify the AWS KMS signature using OpenSSL

You can now share the sign.b64 signature file. To verify the signature file, you must have the public key. To get the public key, run the AWS CLI command get-public-key similar to the following:

[ec2-user@ip-172-31-23-22 ~]$ aws kms get-public-key --key-id arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab --output text --query 'PublicKey' > KMSPublic.b64

To convert the base64 file to DER encoding with another file named KMSPublic.key, run the following command:

[ec2-user@ip-172-31-23-22 ~]$ base64 -d KMSPublic.b64 > KMSPublic.key

You now have the public key and signature in binary format with the message.txt file. To verify the signature, run the OpenSSL command dgst similar to the following:

[ec2-user@ip-172-31-23-22 ~]$ openssl dgst -sha256 -verify KMSPublic.key -keyform DER -signature sign.bin message.txt
Verified OK

This example output of "Verified OK" indicates that the verification was successful.

If you didn't receive a verification response, make sure that:

  • The OpenSSL signature algorithm is the same one that was used to sign the file.
  • Your files aren't Base64 encoded.

Related information

Cryptographic primitives

AWS KMS concepts

AWS OFFICIALUpdated 2 years ago