KMS: Support 3072 and 4098 key sizes for RSA (#6708)
tsugumi-sys authored Aug 21, 2023
1 parent 8535e93 commit 78c518d
Showing 3 changed files with 28 additions and 2 deletions.
14 changes: 14 additions & 0 deletions moto/kms/utils.py
Expand Up @@ -165,7 +165,17 @@ def validate_signing_algorithm(


class RSAPrivateKey(AbstractPrivateKey):
# See https://docs.aws.amazon.com/kms/latest/cryptographic-details/crypto-primitives.html
__supported_key_sizes = [2048, 3072, 4096]

def __init__(self, key_size: int):
if key_size not in self.__supported_key_sizes:
raise ValidationException(
(
"1 validation error detected: Value at 'key_size' failed "
"to satisfy constraint: Member must satisfy enum value set: {supported_key_sizes}"
).format(supported_key_sizes=self.__supported_key_sizes)
)
self.key_size = key_size
self.private_key = rsa.generate_private_key(
public_exponent=65537, key_size=self.key_size
Expand Down Expand Up @@ -222,6 +232,10 @@ def generate_private_key(key_spec: str) -> AbstractPrivateKey:
"""Generate a private key to be used on asymmetric sign/verify."""
if key_spec == KeySpec.RSA_2048:
return RSAPrivateKey(key_size=2048)
elif key_spec == KeySpec.RSA_3072:
return RSAPrivateKey(key_size=3072)
elif key_spec == KeySpec.RSA_4096:
return RSAPrivateKey(key_size=4096)
else:
return RSAPrivateKey(key_size=2048)

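Review bot: The accepted RSA sizes are now declared twice — `__supported_key_sizes = [2048, 3072, 4096]` on `RSAPrivateKey` in the first hunk and the `elif` chain in `generate_private_key` in the second — so the next size needs edits in both places and nothing but the branch ties `KeySpec.RSA_3072` to 3072. One mapping such as `_RSA_KEY_SIZES = {KeySpec.RSA_2048: 2048, KeySpec.RSA_3072: 3072, KeySpec.RSA_4096: 4096}` with `return RSAPrivateKey(key_size=_RSA_KEY_SIZES.get(key_spec, 2048))` replacing the chain keeps one source of truth (this assumes `KeySpec` is a str-backed enum, which the existing `==` comparison against a `str` argument already relies on). The pre-existing `else` quietly hands back a 2048-bit RSA key for any other spec, so an unsupported `KeySpec` never surfaces as an error; that deserves at least a comment like `# Fallback for specs without a dedicated generator; callers get RSA-2048 silently` so the behaviour is visibly intentional. The `RSAPrivateKey` class body continues past the end of the first hunk.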
5 changes: 3 additions & 2 deletions tests/test_kms/test_kms_boto3.py
Expand Up @@ -1163,11 +1163,12 @@ def test_sign_and_verify_ignoring_grant_tokens():


@mock_kms
def test_sign_and_verify_digest_message_type_RSASSA_PSS_SHA_256():
@pytest.mark.parametrize("key_spec", ["RSA_2048", "RSA_3072", "RSA_4096"])
def test_sign_and_verify_digest_message_type_RSASSA_PSS_SHA_256(key_spec):
client = boto3.client("kms", region_name="us-west-2")

key = client.create_key(
Description="sign-key", KeyUsage="SIGN_VERIFY", KeySpec="RSA_2048"
Description="sign-key", KeyUsage="SIGN_VERIFY", KeySpec=key_spec
)
key_id = key["KeyMetadata"]["KeyId"]

11 changes: 11 additions & 0 deletions tests/test_kms/test_utils.py
Expand Up @@ -4,6 +4,7 @@
AccessDeniedException,
InvalidCiphertextException,
NotFoundException,
ValidationException,
)
from moto.kms.models import Key
from moto.kms.utils import (
Expand All @@ -18,6 +19,7 @@
Ciphertext,
KeySpec,
SigningAlgorithm,
RSAPrivateKey,
)

ENCRYPTION_CONTEXT_VECTORS = [
Expand Down Expand Up @@ -95,6 +97,15 @@ def test_SigningAlgorithm_Enum():
)


def test_RSAPrivateKey_invalid_key_size():
with pytest.raises(ValidationException) as ex:
_ = RSAPrivateKey(key_size=100)
assert (
ex.value.message
== "1 validation error detected: Value at 'key_size' failed to satisfy constraint: Member must satisfy enum value set: [2048, 3072, 4096]"
)


def test_generate_data_key():
test = generate_data_key(123)

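Review bot: `test_RSAPrivateKey_invalid_key_size` pins only the rejection path; nothing in the new tests confirms that an accepted size is actually honoured, so a positive case such as `assert RSAPrivateKey(key_size=3072).private_key.key_size == 3072` (using the `key_size` attribute of the underlying cryptography key object — confirm that is what `private_key` holds) would close that gap. The exact-string assert on `ex.value.message` is a useful pin but couples the test to the list `repr` baked into the error format, so any rewording of the message will require updating it. In the import hunk, `RSAPrivateKey` is appended after `SigningAlgorithm`, breaking the alphabetical order the neighbouring names follow; moving it between `KeySpec` and `SigningAlgorithm` keeps the list tidy.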
