I'm currently exploring generating private keys on KMS. I already got the public key; however, every time I use KMS.SignRequest with the same message, it generates a different signature. Was that the expected output? I thought it should be the same?

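import { KMS } from 'aws-sdk'; // AWS SDK for JavaScript v2 (uses .promise())

// Client built from the default credential and region configuration.
const kms = new KMS();

// Ask KMS to sign an already-computed SHA-256 digest with the given key.
async function sign(msgHash: Buffer, keyId: string) {
    const params: KMS.SignRequest = {
        KeyId: keyId,
        Message: msgHash,
        // 'ECDSA_SHA_256' is the one compatible with ECC_SECG_P256K1.
        SigningAlgorithm: 'ECDSA_SHA_256',
        // Message is a digest, so KMS must not hash it again.
        MessageType: 'DIGEST'
    };
    // console.debug("params: ",params)
    const res = await kms.sign(params).promise();
    return res;
}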
  • Why do you think it should be the same? ECDSA (like original DSA) is randomized; see step 3 in https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Signature_generation_algorithm . – dave_thompson_085 Jul 13 '22 at 06:05
  • Hi, @dave_thompson_085, thank you for your comment. Another question: meaning, even though the r, s and v are changing every time, I should be able to verify my public key from that, right? – Lonewarp Jul 13 '22 at 06:21
  • You can verify all valid signatures _with_ the public key plus the input data. You can't directly verify a public key itself; typically the 'provenance' of a public key is assured by putting it in a certificate which is validated, but that's out of the scope of the question you asked. – dave_thompson_085 Jul 13 '22 at 23:36

0 Answers
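The behaviour discussed in the comments, as an added example that is not part of the original post: a locally generated secp256k1 key stands in for the KMS key (no AWS calls are made), the same message is signed three times, and every signature is checked against the one public key. The function names and sample messages are assumptions made for this sketch.

```javascript
const crypto = require('node:crypto');

// Constructed key pair. With KMS the private half never leaves the service
// and the public half is what GetPublicKey returns.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'secp256k1',
});

// Sign the same message `count` times with ECDSA over SHA-256.
// Each result is a DER-encoded signature, the encoding KMS also returns.
function signRepeatedly(message, count) {
  const sigs = [];
  for (let i = 0; i < count; i++) {
    sigs.push(crypto.sign('sha256', message, privateKey));
  }
  return sigs;
}

// Pull r out of the DER structure SEQUENCE { INTEGER r, INTEGER s }.
// Assumes single-byte lengths, which holds for 256-bit curves.
function rOf(der) {
  if (der[0] !== 0x30 || der[2] !== 0x02) throw new Error('unexpected DER layout');
  return der.subarray(4, 4 + der[3]).toString('hex');
}

// Verification needs only the public key, the message and the signature.
function verify(message, signature) {
  return crypto.verify('sha256', message, publicKey, signature);
}

function demo() {
  const message = Buffer.from('constructed sample message');
  const sigs = signRepeatedly(message, 3);
  return {
    // A fresh random nonce per signature gives a different r each time.
    distinctR: new Set(sigs.map(rOf)).size,
    allVerify: sigs.every((sig) => verify(message, sig)),
    wrongMessageVerifies: verify(Buffer.from('different message'), sigs[0]),
  };
}

console.log(demo());
```

To check a real KMS result the same way, load the DER public key from GetPublicKey with `crypto.createPublicKey({ key, format: 'der', type: 'spki' })` and verify against the original message rather than its digest.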