Skip to content

KMS: Add support for RSA_AES_KEY_WRAP_SHA_256 in import key material #12888

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 28, 2025
Merged

KMS: Add support for RSA_AES_KEY_WRAP_SHA_256 in import key material #12888

merged 3 commits into from
Jul 28, 2025

Conversation

sannya-singal
Copy link
Contributor

@sannya-singal sannya-singal commented Jul 22, 2025
edited
Loading

Motivation

This PR adds support for the wrapping algorithm RSA_AES_KEY_WRAP_SHA_256 in the ImportKeyMaterial, which raises:

KMSInvalidStateException: An error occurred (KMSInvalidStateException) when calling the ImportKeyMaterial operation: Unsupported padding, requested wrapping algorithm:'RSA_AES_KEY_WRAP_SHA_256'

This algorithm is defined by AWS as a hybrid encryption scheme, that combines encrypting the key material with an AES symmetric key that is generated, and encrypting the AES symmetric key with the public wrapping key and the RSAES_OAEP_SHA_256 wrapping algorithm.

Changes

  • Added support for RSA_AES_KEY_WRAP_SHA_256 in the import_key_material method.
  • Refactored decryption of wrapped key material into a new, centralized helper: _decrypt_wrapped_key_material(...) now handles both RSA-only and hybrid RSA+AES key wrapping formats.
  • Added AWS validated snapshot test: test_import_key_rsa_aes_wrap_sha256 to validate the implementation.

References:

Closes: #10921

@sannya-singal sannya-singal added this to the 4.7 milestone Jul 22, 2025
@sannya-singal sannya-singal self-assigned this Jul 22, 2025
@sannya-singal sannya-singal added the semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases label Jul 22, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 22, 2025
edited
Loading

LocalStack Community integration with Pro

  2 files  ±    0    2 suites  ±0   4m 32s ⏱️ - 1h 41m 37s
708 tests  - 4 221  701 ✅  - 3 451  7 💤  - 770  0 ❌ ±0 
710 runs   - 4 221  701 ✅  - 3 451  9 💤  - 770  0 ❌ ±0 

Results for commit bb01c4a. ± Comparison against base commit 71c610e.

This pull request removes 4223 and adds 2 tests. Note that renamed tests count towards both. 
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_lambda_dynamodb
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_opensearch_crud
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_search_books
tests.aws.scenario.bookstore.test_bookstore.TestBookstoreApplication ‑ test_setup
tests.aws.scenario.kinesis_firehose.test_kinesis_firehose.TestKinesisFirehoseScenario ‑ test_kinesis_firehose_s3
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_destination_sns
tests.aws.scenario.lambda_destination.test_lambda_destination_scenario.TestLambdaDestinationScenario ‑ test_infra
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_prefill_dynamodb_table
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input0-SUCCEEDED]
tests.aws.scenario.loan_broker.test_loan_broker.TestLoanBrokerScenario ‑ test_stepfunctions_input_recipient_list[step_function_input1-SUCCEEDED]
…

tests.aws.services.kms.test_kms.TestKMS ‑ test_import_key_rsa_aes_wrap_sha256
tests.aws.services.s3.test_s3.TestS3 ‑ test_s3_object_expires

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 22, 2025
edited
Loading

Test Results - Preflight, Unit

21 991 tests  +8   20 257 ✅ +8   6m 39s ⏱️ +21s
     1 suites ±0    1 734 💤 ±0 
     1 files   ±0        0 ❌ ±0 

Results for commit bb01c4a. ± Comparison against base commit 71c610e.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 22, 2025
edited
Loading

Test Results (amd64) - Acceptance

7 tests  ±0   5 ✅ ±0   3m 8s ⏱️ ±0s
1 suites ±0   2 💤 ±0 
1 files   ±0   0 ❌ ±0 

Results for commit bb01c4a. ± Comparison against base commit 71c610e.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 22, 2025
edited
Loading

Test Results (amd64) - Integration, Bootstrap

  5 files    5 suites   17m 45s ⏱️
732 tests 725 ✅  7 💤 0 ❌
738 runs  725 ✅ 13 💤 0 ❌

Results for commit bb01c4a.

♻️ This comment has been updated with latest results.

@sannya-singal sannya-singal marked this pull request as ready for review July 22, 2025 09:10
@sannya-singal sannya-singal requested review from k-a-il and silv-io July 22, 2025 09:10
@sannya-singal sannya-singal added the aws:kms AWS Key Management Service label Jul 22, 2025
k-a-il
k-a-il reviewed Jul 25, 2025
View reviewed changes
Copy link
Contributor

@k-a-il k-a-il left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, I have two smaller comments to address but otherwise changes look good 👍

@sannya-singal sannya-singal requested a review from k-a-il July 28, 2025 10:39
@sannya-singal sannya-singal merged commit 0be7798 into main Jul 28, 2025
39 checks passed
@sannya-singal sannya-singal deleted the kms-import-issue branch July 28, 2025 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@k-a-il k-a-il k-a-il approved these changes

@silv-io silv-io Awaiting requested review from silv-io

Assignees

@sannya-singal sannya-singal

Labels
aws:kms AWS Key Management Service semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases
Projects
None yet
Milestone
4.7
Development

Successfully merging this pull request may close these issues.

bug: importKeyMaterial fails with "Unsupported padding, requested wrapping algorithm:'RSA_AES_KEY_WRAP_SHA_256'"
2 participants
@sannya-singal @k-a-il