AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2025-06-28 · Documentation medium

File: cloudhsm/latest/userguide/cloudhsm_cli-crypto-sign-rsa-pkcs.md

Summary

Added --data-type parameter and RFC 8017 compliance note for input data format

Security assessment

Explicitly references cryptographic standard compliance (RFC 8017) and data handling requirements, improving security documentation quality without evidence of patching a vulnerability.

Diff

diff --git a/cloudhsm/latest/userguide/cloudhsm_cli-crypto-sign-rsa-pkcs.md b/cloudhsm/latest/userguide/cloudhsm_cli-crypto-sign-rsa-pkcs.md
index b59b94b5e..a2950e66b 100644
--- a//cloudhsm/latest/userguide/cloudhsm_cli-crypto-sign-rsa-pkcs.md
+++ b//cloudhsm/latest/userguide/cloudhsm_cli-crypto-sign-rsa-pkcs.md
@@ -53,0 +54,2 @@ The following types of users can run this command.
+          --data-type <DATA_TYPE>
+              The type of data passed in, either raw or digest [possible values: raw, digest]
@@ -143,0 +146,16 @@ Specifies the file path to a signed quorum token file to approve operation. Only
+**`<DATA_TYPE>`**
+    
+
+Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. 
+
+For RSA-PKCS, the data must be passed in DER encoded format as specified in [RFC 8017, Section 9.2](https://www.rfc-editor.org/rfc/rfc8017#section-9.2)
+
+Valid values:
+
+  * raw
+
+  * digest
+
+
+
+