AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2025-06-28 · Documentation medium

File: cloudhsm/latest/userguide/cloudhsm_cli-crypto-verify-rsa-pkcs.md

Summary

Added data-type parameter and RFC 8017 reference for verification data format

Security assessment

Aligns verification process with cryptographic standards and clarifies data format requirements, enhancing security documentation without evidence of vulnerability remediation.

Diff

diff --git a/cloudhsm/latest/userguide/cloudhsm_cli-crypto-verify-rsa-pkcs.md b/cloudhsm/latest/userguide/cloudhsm_cli-crypto-verify-rsa-pkcs.md
index 65e37d760..48017dc0b 100644
--- a//cloudhsm/latest/userguide/cloudhsm_cli-crypto-verify-rsa-pkcs.md
+++ b//cloudhsm/latest/userguide/cloudhsm_cli-crypto-verify-rsa-pkcs.md
@@ -64,0 +65,2 @@ The following types of users can run this command.
+          --data-type <DATA_TYPE>
+              The type of data passed in, either raw or digest [possible values: raw, digest]
@@ -172,0 +175,16 @@ Required: Yes (unless provided through signature path)
+**`<DATA_TYPE>`**
+    
+
+Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. 
+
+For RSA-PKCS, the data must be passed in DER encoded format as specified in [RFC 8017, Section 9.2](https://www.rfc-editor.org/rfc/rfc8017#section-9.2)
+
+Valid values:
+
+  * raw
+
+  * digest
+
+
+
+