AWS AWSCloudFormation documentation change
Summary
Added clarification about message type requirements for ED25519 signing algorithms
Security assessment
While the change provides important cryptographic implementation details, it documents proper usage rather than addressing a specific security vulnerability. Ensures correct usage of security features but doesn't indicate a security fix.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md index 8b85a3dc6..08d5a172a 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md @@ -232,0 +233,4 @@ AWS KMS supports the following key specs for KMS keys: + * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification only + + * **Note:** For ECC_NIST_EDWARDS25519 KMS keys, the ED25519_SHA_512 signing algorithm requires [`MessageType:RAW`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType), while ED25519_PH_SHA_512 requires [`MessageType:DIGEST`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType). These message types cannot be used interchangeably. +