AWS Security ChangesHomeSearch

AWS rolesanywhere documentation change

Service: rolesanywhere · 2025-11-22 · Documentation medium

File: rolesanywhere/latest/userguide/authentication-sign-process.md

Summary

Added ML-DSA algorithms (ML-DSA-44, ML-DSA-65, ML-DSA-87) to supported signing methods and updated algorithm references

Security assessment

The changes document support for new ML-DSA cryptographic algorithms, which are likely related to post-quantum cryptography. This expands security features but does not address an existing vulnerability. The updates enhance security documentation by including newer algorithms.

Diff

diff --git a/rolesanywhere/latest/userguide/authentication-sign-process.md b/rolesanywhere/latest/userguide/authentication-sign-process.md
index 8a85bf844..ca074a0c0 100644
--- a//rolesanywhere/latest/userguide/authentication-sign-process.md
+++ b//rolesanywhere/latest/userguide/authentication-sign-process.md
@@ -9 +9 @@ Task 1: Create a canonical requestTask 2: Create a string to signTask 3: Calcula
-The signing process is identical to SigV4, with the exception of the keys used, the signature algorithm, and the addition of headers related to the X.509 certificate and trust chain. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html), which should be treated as authoritative unless specifically addressed in this user guide.
+The signing process is identical to SigV4, with the exception of the keys used, the signature algorithm, and the addition of headers related to the X.509 certificate and trust chain. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_sigv.html), which should be treated as authoritative unless specifically addressed in this user guide.
@@ -148 +148 @@ The “string to sign” is the actual input to the signing algorithm, and inclu
-  1. The `Algorithm` is a string that indicates how the signature is calculated. It is of the form `AWS4-X509-[AlgorithmId]-[HASH]`, where `AlgorithmId` is either `RSA` or `ECDSA`, and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. 
+  1. The `Algorithm` is a string that indicates how the signature is calculated. It must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. 
@@ -165 +165,9 @@ The “string to sign” is the actual input to the signing algorithm, and inclu
-Here, the SigningAlgorithm refers to a supported signing operation, either SHA256WithRSA or SHA256WithECDSA.
+SigningAlgorithm must be one of the following algorithms
+
+  * SHA256WithRSA
+  * SHA256WithECDSA
+  * ML-DSA-44
+  * ML-DSA-65
+  * ML-DSA-87
+
+
@@ -171 +179 @@ The signature derived from the previous step is added to the HTTP request in the
-  * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256`, depending on whether an RSA or Elliptic Curve algorithm is used. This, in turn, is determined by the key bound to the signing certificate.
+  * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` depending on whether an RSA, Elliptic Curve algorithm or ML-DSA is used. This, in turn, is determined by the key bound to the signing certificate.
@@ -184 +192 @@ The signature derived from the previous step is added to the HTTP request in the
-  1. The `Algorithm` is of the form `AWS4-X509-{RSA|ECDSA}-SHA256`. Examples – `AWS4-X509-RSA-SHA256`.
+  1. The `Algorithm` must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA`.