AWS cli documentation change
Summary
Added warning about double hashing in ED25519_PH_SHA_512 algorithm usage
Security assessment
Added cryptographic implementation detail warning about double hashing. This documents a security-relevant behavior to prevent misuse, but doesn't indicate a vulnerability fix. The warning helps users avoid unintended cryptographic consequences.
Diff
diff --git a/cli/latest/reference/kms/sign.md b/cli/latest/reference/kms/sign.md index d1d91b0f0..209e27395 100644 --- a//cli/latest/reference/kms/sign.md +++ b//cli/latest/reference/kms/sign.md @@ -15 +15 @@ - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) » @@ -181,0 +182,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> +> ### Warning +> +> When you specify the ED25519_PH_SHA_512 signing algorithm with `MessageType:DIGEST` , KMS still performs the SHA-512 prehash described in [Step 1 of Section 7.8.1 in FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39) . This means the input is hashed twice: once by you and once by KMS. @@ -503 +507 @@ SigningAlgorithm -> (string) - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) »