AWS cli documentation change
Summary
Added warning about double hashing in ED25519_PH_SHA_512 signing with DIGEST messages
Security assessment
Documents cryptographic behavior of a security feature (signing) to prevent implementation errors, but doesn't address a specific vulnerability. The warning helps avoid potential cryptographic misuse.
Diff
diff --git a/cli/latest/reference/kms/verify.md b/cli/latest/reference/kms/verify.md index 57bc81dc3..e7068be91 100644 --- a//cli/latest/reference/kms/verify.md +++ b//cli/latest/reference/kms/verify.md @@ -15 +15 @@ - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) » @@ -172,0 +173,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20 +> +> ### Warning +> +> When you specify the ED25519_PH_SHA_512 signing algorithm with `MessageType:DIGEST` , KMS still performs the SHA-512 prehash described in [Step 1 of Section 7.8.1 in FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39) . This means the input is hashed twice: once by you and once by KMS. @@ -466 +470 @@ SigningAlgorithm -> (string) - * [AWS CLI 2.34.37 Command Reference](../../index.html) » + * [AWS CLI 2.34.38 Command Reference](../../index.html) »