Skip to content

Commit 54ecdb2

Browse files
committed
test(kms): pre-existing derive e2e must use a real SPKI peer key
kms_derive_shared_secret passed a fake 65-byte EC point as PublicKey; real ECDH requires a valid SubjectPublicKeyInfo, so it now derives against a second KEY_AGREEMENT key's public key (same fix as the unit tests).
1 parent 7cb2c7e commit 54ecdb2

1 file changed

Lines changed: 21 additions & 2 deletions

File tree

  • crates/fakecloud-e2e/tests

crates/fakecloud-e2e/tests/kms.rs

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -390,12 +390,31 @@ async fn kms_derive_shared_secret() {
390390
.unwrap();
391391
let key_id = resp.key_metadata().unwrap().key_id().to_string();
392392

393-
let fake_pub = Blob::new(vec![0x04; 65]); // Fake uncompressed EC point
393+
// Real ECDH requires a valid SubjectPublicKeyInfo for the counterparty;
394+
// use a second KEY_AGREEMENT key's public key.
395+
let peer = client
396+
.create_key()
397+
.key_usage(aws_sdk_kms::types::KeyUsageType::KeyAgreement)
398+
.key_spec(aws_sdk_kms::types::KeySpec::EccNistP256)
399+
.send()
400+
.await
401+
.unwrap();
402+
let peer_id = peer.key_metadata().unwrap().key_id().to_string();
403+
let peer_pub = client
404+
.get_public_key()
405+
.key_id(&peer_id)
406+
.send()
407+
.await
408+
.unwrap()
409+
.public_key()
410+
.unwrap()
411+
.clone();
412+
394413
let result = client
395414
.derive_shared_secret()
396415
.key_id(&key_id)
397416
.key_agreement_algorithm(aws_sdk_kms::types::KeyAgreementAlgorithmSpec::Ecdh)
398-
.public_key(fake_pub)
417+
.public_key(peer_pub)
399418
.send()
400419
.await
401420
.unwrap();

0 commit comments

Comments
 (0)