add overlooked base64 encode to sign request calls

Author: geemus

lib/fog/aws/requests/kms/sign.rb

@@ -7,11 +7,15 @@ class Real
         # Sign
         #
         # ==== Parameters
+        # * identifier<~String>: id, arn, alias name, or alias arn for key to sign with
+        # * message<~String>: base64 encoded message to sign
         #
         # === Returns
+        # * response<~Excon::Response>:
         #
         # ==== See Also
         # https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html
+        #
         def sign(identifier, message, algorithm, options = {})
           request({
             'Action' => 'Sign',
@@ -32,15 +36,17 @@ def sign(identifier, message, algorithm, options = {})
             raise(Excon::Errors.status_error({ expects: 200 }, response))
           end
 
+          data = Base64.decode64(message)
+
           # FIXME: SM2 support?
           sha = "SHA#{algorithm.split('_SHA_').last}"
           signopts = {}
           signopts[:rsa_padding_mode] = 'pss' if algorithm.start_with?('RSASSA_PSS')
 
           signature = if options['MessageType'] == 'DIGEST'
-                        pkey.sign_raw(sha, message, signopts)
+                        pkey.sign_raw(sha, data, signopts)
                       else
-                        pkey.sign(sha, message, signopts)
+                        pkey.sign(sha, data, signopts)
                       end
 
           response.body = {

tests/requests/kms/key_tests.rb

@@ -45,7 +45,12 @@
   end
 
   tests('#sign') do
-    sign_response = Fog::AWS[:kms].sign(key_id, data, 'RSASSA_PKCS1_V1_5_SHA_256', 'MessageType' => 'RAW').body
+    sign_response = Fog::AWS[:kms].sign(
+      key_id,
+      Base64.encode64(data),
+      'RSASSA_PKCS1_V1_5_SHA_256',
+      'MessageType' => 'RAW'
+    ).body
 
     tests('format').data_matches_schema(AWS::KMS::Formats::SIGN) { sign_response }
 
@@ -85,14 +90,24 @@
 
         tests("#sign #{key_spec} #{signing_algorithm} DIGEST").returns(true) do
           hash = OpenSSL::Digest.digest(sha, data)
-          sign_response = Fog::AWS[:kms].sign(key_id, hash, signing_algorithm, 'MessageType' => 'DIGEST').body
+          sign_response = Fog::AWS[:kms].sign(
+            key_id,
+            Base64.encode64(hash),
+            signing_algorithm,
+            'MessageType' => 'DIGEST'
+          ).body
           signature = Base64.decode64(sign_response['Signature'])
 
           pkey.verify_raw(sha, signature, hash, sign_opts)
         end
 
         tests("#sign #{key_spec} #{signing_algorithm} RAW").returns(true) do
-          sign_response = Fog::AWS[:kms].sign(key_id, data, signing_algorithm, 'MessageType' => 'RAW').body
+          sign_response = Fog::AWS[:kms].sign(
+            key_id,
+            Base64.encode64(data),
+            signing_algorithm,
+            'MessageType' => 'RAW'
+          ).body
           signature = Base64.decode64(sign_response['Signature'])
 
           pkey.verify(sha, signature, data, sign_opts)