I have a Go lambda that is able to call the sign and verify API using the SDK successfully. However when I am unable to verify the signature returned from the lambda locally using openssl or the kms verify CLI. This is the local verification process:
Base64 decoding of signature stored in signature.txt to signature.bin ...
Call "openssl enc -base64 -d -in signature.txt -out signature.bin -A"
Extracting public key from certificate to pubkey.pem ...
Call "openssl x509 -inform PEM -in public.cer -noout -pubkey > pubkey.pem"
Verifying content of data.txt with signature stored in signature.bin ...
Call "openssl dgst -SHA256 -verify pubkey.pem -signature signature.bin data.txt"
I have been able to verify that my public key is correct. I am also able to verify locally when I perform the signing through the AWS KMS CLI. Note: when done through the CLI it returns the signature in base64. The SDK returns a byte slice, so I am doing the following to return the base64 encoded string:
encodedSignature := base64.StdEncoding.EncodeToString(signResp.Signature)
This is where I suspect the problem is. Is this the correct way to convert the signature returned from the SDK (see: https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/kms#SignOutput)? Once again it works properly if I call aws kms sign via CLI and use the base64 encoded signature that is returned. It does not work when I use the base64 encoded string from the lambda. I'm fairly new to go, so any direction is greatly appreciated.
I have found the resolution. The issue ended up being the newline character inserted by echo into my data.txt file AND my signature file. The "-n" is required so that it does not insert the trailing newline character.
echo -n BASE64SIGNATURE | base64 -D > signature.bin