Description
Problem
The current AWSSigner implementation fails when trying to sign messages larger than 4KB due to AWS KMS API constraints. The AWS KMS Sign API has a hard limit of 4096 bytes when using MessageType="RAW".
Current Implementation Issue
The current implementation in _aws_signer.py always uses MessageType="RAW":
```python
sign_request = self.client.sign(
    KeyId=self.aws_key_id,
    Message=payload,
    MessageType="RAW",  # <-- This causes the 4KB limit
    SigningAlgorithm=self.aws_algo,
)
```
AWS Documentation
From the AWS KMS Sign API documentation:
Message: Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a larger message, provide a message digest.
MessageType: Tells AWS KMS whether the value of the Message parameter should be hashed as part of the signing algorithm. Use RAW for unhashed messages; use DIGEST for message digests, which are already hashed.
Solution
The signer should:
- Compute the hash digest locally using the appropriate hash algorithm (derived from the key's scheme)
- Send only the digest to AWS KMS with MessageType="DIGEST"
- This approach removes the 4KB message size limit and allows signing of arbitrarily large payloads
Reference Implementation
Both GCPSigner and AzureSigner already implement this pattern correctly:
GCPSigner:
```python
hasher = hashlib.new(self.hash_algorithm)
hasher.update(payload)
digest = {self.hash_algorithm: hasher.digest()}
```
AzureSigner:
```python
hasher = hashlib.new(self.hash_algorithm)
hasher.update(payload)
digest = hasher.digest()
```
Proposed Changes
- Modify AWSSigner.sign() to compute hash locally using SSlibKey.get_hash_algorithm_name()
- Change MessageType from "RAW" to "DIGEST"
- Send only the computed digest to AWS KMS
This change would:
- Remove the 4KB payload size limitation
- Align AWS signer behavior with GCP and Azure signers
- Maintain compatibility with existing functionality
- Follow AWS KMS best practices for larger payloads
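A sketch of the digest-mode request described above, as an added example that is not the project's code or the issue author's. Assumptions: the hash is derived from the AWS signing algorithm name (RSA and ECDSA families only) rather than from the key's scheme, `StubKMS` is a constructed stand-in for the boto3 client that models only the 4096-byte limit, and `alias/example-key` is a placeholder key id.

```python
import hashlib

KMS_MESSAGE_LIMIT = 4096  # bytes; Message limit quoted from the AWS docs above

# Only families whose algorithm name carries the hash; anything else is refused
# so a message is never pre-hashed for an algorithm this table does not cover.
_PREFIXES = ("RSASSA_PSS_", "RSASSA_PKCS1_V1_5_", "ECDSA_")
_HASHES = {"SHA_256": "sha256", "SHA_384": "sha384", "SHA_512": "sha512"}


def hash_name_for(signing_algorithm: str) -> str:
    """Map e.g. 'ECDSA_SHA_256' to the hashlib name 'sha256'."""
    for prefix in _PREFIXES:
        suffix = signing_algorithm[len(prefix):]
        if signing_algorithm.startswith(prefix) and suffix in _HASHES:
            return _HASHES[suffix]
    raise ValueError(f"no digest mapping for {signing_algorithm!r}")


def build_sign_request(key_id: str, payload: bytes, signing_algorithm: str) -> dict:
    """Hash locally and return kwargs for the KMS Sign call in DIGEST mode."""
    digest = hashlib.new(hash_name_for(signing_algorithm), payload).digest()
    return {
        "KeyId": key_id,
        "Message": digest,        # 32/48/64 bytes, whatever the payload size
        "MessageType": "DIGEST",  # tells KMS the value is already hashed
        "SigningAlgorithm": signing_algorithm,
    }


class StubKMS:
    """Constructed stand-in for the KMS client (assumption, offline only)."""

    def sign(self, *, KeyId, Message, MessageType, SigningAlgorithm):
        if len(Message) > KMS_MESSAGE_LIMIT:
            raise ValueError("Message exceeds 4096 bytes")
        return {"KeyId": KeyId, "SigningAlgorithm": SigningAlgorithm,
                "Signature": b"<stub>"}


if __name__ == "__main__":
    payload = b"A" * 10_000  # constructed payload, larger than the limit
    request = build_sign_request("alias/example-key", payload, "ECDSA_SHA_256")
    response = StubKMS().sign(**request)
    print(len(request["Message"]), response["SigningAlgorithm"])
```

Because KMS never sees the payload in DIGEST mode, a hash that does not match the signing algorithm produces signatures that verifiers will reject, which is why unknown algorithm names raise instead of falling back to a default.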