This article shows how to use ML-DSA for digital signatures in AWS KMS. It first creates an ML-DSA key in KMS, then uses the AWS CLI to fetch the public key and to sign and verify a message. It also gives Python code that performs the same operations (key creation, signing and verification) with the boto3 library.
Whether we like it or not, we must migrate our existing RSA-PSS, ECDSA and EdDSA digital signature methods to post-quantum-robust ones such as ML-DSA, so it is good to see that AWS now supports ML-DSA in KMS. At present, ML-DSA keys are only available in some AWS regions. In Python, we can create our key in us-west-1 with the following code:
```python
import boto3


def create_mldsa_key():
    # Create an ML-DSA-65 signing key; the key material is generated inside KMS
    kms_client = boto3.client('kms', region_name='us-west-1')
    response = kms_client.create_key(
        KeySpec='ML_DSA_65',
        KeyUsage='SIGN_VERIFY',
        Origin='AWS_KMS',
    )
    return response['KeyMetadata']['KeyId']


key_id = create_mldsa_key()
print(f'ML-DSA Key ID: {key_id}')
```
If we look in the KMS console, we can see that the key has been created:
We can determine the key's signing algorithm with describe-key:
% aws kms describe-key --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57
{
"KeyMetadata": {
"AWSAccountId": "zzzz",
"KeyId": "71ed4d4e-b4f0-45f7-8645-6b9c847e9a57",
"Arn": "arn:aws:kms:us-west-1:zzzzz:key/71ed4d4e-b4f0-45f7-8645-6b9c847e9a57",
"CreationDate": "2025-06-21T07:21:18.692000+01:00",
"Enabled": true,
"Description": "",
"KeyUsage": "SIGN_VERIFY",
"KeyState": "Enabled",
"Origin": "AWS_KMS",
"KeyManager": "CUSTOMER",
"CustomerMasterKeySpec": "ML_DSA_65",
"KeySpec": "ML_DSA_65",
"SigningAlgorithms": [
"ML_DSA_SHAKE_256"
],
"MultiRegion": false
}
}
From the command line, we can view the public key (returned as base64-encoded DER SubjectPublicKeyInfo):
% aws kms get-public-key --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --output text --query PublicKey
...
We can also write it out as DER by decoding the base64:
% aws kms get-public-key --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --output text --query PublicKey | base64 -d > public_key.der
and then convert it to PEM with OpenSSL (3.5 or later, the first release that knows the ML-DSA OIDs):
% openssl pkey -pubin -inform der -in public_key.der -out pubkey.pem
% type pubkey.pem
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Now we can sign with ML-DSA-SHAKE-256. The message is passed raw (KMS accepts at most 4096 bytes of raw message per Sign call), and `--output text` makes the saved file plain base64 rather than a JSON-quoted string:
% aws kms sign --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --message fileb://1.txt --signing-algorithm ML_DSA_SHAKE_256 --query Signature --output text > 1.out
% type 1.out
IisxODFmOWVQQzBBREdtc0h6WFR6ZW5DSUxCOUk5UGoxbE1PcXlkc0IrZW1iTlJhTzNpSlM5dlZlOVNLSGYzRElkbmFVNEo3czJ6MGozZmwvVWtRY0VrYWtKK2tWaXg3NEhYQkZDdXNhWE5Z...
(base64 signature truncated)
Next, we decode the Base64 to get the raw signature bytes (3,309 bytes for ML-DSA-65):
% base64 -d 1.out > 1.sig
% type 1.sig
(binary signature data)
Then we can verify the signature. A valid signature returns SignatureValid: true; an invalid one makes the call fail with a KMSInvalidSignatureException rather than returning false:
% aws kms verify --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --message fileb://1.txt --signature fileb://1.sig --signing-algorithm ML_DSA_SHAKE_256
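Before trusting a key or a signature file, it is worth checking that what came back from KMS is what you expect. The following stand-alone Python is an added example (not code from the original post or from AWS): it parses the DER SubjectPublicKeyInfo that `get-public-key` returns, confirms that the algorithm OID is one of the ML-DSA parameter sets, checks the raw key length against FIPS 204, and checks that a decoded signature file (such as `1.sig` above) has the fixed length that parameter set produces. The OIDs come from the NIST CSOR arc and the sizes from FIPS 204; the 1952-byte key in the sample is constructed dummy data, not real key material, and the function names are this example's own.

```python
import base64

# ML-DSA parameter sets: algorithm OID (NIST CSOR sigAlgs arc 2.16.840.1.101.3.4.3)
# -> (name, public-key length, signature length); sizes from FIPS 204 Table 2.
ML_DSA_PARAMS = {
    "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", 1312, 2420),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", 1952, 3309),
    "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", 2592, 4627),
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID into the body of an OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128 digits, least significant first
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid: OBJECT IDENTIFIER body -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value with a minimal definite length."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_spki(oid: str, public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier { oid, no parameters }, BIT STRING key }."""
    alg_id = _tlv(0x30, _tlv(0x06, encode_oid(oid)))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + public_key))


def parse_spki(der: bytes):
    """Return (algorithm OID, raw public-key bytes) from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return decode_oid(oid_body), bit_string[1:]


def inspect_ml_dsa_key(spki_der: bytes) -> dict:
    """Reject anything that is not a well-formed ML-DSA key; report its parameter set."""
    oid, key = parse_spki(spki_der)
    if oid not in ML_DSA_PARAMS:
        raise ValueError(f"not an ML-DSA public key (algorithm OID {oid})")
    name, key_len, sig_len = ML_DSA_PARAMS[oid]
    if len(key) != key_len:
        raise ValueError(f"{name} key must be {key_len} bytes, got {len(key)}")
    return {"parameter_set": name, "public_key_len": key_len, "signature_len": sig_len}


def signature_size_ok(spki_der: bytes, signature: bytes) -> bool:
    """True when a decoded signature has the fixed length of the key's parameter set;
    a wrong length usually means the base64/JSON-quoting step went wrong."""
    return len(signature) == inspect_ml_dsa_key(spki_der)["signature_len"]


# Constructed sample: a dummy 1952-byte key (not real key material), wrapped the way
# `aws kms get-public-key` returns it (base64 text of a DER SubjectPublicKeyInfo).
SAMPLE_KEY = (bytes(range(256)) * 8)[:1952]
SAMPLE_SPKI_B64 = base64.b64encode(build_spki("2.16.840.1.101.3.4.3.18", SAMPLE_KEY)).decode()

if __name__ == "__main__":
    spki = base64.b64decode(SAMPLE_SPKI_B64)
    print(inspect_ml_dsa_key(spki))
    print(signature_size_ok(spki, bytes(3309)))            # a correctly decoded 1.sig
    print(signature_size_ok(spki, b'"' + bytes(3309)))     # JSON quote left in the file
```

Feed the real key by replacing `SAMPLE_SPKI_B64` with the `--query PublicKey` output and the signature by reading `1.sig`; a non-ML-DSA key or a truncated key raises a `ValueError` with the reason.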
The signing algorithms we can use in KMS are: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SM2DSA and ML_DSA_SHAKE_256.
So, now let's try it in Python:
```python
import base64
import boto3
from botocore.exceptions import ClientError

AWS_REGION = 'us-west-1'
SIGNING_ALGORITHM = 'ML_DSA_SHAKE_256'

kms_client = boto3.client("kms", region_name=AWS_REGION)


def enable_kms_key(key_id):
    # Make sure the key is in the Enabled state before we use it
    try:
        response = kms_client.enable_key(KeyId=key_id)
    except ClientError:
        print('KMS key not working')
        raise
    else:
        return response


def sign(msg, key_id):
    # KMS signs the raw message (MessageType defaults to RAW; at most 4096 bytes)
    try:
        sig = kms_client.sign(
            KeyId=key_id,
            SigningAlgorithm=SIGNING_ALGORITHM,
            Message=bytes(msg, encoding='utf8'),
        )
    except ClientError:
        print('Problem with signing.')
        raise
    else:
        return base64.b64encode(sig["Signature"])


def verify(msg, signature_b64, key_id):
    # KMS raises KMSInvalidSignatureException (a ClientError) when the signature does
    # not verify, so SignatureValid is only ever True when this returns normally
    try:
        result = kms_client.verify(
            KeyId=key_id,
            SigningAlgorithm=SIGNING_ALGORITHM,
            Message=bytes(msg, encoding='utf8'),
            Signature=base64.b64decode(signature_b64),
        )
    except ClientError:
        print('Problem with verification.')
        raise
    else:
        return result['SignatureValid']


KEY_ID = '71ed4d4e-b4f0-45f7-8645-6b9c847e9a57'
enable_kms_key(KEY_ID)
print(f'Public Key KMS ID {KEY_ID} ')
msg = 'Hello'
print(f"Plaintext: {msg}")
sig = sign(msg, KEY_ID)
print(f"Signature {sig}")
val = verify(msg, sig, KEY_ID)
print(f"Verified: {val}")
```
A sample run gives:
Public Key KMS ID 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57
Plaintext: Hello
Signature b'...'
Verified: True
If we run on Linux, the same steps (with `--output text` so the file holds plain base64) give:
$ aws kms sign --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --message fileb://1.txt --signing-algorithm ML_DSA_SHAKE_256 --query Signature --output text | base64 -d > 1.sig
$ aws kms verify --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 --message fileb://1.txt --message-type RAW --signing-algorithm ML_DSA_SHAKE_256 --signature fileb://1.sig
```json
{
"KeyId": "arn:aws:kms:us-west-1:103269750866:key/71ed4d4e-b4f0-45f7-8645-6b9c847e9a57",
"SignatureValid": true,
"SigningAlgorithm": "ML_DSA_SHAKE_256"
}
```
Thanks to Mark Tehrani for the PowerShell version. The signature file must be written before it is verified, and `-Encoding Byte` is only accepted by Windows PowerShell 5.1; on PowerShell 7 use `-AsByteStream` instead:
```powershell
PS > Install-Module -Name Base64 -RequiredVersion 1.0.4   # optional: [Convert] below is built into .NET
PS > $sig = aws kms sign --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 `
        --message fileb://1.txt `
        --message-type RAW `
        --signing-algorithm ML_DSA_SHAKE_256 `
        --query Signature --output text
PS > $bytes = [System.Convert]::FromBase64String($sig)
PS > Set-Content -LiteralPath "1.bin" -Value $bytes -Encoding Byte
PS > aws kms verify --key-id 71ed4d4e-b4f0-45f7-8645-6b9c847e9a57 `
        --message fileb://1.txt `
        --message-type RAW `
        --signing-algorithm ML_DSA_SHAKE_256 `
        --signature fileb://1.bin
```
```json
{
"KeyId": "arn:aws:kms:us-west-1:103269750866:key/71ed4d4e-b4f0-45f7-8645-6b9c847e9a57",
"SignatureValid": true,
"SigningAlgorithm": "ML_DSA_SHAKE_256"
}
```
And that's it. If you want to try RSA and ECDSA, they are here:
AWS: Public Key Signing (RSA) - In digital signing, we sign a message with our private key and then prove the signature with our public key... asecuritysite.com
and:
AWS: Public Key Signing - In digital signing, we sign a message with our private key and then prove the signature with our public key... asecuritysite.com
- Original article: medium.com/asecuritysite...
- Translated from the English original by the 登链社区 AI assistant; please excuse any awkward wording in the translation.