in kmsp11/operation/rsassa_raw_pkcs1.cc [92:129]
absl::Status RsaRawPkcs1Signer::Sign(KmsClient* client,
absl::Span<const uint8_t> data,
absl::Span<uint8_t> signature) {
size_t key_byte_length = RSA_size(key_.get());
constexpr size_t kRsaPkcs1OverheadBytes = 11;
// I don't know how we'd end up with a <11-byte key, but for completeness, and
// to avoid unsigned underflow...
CHECK_GE(key_byte_length, kRsaPkcs1OverheadBytes);
size_t max_data_byte_length = key_byte_length - kRsaPkcs1OverheadBytes;
if (data.size() > max_data_byte_length) {
return NewInvalidArgumentError(
absl::StrFormat("data length (%d bytes) exceeds maximum allowed "
"for a %d-bit key (%d bytes)",
data.size(), RSA_bits(key_.get()),
max_data_byte_length),
CKR_DATA_LEN_RANGE, SOURCE_LOCATION);
}
if (signature.size() != signature_length()) {
return NewInternalError(
absl::StrFormat(
"provided signature buffer has incorrect size (got %d, want %d)",
signature.size(), signature_length()),
SOURCE_LOCATION);
}
kms_v1::AsymmetricSignRequest req;
req.set_name(std::string(object_->kms_key_name()));
req.set_data(
std::string(reinterpret_cast<const char*>(data.data()), data.size()));
ASSIGN_OR_RETURN(kms_v1::AsymmetricSignResponse resp,
client->AsymmetricSign(req));
std::copy(resp.signature().begin(), resp.signature().end(),
signature.begin());
return absl::OkStatus();
}