I've been given a 64-byte secret to be used with HMAC_SHA_256. I can readily use this secret to generate a hash in Java, as below:
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;

// secret: the 64-byte key material; prehash: the string to authenticate
SecretKeySpec keyspec = new SecretKeySpec(secret, "HmacSHA256");
Mac sha256 = Mac.getInstance("HmacSHA256");
sha256.init(keyspec);
byte[] tag = sha256.doFinal(prehash.getBytes(StandardCharsets.UTF_8));
I would like to outsource this logic to KMS, and import this 64-byte key material into KMS. However, I get the InvalidCiphertextException error. Based on my research, it appears KMS only supports a 32-byte key for HMAC_SHA_256.
However, the spec (and example Java code implementing the spec) supports arbitrary key sizes; it will simply SHA-256 anything larger than the block size of 64 bytes.
I want to understand why this restriction exists in KMS, unless I've missed something.
For brevity, I'm attempting to run the following aws kms commands:
aws kms get-parameters-for-import \
--key-id XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX \
--wrapping-algorithm RSAES_OAEP_SHA_256 \
--wrapping-key-spec RSA_4096 > import.json
cat import.json | jq -r .PublicKey | openssl enc -d -base64 -A -out WrappingPublicKey.bin
cat import.json | jq -r .ImportToken | openssl enc -d -base64 -A -out ImportToken.bin
openssl rand -out PlaintextKeyMaterial.bin 64  # Note that 32 works, 64 does not
openssl pkeyutl \
-encrypt \
-in PlaintextKeyMaterial.bin \
-out EncryptedKeyMaterial.bin \
-inkey WrappingPublicKey.bin \
-keyform DER \
-pubin \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256 \
-pkeyopt rsa_mgf1_md:sha256
aws kms import-key-material --key-id XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX \
--encrypted-key-material fileb://EncryptedKeyMaterial.bin \
--import-token fileb://ImportToken.bin \
--expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
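The key-length behaviour the question refers to, as an added example that is not part of the original post: HMAC-SHA256 written out per RFC 2104 shows that only a key longer than the 64-byte block is replaced by its SHA-256 digest, so a 64-byte key is used as-is and its tags differ from those of the 32-byte digest, while a key longer than 64 bytes produces exactly the same tags as its 32-byte digest. The key and message bytes are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes (RFC 2104 "B")


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104, written out so the key handling is visible."""
    # Step 1: a key longer than the block size is replaced by its hash.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # Step 2: a key at or below the block size is zero-padded, never hashed.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the manual construction against hmac.new."""
    return hmac.compare_digest(
        hmac_sha256_manual(key, msg), hmac.new(key, msg, hashlib.sha256).digest()
    )


def digest_key_equivalent(key: bytes, msg: bytes) -> bool:
    """True when HMAC(key, msg) == HMAC(SHA-256(key), msg), i.e. when the key
    could be shortened to 32 bytes without changing any tag."""
    derived = hashlib.sha256(key).digest()  # always 32 bytes
    return hmac.compare_digest(
        hmac_sha256_manual(key, msg), hmac_sha256_manual(derived, msg)
    )


if __name__ == "__main__":
    msg = b"constructed prehash string"  # constructed sample message
    for size in (32, 64, 100):
        key = bytes(range(size))  # constructed, deterministic key material
        print(size, matches_stdlib(key, msg), digest_key_equivalent(key, msg))
```

Running it prints True for the stdlib cross-check at every size, but the digest-equivalence column is False for the 32- and 64-byte keys and True only for the 100-byte key.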