From cae08bff80429727082065f870febdfeb4c433c5 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 19 Feb 2021 11:28:35 -0800
Subject: [PATCH] Validate that the signer can get the public key.
---
 kms/cloudkms/cloudkms.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kms/cloudkms/cloudkms.go b/kms/cloudkms/cloudkms.go
index cc533702..83bd167c 100644
--- a/kms/cloudkms/cloudkms.go
+++ b/kms/cloudkms/cloudkms.go
@@ -141,6 +141,17 @@ func (k *CloudKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer,
 return nil, errors.New("signing key cannot be empty")
 }
 
+ // Validate that the key exists
+ ctx, cancel := defaultContext()
+ defer cancel()
+
+ _, err := k.client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{
+ Name: req.SigningKey,
+ })
+ if err != nil {
+ return nil, errors.Wrap(err, "cloudKMS GetPublicKey failed")
+ }
+
 return NewSigner(k.client, req.SigningKey), nil
 }
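Review bot: The added `GetPublicKey` call discards its response, so the check only proves that the public key of `req.SigningKey` was readable at that moment, which is less than the comment `// Validate that the key exists` suggests and not the same as "this key can sign". As far as I know Cloud KMS also answers GetPublicKey for asymmetric-decryption keys, and reading a public key is authorised separately from signing, so a key that cannot be used to sign may pass here and fail only on the first `Sign`. Consider keeping the response (`pk, err := k.client.GetPublicKey(...)`) and rejecting a `pk.Algorithm` that is not a signing algorithm, or at least rewording the comment to `// Validate that the public key can be retrieved; this does not prove the key can sign.` The call also fails on permission or timeout errors, not just a missing key, so callers should not read the returned error as "key not found". CreateSigner's body starts outside the hunk.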