
Key Management Service:Sign data and verify digital signatures

Last Updated:Jun 15, 2023

You can use the private key of an asymmetric customer master key (CMK) to sign messages or other information. Private keys are strictly protected. Only a trusted user can use a private key to sign data. The public key that matches the private key can be used to verify the generated signature.

Signing and verification provide the following benefits:

  • Verify data integrity. If the data does not match its signature, the data may have been tampered with.

  • Verify message authenticity. If a message does not match its signature, the sender did not hold the private key.

  • Provide non-repudiation for signatures. If the data matches its signature, the signer cannot deny having produced it.

Sample code

Note

The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using the AccessKey pair to perform operations is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. We recommend that you do not save the AccessKey ID and AccessKey secret in your project code. Otherwise, the AccessKey pair may be leaked and the security of all resources within your account may be compromised.

In this example, the AccessKey pair is read from the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables for authentication. For more information about how to configure authentication information, see Credentials.

// Import paths are assumed from the package layout of alibabacloud-encryption-sdk-java;
// adjust them if your SDK version differs.
import com.aliyun.encryptionsdk.AliyunConfig;
import com.aliyun.encryptionsdk.AliyunCrypto;
import com.aliyun.encryptionsdk.model.ContentType;
import com.aliyun.encryptionsdk.model.SignatureAlgorithm;
import com.aliyun.encryptionsdk.provider.KmsAsymmetricKeyProvider;

import java.nio.charset.StandardCharsets;

/**
 * Sample code for signing and verification
 */
public class DigestMessageSignatureVerifySample {
    private static final String ASYM_CMK_ARN = "<acs:kms:RegionId:UserId:key/CmkId>";
    private static final String KEY_VERSION_ID = "<KEY_VERSION_ID>";
    // Credentials are read from environment variables, never hard-coded in the source.
    private static final String ACCESS_KEY_ID = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    private static final String ACCESS_KEY_SECRET = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    private static final byte[] MESSAGE_TEXT = "this is test.".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) {
        // Configure Alibaba Cloud access parameters.
        AliyunConfig config = new AliyunConfig();
        config.withAccessKey(ACCESS_KEY_ID, ACCESS_KEY_SECRET);

        // Create an SDK client and pass in the Alibaba Cloud access parameters.
        AliyunCrypto aliyunCrypto = new AliyunCrypto(config);

        // Configure a provider bound to the CMK, key version and signature algorithm.
        KmsAsymmetricKeyProvider provider = new KmsAsymmetricKeyProvider(ASYM_CMK_ARN, KEY_VERSION_ID, SignatureAlgorithm.RSA_PKCS1_SHA_256);

        // Sign and verify the original message; the SDK computes the digest for you.
        byte[] signature = aliyunCrypto.sign(provider, MESSAGE_TEXT, ContentType.MESSAGE).getResult();
        Boolean isOk = aliyunCrypto.verify(provider, MESSAGE_TEXT, signature, ContentType.MESSAGE);
        System.out.println(isOk);

        // Sign and verify a precomputed message digest instead of the message itself.
        byte[] sha256Digest = provider.getDigest(MESSAGE_TEXT);
        signature = aliyunCrypto.sign(provider, sha256Digest, ContentType.DIGEST).getResult();
        isOk = aliyunCrypto.verify(provider, sha256Digest, signature, ContentType.DIGEST);
        System.out.println(isOk);
    }
}

Note

For the complete sample code, see alibabacloud-encryption-sdk-java-examples-signVerify.
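The sample above verifies through KMS, but a relying party that holds only the exported public key can verify the same signature locally with the standard JCA, without any KMS credentials. The following is an added example (not part of this page or the SDK project) showing that check; it assumes the public key is available as a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block, that a signature produced with RSA_PKCS1_SHA_256 (by either the MESSAGE or the DIGEST route) is a PKCS#1 v1.5 signature over the SHA-256 digest, and, so that it runs offline, uses a locally generated key pair as a stand-in for the CMK.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class OfflineVerifySample {
    /** Parse a PEM "PUBLIC KEY" block (SubjectPublicKeyInfo DER, base64-encoded). */
    static PublicKey parsePem(String pem) throws Exception {
        String b64 = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                        .replace("-----END PUBLIC KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Verify an RSA_PKCS1_SHA_256 signature over the original message; no KMS call needed. */
    static boolean verify(PublicKey pub, byte[] message, byte[] signature) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA"); // PKCS#1 v1.5 with SHA-256
        v.initVerify(pub);
        v.update(message);
        return v.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the KMS CMK (constructed locally so the sample runs offline).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        // The PEM the relying party would receive, built from the stand-in key.
        String pem = "-----BEGIN PUBLIC KEY-----\n"
            + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                    .encodeToString(kp.getPublic().getEncoded())
            + "\n-----END PUBLIC KEY-----\n";

        byte[] message = "this is test.".getBytes(StandardCharsets.UTF_8);
        // Produce the signature as KMS would for RSA_PKCS1_SHA_256.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(message);
        byte[] signature = s.sign();

        PublicKey pub = parsePem(pem);
        System.out.println("original message verifies: " + verify(pub, message, signature));
        byte[] tampered = "this is test!".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered message verifies: " + verify(pub, tampered, signature));
    }
}
```

In production, replace the stand-in key with the public key exported from the CMK and pass in the signature bytes returned by the SDK; a false result on the tampered input is the integrity check the page describes.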