All Products
Search

This Product

    Key Management Service:Sample code for signing and verification

    Document Center

    Key Management Service:Sample code for signing and verification

    Last Updated:Feb 13, 2025

    After initializing the KMS instance SDK client, you can use it to call the Sign and Verify APIs for signing and verification. This topic provides code examples for this.

    Complete example

    package main

import (
	"fmt"
	"github.com/alibabacloud-go/tea/tea"
	dedicatedkmsopenapi "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi"
	dedicatedkmsopenapiutil "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi-util"
	dedicatedkmssdk "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/sdk"
	"io/ioutil"
)

// The signature context may be stored.
type SignatureContext struct {
	KeyId     string
	Signature []byte
	// Use default algorithm value,if the value is not set.
	Algorithm   string
	MessageType string
}

func main() {
	// ID or alias of the KMS instance signature key.
	keyId := "<KEY_ID>"
	// Data digest or preprocessed data to be signed
	//digest := sha256.Sum256([]byte("message"))
	message := "<MESSAGE>"
	// Type of data to be signed, RAW - raw data to be signed, DIGEST - digest of the data to be signed
	//messageType := "DIGEST"
	messageType := "RAW"

	// Create DKMS Client object.
	client := getDkmsClientByClientKeyContent()
	//client := getDkmsClientByClientKeyFile()

	signatureCtx := signSample(client, keyId, []byte(message), messageType)
	verifyResult := verifySample(client, []byte(message), signatureCtx)
	fmt.Println(verifyResult)
}

// Signing example.
func signSample(client *dedicatedkmssdk.Client, keyId string, message []byte, messageType string) *SignatureContext {
	signRequest := &dedicatedkmssdk.SignRequest{
		KeyId:       tea.String(keyId),
		Message:     message,
		MessageType: tea.String(messageType),
	}
	// Verify the server certificate.
	ca, err := ioutil.ReadFile("path/to/caCert.pem")
	if err != nil {
		panic(err)
	}
	runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
		Verify: tea.String(string(ca)),
	}
	// Or, ignore the certificate.
	//runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
	//	IgnoreSSL: tea.Bool(true),
	//}
	// Call the signing API for signing.
	signResponse, err := client.SignWithOptions(signRequest, runtimeOptions)
	if err != nil {
		panic(err)
	}

	// Key ID.
	_keyId := tea.StringValue(signResponse.KeyId)
	// Signature value.
	_signature := signResponse.Signature
	// Message type.
	_messageType := tea.StringValue(signResponse.MessageType)
	// Signature algorithm.
	_algorithm := tea.StringValue(signResponse.Algorithm)

	fmt.Println("KeyId:", _keyId)
	fmt.Println("Signature:", _signature)
	fmt.Println("MessageType:", _messageType)
	fmt.Println("RequestId:", tea.StringValue(signResponse.RequestId))

	return &SignatureContext{
		KeyId:       _keyId,
		Signature:   _signature,
		MessageType: messageType,
		Algorithm:   _algorithm,
	}
}

// Signature verification example.
func verifySample(client *dedicatedkmssdk.Client, message []byte, ctx *SignatureContext) (_value bool) {
	verifyRequest := &dedicatedkmssdk.VerifyRequest{
		KeyId:       tea.String(ctx.KeyId),
		Message:     message,
		MessageType: tea.String(ctx.MessageType),
		Signature:   ctx.Signature,
		Algorithm:   tea.String(ctx.Algorithm),
	}
	// Verify the server certificate.
	ca, err := ioutil.ReadFile("path/to/caCert.pem")
	if err != nil {
		panic(err)
	}
	runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
		Verify: tea.String(string(ca)),
	}
	// Or, ignore the certificate.
	//runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
	//	IgnoreSSL: tea.Bool(true),
	//}
	// Call the signature verification API for signature verification.
	verifyResponse, err := client.VerifyWithOptions(verifyRequest, runtimeOptions)
	if err != nil {
		panic(err)
	}

	// Signature verification result.
	_value = tea.BoolValue(verifyResponse.Value)
	// Message type.
	_messageType := verifyResponse.MessageType

	fmt.Println("KeyId:", tea.StringValue(verifyResponse.KeyId))
	fmt.Println("Value:", _value)
	fmt.Println("MessageType:", tea.StringValue(_messageType))
	fmt.Println("RequestId:", tea.StringValue(verifyResponse.RequestId))

	return tea.BoolValue(verifyResponse.Value)
}

// Create the SDK client object for the KMS instance using the ClientKey content.
func getDkmsClientByClientKeyContent() *dedicatedkmssdk.Client {
	// Create the SDK client configuration for the KMS instance.
	config := &dedicatedkmsopenapi.Config{
	        // Set the connection protocol to "https". The KMS instance service only allows access through the HTTPS protocol.
		Protocol: tea.String("https"),
		// Replace with the content of the ClientKey file.
		ClientKeyContent: tea.String("<CLIENT_KEY_CONTENT>"),
		// Replace with the encryption password entered when creating the ClientKey.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
		// Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
		Endpoint: tea.String("<ENDPOINT>"),
	}
	// Create the SDK client object for the KMS instance.
	client, err := dedicatedkmssdk.NewClient(config)
	if err != nil {
		// Handle exceptions
		panic(err)
	}
	return client
}

// Create the SDK client object for the KMS instance using the ClientKey file path.
func getDkmsClientByClientKeyFile() *dedicatedkmssdk.Client {
	// Create the DKMS Client configuration.
	config := &dedicatedkmsopenapi.Config{
		// Set the connection protocol to "https". The KMS instance service only allows access through the HTTPS protocol.
		Protocol: tea.String("https"),
		// Replace with the path of the ClientKey file.
		ClientKeyFile: tea.String("<CLIENT_KEY_FILE>"),
		// Replace with the encryption password entered when creating the ClientKey.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
                 // Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
		Endpoint: tea.String("<ENDPOINT>"),
	}
	// Create the SDK client object for the KMS instance.
	client, err := dedicatedkmssdk.NewClient(config)
	if err != nil {
		// Handle exceptions.
		panic(err)
	}
	return client
}

    Example walkthrough

    Initialize client

    You can create a KMS instance SDK client object using either ClientKey content or a ClientKey file path.

    import (
    dedicatedkmsopenapi "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi"
    dedicatedkmssdk "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/sdk"
  "github.com/alibabacloud-go/tea/tea"
)

// Use ClientKey content to create a KMS instance SDK client object.
func getDkmsClientByClientKeyContent() *dedicatedkmssdk.Client {
	// Create KMS instance SDK client configuration.
	config := &dedicatedkmsopenapi.Config{
	        // Set the connection protocol to "https". The KMS instance service only allows access through the HTTPS protocol.
		Protocol: tea.String("https"),
		// Replace with the content of the ClientKey file.
		ClientKeyContent: tea.String("<CLIENT_KEY_CONTENT>"),
		// Replace with the encryption password entered when creating the ClientKey.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
		// Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
		Endpoint: tea.String("<ENDPOINT>"),
	}
	// Create a KMS instance SDK client object.
	client, err := dedicatedkmssdk.NewClient(config)
	if err != nil {
		// Abnormal handling.
		panic(err)
	}
	return client
}

// Use ClientKey file path to create a KMS instance SDK client object.
func getDkmsClientByClientKeyFile() *dedicatedkmssdk.Client {
	// Create DKMS client configuration.
	config := &dedicatedkmsopenapi.Config{
		// Set the connection protocol to "https". The KMS instance service only allows access through the HTTPS protocol.
		Protocol: tea.String("https"),
		// Replace with the path of the ClientKey file.
		ClientKeyFile: tea.String("<CLIENT_KEY_FILE>"),
		// Replace with the encryption password entered when creating the ClientKey.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
                 // Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
		Endpoint: tea.String("ENDPOINT"),
	}
	// Create a KMS instance SDK client object.
	client, err := dedicatedkmssdk.NewClient(config)
	if err != nil {
		// Abnormal handling.
		panic(err)
	}
	return client
}

    Call the Sign API to perform digital signing using an asymmetric key

    // Signing example
func signSample(client *dedicatedkmssdk.Client, keyId string, message []byte, messageType string) *SignatureContext {
	signRequest := &dedicatedkmssdk.SignRequest{
		KeyId:       tea.String(keyId),
		Message:     message,
		MessageType: tea.String(messageType),
	}
	// Verify the server certificate.
	ca, err := ioutil.ReadFile("path/to/caCert.pem")
	if err != nil {
		panic(err)
	}
	runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
		Verify: tea.String(string(ca)),
	}
	// Or, ignore the certificate.
	//runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
	//	IgnoreSSL: tea.Bool(true),
	//}
	// Call the signing API for signing.
	signResponse, err := client.SignWithOptions(signRequest, runtimeOptions)
	if err != nil {
		panic(err)
	}

	// Key ID.
	_keyId := tea.StringValue(signResponse.KeyId)
	// Signature value.
	_signature := signResponse.Signature
	// Message type.
	_messageType := tea.StringValue(signResponse.MessageType)
	// Signature algorithm.
	_algorithm := tea.StringValue(signResponse.Algorithm)

	fmt.Println("KeyId:", _keyId)
	fmt.Println("Signature:", _signature)
	fmt.Println("MessageType:", _messageType)
	fmt.Println("RequestId:", tea.StringValue(signResponse.RequestId))

	return &SignatureContext{
		KeyId:       _keyId,
		Signature:   _signature,
		MessageType: messageType,
		Algorithm:   _algorithm,
	}
}

    Call the Verify API to verify the digital signature using an asymmetric key

    // Signature verification example.
func verifySample(client *dedicatedkmssdk.Client, message []byte, ctx *SignatureContext) (_value bool) {
	verifyRequest := &dedicatedkmssdk.VerifyRequest{
		KeyId:       tea.String(ctx.KeyId),
		Message:     message,
		MessageType: tea.String(ctx.MessageType),
		Signature:   ctx.Signature,
		Algorithm:   tea.String(ctx.Algorithm),
	}
	// Verify the server certificate.
	ca, err := ioutil.ReadFile("path/to/caCert.pem")
	if err != nil {
		panic(err)
	}
	runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
		Verify: tea.String(string(ca)),
	}
	// Or, ignore the certificate.
	//runtimeOptions := &dedicatedkmsopenapiutil.RuntimeOptions{
	//	IgnoreSSL: tea.Bool(true),
	//}
	// Call the signature verification API for signature verification.
	verifyResponse, err := client.VerifyWithOptions(verifyRequest, runtimeOptions)
	if err != nil {
		panic(err)
	}

	// Signature verification result.
	_value = tea.BoolValue(verifyResponse.Value)
	// Message type
	_messageType := verifyResponse.MessageType

	fmt.Println("KeyId:", tea.StringValue(verifyResponse.KeyId))
	fmt.Println("Value:", _value)
	fmt.Println("MessageType:", tea.StringValue(_messageType))
	fmt.Println("RequestId:", tea.StringValue(verifyResponse.RequestId))

	return tea.BoolValue(verifyResponse.Value)
}