Sign - Key Management Service - Alibaba Cloud Documentation Center

Signs an asymmetric key.

Usage notes

The following table describes the signature algorithms for different types of customer master keys (CMKs).


CMK type	Signature algorithm	Description
RSA_2048 RSA_3072 RSA_4096	RSA_PSS_SHA_256 (default value)	RSASSA-PSS using SHA-256 and MGF1 with SHA-256
RSA_2048 RSA_3072 RSA_4096	RSA_PKCS1_SHA_256	RSASSA-PKCS1-v1_5 using SHA-256
EC_P256 EC_P256K	ECDSA_SHA_256 (default value)	ECDSA on the P-256 Curve(secp256r1) with a SHA-256 digest
EC_SM2	SM2DSA (default value)	SM2 elliptic curve public key encryption algorithm

Request message definition

message SignRequest {
     string KeyId = 1;
     string Algorithm = 2;
     bytes Message = 3;
     string MessageType = 4;
}

Request parameters


Parameter	Type	Required	Example	Description
KeyId	string	Yes	1234abcd-12ab-34cd-56ef-12345678****	The ID of the customer master key (CMK). The ID must be globally unique. You can also set this parameter to an alias that is bound to the CMK.
Algorithm	string	Yes	RSAES_OAEP_SHA_256	The signature algorithm. Valid values: RSA_PSS_SHA_256 RSA_PKCS1_SHA_256 ECDSA_SHA_256 SM2DSA
MessageType	string	Yes	RAW	The message type. Valid values: RAW: the raw data. This is the default value. DIGEST: the message digest of the raw data. Key Management Service (KMS) does not process the message digest of the raw data. KMS directly uses the private key to sign data.
Message	bytes	Yes	Binary data	The message to sign. The MessageType parameter is set to RAW: The hash algorithm that is specified by the Algorithm parameter is used to generate a digest for the raw data, and the digest is signed. The MessageType parameter is set to DIGEST: The digest can be up to 32 bytes in length.

Response message definition

message SignResponse {
     string KeyId = 1;
     bytes Signature = 2;
     string RequestId = 3;
     string Algorithm = 4;
     string MessageType = 5;
}

Response parameters


Parameter	Type	Example	Description
Signature	bytes	Binary data	The calculated signature value.
KeyId	string	1234abcd-12ab-34cd-56ef-12345678****	The ID of the CMK. The ID must be globally unique. If the KeyId parameter is set to an alias of the CMK, the ID of the CMK to which the alias is bound is returned.
Algorithm	string	RSAES_OAEP_SHA_256	The signature algorithm.
MessageType	string	RAW	The type of the message.
RequestId	string	475f1620-b9d3-4d35-b5c6-3fbdd941423d	The ID of the request.

Error codes

For more information about error codes, see Common error codes.