Verifies a digital signature by using an asymmetric key.

Usage notes

The following table describes the signature algorithms for different types of customer master keys (CMKs).

CMK typeSignature algorithmDescription
  • RSA_2048
  • RSA_3072
  • RSA_4096
RSA_PSS_SHA_256 (default value)RSASSA-PSS using SHA-256 and MGF1 with SHA-256
RSA_PKCS1_SHA_256RSASSA-PKCS1-v1_5 using SHA-256
  • EC_P256
  • EC_P256K
ECDSA_SHA_256 (default value)ECDSA on the P-256 Curve(secp256r1) with a SHA-256 digest
EC_SM2SM2DSA (default value)SM2 elliptic curve public key encryption algorithm

Request message definition

message VerifyRequest {
     string KeyId = 1;
     bytes Signature = 2;
     string Algorithm = 3;
     bytes Message = 4;
     string MessageType = 5;

Request parameters

KeyIdstringYes1234abcd-12ab-34cd-56ef-12345678****The ID of the customer master key (CMK). The ID must be globally unique. You can also set this parameter to an alias that is bound to the CMK.
Algorithm stringYesRSAES_OAEP_SHA_256The signature algorithm. Valid values:
  • RSA_PSS_SHA_256
  • RSA_PKCS1_SHA_256
  • ECDSA_SHA_256
  • SM2DSA
Note The signature algorithm must be consistent with the algorithm that is returned by calling the Sign operation.
MessageTypestringYes RAWThe message type. Valid values:
  • RAW: the raw data. This is the default value.
  • DIGEST: the message digest of the raw data. Key Management Service (KMS) does not process the message digest of the raw data. KMS directly uses the private key to sign data.
MessagebytesYesBinary dataThe message to sign.
  • The MessageType parameter is set to RAW: The hash algorithm that is specified by the Algorithm parameter is used to generate a digest for the raw data, and the digest is signed.
  • The MessageType parameter is set to DIGEST: The digest can be up to 32 bytes in length.
SignaturebytesYesBinary dataThe signature value to be verified.

Response message definition

message VerifyResponse {
     string KeyId = 1;
     bool Value = 2;
     string RequestId = 3;
     string Algorithm = 4;
     string MessageType = 5;

Response parameters

ValuebooltrueIndicates whether the signature passed the verification. Valid values:
  • true: The signature passed the verification.
  • false: The signature verification failed.
KeyIdstring1234abcd-12ab-34cd-56ef-12345678****The ID of the CMK. The ID must be globally unique. If the KeyId parameter is set to an alias of the CMK, the ID of the CMK to which the alias is bound is returned.
AlgorithmstringRSAES_OAEP_SHA_256The signature algorithm.
MessageTypestringRAWThe type of the message.
RequestIdstring475f1620-b9d3-4d35-b5c6-3fbdd941423dThe ID of the request.

Error codes

For more information about error codes, see Common error codes.