Checks whether a signature file was produced from a specific message file using a particular key pair. The command compares the signature against the message file using a public key and a signing mechanism, confirming or denying the cryptographic relationship between them. Signing mechanisms are represented by integers; see Signature algorithms.
Important
Before running this command, start key_mgmt_tool and log in to the HSM as a Crypto User (CU).
Syntax
verify -f <message-file>
-s <signature-file>
-k <public-key-handle>
-m <signature-mechanism>
Important
Enter parameters in the order shown in the syntax.
Parameters
| Parameter | Description | Required |
|---|---|---|
| -f | The message file to verify against. | Yes |
| -s | The signature file to verify. | Yes |
| -k | The handle of the public key believed to have been used to sign the file. The public key must belong to the same key pair as the private key used for signing. | Yes |
| -m | An integer that identifies the signing mechanism. See Signature algorithms. | Yes |
Signature algorithms
| Signing mechanism | Integer value |
|---|---|
| SHA1_RSA_PKCS | 0 |
| SHA256_RSA_PKCS | 1 |
| SHA384_RSA_PKCS | 2 |
| SHA512_RSA_PKCS | 3 |
| SHA224_RSA_PKCS | 4 |
| SHA1_RSA_PKCS_PSS | 5 |
| SHA256_RSA_PKCS_PSS | 6 |
| SHA384_RSA_PKCS_PSS | 7 |
| SHA512_RSA_PKCS_PSS | 8 |
| SHA224_RSA_PKCS_PSS | 9 |
| ECDSA_SHA1 | 15 |
| ECDSA_SHA224 | 16 |
| ECDSA_SHA256 | 17 |
| ECDSA_SHA384 | 18 |
| ECDSA_SHA512 | 19 |
Examples
Verify a valid signature
This example signs messageFile using private key 8 and the SHA256_RSA_PKCS mechanism (-m 1), then verifies the signature using the corresponding public key 7. Public key 7 and private key 8 belong to the same asymmetric key pair.
Command: sign -f messageFile -k 8 -out signedFile -m 1
Signature creation successful
signature is written to file signedFile
Cfm3Sign: sign returned: 0x00 : HSM Return: SUCCESS
Command: verify -f messageFile -s signedFile -k 7 -m 1
Signature verification successful
Cfm3Verify returned: 0x00 : HSM Return: SUCCESS
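The following is an added example, not part of the original page or the tool's own code: it uses OpenSSL as a local stand-in for the HSM to show that verification succeeds only when the message, key pair, and mechanism all match the ones used for signing. The helper names (mech_opts, local_sign, local_verify, newkey, report, demo), the mapping from mechanism integers to OpenSSL options, and all keys and files are assumptions constructed for the example; only the RSA mechanisms 0 through 9 are covered.

```shell
# Added example: OpenSSL stands in for the HSM; keys and files are constructed.
# mech_opts maps RSA mechanism integers 0-9 from the table to "openssl dgst"
# options (this example's assumption; ECDSA 15-19 is not covered).
mech_opts() {
  case "$1" in
    0|5) h=sha1 ;; 1|6) h=sha256 ;; 2|7) h=sha384 ;;
    3|8) h=sha512 ;; 4|9) h=sha224 ;;
    *) return 2 ;;
  esac
  case "$1" in
    [0-4]) echo "-$h" ;;                                # PKCS #1 v1.5 padding
    *)     echo "-$h -sigopt rsa_padding_mode:pss" ;;   # PSS padding
  esac
}

# local_sign <message-file> <private-key> <signature-file> <mechanism>
local_sign() {
  opts=$(mech_opts "$4") || return 2                    # unknown mechanism
  openssl dgst $opts -sign "$2" -out "$3" "$1"          # $opts unquoted on purpose
}

# local_verify <message-file> <signature-file> <public-key> <mechanism>
local_verify() {
  opts=$(mech_opts "$4") || return 2
  openssl dgst $opts -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

newkey() {  # newkey <basename>: writes <basename>.priv and <basename>.pub
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.priv" 2>/dev/null &&
    openssl pkey -in "$1.priv" -pubout -out "$1.pub"
}
report() {  # report <label> <local_verify arguments...>
  label=$1; shift
  if local_verify "$@"; then echo "$label: successful"; else echo "$label: failed"; fi
}

demo() {
  d=$(mktemp -d) || return 1
  newkey "$d/a" && newkey "$d/b" || return 1
  printf 'constructed sample message\n' > "$d/messageFile"
  printf 'constructed sample messagE\n' > "$d/tampered"
  local_sign "$d/messageFile" "$d/a.priv" "$d/signedFile" 1 || return 1
  report "matching message, key, mechanism" "$d/messageFile" "$d/signedFile" "$d/a.pub" 1
  report "altered message" "$d/tampered" "$d/signedFile" "$d/a.pub" 1
  report "public key from another pair" "$d/messageFile" "$d/signedFile" "$d/b.pub" 1
  report "wrong mechanism (6 instead of 1)" "$d/messageFile" "$d/signedFile" "$d/a.pub" 6
  rm -rf "$d"
}
demo
```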