The following self-contained script runs the full sign-and-verify cycle. Replace the placeholder values before running.
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
use AlibabaCloud\Dkms\Gcs\OpenApi\Util\Models\RuntimeOptions;
use AlibabaCloud\Dkms\Gcs\Sdk\Client as AlibabaCloudDkmsGcsSdkClient;
use AlibabaCloud\Dkms\Gcs\OpenApi\Models\Config as AlibabaCloudDkmsGcsOpenApiConfig;
use AlibabaCloud\Dkms\Gcs\Sdk\Models\SignRequest;
use AlibabaCloud\Dkms\Gcs\Sdk\Models\VerifyRequest;
use AlibabaCloud\Tea\Utils\Utils as AlibabaCloudTeaUtils;
// Alternatively, specify the path to the ClientKey file obtained from KMS application management.
// $clientKeyFile = '<CLIENT_KEY_FILE_PATH>';
// ClientKey content from KMS application management.
$clientKeyContent = '<CLIENT_KEY_CONTENT>';
// Password set when creating the ClientKey. Retrieved from an environment variable
// to avoid embedding credentials in source code.
$password = getenv('<CLIENT_KEY_PASSWORD>');
// VPC address of your KMS instance.
// Format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
$endpoint = '<DKMS_INSTANCE_SERVICE_ADDRESS>';
// ID of the asymmetric CMK to use for signing.
$keyId = '<ASYMMETRIC_CMK_ID>';
// Signing algorithm. Must match the key type.
// Supported values depend on the key spec (for example, RSA_PKCS1_SHA_256 for RSA keys).
$algorithm = '<SIGN_ALGORITHM>';
// Data to sign.
$message = '<MESSAGE_DATA>';
// Message type:
// RAW - pass the raw message; KMS computes the digest internally.
// DIGEST - pass a pre-computed message digest (hash) to skip rehashing.
$messageType = 'RAW';
$client = getDkmsGcsSdkClient();
if (is_null($client)) exit(1);
signVerifySample();
/**
* Runs a complete sign-and-verify cycle.
*/
function signVerifySample(): void
{
global $client, $keyId, $message, $messageType, $algorithm;
$signatureCtx = signSample($client, $keyId, $message, $messageType, $algorithm);
if ($signatureCtx !== null) {
$verified = verifySample($client, $message, $signatureCtx);
if (!$verified) {
echo 'verify failed' . PHP_EOL;
} else {
echo 'signVerifySample success' . PHP_EOL;
}
}
}
/**
* Signs a message using the Sign API.
*
* @param AlibabaCloudDkmsGcsSdkClient $client
* @param string $keyId ID of the asymmetric CMK.
* @param string $message Data to sign.
* @param string $messageType RAW or DIGEST.
* @param string $algorithm Signing algorithm.
* @return SignatureContext|null Returns null if signing fails.
*/
function signSample($client, $keyId, $message, $messageType, $algorithm): ?SignatureContext
{
$signRequest = new SignRequest();
$signRequest->keyId = $keyId;
$signRequest->algorithm = $algorithm;
$signRequest->message = AlibabaCloudTeaUtils::toBytes($message);
$signRequest->messageType = $messageType;
$runtimeOptions = new RuntimeOptions();
// Uncomment to skip SSL certificate verification (not recommended for production).
// $runtimeOptions->ignoreSSL = true;
try {
$signResponse = $client->signWithOptions($signRequest, $runtimeOptions);
var_dump($signResponse->toMap());
return new SignatureContext([
'keyId' => $signResponse->keyId,
'signature' => $signResponse->signature,
'messageType' => $signResponse->messageType,
'algorithm' => $signResponse->algorithm,
]);
} catch (Exception $error) {
if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
var_dump($error->getErrorInfo());
}
var_dump($error->getMessage());
var_dump($error->getTraceAsString());
}
return null;
}
/**
* Verifies a signature using the Verify API.
*
* @param AlibabaCloudDkmsGcsSdkClient $client
* @param string $message Original message (must match what was signed).
* @param SignatureContext $ctx Context returned by signSample().
* @return bool true if the signature is valid, false otherwise.
*/
function verifySample($client, $message, $ctx): bool
{
$verifyRequest = new VerifyRequest();
$verifyRequest->keyId = $ctx->keyId;
$verifyRequest->signature = $ctx->signature;
$verifyRequest->message = AlibabaCloudTeaUtils::toBytes($message);
$verifyRequest->messageType = $ctx->messageType;
$verifyRequest->algorithm = $ctx->algorithm;
$runtimeOptions = new RuntimeOptions();
// Uncomment to skip SSL certificate verification (not recommended for production).
// $runtimeOptions->ignoreSSL = true;
try {
$verifyResponse = $client->verifyWithOptions($verifyRequest, $runtimeOptions);
var_dump($verifyResponse->toMap());
return (bool) $verifyResponse->value;
} catch (Exception $error) {
if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
var_dump($error->getErrorInfo());
}
var_dump($error->getMessage());
var_dump($error->getTraceAsString());
}
return false;
}
/**
* Builds the KMS instance SDK client.
*
* @return AlibabaCloudDkmsGcsSdkClient
*/
function getDkmsGcsSdkClient(): AlibabaCloudDkmsGcsSdkClient
{
global $clientKeyContent, $password, $endpoint;
$config = new AlibabaCloudDkmsGcsOpenApiConfig();
// KMS instance service requires HTTPS.
$config->protocol = 'https';
$config->clientKeyContent = $clientKeyContent;
$config->password = $password;
$config->endpoint = $endpoint;
// Path to the CA certificate of your KMS instance.
$config->caFilePath = 'path/to/caCert.pem';
return new AlibabaCloudDkmsGcsSdkClient($config);
}
/**
* Holds the output fields from a Sign API call.
* Pass this object directly to verifySample() to ensure the key ID,
* algorithm, and message type are consistent between signing and verification.
*/
class SignatureContext
{
public function __construct($config = [])
{
foreach ($config as $k => $v) {
$this->{$k} = $v;
}
}
/** @var string */
public $keyId;
/** @var int[] Raw signature bytes. */
public $signature;
/** @var string RAW or DIGEST. */
public $messageType;
/**
* @var string Signing algorithm. If not set, the key's default algorithm is used.
*/
public $algorithm;
}
Placeholder reference
| Placeholder | Description | Example |
|---|
<CLIENT_KEY_CONTENT> | Content of the ClientKey file from KMS application management | {"KeyId":"...","PrivateKeyData":"..."} |
<CLIENT_KEY_PASSWORD> | Environment variable name that holds the ClientKey password | KMS_CLIENT_KEY_PASSWORD |
<DKMS_INSTANCE_SERVICE_ADDRESS> | VPC endpoint of your KMS instance | kst-hzz123.cryptoservice.kms.aliyuncs.com |
<ASYMMETRIC_CMK_ID> | ID of the asymmetric CMK in KMS | key-hzz456abc |
<SIGN_ALGORITHM> | Signing algorithm matching the key spec | RSA_PKCS1_SHA_256 |
<MESSAGE_DATA> | Data to sign | hello world |