Memverifikasi tanda tangan digital menggunakan kunci publik CMK asimetris.
Deskripsi operasi
Precautions
-
For information about the access policy required for a RAM user or RAM role to call this API operation, see Resource Access Management.
-
This operation can be called through a shared gateway or a dedicated gateway. For more information, see Alibaba Cloud SDK.
-
Shared gateway: You can access KMS over the Internet or through a VPC. To access KMS over the Internet, you must enable the public endpoint. For more information, see Access KMS instances over the Internet.
-
Dedicated gateway: You can access KMS using the private endpoint of KMS (
<YOUR_KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com).
-
QPS limits
-
If you use a shared gateway, the queries per second (QPS) limit for this operation is 200 for a single user. If you exceed this limit, API calls are throttled, which may impact your business. We recommend that you manage your call frequency to stay within the QPS limit.
-
If you use a dedicated gateway, the QPS limit for this operation for a single user is determined by the computing performance specifications of your KMS instance. For more information, see Performance metrics.
Description
This operation supports only asymmetric keys for which the Usage parameter is set to SIGN/VERIFY. The following table lists the supported signature algorithms.
| KeySpec | Algorithm | Description |
| RSA_2048 | RSA_PSS_SHA_256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |
| RSA_2048 | RSA_PKCS1_SHA_256 | RSASSA-PKCS1-v1_5 using SHA-256 |
| RSA_3072 | RSA_PSS_SHA_256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |
| RSA_3072 | RSA_PKCS1_SHA_256 | RSASSA-PKCS1-v1_5 using SHA-256 |
| EC_P256 | ECDSA_SHA_256 | ECDSA on the P-256 Curve(secp256r1) with a SHA-256 digest |
| EC_P256K | ECDSA_SHA_256 | ECDSA on the P-256K Curve(secp256k1) with a SHA-256 digest |
| EC_SM2 | SM2DSA | SM2 elliptic curve digital signature algorithm |
In accordance with the GBT32918 standard, when an SM2 signature is calculated, the value of the Digest parameter is not the SM3 hash value of the original message. Instead, the value is the SM3 hash value of the result generated by concatenating Z(A) and M. In this formula, M is the original message to be signed, and Z(A) is the hash value of user A as defined in GBT32918.
This topic provides an example of how to use an asymmetric key with the key ID `5c438b18-05be-40ad-b6c2-3be6752c****` and the key version ID `2ab1a983-7072-4bbc-a582-584b5bd8****` to verify the signature `M2CceNZH00ZgL9ED/ZHFp21YRAvYeZHknJUc207OCZ0N9wNn9As4z2bON3FF3je+1Nu+2+/8Zj50HpMTpzYpMp2R93cYmACCmhaYoKydxylbyGzJR8y9likZRCrkD38lRoS40aBBvv/6iRKzQuo9EGYVcel36cMNg00VmYNBy3pa1rwg3gA4l3cy6kjayZja1WGPkVhrVKsrJMdbpl0ApLjXKuD8rw1n1XLCwCUEL5eLPljTZaAveqdOFQOiZnZEGI27qIiZe7I1fN8tcz6anS/gTM7xRKE++5egEvRWlTQQTJeApnPSiUPA+8ZykNdelQsOQh5SrGoyI4A5pq****==` for the digest `ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuyjfzw=` using the RSA_PSS_SHA_256 signature algorithm.
Coba sekarang
Test
RAM authorization
Parameter permintaan
|
Parameter |
Type |
Required |
Description |
Example |
| KeyId |
string |
Yes |
ID Unik Global (GUID) customer master key (CMK). Catatan
Anda juga dapat menentukan alias yang terikat ke CMK. Untuk informasi lebih lanjut, lihat Ikhtisar alias. |
5c438b18-05be-40ad-b6c2-3be6752c**** |
| KeyVersionId |
string |
Yes |
ID versi kunci. ID harus berupa ID Unik Global (GUID) versi kunci. |
2ab1a983-7072-4bbc-a582-584b5bd8**** |
| Algorithm |
string |
Yes |
Algoritma tanda tangan. |
RSA_PSS_SHA_256 |
| Digest |
string |
Yes |
Digest yang dihasilkan menggunakan algoritma hash yang sesuai dengan nilai Algorithm untuk melakukan hash pada Paket asli. Catatan
Nilai ini dienkode Base64. |
ZOyIygCyaOW6GjVnihtTFtIS9PNmskdyMlNKiuy****= |
| Value |
string |
Yes |
Nilai tanda tangan yang akan diverifikasi. Catatan
Nilai ini dienkode Base64. |
M2CceNZH00ZgL9ED/ZHFp21YRAvYeZHknJUc207OCZ0N9wNn9As4z2bON3FF3je+1Nu+2+/8Zj50HpMTpzYpMp2R93cYmACCmhaYoKydxylbyGzJR8y9likZRCrkD38lRoS40aBBvv/6iRKzQuo9EGYVcel36cMNg00VmYNBy3pa1rwg3gA4l3cy6kjayZja1WGPkVhrVKsrJMdbpl0ApLjXKuD8rw1n1XLCwCUEL5eLPljTZaAveqdOFQOiZnZEGI27qIiZe7I1fN8tcz6anS/gTM7xRKE++5egEvRWlTQQTJeApnPSiUPA+8ZykNdelQsOQh5SrGoyI4A5pq****== |
| DryRun |
string |
No |
Apakah akan menjalankan dry run.
Dry run digunakan untuk menguji panggilan API dan memverifikasi apakah Anda memiliki izin untuk mengakses Sumber daya yang ditentukan dan apakah parameter permintaan valid. Jika Anda menjalankan dry run, KMS selalu mengembalikan tanggapan gagal yang menunjukkan penyebab kegagalan. Penyebab kegagalan berikut disertakan:
|
false |
Elemen respons
|
Element |
Type |
Description |
Example |
|
object |
|||
| KeyVersionId |
string |
The ID of the key version that is used for signature verification. |
2ab1a983-7072-4bbc-a582-584b5bd8**** |
| KeyId |
string |
The GUID of the CMK. Catatan
If you use an alias of the CMK in the request, the ID of the CMK is returned. |
5c438b18-05be-40ad-b6c2-3be6752c**** |
| Value |
boolean |
Indicates whether the signature is valid. |
true |
| RequestId |
string |
The ID of the request, which is a unique identifier generated by Alibaba Cloud for the request. You can use the ID to troubleshoot issues. |
475f1620-b9d3-4d35-b5c6-3fbdd941423d |
Contoh
Respons sukses
JSONformat
{
"KeyVersionId": "2ab1a983-7072-4bbc-a582-584b5bd8****",
"KeyId": "5c438b18-05be-40ad-b6c2-3be6752c****",
"Value": true,
"RequestId": "475f1620-b9d3-4d35-b5c6-3fbdd941423d"
}Kode kesalahan
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 404 | Forbidden.AliasNotFound | The specified Alias is not found. | The error message returned because the specified alias does not exist. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The error message returned because the specified CMK does not exist. |
| 404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. |
Lihat Error Codes untuk daftar lengkap.
Catatan rilis
Lihat Release Notes untuk daftar lengkap.