
Key Management Service:署名検証の例

最終更新日:Jan 06, 2025

KMSインスタンスSDKクライアントを初期化すると、そのクライアントを使用してSignおよびVerifyインターフェイスを呼び出し、デジタル署名の作成と検証を行うことができます。このトピックでは、両方のプロセスのコードサンプルを示します。

完全なコード例

Signインターフェイスを呼び出して、非対称キーでデジタル署名を実行します。Verifyインターフェイスを呼び出して、非対称キーを使用して署名の有効性を確認します。

ソースコードGitHubリンク: Sha256AsymmetricSignVerifySample.java

署名および署名検証の完全なコード例

package com.aliyun.dkms.gcs.sdk.example;

import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.openapi.util.models.RuntimeOptions;
import com.aliyun.dkms.gcs.sdk.Client;
import com.aliyun.dkms.gcs.sdk.models.SignRequest;
import com.aliyun.dkms.gcs.sdk.models.SignResponse;
import com.aliyun.dkms.gcs.sdk.models.VerifyRequest;
import com.aliyun.dkms.gcs.sdk.models.VerifyResponse;
import com.aliyun.tea.TeaException;

import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

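/**
 * KMS SHA-256 asymmetric sign / verify example.
 *
 * <p>The sample creates a digital signature over a message with an asymmetric KMS key
 * (Sign interface) and then asks KMS to check that signature (Verify interface).
 * For message type {@code DIGEST} the message is hashed locally with SHA-256 and only
 * the digest is sent to KMS; for {@code RAW} the UTF-8 bytes of the message are sent
 * as-is. The {@code <ALGORITHM>} placeholder must therefore name a signing algorithm
 * whose digest is SHA-256 — confirm against the KMS algorithm list for your key.
 */
public class Sha256AsymmetricSignVerifySample {
    /** Message type telling KMS that the request carries a pre-computed digest. */
    private static final String MESSAGE_TYPE_DIGEST = "DIGEST";
    /** Message type telling KMS that the request carries the original message bytes. */
    private static final String MESSAGE_TYPE_RAW = "RAW";

    // KMS instance client object, created once by initClient()
    private static Client client = null;

    /**
     * Entry point: builds the KMS client, then runs the sign / verify round trip.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // Construct KMS instance client object
            initClient();

            // Use KMS instance for signature and signature verification
            asymmetricSignVerify();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Construct KMS instance client object.
     *
     * <p>Every placeholder must be replaced before running; the sample does not validate them.
     *
     * @throws Exception if the client cannot be constructed from the supplied configuration
     */
    public static void initClient() throws Exception {
        // Set the connection protocol to "https". The KMS instance service only allows access through the HTTPS protocol.
        Config config = new Config();
        config.setProtocol("https");

        // Client Key file.
        config.setClientKeyFile("<CLIENT_KEY_FILE>");

        // Client Key password. Load it from a secret store or the environment rather than hard-coding it.
        config.setPassword("<PASSWORD>");

        // Set the endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
        config.setEndpoint("<ENDPOINT>");

        // The CA certificate of the KMS instance, used to authenticate the server's TLS certificate.
        // You can specify the path to the CA certificate file or enter the content of the CA certificate.
        config.setCaFilePath("<PATH_TO_CA_CERTIFICATE>");
        // Alternatively, set it to the CA certificate content of the KMS instance
        //config.setCa("<CA_CERTIFICATE_CONTENT>");
        client = new Client(config);
    }

    /**
     * Use KMS instance for signature and signature verification.
     *
     * @throws Exception if signing fails, or if KMS does not confirm the signature
     */
    public static void asymmetricSignVerify() throws Exception {
        String keyId = "<KEY_ID>";
        String algorithm = "<ALGORITHM>";
        String message = "<MESSAGE>";
        // Data type to be signed: RAW - original message, DIGEST - SHA-256 digest of the message
        String messageType = MESSAGE_TYPE_DIGEST;

        // Use KMS to sign the message
        final SignContext signContext = asymmetricSign(keyId, algorithm, message, messageType);
        // Use KMS to verify the message signature; a false result is a failure, not just a log line
        if (!asymmetricVerify(signContext, message)) {
            throw new IllegalStateException("KMS did not confirm the signature for key " + keyId);
        }
    }

    /**
     * Use KMS to sign the message.
     *
     * @param keyId       ID of the asymmetric KMS key
     * @param algorithm   signing algorithm to use; must correspond to a SHA-256 digest when messageType is DIGEST
     * @param message     the message to sign
     * @param messageType {@code RAW} to send the UTF-8 bytes of the message, anything else to send its SHA-256 digest
     * @return the key ID, signature, algorithm and message type echoed by KMS, needed later for Verify
     * @throws Exception if hashing fails; API errors are printed and rethrown wrapped in a RuntimeException
     */
    public static SignContext asymmetricSign(String keyId, String algorithm, String message, String messageType) throws Exception {
        SignRequest signRequest = new SignRequest();
        signRequest.setKeyId(keyId);
        signRequest.setAlgorithm(algorithm);
        // The payload must match the declared message type, otherwise KMS signs bytes the verifier never sees
        signRequest.setMessage(toMessageBytes(message, messageType));
        signRequest.setMessageType(messageType);
        try {
            // RuntimeOptions#setIgnoreSSL(true) disables server certificate validation; keep it to local debugging
            //RuntimeOptions runtimeOptions = new RuntimeOptions();
            //runtimeOptions.setIgnoreSSL(true);
            //SignResponse signResponse = client.signWithOptions(signRequest, runtimeOptions);
            SignResponse signResponse = client.sign(signRequest);
            // Signature value
            byte[] signature = signResponse.getSignature();
            System.out.println("================sign================");
            System.out.printf("KeyId: %s%n", signResponse.getKeyId());
            System.out.printf("Signature: %s%n", Arrays.toString(signature));
            System.out.println("================sign================");
            return new SignContext(signResponse.getKeyId(), signature, signResponse.getAlgorithm(), signResponse.getMessageType());
        } catch (TeaException e) {
            printTeaException(e);
            throw new RuntimeException(e);
        } catch (Exception e) {
            System.out.printf("sign errMsg: %s%n", e.getMessage());
            e.printStackTrace();
            throw new RuntimeException(e);
        }
    }

    /**
     * Use KMS to verify the message signature.
     *
     * <p>Unlike a log-only sample, the result is returned to the caller and errors are
     * rethrown: a verification step that fails silently is indistinguishable from success.
     *
     * @param signContext key ID, signature, algorithm and message type produced by {@link #asymmetricSign}
     * @param message     the message whose signature is being checked
     * @return {@code true} only if KMS reports the signature as valid
     * @throws Exception if hashing fails; API errors are printed and rethrown wrapped in a RuntimeException
     */
    public static boolean asymmetricVerify(final SignContext signContext, String message) throws Exception {
        VerifyRequest verifyRequest = new VerifyRequest();
        verifyRequest.setKeyId(signContext.getKeyId());
        verifyRequest.setAlgorithm(signContext.getAlgorithm());
        // Must mirror the transformation applied in asymmetricSign(), otherwise KMS verifies different bytes
        verifyRequest.setMessage(toMessageBytes(message, signContext.getMessageType()));
        verifyRequest.setMessageType(signContext.getMessageType());
        verifyRequest.setSignature(signContext.getSignature());
        try {
            // RuntimeOptions#setIgnoreSSL(true) disables server certificate validation; keep it to local debugging
            //RuntimeOptions runtimeOptions = new RuntimeOptions();
            //runtimeOptions.setIgnoreSSL(true);
            //VerifyResponse verifyResponse = client.verifyWithOptions(verifyRequest, runtimeOptions);
            VerifyResponse verifyResponse = client.verify(verifyRequest);
            // Only an explicit true from KMS counts as a valid signature
            boolean valid = Boolean.TRUE.equals(verifyResponse.getValue());
            System.out.println("================verify================");
            System.out.printf("KeyId: %s%n", verifyResponse.getKeyId());
            System.out.printf("Value: %s%n", verifyResponse.getValue());
            System.out.println("================verify================");
            return valid;
        } catch (TeaException e) {
            printTeaException(e);
            throw new RuntimeException(e);
        } catch (Exception e) {
            System.out.printf("verify errMsg: %s%n", e.getMessage());
            e.printStackTrace();
            throw new RuntimeException(e);
        }
    }

    /**
     * Print the diagnostic fields of a KMS / Tea API error.
     *
     * @param e the error returned by the SDK
     */
    private static void printTeaException(TeaException e) {
        System.out.printf("Code: %s%n", e.getCode());
        System.out.printf("Message: %s%n", e.getMessage());
        // getData() carries the HTTP-level details; guard it so reporting an error cannot itself throw
        if (e.getData() != null) {
            System.out.printf("HttpCode: %s%n", e.getData().get("httpCode"));
            System.out.printf("HostId: %s%n", e.getData().get("hostId"));
            System.out.printf("RequestId: %s%n", e.getData().get("requestId"));
        }
        e.printStackTrace();
    }

    /**
     * Build the Sign / Verify request payload for the given message type.
     *
     * @param message     the message to sign or verify
     * @param messageType {@code RAW} to send the UTF-8 bytes; any other value sends the SHA-256 digest
     * @return the bytes to place in the request
     * @throws Exception if SHA-256 is unavailable
     */
    private static byte[] toMessageBytes(String message, String messageType) throws Exception {
        if (MESSAGE_TYPE_RAW.equals(messageType)) {
            return message.getBytes(StandardCharsets.UTF_8);
        }
        return getDigest(message);
    }

    /**
     * SHA-256 digest of the UTF-8 encoding of the message.
     *
     * @param message the message to hash
     * @return the 32-byte digest
     * @throws Exception if SHA-256 is unavailable
     */
    private static byte[] getDigest(String message) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        return sha256.digest(message.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * The sign context may be stored; it carries everything Verify needs besides the message itself.
     */
    static class SignContext implements Serializable {
        private static final long serialVersionUID = 1L;

        public String keyId;
        public byte[] signature;
        /**
         * Use default algorithm value, if the value is not set.
         */
        public String algorithm;
        // RAW or DIGEST, as echoed by the Sign response
        public String messageType;

        public SignContext() {
        }

        public SignContext(String keyId, byte[] signature, String algorithm, String messageType) {
            this.keyId = keyId;
            this.signature = signature;
            this.algorithm = algorithm;
            this.messageType = messageType;
        }

        public String getKeyId() {
            return keyId;
        }

        public void setKeyId(String keyId) {
            this.keyId = keyId;
        }

        public byte[] getSignature() {
            return signature;
        }

        public void setSignature(byte[] signature) {
            this.signature = signature;
        }

        public String getAlgorithm() {
            return algorithm;
        }

        public void setAlgorithm(String algorithm) {
            this.algorithm = algorithm;
        }

        public String getMessageType() {
            return messageType;
        }

        public void setMessageType(String messageType) {
            this.messageType = messageType;
        }
    }
}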

コード例分析

クライアントの初期化

詳細については、「クライアントの初期化」をご参照ください。

import com.aliyun.dkms.gcs.openapi.models.Config;
import com.aliyun.dkms.gcs.sdk.Client;

                           
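 /**
     * Construct KMS instance client object.
     *
     * <p>Every placeholder must be replaced before running; the sample does not validate them.
     *
     * @throws Exception if the client cannot be constructed from the supplied configuration
     */
    public static void initClient() throws Exception {
        // The connection protocol. Set the value to https. The KMS instance service only allows access through the HTTPS protocol.
        Config config = new Config();
        config.setProtocol("https");

        // Client key file.
        config.setClientKeyFile("<CLIENT_KEY_FILE>");

        // Client key password. Load it from a secret store or the environment rather than hard-coding it.
        config.setPassword("<PASSWORD>");

        // The endpoint of your KMS instance. Set the value in the following format: <ID of your KMS instance>.cryptoservice.kms.aliyuncs.com.
        config.setEndpoint("<ENDPOINT>");

        // The certificate authority (CA) certificate of the KMS instance, used to authenticate the server's TLS certificate.
        // You can specify the path to the CA certificate file or enter the content of the CA certificate.
        config.setCaFilePath("<CA_CERTIFICATE_PATH>");
        // Alternatively, set the content of the CA certificate of the KMS instance
        //config.setCa("<CA_CERTIFICATE_CONTENT>");
        client = new Client(config);
    }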

Signインターフェイスを呼び出して、非対称キーを使用してデジタル署名を実行する

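    /**
     * Use KMS to sign the message.
     *
     * @param keyId       ID of the asymmetric KMS key
     * @param algorithm   signing algorithm to use; must correspond to a SHA-256 digest when messageType is DIGEST
     * @param message     the message to sign
     * @param messageType RAW to send the UTF-8 bytes of the message, anything else to send its SHA-256 digest
     * @return the key ID, signature, algorithm and message type echoed by KMS, needed later for Verify
     * @throws Exception if hashing fails; API errors are printed and rethrown wrapped in a RuntimeException
     */
    public static SignContext asymmetricSign(String keyId, String algorithm, String message, String messageType) throws Exception {
        SignRequest signRequest = new SignRequest();
        signRequest.setKeyId(keyId);
        signRequest.setAlgorithm(algorithm);
        // The payload must match the declared message type: hash locally unless the caller asked for RAW
        byte[] payload = message.getBytes(StandardCharsets.UTF_8);
        if (!"RAW".equals(messageType)) {
            payload = MessageDigest.getInstance("SHA-256").digest(payload);
        }
        signRequest.setMessage(payload);
        signRequest.setMessageType(messageType);
        try {
            // RuntimeOptions#setIgnoreSSL(true) disables server certificate validation; keep it to local debugging
            //RuntimeOptions runtimeOptions = new RuntimeOptions();
            //runtimeOptions.setIgnoreSSL(true);
            //SignResponse signResponse = client.signWithOptions(signRequest, runtimeOptions);
            SignResponse signResponse = client.sign(signRequest);
            // Signature value
            byte[] signature = signResponse.getSignature();
            System.out.println("================sign================");
            System.out.printf("KeyId: %s%n", signResponse.getKeyId());
            System.out.printf("Signature: %s%n", Arrays.toString(signature));
            System.out.println("================sign================");
            return new SignContext(signResponse.getKeyId(), signature, signResponse.getAlgorithm(), signResponse.getMessageType());
        } catch (TeaException e) {
            // e is already a TeaException; no cast needed
            System.out.printf("Code: %s%n", e.getCode());
            System.out.printf("Message: %s%n", e.getMessage());
            // getData() carries the HTTP-level details; guard it so reporting an error cannot itself throw
            if (e.getData() != null) {
                System.out.printf("HttpCode: %s%n", e.getData().get("httpCode"));
                System.out.printf("HostId: %s%n", e.getData().get("hostId"));
                System.out.printf("RequestId: %s%n", e.getData().get("requestId"));
            }
            e.printStackTrace();
            throw new RuntimeException(e);
        } catch (Exception e) {
            System.out.printf("sign errMsg: %s%n", e.getMessage());
            e.printStackTrace();
            throw new RuntimeException(e);
        }
    }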

Verifyインターフェイスを呼び出して、非対称キーを使用してデジタル署名を検証する

KMSの署名作成および検証プロセスは、関連するアルゴリズム標準に準拠しています。 したがって、Verifyインターフェイスを使用するだけでなく、KMSから公開鍵を取得し、他の暗号ライブラリでデジタル署名を検証することもできます。

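/**
     * Use KMS to verify the message signature.
     *
     * <p>The result is returned to the caller and errors are rethrown: a verification step
     * that only prints and swallows failures is indistinguishable from success.
     *
     * @param signContext key ID, signature, algorithm and message type produced by the Sign call
     * @param message     the message whose signature is being checked
     * @return {@code true} only if KMS reports the signature as valid
     * @throws Exception if hashing fails; API errors are printed and rethrown wrapped in a RuntimeException
     */
    public static boolean asymmetricVerify(final SignContext signContext, String message) throws Exception {
        VerifyRequest verifyRequest = new VerifyRequest();
        verifyRequest.setKeyId(signContext.getKeyId());
        verifyRequest.setAlgorithm(signContext.getAlgorithm());
        // Must mirror the transformation applied when signing, otherwise KMS verifies different bytes
        byte[] payload = message.getBytes(StandardCharsets.UTF_8);
        if (!"RAW".equals(signContext.getMessageType())) {
            payload = MessageDigest.getInstance("SHA-256").digest(payload);
        }
        verifyRequest.setMessage(payload);
        verifyRequest.setMessageType(signContext.getMessageType());
        verifyRequest.setSignature(signContext.getSignature());
        try {
            // RuntimeOptions#setIgnoreSSL(true) disables server certificate validation; keep it to local debugging
            //RuntimeOptions runtimeOptions = new RuntimeOptions();
            //runtimeOptions.setIgnoreSSL(true);
            //VerifyResponse verifyResponse = client.verifyWithOptions(verifyRequest, runtimeOptions);
            VerifyResponse verifyResponse = client.verify(verifyRequest);
            // Only an explicit true from KMS counts as a valid signature
            boolean valid = Boolean.TRUE.equals(verifyResponse.getValue());
            System.out.println("================verify================");
            System.out.printf("KeyId: %s%n", verifyResponse.getKeyId());
            System.out.printf("Value: %s%n", verifyResponse.getValue());
            System.out.println("================verify================");
            return valid;
        } catch (TeaException e) {
            // e is already a TeaException; no cast needed
            System.out.printf("Code: %s%n", e.getCode());
            System.out.printf("Message: %s%n", e.getMessage());
            // getData() carries the HTTP-level details; guard it so reporting an error cannot itself throw
            if (e.getData() != null) {
                System.out.printf("HttpCode: %s%n", e.getData().get("httpCode"));
                System.out.printf("HostId: %s%n", e.getData().get("hostId"));
                System.out.printf("RequestId: %s%n", e.getData().get("requestId"));
            }
            e.printStackTrace();
            throw new RuntimeException(e);
        } catch (Exception e) {
            System.out.printf("verify errMsg: %s%n", e.getMessage());
            e.printStackTrace();
            throw new RuntimeException(e);
        }
    }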