Sign
Creates a digital signature for a message or message digest using an asymmetric KMS key.
Description
The `Sign` operation uses the private key of an asymmetric KMS key to generate a digital signature for a message or message digest. To verify the signature, call the `Verify` operation, or download the public key from QKMS and verify the signature outside of QKMS.
Note
- The KMS key must be asymmetric and its `KeyUsage` must be `SIGN_VERIFY`.
- The maximum message size is 4096 bytes.
- The message can be a message digest or a raw message.
- The signing algorithm must be compatible with the key spec of the KMS key.
Request Syntax
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.Sign
{
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Message": "SGVsbG8gV29ybGQ=",
"MessageType": "RAW",
"SigningAlgorithm": "RSASSA_PSS_SHA_256"
}
Values in italics indicate user input and should be replaced with actual values.
Request Parameters
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.Sign" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
KeyId | Identifies the asymmetric KMS key to use for signing. This must be the ID or ARN of an asymmetric KMS key with a KeyUsage of SIGN_VERIFY. | Yes | string |
Message | The message to be signed. The message can be up to 4096 bytes. | Yes | blob |
MessageType | Specifies the type of the message. Valid values are RAW or DIGEST. | No | string |
SigningAlgorithm | The signing algorithm to use. Valid values depend on the key spec of the KMS key. | Yes | string |
GrantTokens | A list of grant tokens. Use grant tokens when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. | No | array |
Examples
Example 1: Sign a message using RSA
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.Sign
{
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Message": "SGVsbG8gV29ybGQ=",
"MessageType": "RAW",
"SigningAlgorithm": "RSASSA_PSS_SHA_256"
}
Values in italics indicate user input and should be replaced with actual values.
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
"KeyId": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Signature": "Base64-encoded signature",
"SigningAlgorithm": "RSASSA_PSS_SHA_256"
}
Values in italics indicate variable response values.
Example 2: Sign a message digest using ECC
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.Sign
{
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Message": "Base64-encoded message digest",
"MessageType": "DIGEST",
"SigningAlgorithm": "ECDSA_SHA_384"
}
Values in italics indicate user input and should be replaced with actual values.
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
"KeyId": "arn:verenc:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"Signature": "Base64-encoded signature",
"SigningAlgorithm": "ECDSA_SHA_384"
}
Values in italics indicate variable response values.
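The following Python example is added here and is not QKMS client code; it builds the request bodies used in Examples 1 and 2 and decodes the response. It assumes that in DIGEST mode the digest must be computed with the hash named in the SigningAlgorithm suffix (for example ECDSA_SHA_384 expects a SHA-384 digest), and the signature value in the sample response is a constructed placeholder.

```python
import base64
import hashlib
import json

MAX_MESSAGE_BYTES = 4096  # limit stated on this page
# Assumption: the hash suffix of a SigningAlgorithm name is the digest
# expected in Message when MessageType is DIGEST (ECDSA_SHA_384 -> sha384).
_HASH_FOR_SUFFIX = {"SHA_256": "sha256", "SHA_384": "sha384", "SHA_512": "sha512"}


def digest_name(signing_algorithm):
    """Return the hashlib name implied by e.g. RSASSA_PSS_SHA_256."""
    for suffix, name in _HASH_FOR_SUFFIX.items():
        if signing_algorithm.endswith(suffix):
            return name
    raise ValueError("unsupported signing algorithm: " + signing_algorithm)


def build_sign_request(key_id, message, signing_algorithm,
                       message_type="RAW", grant_tokens=None):
    """Build the JSON body for X-Amz-Target: TrentService.Sign. For DIGEST the
    full message is hashed here so only the digest is sent; the 4096-byte limit
    applies to whatever actually goes into Message."""
    if message_type == "DIGEST":
        payload = hashlib.new(digest_name(signing_algorithm), message).digest()
    elif message_type == "RAW":
        payload = message
    else:
        raise ValueError("MessageType must be RAW or DIGEST")
    if len(payload) > MAX_MESSAGE_BYTES:
        raise ValueError("Message is %d bytes; limit is %d" % (len(payload), MAX_MESSAGE_BYTES))
    body = {
        "KeyId": key_id,
        "Message": base64.b64encode(payload).decode("ascii"),
        "MessageType": message_type,
        "SigningAlgorithm": signing_algorithm,
    }
    if grant_tokens:
        body["GrantTokens"] = list(grant_tokens)
    return body


def parse_sign_response(raw_json, expected_algorithm):
    """Decode a Sign response; reject one whose SigningAlgorithm differs from
    the request so Verify is later run with matching parameters."""
    resp = json.loads(raw_json)
    if resp.get("SigningAlgorithm") != expected_algorithm:
        raise ValueError("response SigningAlgorithm does not match the request")
    return resp["KeyId"], base64.b64decode(resp["Signature"], validate=True)
```

Send the returned body with the Content-Type and X-Amz-Target headers from the Request Syntax section; the decoded signature bytes are what you pass to `Verify` or to an offline check against the downloaded public key.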
Response Syntax
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1
{
"KeyId": "string",
"Signature": "blob",
"SigningAlgorithm": "string"
}
Values in italics indicate variable response values.
Response Elements
Name | Description | Required | Type |
---|---|---|---|
KeyId | The Amazon Resource Name (ARN) of the asymmetric KMS key that was used to sign the message. | No | string |
Signature | The cryptographic signature that was generated for the message (Base64-encoded in the JSON response). | No | blob |
SigningAlgorithm | The signing algorithm that was used to generate the signature. | No | string |
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
DisabledException | The request was rejected because the specified KMS key is disabled. |
InvalidKeyUsageException | The request was rejected because the specified KeyId value cannot be used for this operation. |
KeyUnavailableException | The request was rejected because the specified KMS key was not available. |
KMSInternalException | The request was rejected because an internal error occurred. |
KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
Permissions
To use the `Sign` operation, you must have the following permissions:
- `kms:Sign` on the KMS key (specified in the policy)