crypto sign ecdsa - AWS CloudHSM
User typeRequirementsSyntaxExampleArgumentsRelated topics

crypto sign ecdsa

The crypto sign ecdsa command generates a signature using an EC private key and the ECDSA signing mechanism.

To use the crypto sign ecdsa command, you must first have an EC private key in your AWS CloudHSM cluster. You can generate an EC private key using the key generate-asymmetric-pair ec command with the sign attribute set to true.

Note

Signatures can be verified in AWS CloudHSM with crypto verify subcommands.

User type

The following types of users can run this command.

  • Crypto users (CUs)

Requirements

  • To run this command, you must be logged in as a CU.

Syntax

aws-cloudhsm > help crypto sign ecdsa
Sign with the ECDSA mechanism

Usage: crypto sign ecdsa --key-filter [<KEY_FILTER>>...] --hash-function <HASH_FUNCTION> <--data-path <DATA_PATH>|--data <DATA>>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --key-filter [<KEY_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
      --hash-function <HASH_FUNCTION>
          [possible values: sha1, sha224, sha256, sha384, sha512]
      --data-path <DATA_PATH>
          The path to the file containing the data to be signed
      --data <DATA>
          Base64 Encoded data to be signed
  -h, --help
          Print help

Example

These examples show how to use crypto sign ecdsa to generate a signature using the ECDSA signing mechanism and SHA256 hash function. This command uses a private key in the HSM.

Example: Generate a signature for base 64 encoded data
aws-cloudhsm > crypto sign ecdsa --key-filter attr.label=ec-private --hash-function sha256 --data YWJjMTIz
{
  "error_code": 0,
  "data": {
    "key-reference": "0x00000000007808dd",
    "signature": "4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw=="
  }
}
Example: Generate a signature for a data file
aws-cloudhsm > crypto sign ecdsa --key-filter attr.label=ec-private --hash-function sha256 --data-path data.txt
{
  "error_code": 0,
  "data": {
    "key-reference": "0x00000000007808dd",
    "signature": "4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw=="
  }
}

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: If multiple clusters have been configured.

<DATA>

Base64 encoded data to be signed.

Required: Yes (unless provided through data path)

<DATA_PATH>

Specifies the location of the data to be signed.

Required: Yes (unless provided through data path)

<HASH_FUNCTION>

Specifies the hash function.

Valid values:

  • sha1

  • sha224

  • sha256

  • sha384

  • sha512

Required: Yes

<KEY_FILTER>

Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key.

For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.

Required: Yes

Related topics