AWS CloudHSM
User Guide

verify

The verify command in key_mgmt_util confirms whether or not a file has been signed by a given key. To do so, the verify command compares a signed file against a source file and analyzes whether they are cryptographically related based on a given public key and signing mechanism. Files can be signed in AWS CloudHSM with the sign operation.

Signing mechanisms are represented by the integers listed in the parameters section.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

Syntax

verify -h verify -f <message-file> -s <signature-file> -k <public-key-handle> -m <signature-mechanism>

Example

These examples show how to use verify to check whether a certain public key was used to sign a given file.

Example : Successfully Verify a File Signature

This command attempts to verify whether a file named hardwarCert.crt was signed by public key 262276 using the SHA256_RSA_PKCS signing mechanism to produce the hardwareCertSigned signed file. Because the given parameters represent a true signing relationship, the command returns a success message.

Command: verify -f hardwareCert.crt -s hardwareCertSigned -k 262276 -m 1 Signature verification successful Cfm3Verify returned: 0x00 : HSM Return: SUCCESS

Example : Prove False Signing Relationship

This command verifies whether a file named hardwareCert.crt was signed by public key 262276 using the SHA256_RSA_PKCS signing mechanism to produce the userCertSigned signed file. Because the given parameters do not make up a true signing relationship, the command returns an error message.

Command: verify -f hardwarecert.crt -s usercertsigned -k 262276 -m 1 Cfm3Verify rturned: 0x1b CSP Error: ERR_BAD_PKCS_DATA

Parameters

This command takes the following parameters.

-f

The name of the origin message file.

Required: Yes

-s

The name of the signed file.

Require: Yes

-k

The handle of the public key that is thought to be used to sign the file.

Required: Yes

-m

An integer that represents the proposed signing mechanism that is used to sign the file. The possible mechanisms correspond to the follow integers:

Signing Mechanism

Corresponding Integer

SHA1_RSA_PKCS

0

SHA256_RSA_PKCS

1

SHA384_RSA_PKCS

2

SHA512_RSA_PKCS

3

SHA224_RSA_PKCS

4

SHA1_RSA_PKCS_PSS

5

SHA256_RSA_PKCS_PSS

6

SHA384_RSA_PKCS_PSS

7

SHA512_RSA_PKCS_PSS

8

SHA224_RSA_PKCS_PSS

9

ECDSA_SHA1

15

ECDSA_SHA224

16

ECDSA_SHA256

17

ECDSA_SHA384

18

ECDSA_SHA512

19

Required: Yes

Related Topics