Verify the signature of a file using AWS CloudHSM KMU

Use the verify command in the AWS CloudHSM key_mgmt_util to confirm whether or not a file has been signed by a given key. To do so, the verify command compares a signed file against a source file and analyzes whether they are cryptographically related based on a given public key and signing mechanism. Files can be signed in AWS CloudHSM with the sign operation.

Signing mechanisms are represented by the integers listed in the parameters section.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

Syntax

verify -h

verify -f <message-file> -s <signature-file> -k <public-key-handle> -m <signature-mechanism>

Example

These examples show how to use verify to check whether a certain public key was used to sign a given file.

Example: Verify a file signature

This command attempts to verify whether a file named hardwareCert.crt was signed by public key 262276 using the SHA256_RSA_PKCS signing mechanism to produce the hardwareCertSigned signed file. Because the given parameters represent a true signing relationship, the command returns a success message.

Command: verify -f hardwareCert.crt -s hardwareCertSigned -k 262276 -m 1

Signature verification successful

Cfm3Verify returned: 0x00 : HSM Return: SUCCESS

Example: Prove false signing relationship

This command verifies whether a file named hardwareCert.crt was signed by public key 262276 using the SHA256_RSA_PKCS signing mechanism to produce the userCertSigned signed file. Because the given parameters do not make up a true signing relationship, the command returns an error message.

Command: verify -f hardwarecert.crt -s usercertsigned -k 262276 -m 1

Cfm3Verify returned: 0x1b CSP Error: ERR_BAD_PKCS_DATA

Parameters

This command takes the following parameters.

-f

The name of the origin message file.

Required: Yes

-s

The name of the signed file.

Required: Yes

-k

The handle of the public key that is thought to be used to sign the file.

Required: Yes

-m

An integer that represents the proposed signing mechanism that is used to sign the file. The possible mechanisms correspond to the following integers:

Signing Mechanism      Corresponding Integer
SHA1_RSA_PKCS          0
SHA256_RSA_PKCS        1
SHA384_RSA_PKCS        2
SHA512_RSA_PKCS        3
SHA224_RSA_PKCS        4
SHA1_RSA_PKCS_PSS      5
SHA256_RSA_PKCS_PSS    6
SHA384_RSA_PKCS_PSS    7
SHA512_RSA_PKCS_PSS    8
SHA224_RSA_PKCS_PSS    9
ECDSA_SHA1             15
ECDSA_SHA224           16
ECDSA_SHA256           17
ECDSA_SHA384           18
ECDSA_SHA512           19

Required: Yes
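When verify is driven from a script, the result should fail closed: only a Cfm3Verify return of 0x00 with SUCCESS counts as verified. The following is an added example, not AWS code; the helper names, the file-name allowlist and the positive-handle check are assumptions of this example, while the syntax, mechanism integers and output lines are the ones on this page.

```python
import re

# Mechanism integers copied from the Parameters table on this page.
MECHANISMS = {
    "SHA1_RSA_PKCS": 0, "SHA256_RSA_PKCS": 1, "SHA384_RSA_PKCS": 2,
    "SHA512_RSA_PKCS": 3, "SHA224_RSA_PKCS": 4,
    "SHA1_RSA_PKCS_PSS": 5, "SHA256_RSA_PKCS_PSS": 6,
    "SHA384_RSA_PKCS_PSS": 7, "SHA512_RSA_PKCS_PSS": 8,
    "SHA224_RSA_PKCS_PSS": 9, "ECDSA_SHA1": 15, "ECDSA_SHA224": 16,
    "ECDSA_SHA256": 17, "ECDSA_SHA384": 18, "ECDSA_SHA512": 19,
}

# Assumption: restrict file names to one plain token so they cannot add options.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._/][A-Za-z0-9._/-]*$")
_RETURN_LINE = re.compile(r"Cfm3Verify returned:\s*(0x[0-9a-fA-F]+)\b(.*)")

def build_verify_command(message_file, signature_file, key_handle, mechanism):
    """Return the verify line to enter at the key_mgmt_util prompt."""
    if mechanism not in MECHANISMS:
        raise ValueError(f"unknown signing mechanism: {mechanism}")
    for name in (message_file, signature_file):
        if not _SAFE_NAME.match(name):
            raise ValueError(f"unsafe file name: {name!r}")
    # Assumption: key handles are positive integers, as in the page's examples.
    if not isinstance(key_handle, int) or key_handle <= 0:
        raise ValueError("key handle must be a positive integer")
    return (f"verify -f {message_file} -s {signature_file} "
            f"-k {key_handle} -m {MECHANISMS[mechanism]}")

def parse_verify_output(output):
    """Return (verified, code, detail); anything unexpected is not verified."""
    matches = _RETURN_LINE.findall(output)
    if len(matches) != 1:
        return (False, None, "no single Cfm3Verify return line found")
    code, detail = matches[0]
    detail = detail.strip(" :")
    verified = int(code, 16) == 0 and detail.endswith("SUCCESS")
    return (verified, int(code, 16), detail)

# Constructed sample input: the two outputs shown in the examples on this page.
GOOD = ("Signature verification successful\n"
        "Cfm3Verify returned: 0x00 : HSM Return: SUCCESS\n")
BAD = "Cfm3Verify returned: 0x1b CSP Error: ERR_BAD_PKCS_DATA\n"

if __name__ == "__main__":
    print(build_verify_command("hardwareCert.crt", "hardwareCertSigned",
                               262276, "SHA256_RSA_PKCS"))
    for sample in (GOOD, BAD):
        print(parse_verify_output(sample))
```
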
