AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Syntax

Test-KMSSignature
    -Message <Byte[]>
    -GrantToken <String[]>
    -KeyId <String>
    -MessageType <MessageType>
    -Signature <Byte[]>
    -SigningAlgorithm <SigningAlgorithmSpec>
    -Select <String>
    -PassThru <SwitchParameter>
Description

If the signature is verified, the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with a KMSInvalidSignatureException exception.
A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
To verify a digital signature, you can use the Verify operation. Specify the same asymmetric KMS key, message, and signing algorithm that were used to produce the signature.
You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to verify the signature outside of KMS. The advantage of using the Verify operation is that it is performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key to verify signatures.
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.
Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.
Required permissions: kms:Verify (key policy)
Related operations: Sign

Parameters

-GrantToken <String[]>
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | GrantTokens |
-KeyId <String>
Identifies the asymmetric KMS key whose public key verifies the signature. When using an alias name, prefix it with "alias/". To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN. For example:
1234abcd-12ab-34cd-56ef-1234567890ab
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
alias/ExampleAlias
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
Required? | True |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
-Message <Byte[]>
The message that was signed, as either the raw message or a hash digest of it. If you submit a digest, use the MessageType parameter with a value of DIGEST. If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.
The cmdlet will automatically convert the supplied parameter of type string, string[], System.IO.FileInfo or System.IO.Stream to byte[] before supplying it to the service.
Required? | True |
Position? | 1 |
Accept pipeline input? | True (ByValue, ByPropertyName) |
-MessageType <MessageType>
Tells KMS whether the value of the Message parameter is a message or a message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.
Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
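The following script is an added example, not code from the AWS documentation page or from the AWS Tools for PowerShell module. It exercises both verification paths from the description above (Verify inside KMS, and verification outside KMS with the key downloaded by GetPublicKey) and the DIGEST usage described under -Message and -MessageType. It assumes PowerShell 7 (for RSA.ImportSubjectPublicKeyInfo), the AWS.Tools.KeyManagementService module with the cmdlets Invoke-KMSSigning, Test-KMSSignature and Get-KMSPublicKey, an asymmetric RSA_2048 SIGN_VERIFY key reachable under the made-up alias alias/ExampleAlias, and credentials permitted to call kms:Sign, kms:Verify and kms:GetPublicKey on it. The manifest strings are constructed sample input; the helper Test-SignatureInKms is defined here and is not part of the module.

```powershell
# Added example; not from the AWS documentation page or the AWS Tools for PowerShell module.
# Assumptions: PowerShell 7 (.NET 5+), AWS.Tools.KeyManagementService, an RSA_2048 SIGN_VERIFY
# key under the made-up alias alias/ExampleAlias (cross-account use needs the key ARN or alias
# ARN instead), and credentials allowed to call kms:Sign, kms:Verify and kms:GetPublicKey.
Import-Module AWS.Tools.KeyManagementService

$KeyId     = 'alias/ExampleAlias'
$Algorithm = 'RSASSA_PKCS1_V1_5_SHA_256'   # the verifier must pass exactly what the signer used
$Sha256    = [System.Security.Cryptography.SHA256]::Create()

# Constructed sample input: sign the SHA-256 digest of a manifest rather than the raw bytes, so
# only 32 bytes cross the wire. The digest length must match the algorithm's hash (SHA-256 here).
$Manifest = [System.Text.Encoding]::UTF8.GetBytes('release-manifest v42')
$Digest   = $Sha256.ComputeHash($Manifest)

$SignResponse = Invoke-KMSSigning -KeyId $KeyId -Message $Digest -MessageType DIGEST `
    -SigningAlgorithm $Algorithm -Select '*'
$Signature = $SignResponse.Signature.ToArray()   # Signature is returned as a MemoryStream

# Verify inside KMS. Because this is a KMS API call it is gated by key policy and IAM and logged
# in CloudTrail. A good signature returns True; a bad one surfaces as KMSInvalidSignatureException,
# so the helper maps that exception to $false and rethrows anything else (throttling, access denied).
function Test-SignatureInKms {
    param([byte[]]$DigestBytes, [byte[]]$SignatureBytes)
    try {
        return Test-KMSSignature -KeyId $KeyId -Message $DigestBytes -MessageType DIGEST `
            -Signature $SignatureBytes -SigningAlgorithm $Algorithm `
            -Select 'SignatureValid' -ErrorAction Stop
    } catch {
        # Type name check rather than a catch-by-type so the script parses before the module loads.
        if ($_.Exception.GetType().Name -ne 'KMSInvalidSignatureException') { throw }
        return $false
    }
}

$Tampered = $Sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('release-manifest v43'))
"KMS verify, original digest: $(Test-SignatureInKms $Digest $Signature)"
"KMS verify, tampered digest: $(Test-SignatureInKms $Tampered $Signature)"

# Verify outside KMS with the exported public key. No KMS call is made, so there is no CloudTrail
# record and no key-policy check; the caller must pin the key and the algorithm itself.
$PublicKeyResponse = Get-KMSPublicKey -KeyId $KeyId
if ($PublicKeyResponse.SigningAlgorithms -notcontains $Algorithm) {
    throw "Key $($PublicKeyResponse.KeyId) does not support $Algorithm"
}
$Spki      = $PublicKeyResponse.PublicKey.ToArray()   # DER-encoded SubjectPublicKeyInfo
$Rsa       = [System.Security.Cryptography.RSA]::Create()
$BytesRead = 0
$Rsa.ImportSubjectPublicKeyInfo($Spki, [ref]$BytesRead)
$Offline = $Rsa.VerifyHash($Digest, $Signature,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Offline verify, original digest: $Offline"
```

The two paths answer different questions: the in-KMS call proves that an identity authorized by the key policy asked KMS to verify, and leaves an audit record; the offline check only proves that the signature matches the exported key material, so the code doing it has to be trusted to have pinned the right key and padding scheme.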
-PassThru <SwitchParameter>
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
-Select <String>
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
-Signature <Byte[]>
The signature that the Sign operation generated.
The cmdlet will automatically convert the supplied parameter of type string, string[], System.IO.FileInfo or System.IO.Stream to byte[] before supplying it to the service.
Required? | True |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
-SigningAlgorithm <SigningAlgorithmSpec>
Required? | True |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Common credential and region parameters

-AccessKey
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | AK |
-Credential
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByValue, ByPropertyName) |
-EndpointUrl
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
-NetworkCredential
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByValue, ByPropertyName) |
-ProfileLocation
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | AWSProfilesLocation, ProfilesLocation |
-ProfileName
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | StoredCredentials, AWSProfileName |
-Region
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | RegionToCall |
-SecretKey
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | SK, SecretAccessKey |
-SessionToken
Required? | False |
Position? | Named |
Accept pipeline input? | True (ByPropertyName) |
Aliases | ST |
AWS Tools for PowerShell: 2.x.y.z