Showing content from http://cloud.google.com/kms/docs/create-validate-signatures below:

Creating and validating digital signatures | Cloud KMS

This topic provides information about creating and validating digital signatures based on asymmetric keys.

A digital signature is created using the private key portion of an asymmetric key. The signature is validated using the public key portion of the same asymmetric key.

Before you begin

Data versus digest

The input provided for AsymmetricSign requests can be passed through the data field or the digest field. These fields cannot both be specified at the same time. Some algorithms require the data field, such as raw algorithms and signing with a Cloud External Key Manager key.

Raw algorithms

"Raw" algorithms, identified by the RSA_SIGN_RAW_ prefix, are a variant of PKCS #1 signing that omits encoding into a DigestInfo. In the variant:

To use these algorithms:

By using raw algorithms, you can also sign a digest type for which a predefined algorithm is not available. For example, you can use an RSA_SIGN_RAW_2048 key to sign a SHA-512 PKCS #1 DigestInfo structure that you already computed externally. This process produces the same result as the standard RSA_SIGN_PKCS1_2048_SHA512 algorithm.
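The SHA-512 DigestInfo case above, as an added example that is not part of the original page or of Google's samples. It builds the externally computed DigestInfo, checks that it fits the PKCS #1 v1.5 block for the key size, and places it in the data field; the function names are hypothetical and the JSON body assumes the REST form of the AsymmetricSign request.

```python
import base64
import hashlib
import json

# DER header of a SHA-512 DigestInfo (RFC 8017, section 9.2, note 1): 19 bytes.
SHA512_DIGESTINFO_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")


def sha512_digest_info(message: bytes) -> bytes:
    """DER-encoded DigestInfo for SHA-512(message): 19 + 64 = 83 bytes."""
    return SHA512_DIGESTINFO_PREFIX + hashlib.sha512(message).digest()


def emsa_pkcs1_v1_5(t: bytes, key_bits: int) -> bytes:
    """The block 00 01 FF..FF 00 || T that a PKCS #1 v1.5 signer forms before
    the RSA private-key operation. Shown only to make the size limit visible;
    with a raw key the caller sends T, not this padded block."""
    k = key_bits // 8
    if len(t) > k - 11:  # at least eight FF bytes are required
        raise ValueError("input too long for a %d-bit key" % key_bits)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def raw_sign_request(message: bytes, key_bits: int = 2048) -> str:
    """Request body for an RSA_SIGN_RAW_2048 key: DigestInfo goes in `data`,
    never in `digest` (raw algorithms require the data field)."""
    digest_info = sha512_digest_info(message)
    emsa_pkcs1_v1_5(digest_info, key_bits)  # raises if it cannot fit
    return json.dumps({"data": base64.b64encode(digest_info).decode("ascii")})


if __name__ == "__main__":
    # Constructed sample input.
    print(raw_sign_request(b"constructed sample message"))
```
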

ECDSA support for other hash algorithms

Our ECDSA signing algorithms have the general format:

EC_SIGN_ELLIPTIC_CURVE_[DIGEST_ALGORITHM]

DIGEST_ALGORITHM has the value SHA256, SHA384, or SHA512. Because the hash is performed before you create the signature, these signing algorithms can also be used with digests other than SHA, such as Keccak. To use a Keccak digest, provide a Keccak hash value and use the SHA digest algorithm with the same length. For example, you can use a KECCAK256 digest in a request with the EC_SIGN_P256_SHA256 algorithm.

Creating a signature

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of Google Cloud CLI.

gcloud kms asymmetric-sign \
    --version key-version \
    --key key \
    --keyring key-ring \
    --location location \
    --digest-algorithm digest-algorithm \
    --input-file input-file \
    --signature-file signature-file

Replace key-version with the version of the key to use for signing. Replace key with the key name. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location of the key ring. Replace digest-algorithm with the algorithm to use. Omit digest-algorithm to send input-file to Cloud KMS to sign. Replace input-file and signature-file with the local paths for the file to sign and the signature file.

For information on all flags and possible values, run the command with the --help flag.

C#

To run this code, first set up a C# development environment and install the Cloud KMS C# SDK.

Go

To run this code, first set up a Go development environment and install the Cloud KMS Go SDK.

Java

To run this code, first set up a Java development environment and install the Cloud KMS Java SDK.

Node.js

To run this code, first set up a Node.js development environment and install the Cloud KMS Node.js SDK.

PHP

To run this code, first learn about using PHP on Google Cloud and install the Cloud KMS PHP SDK.

Python

To run this code, first set up a Python development environment and install the Cloud KMS Python SDK.

Ruby

To run this code, first set up a Ruby development environment and install the Cloud KMS Ruby SDK.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

Use the CryptoKeyVersions.asymmetricSign method to perform the signing. The response from this method contains the base64-encoded signature.

Tip: You can base64-encode or decode data using the base64 command on Linux or macOS, or the Base64.exe command on Windows. Programming and scripting languages typically include libraries for base64-encoding. For command-line examples, see Base64 Encoding in the Cloud Vision API documentation.

Validating an elliptic curve signature

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of Google Cloud CLI.

Get the public key

gcloud kms keys versions get-public-key key-version \
    --key key \
    --keyring key-ring \
    --location location \
    --output-file output-file

Replace key-version with the key version. Replace key with the name of the key. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location for the key ring. Replace output-file with the file path to save the public key on the local system.

For information on all flags and possible values, run the command with the --help flag.

Verify the signature

The OpenSSL commands to validate the signature depend on what signature type was created. For example, to validate a SHA-256 elliptic curve signature using OpenSSL, you must specify -sha256. To validate a SHA-384 elliptic curve signature, you must specify -sha384.

openssl dgst \
    -sha256 \
    -verify public-key-file \
    -signature signature-file \
    message-file

Replace the variables with your own values:

If the signature is valid, the command outputs the string Verified OK.

For information on all flags and possible values, run the command with the help subcommand.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

Use the CryptoKeyVersions.getPublicKey method to retrieve the public key, and then use the commands shown for the command-line example to validate the signature.

Validating an RSA signature

gcloud

To use Cloud KMS on the command line, first install or upgrade to the latest version of Google Cloud CLI.

Get the public key

gcloud kms keys versions get-public-key key-version \
    --key key \
    --keyring key-ring \
    --location location \
    --output-file output-file

Replace key-version with the key version. Replace key with the name of the key. Replace key-ring with the name of the key ring where the key is located. Replace location with the Cloud KMS location for the key ring. Replace output-file with the path to save the public key on the local system.

For information on all flags and possible values, run the command with the --help flag.

Verify the signature

The OpenSSL commands to validate the signature depend on what signature type was created. For example, to validate a SHA-256 RSA signature with PSS padding, you must specify -sha256 and -sigopt rsa_padding_mode:pss. To validate a SHA-512 RSA signature with PSS padding, you must specify -sha512 and -sigopt rsa_padding_mode:pss.

openssl dgst \
    -sha256 \
    -sigopt rsa_padding_mode:pss \
    -sigopt rsa_pss_saltlen:-1 \
    -verify public-key-file \
    -signature signature-file \
    message-file

Replace the variables with your own values:

If the signature is valid, the command outputs the string Verified OK.

For information on all flags and possible values, run the command with the help subcommand.

API

These examples use curl as an HTTP client to demonstrate using the API. For more information about access control, see Accessing the Cloud KMS API.

Use the CryptoKeyVersions.getPublicKey method to retrieve the public key, and then use the commands shown for the command-line example to validate the signature.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.
