# The crypto verify category in CloudHSM CLI In the CloudHSM CLI, **crypto verify** is a parent category for a group of commands that, when combined with the parent category, confirms whether a file has been signed by a given key. **crypto verify** has the following subcommands: + [crypto verify ecdsa](cloudhsm_cli-crypto-verify-ecdsa.md) + [crypto verify ed25519ph](cloudhsm_cli-crypto-verify-ed25519ph.md) + [crypto verify rsa-pkcs](cloudhsm_cli-crypto-verify-rsa-pkcs.md) + [crypto verify rsa-pkcs-pss](cloudhsm_cli-crypto-verify-rsa-pkcs-pss.md) The **crypto verify** command compares a signed file against a source file and analyzes whether they are cryptographically related based on a given public key and signing mechanism. **Note** Files can be signed in AWS CloudHSM with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) operation. # Verify a signature signed with the ECDSA mechanism in CloudHSM CLI Use the **crypto verify ecdsa** command in CloudHSM CLI to complete the following operations: + Confirm a file has been signed in the HSM by a given public key. + Verify the signature was generated using the ECDSA signing mechanism. + Compare a signed file against a source file and determine whether the two are cryptographically related based on a given ecdsa public key and signing mechanism. + The ECDSA verification function expects the signature in the format `r||s`, where the r and s components are concatenated as raw binary data. To use the **crypto verify ecdsa** command, you must first have an EC public key in your AWS CloudHSM cluster. You can import an EC public key using the [Import a PEM format key with CloudHSM CLI](cloudhsm_cli-key-import-pem.md) command with the `verify` attribute set to `true`. **Note** You can generate a signature in CloudHSM CLI with [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands. ## User type The following types of users can run this command. + Crypto users (CUs) ## Requirements + To run this command, you must be logged in as a CU. ## Syntax ``` aws-cloudhsm > help crypto verify ecdsa Verify with the ECDSA mechanism Usage: crypto verify ecdsa --key-filter [...] --hash-function <--data-path |--data > <--signature-path |--signature > Options: --cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --key-filter [...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key --hash-function [possible values: sha1, sha224, sha256, sha384, sha512] --data-path The path to the file containing the data to be verified --data Base64 encoded data to be verified --signature-path The path to where the signature is located --signature Base64 encoded signature to be verified --data-type The type of data passed in, either raw or digest [possible values: raw, digest] -h, --help Print help ``` ## Example These examples show how to use **crypto verify ecdsa** to verify a signature that was generated using the ECDSA signing mechanism and `SHA256` hash function. This command uses a public key in the HSM. **Example: Verify a Base64 encoded signature with Base64 encoded data** ``` aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data YWJjMTIz --signature 4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw== { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Verify a signature file with a data file** ``` aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data-path data.txt --signature-path signature-file { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Prove false signing relationship** This command verifies whether the data located at `/home/data` was signed by a public key with the label `ecdsa-public` using the ECDSA signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message. ``` aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data aW52YWxpZA== --signature +ogk7M7S3iTqFg3SndJfd91dZFr5Qo6YixJl8JwcvqqVgsVuO6o+VKvTRjz0/V05kf3JJbBLr87Q+wLWcMAJfA== { "error_code": 1, "data": "Signature verification failed" } ``` ## Arguments ****** The ID of the cluster to run this operation on. Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md) ****** Base64 encoded data to be signed. Required: Yes (unless provided through data path) ****** Specifies the location of the data to be signed. Required: Yes (unless provided through data path) ****** Specifies the hash function. Valid values: + sha1 + sha224 + sha256 + sha384 + sha512 Required: Yes ****** Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key. For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI. Required: Yes ****** Base64 encoded signature. Required: Yes (unless provided through signature path) ****** Specifies the location of the signature. Required: Yes (unless provided through signature path) ****** Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. Valid values: + raw + digest ## Related topics + [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) + [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) # Verify a signature signed with the HashEdDSA mechanism in CloudHSM CLI **Important** HashEdDSA signature verification operations are only supported on hsm2m.medium instances in non-FIPS mode. Use the **crypto verify ed25519ph** command in CloudHSM CLI to complete the following operations: + Verify signatures of data or files using a given Ed25519 public key. + Confirm the signature was generated using the HashEdDSA signing mechanism. For additional information on HashEdDSA, see [NIST SP 186-5, Section 7.8](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf). To use the **crypto verify ed25519ph** command, you must first have an Ed25519 public key in your AWS CloudHSM cluster. You can generate an Ed25519 key pair using the [Generate an asymmetric EC key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-ec.md) command with the `curve` parameter set to `ed25519` and the `verify` attribute set to `true`, or import an Ed25519 public key using the [Import a PEM format key with CloudHSM CLI](cloudhsm_cli-key-import-pem.md) command with the `verify` attribute set to `true`. **Note** You can generate a signature in CloudHSM CLI with [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands. ## User type The following types of users can run this command. + Crypto users (CUs) ## Requirements + To run this command, you must be logged in as a CU. + HashEdDSA signature verification operations are only supported on hsm2m.medium instances in non-FIPS mode. ## Syntax ``` aws-cloudhsm > help crypto verify ed25519ph Verify with the Ed25519ph mechanism Usage: crypto verify ed25519ph [OPTIONS] --key-filter [...] --data-type --hash-function <--data-path |--data > <--signature-path |--signature > Options: --cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --key-filter [...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key --data-path The path to the file containing the data to be verified --data Base64 encoded data to be verified --signature-path The path to where the signature is located --signature Base64 encoded signature to be verified --data-type The type of data passed in, either raw or digest [possible values: raw, digest] --hash-function Hash function [possible values: sha512] -h, --help Print help ``` ## Example These examples show how to use **crypto verify ed25519ph** to verify a signature that was generated using the Ed25519ph signing mechanism and `sha512` hash function. This command uses an Ed25519 public key in the HSM. **Example: Verify a Base64 encoded signature with Base64 encoded data** ``` aws-cloudhsm > crypto verify ed25519ph \ --hash-function sha512 \ --key-filter attr.label=ed25519-public \ --data-type raw \ --data YWJj \ --signature mKcCIvC4Ehqp0w+BPWg/gJ5GK0acf/h2OUmbuU5trkEx+FBCRjwqNVogA9BirfWqoQuMYeY2Biqq0RwqJgg0Bg== { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Verify a signature file with a data file** ``` aws-cloudhsm > crypto verify ed25519ph \ --hash-function sha512 \ --key-filter attr.label=ed25519-public \ --data-type raw \ --data-path data.txt \ --signature-path signature-file { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` ## Arguments ****** The ID of the cluster to run this operation on. Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md) ****** Base64 encoded data to be verified. Required: Yes (unless provided through data path) ****** Specifies the location of the data to be verified. Required: Yes (unless provided through data parameter) ****** Specifies the hash function. Ed25519ph only supports SHA512. Valid values: + sha512 Required: Yes ****** Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key. For a listing of supported CloudHSM CLI key attributes, see [Key attributes for CloudHSM CLI](cloudhsm_cli-key-attributes.md). Required: Yes ****** Base64 encoded signature. Required: Yes (unless provided through signature path) ****** Specifies the location of the signature. Required: Yes (unless provided through signature parameter) ****** Specifies whether the value of the data parameter should be hashed as part of the verification algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. Valid values: + raw + digest Required: Yes ## Related topics + [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) + [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) + [Generate a signature with the HashEdDSA mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-ed25519ph.md) # Verify a signature signed with the RSA-PKCS mechanism in CloudHSM CLI Use the **crypto verify rsa-pkcs** command in CloudHSM CLI complete the following operations: + Confirm a file has been signed in the HSM by a given public key. + Verify the signature was generated using the `RSA-PKCS` signing mechanism. + Compare a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism. To use the **crypto verify rsa-pkcs** command, you must first have an RSA public key in your AWS CloudHSM cluster. **Note** You can generate a signature using the CloudHSM CLI with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands. ## User type The following types of users can run this command. + Crypto users (CUs) ## Requirements + To run this command, you must be logged in as a CU. ## Syntax ``` aws-cloudhsm > help crypto verify rsa-pkcs Verify with the RSA-PKCS mechanism Usage: crypto verify rsa-pkcs --key-filter [...] --hash-function <--data-path |--data > <--signature-path |--signature > Options: --cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --key-filter [...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key --hash-function [possible values: sha1, sha224, sha256, sha384, sha512] --data-path The path to the file containing the data to be verified --data Base64 encoded data to be verified --signature-path The path to where the signature is located --signature Base64 encoded signature to be verified --data-type The type of data passed in, either raw or digest [possible values: raw, digest] -h, --help Print help ``` ## Example These examples show how to use **crypto verify rsa-pkcs** to verify a signature that was generated using the RSA-PKCS signing mechanism and `SHA256` hash function. This command uses a public key in the HSM. **Example: Verify a Base64 encoded signature with Base64 encoded data** ``` aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data YWJjMTIz --signature XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ== { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Verify a signature file with a data file** ``` aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data-path data.txt --signature-path signature-file { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Prove false signing relationship** This command verifies whether the invalid data was signed by a public key with the label `rsa-public` using the RSAPKCS signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message. ``` aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data aW52YWxpZA== --signature XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ== { "error_code": 1, "data": "Signature verification failed" } ``` ## Arguments ****** The ID of the cluster to run this operation on. Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md) ****** Base64 encoded data to be signed. Required: Yes (unless provided through data path) ****** Specifies the location of the data to be signed. Required: Yes (unless provided through data path) ****** Specifies the hash function. Valid values: + sha1 + sha224 + sha256 + sha384 + sha512 Required: Yes ****** Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key. For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI. Required: Yes ****** Base64 encoded signature. Required: Yes (unless provided through signature path) ****** Specifies the location of the signature. Required: Yes (unless provided through signature path) ****** Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. For RSA-PKCS, the data must be passed in DER encoded format as specified in [RFC 8017, Section 9.2](https://www.rfc-editor.org/rfc/rfc8017#section-9.2) Valid values: + raw + digest ## Related topics + [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) + [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) # Verify a signature signed with the RSA-PKCS-PSS mechanism in CloudHSM CLI Use the **crypto sign rsa-pkcs-pss** command in CloudHSM CLI to complete the following operations. + Confirm a file has been signed in the HSM by a given public key. + Verify the signature was generated using the RSA-PKCS-PSS signing mechanism. + Compare a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism. To use the **crypto verify rsa-pkcs-pss** command, you must first have an RSA public key in your AWS CloudHSM cluster. You can import an RSA public key using the key import pem command ADD UNWRAP LINK HERE) with the `verify` attribute set to `true`. **Note** You can generate a signature using the CloudHSM CLI with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands. ## User type The following types of users can run this command. + Crypto users (CUs) ## Requirements + To run this command, you must be logged in as a CU. ## Syntax ``` aws-cloudhsm > help crypto verify rsa-pkcs-pss Verify with the RSA-PKCS-PSS mechanism Usage: crypto verify rsa-pkcs-pss --key-filter [...] --hash-function --mgf --salt-length >SALT_LENGTH< <--data-path |--data <--signature-path |--signature > Options: --cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --key-filter [...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key --hash-function [possible values: sha1, sha224, sha256, sha384, sha512] --data-path The path to the file containing the data to be verified --data Base64 encoded data to be verified --signature-path The path to where the signature is located --signature Base64 encoded signature to be verified --data-type The type of data passed in, either raw or digest [possible values: raw, digest] --mgf The mask generation function [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512] --salt-length The salt length -h, --help Print help ``` ## Example These examples show how to use **crypto verify rsa-pkcs-pss** to verify a signature that was generated using the RSA-PKCS-PSS signing mechanism and `SHA256` hash function. This command uses a public key in the HSM. **Example: Verify a Base64 encoded signature with Base64 encoded data** ``` aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data YWJjMTIz --salt-length 10 --mgf mgf1-sha256 --signature H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg== { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Verify a signature file with a data file** ``` aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data-path data.txt --salt-length 10 --mgf mgf1-sha256 --signature signature-file { "error_code": 0, "data": { "message": "Signature verified successfully" } } ``` **Example: Prove false signing relationship** This command verifies whether the invalid data was signed by a public key with the label `rsa-public` using the RSAPKCSPSS signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message. ``` aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data aW52YWxpZA== --salt-length 10 --mgf mgf1-sha256 --signature H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg== { "error_code": 1, "data": "Signature verification failed" } ``` ## Arguments ****** The ID of the cluster to run this operation on. Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md) ****** Base64 encoded data to be signed. Required: Yes (unless provided through data path) ****** Specifies the location of the data to be signed. Required: Yes (unless provided through data path) ****** Specifies the hash function. Valid values: + sha1 + sha224 + sha256 + sha384 + sha512 Required: Yes ****** Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key. For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI. Required: Yes ****** Specifies the mask generation function. The mask generation function hash function must match the signing mechanism hash function. Valid values: + mgf1-sha1 + mgf1-sha224 + mgf1-sha256 + mgf1-sha384 + mgf1-sha512 Required: Yes ****** Base64 encoded signature. Required: Yes (unless provided through signature path) ****** Specifies the location of the signature. Required: Yes (unless provided through signature path) ****** Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed. Valid values: + raw + digest ## Related topics + [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) + [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)