Navigation Guide
You are on a Command (operation) page with structural examples. Use the navigation breadcrumb if you would like to return to the Client landing page.

VerifyCommand

Verifies a digital signature that was generated by the Sign operation.

Verification confirms that an authorized user signed the message with the specified KMS key and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.

A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

To use the Verify operation, specify the same asymmetric KMS key, message, and signing algorithm that were used to produce the signature. The message type does not need to be the same as the one used for signing, but it must indicate whether the value of the Message parameter should be hashed as part of the verification process.

You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to verify the signature outside of KMS. The advantage of using the Verify operation is that it is performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key to verify signatures.

To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678 as the distinguishing ID. For more information, see Offline verification with SM2 key pairs .

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Verify (key policy)

Related operations: Sign

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency .

Example Syntax

Use a bare-bones client and the command you need to make an API call.

import { KMSClient, VerifyCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, VerifyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const client = new KMSClient(config);
const input = { // VerifyRequest
  KeyId: "STRING_VALUE", // required
  Message: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
  MessageType: "RAW" || "DIGEST",
  Signature: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")   // required
  SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA", // required
  GrantTokens: [ // GrantTokenList
    "STRING_VALUE",
  ],
  DryRun: true || false,
};
const command = new VerifyCommand(input);
const response = await client.send(command);
// { // VerifyResponse
//   KeyId: "STRING_VALUE",
//   SignatureValid: true || false,
//   SigningAlgorithm: "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA",
// };

Example Usage

Loading code editorLoading code editor

VerifyCommand Input

See VerifyCommandInput for more details

Parameter	Type	Description
`KeyId` Required	`string \| undefined`	Identifies the asymmetric KMS key that will be used to verify the signature. This must be the same KMS key that was used to generate the signature. If you specify a different KMS key, the signature verification fails. To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with `"alias/"`. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN. For example: Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab` Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab` Alias name: `alias/ExampleAlias` Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias` To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.
`Message` Required	`Uint8Array \| undefined`	Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the `MessageType` parameter with a value of `DIGEST`. If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.
`Signature` Required	`Uint8Array \| undefined`	The signature that the `Sign` operation generated.
`SigningAlgorithm` Required	`SigningAlgorithmSpec \| undefined`	The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.
`DryRun`	`boolean \| undefined`	Checks if your request will succeed. `DryRun` is an optional parameter. To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
`GrantTokens`	`string[] \| undefined`	A list of grant tokens. Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.
`MessageType`	`MessageType \| undefined`	Tells KMS whether the value of the `Message` parameter should be hashed as part of the signing algorithm. Use `RAW` for unhashed messages; use `DIGEST` for message digests, which are already hashed. When the value of `MessageType` is `RAW`, KMS uses the standard signing algorithm, which begins with a hash function. When the value is `DIGEST`, KMS skips the hashing step in the signing algorithm. Use the `DIGEST` value only when the value of the `Message` parameter is a message digest. If you use the `DIGEST` value with an unhashed message, the security of the verification operation can be compromised. When the value of `MessageType`is `DIGEST`, the length of the `Message` value must match the length of hashed messages for the specified signing algorithm. You can submit a message digest and omit the `MessageType` or specify `RAW` so the digest is hashed again while signing. However, if the signed message is hashed once while signing, but twice while verifying, verification fails, even when the message hasn't changed. The hashing algorithm in that `Verify` uses is based on the `SigningAlgorithm` value. Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm. Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm. Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm. SM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs .

VerifyCommand Output

See VerifyCommandOutput for details

Parameter	Type	Description
`$metadata` Required	`ResponseMetadata`	Metadata pertaining to this request.
`KeyId`	`string \| undefined`	The Amazon Resource Name (key ARN ) of the asymmetric KMS key that was used to verify the signature.
`SignatureValid`	`boolean \| undefined`	A Boolean value that indicates whether the signature was verified. A value of `True` indicates that the `Signature` was produced by signing the `Message` with the specified `KeyID` and `SigningAlgorithm.` If the signature is not verified, the `Verify` operation fails with a `KMSInvalidSignatureException` exception.
`SigningAlgorithm`	`SigningAlgorithmSpec \| undefined`	The signing algorithm that was used to verify the signature.

Throws

Name	Fault	Details
DependencyTimeoutException	server	The system timed out while trying to fulfill the request. You can retry the request.
DisabledException	client	The request was rejected because the specified KMS key is not enabled.
DryRunOperationException	client	The request was rejected because the DryRun parameter was specified.
InvalidGrantTokenException	client	The request was rejected because the specified grant token is not valid.
InvalidKeyUsageException	client	The request was rejected for one of the following reasons: The `KeyUsage` value of the KMS key is incompatible with the API operation. The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key `(KeySpec`). For encrypting, decrypting, re-encrypting, and generating data keys, the `KeyUsage` must be `ENCRYPT_DECRYPT`. For signing and verifying messages, the `KeyUsage` must be `SIGN_VERIFY`. For generating and verifying message authentication codes (MACs), the `KeyUsage` must be `GENERATE_VERIFY_MAC`. For deriving key agreement secrets, the `KeyUsage` must be `KEY_AGREEMENT`. To find the `KeyUsage` of a KMS key, use the DescribeKey operation. To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.
KeyUnavailableException	server	The request was rejected because the specified KMS key was not available. You can retry the request.
KMSInternalException	server	The request was rejected because an internal exception occurred. The request can be retried.
KMSInvalidSignatureException	client	The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that signature was produced by signing the specified message with the specified KMS key and signing algorithm.
KMSInvalidStateException	client	The request was rejected because the state of the specified resource is not valid for this request. This exceptions means one of the following: The key state of the KMS key is not compatible with the operation. To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide . For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.
NotFoundException	client	The request was rejected because the specified entity or resource could not be found.
KMSServiceException		Base exception class for all service exceptions from KMS service.

Getting Started

References