Use Sign with an AWS SDK or CLI
The following code examples show how to use Sign.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
- CLI
-
- AWS CLI
-
Example 1: To generate a digital signature for a message
The following
signexample generates a cryptographic signature for a short message. The output of the command includes a base-64 encodedSignaturefield that you can verify by using theverifycommand.You must specify a message to sign and a signing algorithm that your asymmetric KMS key supports. To get the signing algorithms for your KMS key, use the
describe-keycommand.In AWS CLI 2.0, the value of the
messageparameter must be Base64-encoded. Or, you can save the message in a file and use thefileb://prefix, which tells the AWS CLI to read binary data from the file.Before running this command, replace the example key ID with a valid key ID from your AWS account. The key ID must represent an asymmetric KMS key with a key usage of SIGN_VERIFY.
msg=(echo 'Hello World' | base64) aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://UnsignedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256Output:
{ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Signature": "ABCDEFhpyVYyTxbafE74ccSvEJLJr3zuoV1Hfymz4qv+/fxmxNLA7SE1SiF8lHw80fKZZ3bJ...", "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" }For more information about using asymmetric KMS keys in AWS KMS, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.
Example 2: To save a digital signature in a file (Linux and macOs)
The following
signexample generates a cryptographic signature for a short message stored in a local file. The command also gets theSignatureproperty from the response, Base64-decodes it and saves it in the ExampleSignature file. You can use the signature file in averifycommand that verifies the signature.The
signcommand requires a Base64-encoded message and a signing algorithm that your asymmetric KMS key supports. To get the signing algorithms that your KMS key supports, use thedescribe-keycommand.Before running this command, replace the example key ID with a valid key ID from your AWS account. The key ID must represent an asymmetric KMS key with a key usage of SIGN_VERIFY.
echo 'hello world' | base64 > EncodedMessage aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://EncodedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \ --output text \ --query Signature | base64 --decode > ExampleSignatureThis command produces no output. This example extracts the
Signatureproperty of the output and saves it in a file.For more information about using asymmetric KMS keys in AWS KMS, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.
-
For API details, see Sign
in AWS CLI Command Reference.
-
- Java
-
- SDK for Java 2.x
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
. /** * Asynchronously signs and verifies data using AWS KMS. * * <p>The method performs the following steps: * <ol> * <li>Creates an AWS KMS key with the specified key spec, key usage, and origin.</li> * <li>Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * <li>Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.</li> * </ol> * * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture<Boolean> signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); }-
For API details, see Sign in AWS SDK for Java 2.x API Reference.
-
- PHP
-
- SDK for PHP
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
. /*** * @param string $keyId * @param string $message * @param string $algorithm * @return Result */ public function sign(string $keyId, string $message, string $algorithm) { try { return $this->client->sign([ 'KeyId' => $keyId, 'Message' => $message, 'SigningAlgorithm' => $algorithm, ]); }catch(KmsException $caught){ echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } }-
For API details, see Sign in AWS SDK for PHP API Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
. class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise-
For API details, see Sign in AWS SDK for Python (Boto3) API Reference.
-
For a complete list of AWS SDK developer guides and code examples, see Using this service with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.
