com.amazonaws.services.kms.model

Class VerifyRequest

java.lang.Object

com.amazonaws.AmazonWebServiceRequest

com.amazonaws.services.kms.model.VerifyRequest

All Implemented Interfaces:

java.io.Serializable, java.lang.Cloneable

public class VerifyRequest
extends AmazonWebServiceRequest
implements java.io.Serializable

Verifies a digital signature that was generated by the Sign operation.

Verification confirms that an authorized user signed the message with the specified CMK and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.

A digital signature is generated by using the private key in an asymmetric CMK. The signature is verified by using the public key in the same asymmetric CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

To verify a digital signature, you can use the Verify operation. Specify the same asymmetric CMK, message, and signing algorithm that were used to produce the signature.

You can also verify the digital signature by using the public key of the CMK outside of AWS KMS. Use the GetPublicKey operation to download the public key in the asymmetric CMK and then use the public key to verify the signature outside of AWS KMS. The advantage of using the Verify operation is that it is performed within AWS KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the CMK to verify signatures.

The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Verify (key policy)

Related operations: Sign

See Also:

Serialized Form

Constructor Summary

Constructors

Constructor and Description
VerifyRequest()

Method Summary

Modifier and Type	Method and Description
boolean	equals(java.lang.Object obj)
java.util.List<java.lang.String>	getGrantTokens() A list of grant tokens.
java.lang.String	getKeyId() Identifies the asymmetric CMK that will be used to verify the signature.
java.nio.ByteBuffer	getMessage() Specifies the message that was signed.
java.lang.String	getMessageType() Tells AWS KMS whether the value of the Message parameter is a message or message digest.
java.nio.ByteBuffer	getSignature() The signature that the Sign operation generated.
java.lang.String	getSigningAlgorithm() The signing algorithm that was used to sign the message.
int	hashCode()
void	setGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
void	setKeyId(java.lang.String keyId) Identifies the asymmetric CMK that will be used to verify the signature.
void	setMessage(java.nio.ByteBuffer message) Specifies the message that was signed.
void	setMessageType(MessageType messageType) Tells AWS KMS whether the value of the Message parameter is a message or message digest.
void	setMessageType(java.lang.String messageType) Tells AWS KMS whether the value of the Message parameter is a message or message digest.
void	setSignature(java.nio.ByteBuffer signature) The signature that the Sign operation generated.
void	setSigningAlgorithm(SigningAlgorithmSpec signingAlgorithm) The signing algorithm that was used to sign the message.
void	setSigningAlgorithm(java.lang.String signingAlgorithm) The signing algorithm that was used to sign the message.
java.lang.String	toString() Returns a string representation of this object; useful for testing and debugging.
VerifyRequest	withGrantTokens(java.util.Collection<java.lang.String> grantTokens) A list of grant tokens.
VerifyRequest	withGrantTokens(java.lang.String... grantTokens) A list of grant tokens.
VerifyRequest	withKeyId(java.lang.String keyId) Identifies the asymmetric CMK that will be used to verify the signature.
VerifyRequest	withMessage(java.nio.ByteBuffer message) Specifies the message that was signed.
VerifyRequest	withMessageType(MessageType messageType) Tells AWS KMS whether the value of the Message parameter is a message or message digest.
VerifyRequest	withMessageType(java.lang.String messageType) Tells AWS KMS whether the value of the Message parameter is a message or message digest.
VerifyRequest	withSignature(java.nio.ByteBuffer signature) The signature that the Sign operation generated.
VerifyRequest	withSigningAlgorithm(SigningAlgorithmSpec signingAlgorithm) The signing algorithm that was used to sign the message.
VerifyRequest	withSigningAlgorithm(java.lang.String signingAlgorithm) The signing algorithm that was used to sign the message.

Methods inherited from class com.amazonaws.AmazonWebServiceRequest

clone, getCloneRoot, getCloneSource, getGeneralProgressListener, getRequestClientOptions, getRequestCredentials, getRequestMetricCollector, setGeneralProgressListener, setRequestCredentials, setRequestMetricCollector, withGeneralProgressListener, withRequestMetricCollector

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

VerifyRequest

public VerifyRequest()

Method Detail

getKeyId

public java.lang.String getKeyId()

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Returns:

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

setKeyId

public void setKeyId(java.lang.String keyId)

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

withKeyId

public VerifyRequest withKeyId(java.lang.String keyId)

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 2048

Parameters:

keyId -

Identifies the asymmetric CMK that will be used to verify the signature. This must be the same CMK that was used to generate the signature. If you specify a different CMK, the signature verification fails.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Returns:

A reference to this updated object so that method calls can be chained together.

getMessage

public java.nio.ByteBuffer getMessage()

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

Constraints:
Length: 1 - 4096

Returns:

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

setMessage

public void setMessage(java.nio.ByteBuffer message)

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

Constraints:
Length: 1 - 4096

Parameters:

message -

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

withMessage

public VerifyRequest withMessage(java.nio.ByteBuffer message)

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 4096

Parameters:

message -

Specifies the message that was signed. You can submit a raw message of up to 4096 bytes, or a hash digest of the message. If you submit a digest, use the MessageType parameter with a value of DIGEST.

If the message specified here is different from the message that was signed, the signature verification fails. A message and its hash digest are considered to be the same message.

Returns:

A reference to this updated object so that method calls can be chained together.

getMessageType

public java.lang.String getMessageType()

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Constraints:
Allowed Values: RAW, DIGEST

Returns:

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

See Also:

MessageType

setMessageType

public void setMessageType(java.lang.String messageType)

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Constraints:
Allowed Values: RAW, DIGEST

Parameters:

messageType -

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

See Also:

MessageType

withMessageType

public VerifyRequest withMessageType(java.lang.String messageType)

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: RAW, DIGEST

Parameters:

messageType -

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

MessageType

setMessageType

public void setMessageType(MessageType messageType)

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Constraints:
Allowed Values: RAW, DIGEST

Parameters:

messageType -

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

See Also:

MessageType

withMessageType

public VerifyRequest withMessageType(MessageType messageType)

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: RAW, DIGEST

Parameters:

messageType -

Tells AWS KMS whether the value of the Message parameter is a message or message digest. The default value, RAW, indicates a message. To indicate a message digest, enter DIGEST.

Use the DIGEST value only when the value of the Message parameter is a message digest. If you use the DIGEST value with a raw message, the security of the verification operation can be compromised.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

MessageType

getSignature

public java.nio.ByteBuffer getSignature()

The signature that the Sign operation generated.

Constraints:
Length: 1 - 6144

Returns:

The signature that the Sign operation generated.

setSignature

public void setSignature(java.nio.ByteBuffer signature)

The signature that the Sign operation generated.

Constraints:
Length: 1 - 6144

Parameters:

signature -

The signature that the Sign operation generated.

withSignature

public VerifyRequest withSignature(java.nio.ByteBuffer signature)

The signature that the Sign operation generated.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Length: 1 - 6144

Parameters:

signature -

The signature that the Sign operation generated.

Returns:

A reference to this updated object so that method calls can be chained together.

getSigningAlgorithm

public java.lang.String getSigningAlgorithm()

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Constraints:
Allowed Values: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512

Returns:

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

See Also:

SigningAlgorithmSpec

setSigningAlgorithm

public void setSigningAlgorithm(java.lang.String signingAlgorithm)

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Constraints:
Allowed Values: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512

Parameters:

signingAlgorithm -

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

See Also:

SigningAlgorithmSpec

withSigningAlgorithm

public VerifyRequest withSigningAlgorithm(java.lang.String signingAlgorithm)

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512

Parameters:

signingAlgorithm -

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

SigningAlgorithmSpec

setSigningAlgorithm

public void setSigningAlgorithm(SigningAlgorithmSpec signingAlgorithm)

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Constraints:
Allowed Values: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512

Parameters:

signingAlgorithm -

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

See Also:

SigningAlgorithmSpec

withSigningAlgorithm

public VerifyRequest withSigningAlgorithm(SigningAlgorithmSpec signingAlgorithm)

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Returns a reference to this object so that method calls can be chained together.

Constraints:
Allowed Values: RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512

Parameters:

signingAlgorithm -

The signing algorithm that was used to sign the message. If you submit a different algorithm, the signature verification fails.

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

SigningAlgorithmSpec

getGrantTokens

public java.util.List<java.lang.String> getGrantTokens()

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

setGrantTokens

public void setGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

withGrantTokens

public VerifyRequest withGrantTokens(java.lang.String... grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

withGrantTokens

public VerifyRequest withGrantTokens(java.util.Collection<java.lang.String> grantTokens)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns a reference to this object so that method calls can be chained together.

Parameters:

grantTokens -

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Returns:

A reference to this updated object so that method calls can be chained together.

toString

public java.lang.String toString()

Returns a string representation of this object; useful for testing and debugging.

Overrides:

toString in class java.lang.Object

Returns:

A string representation of this object.

See Also:

Object.toString()

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object