SM2 Signature Verification

Product Overview

Features

Product Strengths

Use Cases

Concepts

Product Introduction

Billing Overview

Purchase Method

Payment Overdue

Purchase Guide

Getting Started

Creating a Key

Viewing keys

Editing Key

Enabling/Disabling Key

Key Rotation

Encryption and Decryption

Deleting Key

Key Management

Overview

Managing Sub-account

Creating Access Control Policy

Access Control

Operations Logged by CloudAudit

Viewing Audit Logs

Audit

Console Guide

Operation Overview

Creating Key

Viewing Key

Asymmetric key decryption

 TCCLI Management Guide 

Encrypting/Decrypting Sensitive Data

 Envelope Encryption/Decryption

Symmetrical Encryption and Decryption

Asymmetric Data Encryption and Decryption

Asymmetric Signature Verification

Asymmetric Encryption and Decryption

Post-Quantum Cryptography Practice In KMS

Operation Guide

 Importing External Key

Implementing Exponential Backoff to Deal with Service Frequency

Practical Tutorial

History

Introduction

API Category

Request Structure

Common Params

Signature v3

Signature

Responses

Making API Requests

UpdateKeyDescription

UpdateAlias

ReEncrypt

ListKeys

ListKeyDetail

GetServiceStatus

GetKeyRotationStatus

GenerateDataKey

Encrypt

EnableKeys

EnableKeyRotation

EnableKey

DisableKeys

DisableKeyRotation

DisableKey

DescribeKeys

DescribeKey

Decrypt

CreateKey

ScheduleKeyDeletion

ImportKeyMaterial

GetParametersForImport

GenerateRandom

DeleteImportedKeyMaterial

CancelKeyDeletion

ListAlgorithms

UnbindCloudResource

BindCloudResource

GetRegions

CancelKeyArchive

ArchiveKey

PostQuantumCryptoEncrypt

PostQuantumCryptoDecrypt

Key APIs

GetPublicKey

AsymmetricSm2Decrypt

AsymmetricRsaDecrypt

VerifyByAsymmetricKey

SignByAsymmetricKey

PostQuantumCryptoVerify

PostQuantumCryptoSign

Asymmetric Key APIs

Data Types

Error Codes

API documentation

Service Level Agreement

FAQs

General

FAQS

Privacy Policy

Data Processing And Security Agreement

KMS Policy

Contact Us

Glossary

Key Management Service

This document describes how to use the SM2 signature verification algorithm.

Step 1: Creating an asymmetric signature key

To use the signature feature, the correct key purpose 

https://intl.cloud.tencent.com/document/product/1030/32199

tccli kms CreateKey --Alias test --KeyUsage ASYMMETRIC_SIGN_VERIFY_SM2

        "KeyId": "22d79428-61d9-11ea-a3c8-525400******",

        "KeyUsage": "ASYMMETRIC_SIGN_VERIFY_SM2",

        "RequestId": "0e3c62db-a408-406a-af27-dd5ced******"

tccli kms GetPublicKey  --KeyId 22d79428-61d9-11ea-a3c8-525400******

        "RequestId": "408fa858-cd6d-4011-b8a0-653805******",

        "PublicKey":  "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJahujq+PvM***************bBs/f3axWbvgvHx8Jmqw==",

        "PublicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJa\nhujq+PvM***************bBs/f3axWbvgvHx8Jmqw==\n-----END PUBLIC KEY-----\n"

 into the PEM format and save it in the file 

MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJa

hujq+PvM***************bBs/f3axWbvgvHx8Jmqw==

-----END PUBLIC KEY-----" > public_key.pem

https://console.tencentcloud.com/kms2/index

 on the left sidebar, click a key ID/name in the key list to view the key information, and download the public asymmetric key.

 If there are any invisible characters such as line breaks in the generated content, you need to truncate the file (

If the message to be generated a signature for is not longer than 4,096 bytes, you can skip this step to 

If the message to be generated a signature for is longer than 4,096 bytes, you need to calculate a message abstract locally first.
Use GmSSL to calculate the message abstract for 

gmssl sm2utl -dgst -in ./test_verify.txt -pubin -inkey ./public_key.pem -id 1234567812345678 > digest.bin

Step 5: Calling the KMS signature API to generate a signature

https://intl.cloud.tencent.com/document/product/1030/39509

Base64-encode the original message or message abstract before signature calculation.

gmssl enc -e -base64 -A -in digest.bin -out encoded.base64

gmssl enc -e -base64 -A -in test_verify.txt -out encoded.base64

// Generate the signature for the message abstract using the content of the file `encoded.base64` as the `Message` parameter of `SignByAsymmetricKey`.

tccli kms SignByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400****** --Algorithm SM2DSA --Message "qJQj83hSyOuU7Tn0SRReGCk4yuuVWaeZ44BP******==" --MessageType DIGEST

// Generate the signature for the Base64-encoded original message

tccli kms SignByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400****** --Algorithm SM2DSA --Message "dG***Ao=" --MessageType RAW

            "Signature": "U7Tn0SRReGCk4yuuVWaeZ4******",

            "RequestId": "408fa858-cd6d-4011-b8a0-653805******"

echo "U7Tn0SRReGCk4yuuVWaeZ4******" | base64 -d > signContent.bin

Call the KMS signature verification API to verify the signature (

// Verify the Base64-encoded original message

tccli kms VerifyByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400****** --SignatureValue "U7Tn0SRReGCk4yuuVWaeZ4******" --Message "dG***Ao=" --Algorithm SM2DSA --MessageType RAW

// Verify the message abstract (verify the signature for the message abstract using the content of the file `encoded.base64` mentioned in step 4 as the `Message` parameter of `VerifyByAsymmetricKey`).

tccli kms VerifyByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400****** --SignatureValue "U7Tn0SRReGCk4yuuVWaeZ4******" --Message "QUuAcNFr1Jl5+3GDbCxU7te7Uekq+oTxZ**********=" --Algorithm SM2DSA --MessageType DIGEST

 used in the signature API call should be the same as those of the signature verification API call.

          "RequestId": "6758cbf5-5e21-4c37-a2cf-8d47f5******"

Verify the signature locally using the KMS public key and signature content.
  Request:

gmssl  sm2utl -verify -in ./test_verify.txt -sigfile ./signContent.bin -pubin -inkey ./public_key.pem -id 1234567812345678

tencent cloud