This document describes how to use the SM2 signature verification algorithm.
Instructions
Step 1: Creating an asymmetric signature key
Note
When creating a customer master key (CMK) in Key Management Service (KMS) by calling the Create CMK API, you must provide the correct key usage parameter, KeyUsage=ASYMMETRIC_SIGN_VERIFY_SM2, to enable the signature functionality.
Request:
tccli kms CreateKey --Alias test --KeyUsage ASYMMETRIC_SIGN_VERIFY_SM2
Returned result:
{"Response": {"KeyId": "22d79428-61d9-11ea-a3c8-525400**","Alias": "test","CreateTime": 1583739580,"Description": "","KeyState": "Enabled","KeyUsage": "ASYMMETRIC_SIGN_VERIFY_SM2","TagCode": 0,"TagMsg": "","RequestId": "0e3c62db-a408-406a-af27-dd5ced**"}}
Step 2: Downloading the public key
Request:
tccli kms GetPublicKey --KeyId 22d79428-61d9-11ea-a3c8-525400**
Returned result:
{"Response": {"RequestId": "408fa858-cd6d-4011-b8a0-653805**","KeyId": "22d79428-61d9-11ea-a3c8-525400**","PublicKey": "MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJahujq+PvM***bBs/f3axWbvgvHx8Jmqw==","PublicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJa\nhujq+PvM***bBs/f3axWbvgvHx8Jmqw==\n-----END PUBLIC KEY-----\n"}}
Save the PublicKeyPem value as a PEM file named public_key.pem, writing each \n in the returned string as a line break:
echo "-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEFLlge0vtct949CwtadHODzisgXJa
hujq+PvM***bBs/f3axWbvgvHx8Jmqw==
-----END PUBLIC KEY-----" > public_key.pem
Note
Additionally, you can log in to the KMS Console, click User Key > Key ID/Key Name to access the key information page, and directly download the asymmetric public key.
Step 3: Creating the plaintext information file
Create a test plaintext file:
echo "test" > test_verify.txt
Note
When the generated file content contains invisible characters (such as newline characters), you need to perform a truncate operation on the file (truncate -s -1 test_verify.txt) to ensure signature accuracy.
Step 4: Calculating the message digest
If the length of the message to be signed does not exceed 4,096 bytes, you can skip this step and proceed directly to Step 5.
If the message to be signed is longer than 4,096 bytes, you need to calculate a message digest locally first.
Use GmSSL to calculate the message digest for test_verify.txt:
gmssl sm2utl -dgst -in ./test_verify.txt -pubin -inkey ./public_key.pem -id 1234567812345678 > digest.bin
Step 5: Calling the KMS signature API to generate a signature
1. Base64-encode the original message or message digest before signature calculation.
# Base64-encode the message digest
gmssl enc -e -base64 -A -in digest.bin -out encoded.base64
# Base64-encode the original message
gmssl enc -e -base64 -A -in test_verify.txt -out encoded.base64
2. Calculate the signature.
Request:
# Generate the signature for the message digest, using the content of the file encoded.base64 as the Message parameter of SignByAsymmetricKey.
tccli kms SignByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400** --Algorithm SM2DSA --Message "qJQj83hSyOuU7Tn0SRReGCk4yuuVWaeZ44BP**==" --MessageType DIGEST
# Generate the signature for the Base64-encoded original message
tccli kms SignByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400* --Algorithm SM2DSA --Message "dG**Ao=" --MessageType RAW
Returned result:
{"Response": {"Signature": "U7Tn0SRReGCk4yuuVWaeZ4**","RequestId": "408fa858-cd6d-4011-b8a0-653805**"}}
Base64-decode the signature content (Signature) and save it into a file named signContent.bin:
echo "U7Tn0SRReGCk4yuuVWaeZ4**" | base64 -d > signContent.bin
Step 6: Verifying the signature
Call the KMS signature verification API to verify the signature (recommended).
Request:
# Verify the Base64-encoded original message
tccli kms VerifyByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400** --SignatureValue "U7Tn0SRReGCk4yuuVWaeZ4*" --Message "dG**Ao=" --Algorithm SM2DSA --MessageType RAW
# Verify the message digest (verify the signature for the message digest using the content of the file encoded.base64 mentioned in step 4 as the Message parameter of VerifyByAsymmetricKey).
tccli kms VerifyByAsymmetricKey --KeyId 22d79428-61d9-11ea-a3c8-525400** --SignatureValue "U7Tn0SRReGCk4yuuVWaeZ4**" --Message "QUuAcNFr1Jl5+3GDbCxU7te7Uekq+oTxZ**=" --Algorithm SM2DSA --MessageType DIGEST
Note
The values of the Message and MessageType parameters used in the signature API call should be the same as those used in the signature verification API call.
Returned result:
{"Response": {"SignatureValid": true,"RequestId": "6758cbf5-5e21-4c37-a2cf-8d47f5**"}}
Verify the signature locally using the KMS public key and signature content.
Request:
gmssl sm2utl -verify -in ./test_verify.txt -sigfile ./signContent.bin -pubin -inkey ./public_key.pem -id 1234567812345678
Returned result:
Signature Verification Successful
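The checks from Steps 3 to 5 can be scripted so that the signing call and the verification call always receive the same Message and MessageType. The following is an added example, not part of the original KMS documentation; the function names kms_message_type, ends_with_newline and kms_message_b64 are hypothetical, and it uses the base64 utility in place of gmssl enc for the encoding.

```shell
#!/bin/sh
# Added example, not Tencent Cloud code. Function names are hypothetical.

KMS_RAW_LIMIT=4096   # Step 4: longer messages must be signed as a digest

# Print RAW when the file can be sent as the original message, else DIGEST.
kms_message_type() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -le "$KMS_RAW_LIMIT" ]; then echo RAW; else echo DIGEST; fi
}

# Succeed when the last byte of the file is a newline (the Step 3 pitfall:
# echo appends one, so the signed bytes differ from the intended text).
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Print, on one line, the Base64 value to pass as --Message.
# $1 = message file, $2 = SM2 public key PEM (only read on the DIGEST path,
# which runs the Step 4 gmssl command and therefore needs GmSSL installed).
kms_message_b64() {
    case "$(kms_message_type "$1")" in
        RAW)    base64 < "$1" | tr -d '\n' ;;
        DIGEST) gmssl sm2utl -dgst -in "$1" -pubin -inkey "$2" \
                    -id 1234567812345678 | base64 | tr -d '\n' ;;
    esac
}

# Constructed sample input: the same text with and without a trailing newline.
demo_dir=$(mktemp -d)
printf 'test\n' > "$demo_dir/with_newline.txt"
printf 'test'   > "$demo_dir/without_newline.txt"
for f in "$demo_dir"/*.txt; do
    if ends_with_newline "$f"; then nl=yes; else nl=no; fi
    echo "$f: MessageType=$(kms_message_type "$f") trailing_newline=$nl" \
         "Message=$(kms_message_b64 "$f")"
done
rm -rf "$demo_dir"
```

The two sample files produce different Message values, which is why a signature made over one does not verify against the other.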