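Signing and signature verification example

Last updated: 2024-12-25 05:39:06

After you initialize the KMS instance SDK client, you can use the client to call the Sign and Verify operations to sign data and verify signatures. This topic provides sample code for signing and signature verification.

Complete code example

Call the Sign operation to generate a digital signature with an asymmetric key, and call the Verify operation to verify a digital signature with an asymmetric key.

Python 2 source code on GitHub: sign_verify_sample.py

Python 3 source code on GitHub: sign_verify_sample.py

This topic uses the Python 3 version as an example.

Complete signing and verification code example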

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from openapi_util.models import RuntimeOptions
from sdk.client import Client
from sdk.models import SignRequest, VerifyRequest

config = Config()
# Set the protocol to "https". The KMS instance service can be accessed only over HTTPS.
config.protocol = "https"
# Client key file.
config.client_key_file = "<your-client-key-file>"
# Password used to decrypt the client key, read from an environment variable.
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# Set endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<your-endpoint>"
client = Client(config)


class SignContext(object):
    """The sign context may be stored."""

    def __init__(self, key_id, message_type, signature, algorithm):
        self.key_id = key_id
        self.message_type = message_type
        self.signature = signature
        # If algorithm is not set, the default value is used.
        self.algorithm = algorithm


def sign(key_id, message, message_type, algorithm):
    request = SignRequest()
    request.key_id = key_id
    request.message = message
    request.message_type = message_type
    request.algorithm = algorithm
    runtime_options = RuntimeOptions()
    # Uncomment to ignore the server certificate. This disables TLS server
    # authentication, so use it only for testing.
    # runtime_options.ignore_ssl = True
    # verify is the path to the CA certificate of the KMS instance.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.sign_with_options(request, runtime_options)
    print(resp)
    return SignContext(resp.key_id, resp.message_type, resp.signature, resp.algorithm)


def verify(context, message):
    request = VerifyRequest()
    request.key_id = context.key_id
    request.message_type = context.message_type
    request.signature = context.signature
    request.algorithm = context.algorithm
    request.message = message
    runtime_options = RuntimeOptions()
    # Uncomment to ignore the server certificate. This disables TLS server
    # authentication, so use it only for testing.
    # runtime_options.ignore_ssl = True
    # verify is the path to the CA certificate of the KMS instance.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.verify_with_options(request, runtime_options)
    print(resp)


key_id = "<your-key-id>"
algorithm = "<your-algorithm>"
message = "<your-message>".encode("utf-8")
# RAW: the original message. DIGEST: a digest of the message.
message_type = "RAW"
context = sign(key_id, message, message_type, algorithm)
verify(context, message)

Code example walkthrough

Initialize the client

For details about initializing the client, see Initialize the client.

# -*- coding: utf-8 -*-
import os

from openapi.models import Config
from sdk.client import Client

config = Config()
# Set the protocol to "https". The KMS instance service can be accessed only over HTTPS.
config.protocol = "https"

# Client key file.
config.client_key_file = "<your-client-key-file>"

# Password used to decrypt the client key, read from an environment variable.
config.password = os.getenv('CLIENT_KEY_PASSWORD')

# Set endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
config.endpoint = "<your-endpoint>"
client = Client(config)

Call the Sign operation to generate a digital signature with an asymmetric key

def sign(key_id, message, message_type, algorithm):
    request = SignRequest()
    request.key_id = key_id
    request.message = message
    request.message_type = message_type
    request.algorithm = algorithm
    runtime_options = RuntimeOptions()
    # Uncomment to ignore the server certificate. This disables TLS server
    # authentication, so use it only for testing.
    # runtime_options.ignore_ssl = True
    # verify is the path to the CA certificate of the KMS instance.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.sign_with_options(request, runtime_options)
    print(resp)
    return SignContext(resp.key_id, resp.message_type, resp.signature, resp.algorithm)

Call the Verify operation to verify a digital signature with an asymmetric key

def verify(context, message):
    request = VerifyRequest()
    request.key_id = context.key_id
    request.message_type = context.message_type
    request.signature = context.signature
    request.algorithm = context.algorithm
    request.message = message
    runtime_options = RuntimeOptions()
    # Uncomment to ignore the server certificate. This disables TLS server
    # authentication, so use it only for testing.
    # runtime_options.ignore_ssl = True
    # verify is the path to the CA certificate of the KMS instance.
    runtime_options.verify = "<your-ca-certificate-file-path>"
    resp = client.verify_with_options(request, runtime_options)
    print(resp)
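
The SignContext docstring notes that the context may be stored, and verify() reads key_id and algorithm from it. The following is an added example, not part of the original sample or the SDK: it serializes a context and reloads it only when the record names the key and algorithm the verifier expects. It assumes the signature is a bytes value; dump_context, load_context and all sample values are hypothetical.

```python
import base64
import json

ALLOWED_MESSAGE_TYPES = {"RAW", "DIGEST"}  # the two values named on this page


class SignContext(object):
    """Same fields as the SignContext class in the sample above."""

    def __init__(self, key_id, message_type, signature, algorithm):
        self.key_id = key_id
        self.message_type = message_type
        self.signature = signature  # assumed to be bytes
        self.algorithm = algorithm


def dump_context(context):
    """Serialize a context to JSON; the signature bytes are base64-encoded."""
    return json.dumps({
        "key_id": context.key_id,
        "message_type": context.message_type,
        "algorithm": context.algorithm,
        "signature": base64.b64encode(context.signature).decode("ascii"),
    }, sort_keys=True)


def load_context(blob, expected_key_id, expected_algorithm):
    """Rebuild a context only if it names the key and algorithm this verifier expects."""
    record = json.loads(blob)
    if not isinstance(record, dict):
        raise ValueError("stored context is not a JSON object")
    if record.get("key_id") != expected_key_id:
        raise ValueError("unexpected key_id in stored context")
    if record.get("algorithm") != expected_algorithm:
        raise ValueError("unexpected algorithm in stored context")
    if record.get("message_type") not in ALLOWED_MESSAGE_TYPES:
        raise ValueError("unexpected message_type in stored context")
    try:
        signature = base64.b64decode(record.get("signature"), validate=True)
    except (TypeError, ValueError) as exc:
        raise ValueError("signature is not valid base64") from exc
    if not signature:
        raise ValueError("empty signature in stored context")
    return SignContext(expected_key_id, record["message_type"], signature, expected_algorithm)

if __name__ == "__main__":
    # Constructed sample values, not real key IDs, algorithms or signatures.
    ctx = SignContext("example-key-id", "RAW", b"\x01\x02sample", "EXAMPLE_ALG")
    print(load_context(dump_context(ctx), "example-key-id", "EXAMPLE_ALG").signature == ctx.signature)
```

The context returned by load_context can be passed to verify() together with the message; a record that was altered in storage to point at a different key or algorithm is rejected before any request is sent.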
