/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the kms-2014-11-01.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.KeyManagementService.Model
{
///
/// Container for the parameters to the Verify operation.
/// Verifies a digital signature that was generated by the Sign operation.
///
///
///
/// Verification confirms that an authorized user signed the message with the specified
/// KMS key and signing algorithm, and the message hasn't changed since it was signed.
/// If the signature is verified, the value of the SignatureValid field in
/// the response is True. If the signature verification fails, the Verify
/// operation fails with an KMSInvalidSignatureException exception.
///
///
///
/// A digital signature is generated by using the private key in an asymmetric KMS key.
/// The signature is verified by using the public key in the same asymmetric KMS key.
/// For information about asymmetric KMS keys, see Asymmetric
/// KMS keys in the Key Management Service Developer Guide.
///
///
///
/// To use the Verify operation, specify the same asymmetric KMS key, message,
/// and signing algorithm that were used to produce the signature. The message type does
/// not need to be the same as the one used for signing, but it must indicate whether
/// the value of the Message parameter should be hashed as part of the verification
/// process.
///
///
///
/// You can also verify the digital signature by using the public key of the KMS key outside
/// of KMS. Use the GetPublicKey operation to download the public key in the asymmetric
/// KMS key and then use the public key to verify the signature outside of KMS. The advantage
/// of using the Verify operation is that it is performed within KMS. As
/// a result, it's easy to call, the operation is performed within the FIPS boundary,
/// it is logged in CloudTrail, and you can use key policy and IAM policy to determine
/// who is authorized to use the KMS key to verify signatures.
///
///
///
/// To verify a signature outside of KMS with an SM2 public key (China Regions only),
/// you must specify the distinguishing ID. By default, KMS uses 1234567812345678
/// as the distinguishing ID. For more information, see Offline
/// verification with SM2 key pairs.
///
///
///
/// The KMS key that you use for this operation must be in a compatible key state. For
/// details, see Key
/// states of KMS keys in the Key Management Service Developer Guide.
///
///
///
/// Cross-account use: Yes. To perform this operation with a KMS key in a different
/// Amazon Web Services account, specify the key ARN or alias ARN in the value of the
/// KeyId parameter.
///
///
///
/// Required permissions: kms:Verify
/// (key policy)
///
///
///
/// Related operations: Sign
///
///
public partial class VerifyRequest : AmazonKeyManagementServiceRequest
{
private bool? _dryRun;
private List _grantTokens = new List();
private string _keyId;
private MemoryStream _message;
private MessageType _messageType;
private MemoryStream _signature;
private SigningAlgorithmSpec _signingAlgorithm;
///
/// Gets and sets the property DryRun.
///
/// Checks if your request will succeed. DryRun is an optional parameter.
///
///
///
///
/// To learn more about how to use this parameter, see Testing
/// your KMS API calls in the Key Management Service Developer Guide.
///
///
public bool DryRun
{
get { return this._dryRun.GetValueOrDefault(); }
set { this._dryRun = value; }
}
// Check to see if DryRun property is set
internal bool IsSetDryRun()
{
return this._dryRun.HasValue;
}
///
/// Gets and sets the property GrantTokens.
///
/// A list of grant tokens.
///
///
///
/// Use a grant token when your permission to call this operation comes from a new grant
/// that has not yet achieved eventual consistency. For more information, see Grant
/// token and Using
/// a grant token in the Key Management Service Developer Guide.
///
///
[AWSProperty(Min=0, Max=10)]
public List GrantTokens
{
get { return this._grantTokens; }
set { this._grantTokens = value; }
}
// Check to see if GrantTokens property is set
internal bool IsSetGrantTokens()
{
return this._grantTokens != null && this._grantTokens.Count > 0;
}
///
/// Gets and sets the property KeyId.
///
/// Identifies the asymmetric KMS key that will be used to verify the signature. This
/// must be the same KMS key that was used to generate the signature. If you specify a
/// different KMS key, the signature verification fails.
///
///
///
/// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using
/// an alias name, prefix it with "alias/". To specify a KMS key in a different
/// Amazon Web Services account, you must use the key ARN or alias ARN.
///
///
///
/// For example:
///
/// -
///
/// Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
///
/// -
///
/// Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
///
///
/// -
///
/// Alias name:
alias/ExampleAlias
///
/// -
///
/// Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
///
///
///
/// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
/// To get the alias name and alias ARN, use ListAliases.
///
///
[AWSProperty(Required=true, Min=1, Max=2048)]
public string KeyId
{
get { return this._keyId; }
set { this._keyId = value; }
}
// Check to see if KeyId property is set
internal bool IsSetKeyId()
{
return this._keyId != null;
}
///
/// Gets and sets the property Message.
///
/// Specifies the message that was signed. You can submit a raw message of up to 4096
/// bytes, or a hash digest of the message. If you submit a digest, use the MessageType
/// parameter with a value of DIGEST.
///
///
///
/// If the message specified here is different from the message that was signed, the signature
/// verification fails. A message and its hash digest are considered to be the same message.
///
///
[AWSProperty(Required=true, Sensitive=true, Min=1, Max=4096)]
public MemoryStream Message
{
get { return this._message; }
set { this._message = value; }
}
// Check to see if Message property is set
internal bool IsSetMessage()
{
return this._message != null;
}
///
/// Gets and sets the property MessageType.
///
/// Tells KMS whether the value of the Message parameter should be hashed
/// as part of the signing algorithm. Use RAW for unhashed messages; use
/// DIGEST for message digests, which are already hashed.
///
///
///
/// When the value of MessageType is RAW, KMS uses the standard
/// signing algorithm, which begins with a hash function. When the value is DIGEST,
/// KMS skips the hashing step in the signing algorithm.
///
///
///
/// Use the DIGEST value only when the value of the Message
/// parameter is a message digest. If you use the DIGEST value with an unhashed
/// message, the security of the verification operation can be compromised.
///
///
///
/// When the value of MessageTypeis DIGEST, the length of the
/// Message value must match the length of hashed messages for the specified
/// signing algorithm.
///
///
///
/// You can submit a message digest and omit the MessageType or specify RAW
/// so the digest is hashed again while signing. However, if the signed message is hashed
/// once while signing, but twice while verifying, verification fails, even when the message
/// hasn't changed.
///
///
///
/// The hashing algorithm in that Verify uses is based on the SigningAlgorithm
/// value.
///
/// -
///
/// Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
///
///
-
///
/// Signing algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
///
///
-
///
/// Signing algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
///
///
-
///
/// SM2DSA uses the SM3 hashing algorithm. For details, see Offline
/// verification with SM2 key pairs.
///
///
///
public MessageType MessageType
{
get { return this._messageType; }
set { this._messageType = value; }
}
// Check to see if MessageType property is set
internal bool IsSetMessageType()
{
return this._messageType != null;
}
///
/// Gets and sets the property Signature.
///
/// The signature that the Sign operation generated.
///
///
[AWSProperty(Required=true, Min=1, Max=6144)]
public MemoryStream Signature
{
get { return this._signature; }
set { this._signature = value; }
}
// Check to see if Signature property is set
internal bool IsSetSignature()
{
return this._signature != null;
}
///
/// Gets and sets the property SigningAlgorithm.
///
/// The signing algorithm that was used to sign the message. If you submit a different
/// algorithm, the signature verification fails.
///
///
[AWSProperty(Required=true)]
public SigningAlgorithmSpec SigningAlgorithm
{
get { return this._signingAlgorithm; }
set { this._signingAlgorithm = value; }
}
// Check to see if SigningAlgorithm property is set
internal bool IsSetSigningAlgorithm()
{
return this._signingAlgorithm != null;
}
}
}