Method: cryptoKeyVersions.asymmetricSign

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricSign

Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from cryptoKeyVersions.getPublicKey.

HTTP request

POST https://cloudkms.googleapis.com/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters
name

string

Required. The resource name of the CryptoKeyVersion to use for signing.

Authorization requires the following IAM permission on the specified resource name:

  • cloudkms.cryptoKeyVersions.useToSign

Request body

The request body contains data with the following structure:

JSON representation
{
  "digest": {
    object (Digest)
  },
  "digestCrc32c": string,
  "data": string,
  "dataCrc32c": string
}
Fields
digest

object (Digest)

Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's algorithm.

This field can't be supplied if AsymmetricSignRequest.data is supplied.

digestCrc32c

string (Int64Value format)

Optional. A CRC32C checksum of the AsymmetricSignRequest.digest. If specified, KeyManagementService will verify the integrity of the received AsymmetricSignRequest.digest using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.digest) is equal to AsymmetricSignRequest.digest_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum.

Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

data

string (bytes format)

Optional. The data to sign. It can't be supplied if AsymmetricSignRequest.digest is supplied.

A base64-encoded string.

dataCrc32c

string (Int64Value format)

Optional. A CRC32C checksum of the AsymmetricSignRequest.data. If specified, KeyManagementService will verify the integrity of the received AsymmetricSignRequest.data using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(AsymmetricSignRequest.data) is equal to AsymmetricSignRequest.data_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum.

Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Response body

Response message for KeyManagementService.AsymmetricSign.

If successful, the response body contains data with the following structure:

JSON representation
{
  "signature": string,
  "signatureCrc32c": string,
  "verifiedDigestCrc32c": boolean,
  "name": string,
  "verifiedDataCrc32c": boolean,
  "protectionLevel": enum (ProtectionLevel)
}
Fields
signature

string (bytes format)

The created signature.

A base64-encoded string.

signatureCrc32c

string (Int64Value format)

Integrity verification field. A CRC32C checksum of the returned AsymmetricSignResponse.signature. An integrity check of AsymmetricSignResponse.signature can be performed by computing the CRC32C checksum of AsymmetricSignResponse.signature and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum.

Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

verifiedDigestCrc32c

boolean

Integrity verification field. A flag indicating whether AsymmetricSignRequest.digest_crc32c was received by KeyManagementService and used for the integrity verification of the digest. A false value of this field indicates either that AsymmetricSignRequest.digest_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set AsymmetricSignRequest.digest_crc32c but this field is still false, discard the response and perform a limited number of retries.

name

string

The resource name of the CryptoKeyVersion used for signing. Check this field to verify that the intended resource was used for signing.

verifiedDataCrc32c

boolean

Integrity verification field. A flag indicating whether AsymmetricSignRequest.data_crc32c was received by KeyManagementService and used for the integrity verification of the data. A false value of this field indicates either that AsymmetricSignRequest.data_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set AsymmetricSignRequest.data_crc32c but this field is still false, discard the response and perform a limited number of retries.

protectionLevel

enum (ProtectionLevel)

The ProtectionLevel of the CryptoKeyVersion used for signing.
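The request and response integrity checks described above, as an added example (not part of the original reference or of any Google client library). It builds a digest-based request body with digestCrc32c and validates a response offline; the function names, the resource name, and the sample response are constructed for illustration.

```python
import base64
import hashlib

def crc32c(data: bytes) -> int:
    """Bitwise CRC32C (Castagnoli), reflected polynomial 0x82F63B78."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def build_sign_request(message: bytes) -> dict:
    """Request body carrying a SHA-256 digest and its CRC32C (no "data" field)."""
    digest = hashlib.sha256(message).digest()
    return {
        "digest": {"sha256": base64.b64encode(digest).decode()},
        # Int64Value format: a decimal string in the JSON body.
        "digestCrc32c": str(crc32c(digest)),
    }

def check_sign_response(request: dict, response: dict, expected_name: str) -> bytes:
    """Return the raw signature; raise ValueError so the caller can discard and retry."""
    if response.get("name") != expected_name:
        raise ValueError("signed by an unexpected CryptoKeyVersion")
    # A checksum we sent must be reported as received and verified by the service.
    if "digestCrc32c" in request and not response.get("verifiedDigestCrc32c", False):
        raise ValueError("digestCrc32c was not verified by the service")
    if "dataCrc32c" in request and not response.get("verifiedDataCrc32c", False):
        raise ValueError("dataCrc32c was not verified by the service")
    signature = base64.b64decode(response["signature"])
    if crc32c(signature) != int(response["signatureCrc32c"]):
        raise ValueError("signature does not match signatureCrc32c")
    return signature

# Constructed sample values (not real key material or service output).
KEY_VERSION = ("projects/example-project/locations/global/keyRings/example-ring/"
               "cryptoKeys/example-key/cryptoKeyVersions/1")
SAMPLE_SIGNATURE = b"constructed-signature-bytes"
SAMPLE_RESPONSE = {
    "signature": base64.b64encode(SAMPLE_SIGNATURE).decode(),
    "signatureCrc32c": str(crc32c(SAMPLE_SIGNATURE)),
    "verifiedDigestCrc32c": True,
    "name": KEY_VERSION,
}
```
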

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloudkms
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Digest

A Digest holds a cryptographic message digest.

JSON representation
{

  // Union field digest can be only one of the following:
  "sha256": string,
  "sha384": string,
  "sha512": string
  // End of list of possible types for union field digest.
}
Fields
Union field digest. Required. The message digest. digest can be only one of the following:
sha256

string (bytes format)

A message digest produced with the SHA-256 algorithm.

A base64-encoded string.

sha384

string (bytes format)

A message digest produced with the SHA-384 algorithm.

A base64-encoded string.

sha512

string (bytes format)

A message digest produced with the SHA-512 algorithm.

A base64-encoded string.