Method: cryptoKeyVersions.asymmetricSign

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Digest
- JSON representation
Try it!

Full name: projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricSign

Signs data using a CryptoKeyVersion with CryptoKey.purpose ASYMMETRIC_SIGN, producing a signature that can be verified with the public key retrieved from cryptoKeyVersions.getPublicKey.

HTTP request

Choose a location:

The URLs use gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The resource name of the `CryptoKeyVersion` to use for signing. Authorization requires the following IAM permission on the specified resource `name`: `cloudkms.cryptoKeyVersions.useToSign`

name

string

Required. The resource name of the CryptoKeyVersion to use for signing.

Authorization requires the following IAM permission on the specified resource name:

cloudkms.cryptoKeyVersions.useToSign

Request body

The request body contains data with the following structure:

JSON representation
{ "digest": { object (`Digest`) }, "digestCrc32c": string, "data": string, "dataCrc32c": string }

Fields
`digest`	`object (Digest)` Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's `algorithm`. This field may not be supplied if `AsymmetricSignRequest.data` is supplied.
`digestCrc32c`	`string (Int64Value format)` Optional. An optional CRC32C checksum of the `AsymmetricSignRequest.digest`. If specified, `KeyManagementService` will verify the integrity of the received `AsymmetricSignRequest.digest` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(`AsymmetricSignRequest.digest`) is equal to `AsymmetricSignRequest.digest_crc32c`, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`data`	`string (bytes format)` Optional. The data to sign. It can't be supplied if `AsymmetricSignRequest.digest` is supplied. A base64-encoded string.
`dataCrc32c`	`string (Int64Value format)` Optional. An optional CRC32C checksum of the `AsymmetricSignRequest.data`. If specified, `KeyManagementService` will verify the integrity of the received `AsymmetricSignRequest.data` using this checksum. `KeyManagementService` will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(`AsymmetricSignRequest.data`) is equal to `AsymmetricSignRequest.data_crc32c`, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.

Response body

Response message for KeyManagementService.AsymmetricSign.

If successful, the response body contains data with the following structure:

JSON representation
{ "signature": string, "signatureCrc32c": string, "verifiedDigestCrc32c": boolean, "name": string, "verifiedDataCrc32c": boolean, "protectionLevel": enum (`ProtectionLevel`) }

Fields
`signature`	`string (bytes format)` The created signature. A base64-encoded string.
`signatureCrc32c`	`string (Int64Value format)` Integrity verification field. A CRC32C checksum of the returned `AsymmetricSignResponse.signature`. An integrity check of `AsymmetricSignResponse.signature` can be performed by computing the CRC32C checksum of `AsymmetricSignResponse.signature` and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.
`verifiedDigestCrc32c`	`boolean` Integrity verification field. A flag indicating whether `AsymmetricSignRequest.digest_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `digest`. A false value of this field indicates either that `AsymmetricSignRequest.digest_crc32c` was left unset or that it was not delivered to `KeyManagementService`. If you've set `AsymmetricSignRequest.digest_crc32c` but this field is still false, discard the response and perform a limited number of retries.
`name`	`string` The resource name of the `CryptoKeyVersion` used for signing. Check this field to verify that the intended resource was used for signing.
`verifiedDataCrc32c`	`boolean` Integrity verification field. A flag indicating whether `AsymmetricSignRequest.data_crc32c` was received by `KeyManagementService` and used for the integrity verification of the `data`. A false value of this field indicates either that `AsymmetricSignRequest.data_crc32c` was left unset or that it was not delivered to `KeyManagementService`. If you've set `AsymmetricSignRequest.data_crc32c` but this field is still false, discard the response and perform a limited number of retries.
`protectionLevel`	`enum (ProtectionLevel)` The `ProtectionLevel` of the `CryptoKeyVersion` used for signing.

Authorization scopes

Requires one of the following OAuth scopes:

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Digest

A Digest holds a cryptographic message digest.

JSON representation
{ // Union field `digest` can be only one of the following: "sha256": string, "sha384": string, "sha512": string // End of list of possible types for union field `digest`. }

Fields
Union field `digest`. Required. The message digest. `digest` can be only one of the following:
`sha256`	`string (bytes format)` A message digest produced with the SHA-256 algorithm. A base64-encoded string.
`sha384`	`string (bytes format)` A message digest produced with the SHA-384 algorithm. A base64-encoded string.
`sha512`	`string (bytes format)` A message digest produced with the SHA-512 algorithm. A base64-encoded string.