GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
KMS_CRYPTO(1) OCI CLI Command Reference KMS_CRYPTO(1)

kms_crypto -

Operations for performing data encryption, decryption and generation of data encryption keys.

  • decrypt
  • encrypt
  • generate-data-encryption-key
  • key
export

signed-data
sign

verified-data
verify


  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Decrypts data using the given DecryptDataDetails <https://docs.cloud.oracle.com/api/#/en/key/latest/datatypes/DecryptDataDetails> resource.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto decrypt [OPTIONS]


--ciphertext [text]

The encrypted data to decrypt.

--key-id [text]

The OCID of the key used to encrypt the ciphertext.

--associated-data [complex type]

Information that can be used to provide an encryption context for the encrypted data. The length of the string representation of the associated data must be fewer than 4096 characters. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

--encryption-algorithm [text]

The encryption algorithm to use to encrypt or decrypt data with a customer-managed key. AES_256_GCM indicates that the key is a symmetric key that uses the Advanced Encryption Standard (AES) algorithm and that the mode of encryption is the Galois/Counter Mode (GCM). RSA_OAEP_SHA_1 indicates that the key is an asymmetric key that uses the RSA encryption algorithm and uses Optimal Asymmetric Encryption Padding (OAEP). RSA_OAEP_SHA_256 indicates that the key is an asymmetric key that uses the RSA encryption algorithm with a SHA-256 hash and uses OAEP.

Accepted values are:

AES_256_GCM, RSA_OAEP_SHA_1, RSA_OAEP_SHA_256


--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--key-version-id [text]

The OCID of the key version used to encrypt the ciphertext.

--logging-context [complex type]

Information that provides context for audit logging. You can provide this additional data as key-value pairs to include in audit logs when audit logging is enabled. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export ciphertext=<substitute-value-of-ciphertext> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/decrypt.html#cmdoption-ciphertext
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    oci kms crypto decrypt --ciphertext $ciphertext --endpoint https://region.domain.com --key-id $key_id


  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Encrypts data using the given EncryptDataDetails <https://docs.cloud.oracle.com/api/#/en/key/latest/datatypes/EncryptDataDetails> resource. Plaintext included in the example request is a base64-encoded value of a UTF-8 string.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto encrypt [OPTIONS]


--key-id [text]

The OCID of the key to encrypt with.

--plaintext [text]

The plaintext data to encrypt.

--associated-data [complex type]

Information that can be used to provide an encryption context for the encrypted data. The length of the string representation of the associated data must be fewer than 4096 characters. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

--encryption-algorithm [text]

The encryption algorithm to use to encrypt and decrypt data with a customer-managed key. AES_256_GCM indicates that the key is a symmetric key that uses the Advanced Encryption Standard (AES) algorithm and that the mode of encryption is the Galois/Counter Mode (GCM). RSA_OAEP_SHA_1 indicates that the key is an asymmetric key that uses the RSA encryption algorithm and uses Optimal Asymmetric Encryption Padding (OAEP). RSA_OAEP_SHA_256 indicates that the key is an asymmetric key that uses the RSA encryption algorithm with a SHA-256 hash and uses OAEP.

Accepted values are:

AES_256_GCM, RSA_OAEP_SHA_1, RSA_OAEP_SHA_256


--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--key-version-id [text]

The OCID of the key version used to encrypt the ciphertext.

--logging-context [complex type]

Information that provides context for audit logging. You can provide this additional data as key-value pairs to include in the audit logs when audit logging is enabled. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export plaintext=<substitute-value-of-plaintext> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/encrypt.html#cmdoption-plaintext
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    oci kms crypto encrypt --endpoint https://region.domain.com --key-id $key_id --plaintext $plaintext


  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Generates a key that you can use to encrypt or decrypt data.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto generate-data-encryption-key [OPTIONS]


--include-plaintext-key [boolean]

If true, the generated key is also returned unencrypted.

--key-id [text]

The OCID of the master encryption key to encrypt the generated data encryption key with.

--key-shape [complex type]

This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

--associated-data [complex type]

Information that can be used to provide an encryption context for the encrypted data. The length of the string representation of the associated data must be fewer than 4096 characters. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--logging-context [complex type]

Information that provides context for audit logging. You can provide this additional data by formatting it as key-value pairs to include in audit logs when audit logging is enabled. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json
    oci kms crypto generate-data-encryption-key --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export include_plaintext_key=<substitute-value-of-include_plaintext_key> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/generate-data-encryption-key.html#cmdoption-include-plaintext-key
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    oci kms crypto generate-data-encryption-key --endpoint https://region.domain.com --include-plaintext-key $include_plaintext_key --key-id $key_id --key-shape file://key-shape.json


The response to a request to export key material.

export

  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Exports a specific version of a master encryption key according to the details of the request. For their protection, keys that you create and store on a hardware security module (HSM) can never leave the HSM. You can only export keys stored on the server. For export, the key version is encrypted by an RSA public key that you provide.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto key export [OPTIONS]


--algorithm [text]

The encryption algorithm to use to encrypt exportable key material from a software-backed key. Specifying RSA_OAEP_AES_SHA256 invokes the RSA AES key wrap mechanism, which generates a temporary AES key. The temporary AES key is wrapped by the RSA public wrapping key provided along with the request, creating a wrapped temporary AES key. The temporary AES key is also used to wrap the exportable key material. The wrapped temporary AES key and the wrapped exportable key material are concatenated, producing concatenated blob output that jointly represents them. Specifying RSA_OAEP_SHA256 means that the software key is wrapped by the RSA public wrapping key provided along with the request.

Accepted values are:

RSA_OAEP_AES_SHA256, RSA_OAEP_SHA256


--key-id [text]

The OCID of the master encryption key associated with the key version you want to export.

--public-key [text]

The PEM format of the 2048-bit, 3072-bit, or 4096-bit RSA wrapping key in your possession that you want to use to encrypt the key.

--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--key-version-id [text]

The OCID of the specific key version to export. If not specified, the service exports the current key version.

--logging-context [complex type]

Information that provides context for audit logging. You can provide this additional data as key-value pairs to include in the audit logs when audit logging is enabled. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export algorithm=<substitute-value-of-algorithm> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/key/export.html#cmdoption-algorithm
    export public_key=<substitute-value-of-public_key> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/key/export.html#cmdoption-public-key
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    oci kms crypto key export --algorithm $algorithm --key-id $key_id --public-key $public_key


sign

  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Creates a digital signature for a message or message digest by using the private key of a public-private key pair, also known as an asymmetric key. To verify the generated signature, you can use the Verify <https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/verified-data/verify.html> operation. Or, if you want to validate the signature outside of the service, you can do so by using the public key of the same asymmetric key.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto signed-data sign [OPTIONS]


--key-id [text]

The OCID of the key used to sign the message.

--message [text]

The base64-encoded binary data object denoting the message or message digest to sign. You can have a message up to 4096 bytes in size. To sign a larger message, provide the message digest.

--signing-algorithm [text]

The algorithm to use to sign the message or message digest. For RSA keys, supported signature schemes include PKCS #1 and RSASSA-PSS, along with different hashing algorithms. For ECDSA keys, ECDSA is the supported signature scheme with different hashing algorithms. When you pass a message digest for signing, ensure that you specify the same hashing algorithm as used when creating the message digest.

Accepted values are:

ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SHA_224_RSA_PKCS1_V1_5, SHA_224_RSA_PKCS_PSS, SHA_256_RSA_PKCS1_V1_5, SHA_256_RSA_PKCS_PSS, SHA_384_RSA_PKCS1_V1_5, SHA_384_RSA_PKCS_PSS, SHA_512_RSA_PKCS1_V1_5, SHA_512_RSA_PKCS_PSS


--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--key-version-id [text]

The OCID of the key version used to sign the message.

--message-type [text]

Denotes whether the value of the message parameter is a raw message or a message digest. The default value, RAW, indicates a message. To indicate a message digest, use DIGEST.

Accepted values are:

DIGEST, RAW


Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export message=<substitute-value-of-message> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/signed-data/sign.html#cmdoption-message
    export signing_algorithm=<substitute-value-of-signing_algorithm> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/signed-data/sign.html#cmdoption-signing-algorithm
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    oci kms crypto signed-data sign --key-id $key_id --message $message --signing-algorithm $signing_algorithm


verify

  • Description
  • Usage
  • Required Parameters
  • Optional Parameters
  • Global Parameters
  • Examples

Verifies a digital signature that was generated by the Sign <https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/signed-data/sign.html> operation by using the public key of the same asymmetric key that was used to sign the data. If you want to validate the digital signature outside of the service, you can do so by using the public key of the asymmetric key.

The top level –endpoint parameter must be supplied for this operation.

oci kms crypto verified-data verify [OPTIONS]


--key-id [text]

The OCID of the key used to sign the message.

--key-version-id [text]

The OCID of the key version used to sign the message.

--message [text]

The base64-encoded binary data object denoting the message or message digest to sign. You can have a message up to 4096 bytes in size. To sign a larger message, provide the message digest.

--signature [text]

The base64-encoded binary data object denoting the cryptographic signature generated for the message.

--signing-algorithm [text]

The algorithm to use to sign the message or message digest. For RSA keys, supported signature schemes include PKCS #1 and RSASSA-PSS, along with different hashing algorithms. For ECDSA keys, ECDSA is the supported signature scheme with different hashing algorithms. When you pass a message digest for signing, ensure that you specify the same hashing algorithm as used when creating the message digest.

Accepted values are:

ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512, SHA_224_RSA_PKCS1_V1_5, SHA_224_RSA_PKCS_PSS, SHA_256_RSA_PKCS1_V1_5, SHA_256_RSA_PKCS_PSS, SHA_384_RSA_PKCS1_V1_5, SHA_384_RSA_PKCS_PSS, SHA_512_RSA_PKCS1_V1_5, SHA_512_RSA_PKCS_PSS


--from-json [text]

Provide input to this command as a JSON document from a file using the file://path-to/file syntax.

The --generate-full-command-json-input option can be used to generate a sample json file to be used with this command option. The key names are pre-populated and match the command option names (converted to camelCase format, e.g. compartment-id –> compartmentId), while the values of the keys need to be populated by the user before using the sample file as an input to this command. For any command option that accepts multiple values, the value of the key can be a JSON array.

Options can still be provided on the command line. If an option exists in both the JSON document and the command line then the command line specified value will be used.

For examples on usage of this option, please see our “using CLI with advanced JSON options” link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliusing.htm#AdvancedJSONOptions

--message-type [text]

Denotes whether the value of the message parameter is a raw message or a message digest. The default value, RAW, indicates a message. To indicate a message digest, use DIGEST.

Accepted values are:

DIGEST, RAW


Use oci --help for help on global parameters.

--auth-purpose, --auth, --cert-bundle, --cli-auto-prompt, --cli-rc-file, --config-file, --debug, --defaults-file, --endpoint, --generate-full-command-json-input, --generate-param-json-input, --help, --latest-version, --max-retries, --no-retry, --opc-client-request-id, --opc-request-id, --output, --profile, --query, --raw-output, --region, --release-info, --request-id, --version, -?, -d, -h, -i, -v

Copy and paste the following example into a JSON file, replacing the example parameters with your own. 

    oci kms management key create --generate-param-json-input key-shape > key-shape.json


Copy the following CLI commands into a file named example.sh. Run the command by typing “bash example.sh” and replacing the example parameters with your own.

Please note this sample will only work in the POSIX-compliant bash-like shell. You need to set up the OCI configuration <https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliinstall.htm#configfile> and appropriate security policies <https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm> before trying the examples.

    export compartment_id=<substitute-value-of-compartment_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-compartment-id
    export display_name=<substitute-value-of-display_name> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key/create.html#cmdoption-display-name
    export key_id=<substitute-value-of-key_id> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/management/key-version/create.html#cmdoption-key-id
    export message=<substitute-value-of-message> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/verified-data/verify.html#cmdoption-message
    export signature=<substitute-value-of-signature> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/verified-data/verify.html#cmdoption-signature
    export signing_algorithm=<substitute-value-of-signing_algorithm> # https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/kms/crypto/verified-data/verify.html#cmdoption-signing-algorithm
    key_id=$(oci kms management key create --compartment-id $compartment_id --display-name $display_name --endpoint https://region.domain.com --key-shape file://key-shape.json --query data.id --raw-output)
    key_version_id=$(oci kms management key-version create --key-id $key_id --query data.id --raw-output)
    oci kms crypto verified-data verify --key-id $key_id --key-version-id $key_version_id --message $message --signature $signature --signing-algorithm $signing_algorithm


Oracle

2016, 2022, Oracle
May 17, 2022 3.9.1
Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.