Verifies a digital signature using a CMK.
This method verifies a digital signature using the CMK specified by KeyId and the given Algorithm. The message data is taken from the the specified InputFile or the InputData property. The digital signature data is taken from the specified OutputFile or the OutputData property. If the signature is successfully verified, this method returns , otherwise it returns .
The value passed for the KeyId parameter must be the Id or ARN of a CMK, or the name or ARN of an alias, in the current Region. If an ARN is provided, it can be for a CMK or alias in another account so long as the appropriate permissions are in place.
The Algorithm parameter specifies which algorithm was used to sign the data. Possible values are:
The IsDigest parameter specifies whether the data whose signature is being verified is the original message () or a message digest (). When a message digest is supplied, keep in mind that it must be the exact same digest that was used at signing time, regardless of whether it has been recomputed.
Note that, as with the Sign method, a maximum of 4096 bytes of message data can be sent to the server. If IsDigest is , and more than 4096 bytes of message data are provided, the class will automatically compute an appropriate message digest and send it instead. In such cases, the computed digest is made available via the MessageDigest configuration setting.
This method will fail if any of the following are true regarding the specified CMK:
- Its State is anything other than aksEnabled (0).
- It is symmetric (see KeySpec).
- It is for encryption/decryption instead of signing/verification (see ForSigning).
- It is an AWS-managed CMK (see AWSManaged).