Sign with a private key. The key must be asymmetric and have the `SIGN` key operation enabled.

  • Published on Jun 2, 2025
  • 1 minute(s) read
Prev Next
Post
/crypto/v1/sign

Note: Signing prehashed data with LMS keys

When creating an LMS signature, the first step is to hash the message with a prefix that is unknown to the caller (see RFC8554, algorithm 3). As the caller cannot precompute this value, DSM follows different semantics for prehashed data. Namely, when the hash field is used, DSM will check the length of the digest and then feed it as raw data for the LMS signature generation.

Consequently, if you hash your data using an algorithm such as SHA256 and then supply this digest to the LMS signing API (putting prehashed data in the hash field), DSM interprets the provided digest as raw data, and verification of the signature should be conducted accordingly.

Security
HTTP
Type bearer
API Key: apiKeyAuth
Header parameter nameAuthorization
Body parameters
Expand All
object
key
OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required
Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
hash_alg
string
Valid values[ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
hash
string (byte)
data
string (byte)
mode
OneOf
object
OneOf
RsaSignaturePaddingVariantPss
object (RsaSignaturePaddingVariantPss)
PSS
object Required
mgf
OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required
Valid values[ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaSignaturePaddingVariantPkcs1V15
object (RsaSignaturePaddingVariantPkcs1V15)
PKCS1_V15
object Required
deterministic_signature
boolean | null
context
string (byte)
Responses
2XX

Success result

object
kid
string (uuid) | null
signature
string (byte)