方法:privatekeysign
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
解封装封装的私钥,然后对客户端提供的摘要进行签名。
HTTP 请求
POST https://KACLS_URL/privatekeysign
将 KACLS_URL
替换为密钥访问控制列表服务 (KACLS) 网址。
路径参数
无。
请求正文
请求正文中包含结构如下的数据:
JSON 表示法 |
{
"authentication": string,
"authorization": string,
"algorithm": string,
"digest": string,
"rsa_pss_salt_length": integer,
"reason": string,
"wrapped_private_key": string
}
|
字段 |
authentication |
string
由身份提供方 (IdP) 颁发的 JWT,用于声明用户身份。请参阅身份验证令牌。
|
authorization |
string
一个 JWT,用于断言用户有权为 resource_name 解封装密钥。请参阅授权令牌。
|
algorithm |
string
在信封加密中用于加密数据加密密钥 (DEK) 的算法。
|
digest |
string
Base64 编码的消息摘要。DER 编码 SignedAttributes 的摘要。此值未填充。大小上限:128 字节
|
rsa_pss_salt_length |
integer
(可选)如果签名算法为 RSASSA-PSS,则要使用的盐长度。如果签名算法不是 RSASSA-PSS,则忽略此字段。
|
reason |
string (UTF-8)
一个传递 JSON 字符串,用于提供有关操作的其他背景信息。提供的 JSON 应先经过清理,然后再显示。大小上限:1 KB。
|
wrapped_private_key |
string
采用 base64 编码的封装私钥。大小上限:8 KB。
私钥或封装的私钥的格式取决于密钥访问控制列表服务 (KACLS) 的实现。在客户端和 Gmail 端,此数据会被视为不透明的 blob。
|
响应正文
如果成功,此方法将返回一个 base64 编码的签名。
如果操作失败,则会返回结构化错误回复。
JSON 表示法 |
{
"signature": string
}
|
字段 |
signature |
string
base64 编码的签名。
|
示例
此示例提供了 privatekeysign
方法的请求和响应示例。
请求
{
"wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
"digest": "EOBc7nc+7JdIDeb0DVTHriBAbo/dfHFZJgeUhOyo67o=",
"authorization": "eyJhbGciOi...",
"authentication": "eyJhbGciOi...",
"algorithm": "SHA256withRSA",
"reason": "sign"
}
响应
{
"signature": "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ=="
}
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-08-04。
[null,null,["最后更新时间 (UTC):2025-08-04。"],[[["\u003cp\u003eUnwraps a wrapped private key and uses it to sign a provided digest.\u003c/p\u003e\n"],["\u003cp\u003eRequires authentication and authorization tokens for security.\u003c/p\u003e\n"],["\u003cp\u003eAccepts the signing algorithm, digest, salt length (for RSASSA-PSS), reason, and the wrapped private key in the request body.\u003c/p\u003e\n"],["\u003cp\u003eReturns a base64-encoded signature upon successful operation.\u003c/p\u003e\n"],["\u003cp\u003eProvides a structured error reply if the operation fails.\u003c/p\u003e\n"]]],["The `privatekeysign` method unwraps a private key and signs a client-provided digest. It requires a POST request to the `/privatekeysign` endpoint with a JSON body. The body includes `authentication`, `authorization`, `algorithm`, `digest`, `rsa_pss_salt_length` (optional), `reason`, and the `wrapped_private_key`. Upon success, a JSON response containing a base64-encoded `signature` is returned; otherwise, a structured error reply is returned.\n"],null,["# Method: privatekeysign\n\nUnwraps a wrapped private key and then signs the digest provided by the client.\n\n### HTTP request\n\n`POST https://`\u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e`/privatekeysign`\n\nReplace \u003cvar translate=\"no\"\u003eKACLS_URL\u003c/var\u003e with the Key Access Control List\nService (KACLS) URL.\n\n### Path parameters\n\nNone.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation ||\n|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|\n| ``` { \"authentication\": string, \"authorization\": string, \"algorithm\": string, \"digest\": string, \"rsa_pss_salt_length\": integer, \"reason\": string, \"wrapped_private_key\": string } ``` |\n\n| Fields ||\n|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `authentication` | `string` A JWT issued by the identity provider (IdP) asserting who the user is. See [authentication tokens](/workspace/cse/reference/authentication-tokens). |\n| `authorization` | `string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See [authorization tokens](/workspace/cse/reference/authorization-tokens). |\n| `algorithm` | `string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption. |\n| `digest` | `string` Base64-encoded message digest. The digest of the DER encoded `SignedAttributes`. This value is unpadded. Max size: 128B |\n| `rsa_pss_salt_length` | `integer` (Optional) The salt length to use, if the signature algorithm is RSASSA-PSS. If the signature algorithm is not RSASSA-PSS, this field is ignored. |\n| `reason` | `string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB. |\n| `wrapped_private_key` | `string` The base64-encoded wrapped private key. Max size: 8 KB. The format of the private key or the wrapped private key is up to the Key Access Control List Service (KACLS) implementation. On the client and on the Gmail side, this is treated as an opaque blob. |\n\n### Response body\n\nIf successful, this method returns a base64-encoded signature.\n\nIf the operation fails, a\n[structured error reply](/workspace/cse/reference/structured-errors)\nis returned.\n\n| JSON representation ||\n|---------------------------------|---|\n| ``` { \"signature\": string } ``` |\n\n| Fields ||\n|-------------|--------------------------------------|\n| `signature` | `string` A base64-encoded signature. |\n\n### Example\n\nThis example provides a sample request and response for the `privatekeysign`\nmethod.\n\n#### Request\n\n {\n \"wrapped_private_key\": \"wHrlNOTI9mU6PBdqiq7EQA...\",\n \"digest\": \"EOBc7nc+7JdIDeb0DVTHriBAbo/dfHFZJgeUhOyo67o=\",\n \"authorization\": \"eyJhbGciOi...\",\n \"authentication\": \"eyJhbGciOi...\",\n \"algorithm\": \"SHA256withRSA\",\n \"reason\": \"sign\"\n }\n\n#### Response\n\n {\n \"signature\": \"LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ==\"\n }"]]