Method: privatekeysign

Unwraps a wrapped private key and then signs the digest provided by the client.

HTTP request

POST https://BASE_URL/privatekeysign

Replace BASE_URL with the base URL.

Path parameters

None.

Request body

The request body contains data with the following structure:

JSON representation
{ "authentication": string, "authorization": string, "algorithm": string, "digest": string, "rsa_pss_salt_length": integer, "reason": string, "wrapped_private_key": string }

Fields
`authentication`	`string` A JWT issued by the identity provider (IdP) asserting who the user is. See authentication tokens.
`authorization`	`string` A JWT asserting that the user is allowed to unwrap a key for `resource_name`. See authorization tokens.
`algorithm`	`string` The algorithm that was used to encrypt the Data Encryption Key (DEK) in envelope encryption.
`digest`	`string` Base64-encoded message digest. The digest of the DER encoded `SignedAttributes`. This value is unpadded. Max size: 128B
`rsa_pss_salt_length`	`integer` (Optional) The salt length to use, if the signature algorithm is RSASSA-PSS. If the signature algorithm is not RSASSA-PSS, this field is ignored.
`reason`	`string (UTF-8)` A passthrough JSON string providing additional context about the operation. The JSON provided should be sanitized before being displayed. Max size: 1 KB.
`wrapped_private_key`	`string` The base64-encoded wrapped private key. Max size: 8 KB. The format of the private key or the wrapped private key is up to the Key Access Control List Service (KACLS) implementation. On the client and on the Gmail side, this is treated as an opaque blob.

Response body

If successful, this method returns a base64-encoded signature.

If the operation fails, a structured error reply is returned.

JSON representation
{ "signature": string }

Fields

Fields
`signature`	`string` A base64-encoded signature.

signature

string

A base64-encoded signature.

Example

This example provides a sample request and response for the privatekeysign method.

Request

{
  "wrapped_private_key": "wHrlNOTI9mU6PBdqiq7EQA...",
  "digest": "EOBc7nc+7JdIDeb0DVTHriBAbo/dfHFZJgeUhOyo67o=",
  "authorization": "eyJhbGciOi...",
  "authentication": "eyJhbGciOi...",
  "algorithm": "SHA256withRSA",
  "reason": "sign"
}

Response

{
  "signature": "LpyCSy5ddy82PIp/87JKaMF4Jmt1KdrbfT1iqpB7uhVd3OwZiu+oq8kxIzB7Lr0iX4aOcxM6HiUyMrGP2PG8x0HkpykbUKQxBVcfm6SLdsqigT9ho5RYw20M6ZXNWVRetFSleKex4SRilTRny38e2ju/lUy0KDaCt1hDUT89nLZ1wsO3D1F3xk8J7clXv5fe7GPRd1ojo82Ny0iyVO7y7h1lh2PACHUFXOMzsdURYFCnxhKAsadccCxpCxKh5x8p78PdoenwY1tnT3/X4O/4LAGfT4fo98Frxy/xtI49WDRNZi6fsL6BQT4vS/WFkybBX9tXaenCqlRBDyZSFhatPQ=="
}