Example 11 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class SnippetsIT method testVerifyAsymmetricEc.

@Test
public void testVerifyAsymmetricEc() throws IOException, GeneralSecurityException {
    String message = "my message";
    byte[] signature;
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        CryptoKeyVersionName versionName = CryptoKeyVersionName.of(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_SIGN_EC_KEY_ID, "1");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] hash = sha256.digest(message.getBytes(StandardCharsets.UTF_8));
        Digest digest = Digest.newBuilder().setSha256(ByteString.copyFrom(hash)).build();
        signature = client.asymmetricSign(versionName, digest).getSignature().toByteArray();
    }
    new VerifyAsymmetricEc().verifyAsymmetricEc(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_SIGN_EC_KEY_ID, "1", message, signature);
    assertThat(stdOut.toString()).contains("Signature");
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) Digest(com.google.cloud.kms.v1.Digest) MessageDigest(java.security.MessageDigest) ByteString(com.google.protobuf.ByteString) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient) Test(org.junit.Test)

Example 12 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class SignAsymmetric method signAsymmetric.

// Sign a message with an asymmetric signing key version.
public void signAsymmetric(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message) throws IOException, GeneralSecurityException {
    // Initialize the client. The try-with-resources block closes it, which
    // safely cleans up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Convert the message into bytes. Cryptographic plaintexts and
        // ciphertexts are always byte arrays.
        byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
        // Calculate the digest.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] hash = sha256.digest(plaintext);
        // Build the digest object.
        Digest digest = Digest.newBuilder().setSha256(ByteString.copyFrom(hash)).build();
        // Sign the digest.
        AsymmetricSignResponse result = client.asymmetricSign(keyVersionName, digest);
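        // Get the signature.
        byte[] signature = result.getSignature().toByteArray();
        // The signature is raw bytes; printing the array directly would show
        // only its object identity, so base64-encode it first.
        System.out.printf("Signature %s%n", java.util.Base64.getEncoder().encodeToString(signature));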
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) MessageDigest(java.security.MessageDigest) Digest(com.google.cloud.kms.v1.Digest) AsymmetricSignResponse(com.google.cloud.kms.v1.AsymmetricSignResponse) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 13 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class SignMac method signMac.

// Sign data with a given MAC key.
public void signMac(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String data) throws IOException {
    // Initialize the client. The try-with-resources block closes it, which
    // safely cleans up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Generate an HMAC of the data.
        MacSignResponse response = client.macSign(keyVersionName, ByteString.copyFromUtf8(data));
        // The data comes back as raw bytes, which may include non-printable
        // characters. This base64-encodes the result so it can be printed below.
        String encodedSignature = Base64.getEncoder().encodeToString(response.getMac().toByteArray());
        System.out.printf("Signature: %s%n", encodedSignature);
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) MacSignResponse(com.google.cloud.kms.v1.MacSignResponse) ByteString(com.google.protobuf.ByteString) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 14 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class VerifyAsymmetricEc method verifyAsymmetricEc.

// Verify the signature of a message signed with an EC key.
public void verifyAsymmetricEc(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message, byte[] signature) throws IOException, GeneralSecurityException {
    // Initialize the client. The try-with-resources block closes it, which
    // safely cleans up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Convert the message into bytes. Cryptographic plaintexts and
        // ciphertexts are always byte arrays.
        byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
        // Get the public key.
        PublicKey publicKey = client.getPublicKey(keyVersionName);
        // Convert the public PEM key to a DER key (convertPemToDer is a helper
        // method that is not shown in this excerpt).
        byte[] derKey = convertPemToDer(publicKey.getPem());
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
        java.security.PublicKey ecKey = KeyFactory.getInstance("EC").generatePublic(keySpec);
        // Verify the ECDSA signature over the SHA-256 digest of the message.
        // For other key algorithms:
        // http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Signature
        Signature ecVerify = Signature.getInstance("SHA256withECDSA");
        ecVerify.initVerify(ecKey);
        ecVerify.update(plaintext);
        // Verify the signature.
        boolean verified = ecVerify.verify(signature);
        System.out.printf("Signature verified: %s", verified);
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) PublicKey(com.google.cloud.kms.v1.PublicKey) Signature(java.security.Signature) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 15 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class VerifyAsymmetricRsa method verifyAsymmetricRsa.

// Verify the signature of a message signed with an RSA key.
public void verifyAsymmetricRsa(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message, byte[] signature) throws IOException, GeneralSecurityException {
    // Initialize the client. The try-with-resources block closes it, which
    // safely cleans up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Convert the message into bytes. Cryptographic plaintexts and
        // ciphertexts are always byte arrays.
        byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
        // Get the public key.
        PublicKey publicKey = client.getPublicKey(keyVersionName);
        // Convert the public PEM key to a DER key (convertPemToDer is a helper
        // method that is not shown in this excerpt).
        byte[] derKey = convertPemToDer(publicKey.getPem());
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
        java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
        // Verify the 'RSA_SIGN_PKCS1_2048_SHA256' signature.
        // For other key algorithms:
        // http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Signature
        Signature rsaVerify = Signature.getInstance("SHA256withRSA");
        rsaVerify.initVerify(rsaKey);
        rsaVerify.update(plaintext);
        // Verify the signature.
        boolean verified = rsaVerify.verify(signature);
        System.out.printf("Signature verified: %s", verified);
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) PublicKey(com.google.cloud.kms.v1.PublicKey) Signature(java.security.Signature) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)
