use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.
the class SignAsymmetric method signAsymmetric.
// Get the public key associated with an asymmetric key.
public void signAsymmetric(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message) throws IOException, GeneralSecurityException {
// safely clean up any remaining background resources.
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// Build the key version name from the project, location, key ring, key,
// and key version.
CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
// Convert the message into bytes. Cryptographic plaintexts and
// ciphertexts are always byte arrays.
byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
// Calculate the digest.
MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
byte[] hash = sha256.digest(plaintext);
// Build the digest object.
Digest digest = Digest.newBuilder().setSha256(ByteString.copyFrom(hash)).build();
// Optional, but recommended: compute digest's CRC32C. See helper below.
long digestCrc32c = getCrc32cAsLong(hash);
// Sign the digest.
AsymmetricSignRequest request = AsymmetricSignRequest.newBuilder().setName(keyVersionName.toString()).setDigest(digest).setDigestCrc32C(Int64Value.newBuilder().setValue(digestCrc32c).build()).build();
AsymmetricSignResponse response = client.asymmetricSign(request);
// https://cloud.google.com/kms/docs/data-integrity-guidelines
if (!response.getVerifiedDigestCrc32C()) {
throw new IOException("AsymmetricSign: request to server corrupted");
}
// See helper below.
if (!crcMatches(response.getSignatureCrc32C().getValue(), response.getSignature().toByteArray())) {
throw new IOException("AsymmetricSign: response from server corrupted");
}
// Get the signature.
byte[] signature = response.getSignature().toByteArray();
System.out.printf("Signature %s%n", signature);
}
}
use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.
the class VerifyAsymmetricEc method verifyAsymmetricEc.
// Verify the signature of a message signed with an RSA key.
public void verifyAsymmetricEc(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message, byte[] signature) throws IOException, GeneralSecurityException {
// safely clean up any remaining background resources.
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// Build the name from the project, location, and key ring, key, and key version.
CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
// Convert the message into bytes. Cryptographic plaintexts and
// ciphertexts are always byte arrays.
byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
// Get the public key.
PublicKey publicKey = client.getPublicKey(keyVersionName);
// Convert the public PEM key to a DER key (see helper below).
byte[] derKey = convertPemToDer(publicKey.getPem());
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
java.security.PublicKey ecKey = KeyFactory.getInstance("EC").generatePublic(keySpec);
// Verify the 'RSA_SIGN_PKCS1_2048_SHA256' signature.
// For other key algorithms:
// http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Signature
Signature ecVerify = Signature.getInstance("SHA256withECDSA");
ecVerify.initVerify(ecKey);
ecVerify.update(plaintext);
// Verify the signature.
boolean verified = ecVerify.verify(signature);
System.out.printf("Signature verified: %s", verified);
}
}
use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.
the class VerifyAsymmetricRsa method verifyAsymmetricRsa.
// Verify the signature of a message signed with an RSA key.
public void verifyAsymmetricRsa(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String message, byte[] signature) throws IOException, GeneralSecurityException {
// safely clean up any remaining background resources.
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
// Build the name from the project, location, and key ring, key, and key version.
CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
// Convert the message into bytes. Cryptographic plaintexts and
// ciphertexts are always byte arrays.
byte[] plaintext = message.getBytes(StandardCharsets.UTF_8);
// Get the public key.
PublicKey publicKey = client.getPublicKey(keyVersionName);
// Convert the public PEM key to a DER key (see helper below).
byte[] derKey = convertPemToDer(publicKey.getPem());
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
// Verify the 'RSA_SIGN_PKCS1_2048_SHA256' signature.
// For other key algorithms:
// http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Signature
Signature rsaVerify = Signature.getInstance("SHA256withRSA");
rsaVerify.initVerify(rsaKey);
rsaVerify.update(plaintext);
// Verify the signature.
boolean verified = rsaVerify.verify(signature);
System.out.printf("Signature verified: %s", verified);
}
}
use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.
the class SnippetsIT method testDecryptAsymmetric.
@Test
public void testDecryptAsymmetric() throws IOException, GeneralSecurityException {
String plaintext = "my message";
byte[] ciphertext;
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_DECRYPT_KEY_ID, "1");
PublicKey publicKey = client.getPublicKey(keyVersionName);
byte[] derKey = convertPemToDer(publicKey.getPem());
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);
ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
}
new DecryptAsymmetric().decryptAsymmetric(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_DECRYPT_KEY_ID, "1", ciphertext);
assertThat(stdOut.toString()).contains("my message");
}
use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.
the class SnippetsIT method testVerifyAsymmetricEc.
@Test
public void testVerifyAsymmetricEc() throws IOException, GeneralSecurityException {
String message = "my message";
byte[] signature;
try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
CryptoKeyVersionName versionName = CryptoKeyVersionName.of(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_SIGN_EC_KEY_ID, "1");
MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
byte[] hash = sha256.digest(message.getBytes(StandardCharsets.UTF_8));
Digest digest = Digest.newBuilder().setSha256(ByteString.copyFrom(hash)).build();
signature = client.asymmetricSign(versionName, digest).getSignature().toByteArray();
}
new VerifyAsymmetricEc().verifyAsymmetricEc(PROJECT_ID, LOCATION_ID, KEY_RING_ID, ASYMMETRIC_SIGN_EC_KEY_ID, "1", message, signature);
assertThat(stdOut.toString()).contains("Signature");
}
Aggregations