Search in sources :

Example 26 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.

the class DecryptAsymmetric method decryptAsymmetric.

// Decrypt data that was encrypted using the public key component of the given
// key version.
public void decryptAsymmetric(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, byte[] ciphertext) throws IOException {
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Optional, but recommended: compute ciphertext's CRC32C. See helpers below.
        long ciphertextCrc32c = getCrc32cAsLong(ciphertext);
        // Decrypt the ciphertext.
        AsymmetricDecryptRequest request = AsymmetricDecryptRequest.newBuilder().setName(keyVersionName.toString()).setCiphertext(ByteString.copyFrom(ciphertext)).setCiphertextCrc32C(Int64Value.newBuilder().setValue(ciphertextCrc32c).build()).build();
        AsymmetricDecryptResponse response = client.asymmetricDecrypt(request);
        // https://cloud.google.com/kms/docs/data-integrity-guidelines
        if (!response.getVerifiedCiphertextCrc32C()) {
            throw new IOException("AsymmetricDecrypt: request to server corrupted");
        }
        if (!crcMatches(response.getPlaintextCrc32C().getValue(), response.getPlaintext().toByteArray())) {
            throw new IOException("AsymmetricDecrypt: response from server corrupted");
        }
        System.out.printf("Plaintext: %s%n", response.getPlaintext().toStringUtf8());
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) AsymmetricDecryptRequest(com.google.cloud.kms.v1.AsymmetricDecryptRequest) AsymmetricDecryptResponse(com.google.cloud.kms.v1.AsymmetricDecryptResponse) IOException(java.io.IOException) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 27 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.

the class DisableKeyVersion method disableKeyVersion.

// Disable a key version from use.
public void disableKeyVersion(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId) throws IOException {
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Build the updated key version, setting it to disbaled.
        CryptoKeyVersion keyVersion = CryptoKeyVersion.newBuilder().setName(keyVersionName.toString()).setState(CryptoKeyVersionState.DISABLED).build();
        // Create a field mask of updated values.
        FieldMask fieldMask = FieldMaskUtil.fromString("state");
        // Destroy the key version.
        CryptoKeyVersion response = client.updateCryptoKeyVersion(keyVersion, fieldMask);
        System.out.printf("Disabled key version: %s%n", response.getName());
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) CryptoKeyVersion(com.google.cloud.kms.v1.CryptoKeyVersion) FieldMask(com.google.protobuf.FieldMask) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 28 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.

the class EncryptAsymmetric method encryptAsymmetric.

// Encrypt data that was encrypted using the public key component of the given
// key version.
public void encryptAsymmetric(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId, String plaintext) throws IOException, GeneralSecurityException {
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Get the public key.
        PublicKey publicKey = client.getPublicKey(keyVersionName);
        // Convert the public PEM key to a DER key (see helper below).
        byte[] derKey = convertPemToDer(publicKey.getPem());
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);
        java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
        // Encrypt plaintext for the 'RSA_DECRYPT_OAEP_2048_SHA256' key.
        // For other key algorithms:
        // https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
        cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);
        byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        System.out.printf("Ciphertext: %s%n", ciphertext);
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) PublicKey(com.google.cloud.kms.v1.PublicKey) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) Cipher(javax.crypto.Cipher) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient) OAEPParameterSpec(javax.crypto.spec.OAEPParameterSpec)

Example 29 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-docs-samples by GoogleCloudPlatform.

the class GetPublicKey method getPublicKey.

// Get the public key associated with an asymmetric key.
public void getPublicKey(String projectId, String locationId, String keyRingId, String keyId, String keyVersionId) throws IOException, GeneralSecurityException {
    // safely clean up any remaining background resources.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        // Build the key version name from the project, location, key ring, key,
        // and key version.
        CryptoKeyVersionName keyVersionName = CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
        // Get the public key.
        PublicKey publicKey = client.getPublicKey(keyVersionName);
        // https://cloud.google.com/kms/docs/data-integrity-guidelines
        if (!publicKey.getName().equals(keyVersionName.toString())) {
            throw new IOException("GetPublicKey: request to server corrupted");
        }
        // See helper below.
        if (!crcMatches(publicKey.getPemCrc32C().getValue(), publicKey.getPemBytes().toByteArray())) {
            throw new IOException("GetPublicKey: response from server corrupted");
        }
        System.out.printf("Public key: %s%n", publicKey.getPem());
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) PublicKey(com.google.cloud.kms.v1.PublicKey) IOException(java.io.IOException) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient)

Example 30 with CryptoKeyVersionName

use of com.google.cloud.kms.v1.CryptoKeyVersionName in project java-kms by googleapis.

the class SnippetsIT method verifyMac.

@Test
public void verifyMac() throws IOException, GeneralSecurityException {
    String data = "my data";
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
        CryptoKeyVersionName versionName = CryptoKeyVersionName.of(PROJECT_ID, LOCATION_ID, KEY_RING_ID, MAC_KEY_ID, "1");
        MacSignResponse response = client.macSign(versionName, ByteString.copyFromUtf8(data));
        new VerifyMac().verifyMac(PROJECT_ID, LOCATION_ID, KEY_RING_ID, MAC_KEY_ID, "1", data, response.getMac().toByteArray());
        assertThat(stdOut.toString()).contains("Success: true");
    }
}
Also used : CryptoKeyVersionName(com.google.cloud.kms.v1.CryptoKeyVersionName) MacSignResponse(com.google.cloud.kms.v1.MacSignResponse) ByteString(com.google.protobuf.ByteString) KeyManagementServiceClient(com.google.cloud.kms.v1.KeyManagementServiceClient) Test(org.junit.Test)

Aggregations

CryptoKeyVersionName (com.google.cloud.kms.v1.CryptoKeyVersionName)37 KeyManagementServiceClient (com.google.cloud.kms.v1.KeyManagementServiceClient)37 CryptoKeyVersion (com.google.cloud.kms.v1.CryptoKeyVersion)13 PublicKey (com.google.cloud.kms.v1.PublicKey)11 ByteString (com.google.protobuf.ByteString)9 X509EncodedKeySpec (java.security.spec.X509EncodedKeySpec)8 Digest (com.google.cloud.kms.v1.Digest)7 Test (org.junit.Test)7 MessageDigest (java.security.MessageDigest)6 FieldMask (com.google.protobuf.FieldMask)4 Signature (java.security.Signature)4 Cipher (javax.crypto.Cipher)4 OAEPParameterSpec (javax.crypto.spec.OAEPParameterSpec)4 AsymmetricDecryptResponse (com.google.cloud.kms.v1.AsymmetricDecryptResponse)3 AsymmetricSignResponse (com.google.cloud.kms.v1.AsymmetricSignResponse)3 IOException (java.io.IOException)3 KeyOperationAttestation (com.google.cloud.kms.v1.KeyOperationAttestation)2 MacSignResponse (com.google.cloud.kms.v1.MacSignResponse)2 AsymmetricDecryptRequest (com.google.cloud.kms.v1.AsymmetricDecryptRequest)1 AsymmetricSignRequest (com.google.cloud.kms.v1.AsymmetricSignRequest)1