
Commit c70bdcd

authored
kms: add attestation and rotation schedule sample (GoogleCloudPlatform#2784)
1 parent b7350bd commit c70bdcd


4 files changed

+174
-1
lines changed

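--- /dev/null
+++ b/kms/src/main/java/kms/GetKeyVersionAttestation.java
@@ -0,0 +1,70 @@
+/*
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package kms;
+
+// [START kms_get_key_version_attestation]
+import com.google.cloud.kms.v1.CryptoKeyVersion;
+import com.google.cloud.kms.v1.CryptoKeyVersionName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.KeyOperationAttestation;
+import java.io.IOException;
+import java.util.Base64;
+
+public class GetKeyVersionAttestation {
+
+public void getKeyVersionAttestation() throws IOException {
+// TODO(developer): Replace these variables before running the sample.
+String projectId = "your-project-id";
+String locationId = "us-east1";
+String keyRingId = "my-key-ring";
+String keyId = "my-key";
+String keyVersionId = "123";
+getKeyVersionAttestation(projectId, locationId, keyRingId, keyId, keyVersionId);
+}
+
+// Get the attestations for a key version
+public void getKeyVersionAttestation(
+String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
+throws IOException {
+// Initialize client that will be used to send requests. This client only
+// needs to be created once, and can be reused for multiple requests. After
+// completing all of your requests, call the "close" method on the client to
+// safely clean up any remaining background resources.
+try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+// Build the name from the project, location, key ring, and keyId.
+CryptoKeyVersionName keyVersionName =
+CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
+
+// Get the key version.
+CryptoKeyVersion keyVersion = client.getCryptoKeyVersion(keyVersionName);
+
+// Only HSM keys have an attestation. For other key types, the attestion
+// will be nil.
+if (!keyVersion.hasAttestation()) {
+System.out.println("no attestation");
+return;
+}
+
+// Print the attestation, base64-encoded.
+KeyOperationAttestation attestation = keyVersion.getAttestation();
+String format = attestation.getFormat().toString();
+byte[] content = attestation.getContent().toByteArray();
+System.out.printf("%s: %s", format, Base64.getEncoder().encodeToString(content));
+}
+}
+}
+// [END kms_get_key_version_attestation]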
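Review bot: The `System.out.printf("%s: %s", ...)` at the end of getKeyVersionAttestation has no trailing newline, so the base64 attestation runs straight into whatever is printed next; the sibling sample in this commit ends its printf with `%n`, and this one should too: `System.out.printf("%s: %s%n", format, Base64.getEncoder().encodeToString(content));`. The comment above the `hasAttestation()` check has a typo and a Go-ism ("attestion", "nil") — in Java the getter simply returns false — so `// Only HSM-protected key versions carry an attestation; for other protection levels hasAttestation() is false.` is more accurate. The sample prints the attestation but does not verify it; a one-line comment noting that validating `content` against the HSM vendor's certificate chain is outside this sample's scope would keep readers from treating the printed blob as evidence on its own.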

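--- a/kms/src/main/java/kms/UpdateKeyRemoveLabels.java
+++ b/kms/src/main/java/kms/UpdateKeyRemoveLabels.java
@@ -50,7 +50,7 @@ public void updateKeyRemoveLabels(
 CryptoKey key = CryptoKey.newBuilder().setName(cryptoKeyName.toString()).build();
 
 // Construct the field mask.
-FieldMask fieldMask = FieldMaskUtil.fromString("rotation_period,next_rotation_time");
+FieldMask fieldMask = FieldMaskUtil.fromString("labels");
 
 // Create the key.
 CryptoKey createdKey = client.updateCryptoKey(key, fieldMask);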
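Review bot: The corrected field mask `labels` now matches the builder, which sets only the name, so the update clears the labels as intended; the context comment `// Create the key.` two lines below still describes the wrong operation and could read `// Update the key, clearing its labels.`. The enclosing method updateKeyRemoveLabels starts and ends outside the hunk.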
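--- /dev/null
+++ b/kms/src/main/java/kms/UpdateKeyRemoveRotation.java
@@ -0,0 +1,66 @@
+/*
+* Copyright 2020 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package kms;
+
+// [START kms_update_key_remove_rotation_schedule]
+import com.google.cloud.kms.v1.CryptoKey;
+import com.google.cloud.kms.v1.CryptoKeyName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+
+public class UpdateKeyRemoveRotation {
+
+public void updateKeyRemoveRotation() throws IOException {
+// TODO(developer): Replace these variables before running the sample.
+String projectId = "your-project-id";
+String locationId = "us-east1";
+String keyRingId = "my-key-ring";
+String keyId = "my-key";
+updateKeyRemoveRotation(projectId, locationId, keyRingId, keyId);
+}
+
+// Update a key to remove all labels.
+public void updateKeyRemoveRotation(
+String projectId, String locationId, String keyRingId, String keyId) throws IOException {
+// Initialize client that will be used to send requests. This client only
+// needs to be created once, and can be reused for multiple requests. After
+// completing all of your requests, call the "close" method on the client to
+// safely clean up any remaining background resources.
+try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+// Build the name from the project, location, key ring, and keyId.
+CryptoKeyName cryptoKeyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);
+
+// Build an empty key with no labels.
+CryptoKey key =
+CryptoKey.newBuilder()
+.setName(cryptoKeyName.toString())
+.clearRotationPeriod()
+.clearNextRotationTime()
+.build();
+
+// Construct the field mask.
+FieldMask fieldMask = FieldMaskUtil.fromString("rotation_period,next_rotation_time");
+
+// Create the key.
+CryptoKey createdKey = client.updateCryptoKey(key, fieldMask);
+System.out.printf("Updated key %s%n", createdKey.getName());
+}
+}
+}
+// [END kms_update_key_remove_rotation_schedule]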
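Review bot: The three comments in updateKeyRemoveRotation were copied from the remove-labels sample and describe the wrong operation: the method comment says `// Update a key to remove all labels.`, the builder comment says `// Build an empty key with no labels.`, and the update call is labelled `// Create the key.`. They should read `// Update a key to remove its rotation schedule.`, `// Build a key with the rotation period and next rotation time cleared.` and `// Update the key.`. Because the code clears both `rotation_period` and `next_rotation_time` in the field mask, the key stops rotating automatically after this update, which is worth stating in the method comment so readers know rotation then has to be arranged some other way.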

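--- a/kms/src/test/java/kms/SnippetsIT.java
+++ b/kms/src/test/java/kms/SnippetsIT.java
@@ -33,6 +33,7 @@
 import com.google.cloud.kms.v1.KeyRingName;
 import com.google.cloud.kms.v1.ListCryptoKeyVersionsRequest;
 import com.google.cloud.kms.v1.LocationName;
+import com.google.cloud.kms.v1.ProtectionLevel;
 import com.google.cloud.kms.v1.PublicKey;
 import com.google.common.base.Strings;
 import com.google.protobuf.ByteString;
@@ -74,6 +75,7 @@ public class SnippetsIT {
 private static String ASYMMETRIC_DECRYPT_KEY_ID;
 private static String ASYMMETRIC_SIGN_EC_KEY_ID;
 private static String ASYMMETRIC_SIGN_RSA_KEY_ID;
+private static String HSM_KEY_ID;
 private static String SYMMETRIC_KEY_ID;
 
 private ByteArrayOutputStream stdOut;
@@ -94,6 +96,9 @@ public static void beforeAll() throws IOException {
 ASYMMETRIC_SIGN_RSA_KEY_ID = getRandomId();
 createAsymmetricSignRsaKey(ASYMMETRIC_SIGN_RSA_KEY_ID);
 
+HSM_KEY_ID = getRandomId();
+createHsmKey(HSM_KEY_ID);
+
 SYMMETRIC_KEY_ID = getRandomId();
 createSymmetricKey(SYMMETRIC_KEY_ID);
 }
@@ -208,6 +213,24 @@ private static CryptoKey createAsymmetricSignRsaKey(String keyId) throws IOExcep
 }
 }
 
+private static CryptoKey createHsmKey(String keyId) throws IOException {
+try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+CryptoKey key =
+CryptoKey.newBuilder()
+.setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
+.setVersionTemplate(
+CryptoKeyVersionTemplate.newBuilder()
+.setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
+.setProtectionLevel(ProtectionLevel.HSM)
+.build())
+.putLabels("foo", "bar")
+.putLabels("zip", "zap")
+.build();
+CryptoKey createdKey = client.createCryptoKey(getKeyRingName(), keyId, key);
+return createdKey;
+}
+}
+
 private static CryptoKey createSymmetricKey(String keyId) throws IOException {
 try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
 CryptoKey key =
@@ -409,6 +432,13 @@ public void testEncryptSymmetric() throws IOException {
 assertThat(stdOut.toString()).contains("Ciphertext");
 }
 
+@Test
+public void testGetKeyVersionAttestation() throws IOException {
+new GetKeyVersionAttestation()
+.getKeyVersionAttestation(PROJECT_ID, LOCATION_ID, KEY_RING_ID, HSM_KEY_ID, "1");
+assertThat(stdOut.toString()).contains("CAVIUM");
+}
+
 @Test
 public void testGetKeyLabels() throws IOException {
 new GetKeyLabels().getKeyLabels(PROJECT_ID, LOCATION_ID, KEY_RING_ID, SYMMETRIC_KEY_ID);
@@ -466,6 +496,13 @@ public void testUpdateKeyRemoveLabels() throws IOException {
 assertThat(stdOut.toString()).contains("Updated key");
 }
 
+@Test
+public void testUpdateKeyRemoveRotation() throws IOException {
+new UpdateKeyRemoveRotation()
+.updateKeyRemoveRotation(PROJECT_ID, LOCATION_ID, KEY_RING_ID, SYMMETRIC_KEY_ID);
+assertThat(stdOut.toString()).contains("Updated key");
+}
+
 @Test
 public void testUpdateKeySetPrimary() throws IOException {
 new UpdateKeySetPrimary()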
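Review bot: In createHsmKey the `createdKey` local adds nothing; `return client.createCryptoKey(getKeyRingName(), keyId, key);` is the same call and keeps the return inside the try-with-resources scope. The helper also carries the `foo`/`zip` labels over from createSymmetricKey although nothing in the new attestation test reads them, so either drop them or add `// labels are not used by the attestation test` so a reader does not look for a dependency. Further down, testGetKeyVersionAttestation asserts on the literal `CAVIUM`, which pins the test to the current HSM vendor's attestation format name rather than to the sample's own output; a comment such as `// Format name depends on the HSM vendor backing Cloud HSM; update if the attestation format changes.` makes that coupling explicit. The enclosing class SnippetsIT starts and ends outside these hunks.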
