Add Java docs samples for KMS key import.

bdhess · bdhess · commit 7cd3a07672a4 · 2022-11-17T19:04:55.000Z
diff --git a/kms/pom.xml b/kms/pom.xml
@@ -42,6 +42,11 @@
       <groupId>com.google.cloud</groupId>
       <artifactId>google-cloud-kms</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.google.crypto.tink</groupId>
+      <artifactId>tink</artifactId>
+      <version>1.7.0</version>
+    </dependency>
     <!-- [START_EXCLUDE] -->
     <dependency>
       <groupId>com.google.protobuf</groupId>
diff --git a/kms/src/main/java/kms/CheckStateImportJob.java b/kms/src/main/java/kms/CheckStateImportJob.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_check_state_import_job]
+import com.google.cloud.kms.v1.ImportJob;
+import com.google.cloud.kms.v1.ImportJobName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import java.io.IOException;
+
+public class CheckStateImportJob {
+
+  public void checkStateImportJob() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String importJobId = "my-import-job";
+    checkStateImportJob(projectId, locationId, keyRingId, importJobId);
+  }
+
+  // Check the state of an import job in Cloud KMS.
+  public void checkStateImportJob(String projectId, String locationId,
+                                  String keyRingId, String importJobId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client =
+             KeyManagementServiceClient.create()) {
+      // Build the parent name from the project, location, and key ring.
+      ImportJobName importJobName =
+          ImportJobName.of(projectId, locationId, keyRingId, importJobId);
+
+      // Retrieve the state of an existing import job.
+      ImportJob importJob = client.getImportJob(importJobName);
+      System.out.printf("Current state of import job %s: %s%n",
+                        importJob.getName(), importJob.getState());
+    }
+  }
+}
+// [END kms_check_state_import_job]
diff --git a/kms/src/main/java/kms/CheckStateImportedKey.java b/kms/src/main/java/kms/CheckStateImportedKey.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_check_state_imported_key]
+import com.google.cloud.kms.v1.CryptoKeyVersion;
+import com.google.cloud.kms.v1.CryptoKeyVersionName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import java.io.IOException;
+
+public class CheckStateImportedKey {
+
+  public void checkStateImportedKey() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String cryptoKeyId = "my-crypto-key";
+    String cryptoKeyVersionId = "1";
+    checkStateImportedKey(projectId, locationId, keyRingId, cryptoKeyId,
+                          cryptoKeyVersionId);
+  }
+
+  // Check the state of an imported key in Cloud KMS.
+  public void checkStateImportedKey(String projectId, String locationId,
+                                    String keyRingId, String cryptoKeyId,
+                                    String cryptoKeyVersionId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client =
+             KeyManagementServiceClient.create()) {
+      // Build the version name from its path components.
+      CryptoKeyVersionName versionName = CryptoKeyVersionName.of(
+          projectId, locationId, keyRingId, cryptoKeyId, cryptoKeyVersionId);
+
+      // Retrieve the state of an existing version.
+      CryptoKeyVersion version = client.getCryptoKeyVersion(versionName);
+      System.out.printf("Current state of crypto key version %s: %s%n",
+                        version.getName(), version.getState());
+    }
+  }
+}
+// [END kms_check_state_imported_key]
diff --git a/kms/src/main/java/kms/CreateImportJob.java b/kms/src/main/java/kms/CreateImportJob.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_create_import_job]
+import com.google.cloud.kms.v1.ImportJob;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.KeyRingName;
+import com.google.cloud.kms.v1.ProtectionLevel;
+import com.google.cloud.kms.v1.ImportJob.ImportMethod;
+
+import java.io.IOException;
+
+public class CreateImportJob {
+
+  public void createImportJob() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String id = "my-import-job";
+    createImportJob(projectId, locationId, keyRingId, id);
+  }
+
+  // Create a new import job.
+  public void createImportJob(String projectId, String locationId,
+      String keyRingId, String id) throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the parent name from the project, location, and key ring.
+      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);
+
+      // Build the import job to create, with parameters.
+      ImportJob importJob = ImportJob
+          .newBuilder()
+          // See allowed values and their descriptions at
+          // https://cloud.google.com/kms/docs/algorithms#protection_levels
+          .setProtectionLevel(ProtectionLevel.HSM)
+          // See allowed values and their descriptions at
+          // https://cloud.google.com/kms/docs/key-wrapping#import_methods
+          .setImportMethod(ImportMethod.RSA_OAEP_3072_SHA1_AES_256)
+          .build();
+
+      // Create the import job.
+      ImportJob createdImportJob = client.createImportJob(keyRingName, id, importJob);
+      System.out.printf("Created import job %s%n", createdImportJob.getName());
+    }
+  }
+}
+// [END kms_create_import_job]
diff --git a/kms/src/main/java/kms/CreateKeyForImport.java b/kms/src/main/java/kms/CreateKeyForImport.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_create_key_for_import]
+import com.google.cloud.kms.v1.CreateCryptoKeyRequest;
+import com.google.cloud.kms.v1.CryptoKey;
+import com.google.cloud.kms.v1.CryptoKeyVersionTemplate;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.KeyRingName;
+import com.google.cloud.kms.v1.ProtectionLevel;
+import com.google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose;
+import com.google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm;
+
+import java.io.IOException;
+
+public class CreateKeyForImport {
+
+  public void createKeyForImport() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String id = "my-import-key";
+    createKeyForImport(projectId, locationId, keyRingId, id);
+  }
+
+  // Create a new crypto key to hold imported key versions.
+  public void createKeyForImport(String projectId, String locationId,
+      String keyRingId, String id)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the parent name from the project, location, and key ring.
+      KeyRingName keyRingName = KeyRingName.of(projectId, locationId, keyRingId);
+
+      // Create the crypto key.
+      CryptoKey createdKey = client.createCryptoKey(
+          CreateCryptoKeyRequest.newBuilder()
+              .setParent(keyRingName.toString())
+              .setCryptoKeyId(id)
+              .setCryptoKey(CryptoKey.newBuilder()
+                  .setPurpose(CryptoKeyPurpose.ASYMMETRIC_SIGN)
+                  .setVersionTemplate(
+                      CryptoKeyVersionTemplate.newBuilder()
+                          .setProtectionLevel(ProtectionLevel.HSM)
+                          .setAlgorithm(CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256))
+                  // Ensure that only imported versions may be
+                  // added to this key.
+                  .setImportOnly(true))
+              .setSkipInitialVersionCreation(true)
+              .build());
+
+      System.out.printf("Created crypto key %s%n", createdKey.getName());
+    }
+  }
+}
+// [END kms_create_crypto_key]
diff --git a/kms/src/main/java/kms/ImportManuallyWrappedKey.java b/kms/src/main/java/kms/ImportManuallyWrappedKey.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_import_manually_wrapped_key]
+import com.google.cloud.kms.v1.CryptoKeyName;
+import com.google.cloud.kms.v1.CryptoKeyVersion;
+import com.google.cloud.kms.v1.ImportCryptoKeyVersionRequest;
+import com.google.cloud.kms.v1.ImportJob;
+import com.google.cloud.kms.v1.ImportJobName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.crypto.tink.subtle.Kwp;
+import com.google.protobuf.ByteString;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Arrays;
+import java.util.Base64;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.OAEPParameterSpec;
+import javax.crypto.spec.PSource;
+
+public class ImportManuallyWrappedKey {
+
+    public void importManuallyWrappedKey() throws GeneralSecurityException, IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        String projectId = "your-project-id";
+        String locationId = "us-east1";
+        String keyRingId = "my-key-ring";
+        String cryptoKeyId = "my-crypto-key";
+        String importJobId = "my-import-job";
+        importManuallyWrappedKey(projectId, locationId, keyRingId, cryptoKeyId,
+                importJobId);
+    }
+
+    // Generates and imports local key material into Cloud KMS.
+    public void importManuallyWrappedKey(String projectId, String locationId,
+            String keyRingId, String cryptoKeyId,
+            String importJobId) throws GeneralSecurityException, IOException {
+
+        // Generate a new ECDSA keypair, and format the private key as PKCS #8 DER.
+        KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
+        generator.initialize(new ECGenParameterSpec("secp256r1"));
+        KeyPair kp = generator.generateKeyPair();
+        byte[] privateBytes = kp.getPrivate().getEncoded();
+
+        // Initialize client that will be used to send requests. This client only
+        // needs to be created once, and can be reused for multiple requests. After
+        // completing all of your requests, call the "close" method on the client to
+        // safely clean up any remaining background resources.
+        try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+            // Build the crypto key and import job names from the project, location,
+            // key ring, and ID.
+            CryptoKeyName cryptoKeyName = CryptoKeyName.of(projectId, locationId, keyRingId, cryptoKeyId);
+            ImportJobName importJobName = ImportJobName.of(projectId, locationId, keyRingId, importJobId);
+
+            // Generate a temporary 32-byte key for AES-KWP and wrap the key material.
+            byte[] kwpKey = new byte[32];
+            new SecureRandom().nextBytes(kwpKey);
+            Kwp kwp = new Kwp(kwpKey);
+            byte[] wrappedTargetKey = kwp.wrap(privateBytes);
+
+            // Retrieve the public key from the import job.
+            ImportJob importJob = client.getImportJob(importJobName);
+            String publicKeyStr = importJob.getPublicKey().getPem();
+            // Manually convert PEM to DER. :-(
+            publicKeyStr = publicKeyStr.replace("-----BEGIN PUBLIC KEY-----", "");
+            publicKeyStr = publicKeyStr.replace("-----END PUBLIC KEY-----", "");
+            publicKeyStr = publicKeyStr.replaceAll("\n", "");
+            byte[] publicKeyBytes = Base64.getDecoder().decode(publicKeyStr);
+            PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(
+                    new X509EncodedKeySpec(publicKeyBytes));
+
+            // Wrap the KWP key using the import job key.
+            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+            cipher.init(Cipher.ENCRYPT_MODE, publicKey,
+                    new OAEPParameterSpec("SHA-1", "MGF1",
+                            MGF1ParameterSpec.SHA1,
+                            PSource.PSpecified.DEFAULT));
+            byte[] wrappedWrappingKey = cipher.doFinal(kwpKey);
+
+            // Concatenate the wrapped KWP key and the wrapped target key.
+            ByteString combinedWrappedKeys = ByteString.copyFrom(wrappedWrappingKey)
+                    .concat(ByteString.copyFrom(wrappedTargetKey));
+
+            // Import the wrapped key material.
+            CryptoKeyVersion version = client.importCryptoKeyVersion(
+                    ImportCryptoKeyVersionRequest.newBuilder()
+                            .setParent(cryptoKeyName.toString())
+                            .setImportJob(importJobName.toString())
+                            .setAlgorithm(CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256)
+                            .setRsaAesWrappedKey(combinedWrappedKeys)
+                            .build());
+
+            System.out.printf("Imported: %s%n", version.getName());
+        }
+    }
+}
+// [END kms_import_manually_wrapped_key]
diff --git a/kms/src/test/java/kms/SnippetsIT.java b/kms/src/test/java/kms/SnippetsIT.java
