From d81f1be2a97bfcd940daee2c3f004f7de632fb58 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 21 Sep 2018 14:01:38 -0700 Subject: [PATCH 01/11] added region tag for imports --- kms/src/main/java/com/example/Asymmetric.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index d4989b27ee2..0f9b2c68578 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java @@ -16,6 +16,7 @@ package com.example; +// [START kms_get_asymmetric_public] import com.google.api.client.googleapis.auth.oauth2.GoogleCredential; import com.google.api.client.http.HttpTransport; import com.google.api.client.http.javanet.NetHttpTransport; @@ -52,6 +53,7 @@ import javax.crypto.NoSuchPaddingException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.io.pem.PemReader; +// [END kms_get_asymmetric_public] @SuppressWarnings("checkstyle:abbreviationaswordinname") public class Asymmetric { From a7242b9bf34690547ab25b576b3566366ac47747 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 21 Sep 2018 14:55:38 -0700 Subject: [PATCH 02/11] use byte[] instead of String for plaintext and ciphertext --- kms/src/main/java/com/example/Asymmetric.java | 28 +++++++++---------- .../test/java/com/example/AsymmetricIT.java | 19 +++++++++---- 2 files changed, 26 insertions(+), 21 deletions(-) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 0f9b2c68578..2e638b3c7a4 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java 
@@ -88,7 +88,7 @@ public static PublicKey getAsymmetricPublicKey(CloudKMS client, String keyPath) * Decrypt a given ciphertext using an 'RSA_DECRYPT_OAEP_2048_SHA256' private key * stored on Cloud KMS */ - public static String decryptRSA(String ciphertext, CloudKMS client, String keyPath) + public static byte[] decryptRSA(byte[] ciphertext, CloudKMS client, String keyPath) throws IOException { AsymmetricDecryptRequest request = new AsymmetricDecryptRequest().setCiphertext(ciphertext); AsymmetricDecryptResponse response = client.projects() @@ -98,16 +98,16 @@ public static String decryptRSA(String ciphertext, CloudKMS client, String keyPa .cryptoKeyVersions() .asymmetricDecrypt(keyPath, request) .execute(); - return new String(response.decodePlaintext()); + return response.decodePlaintext(); } // [END kms_decrypt_rsa] // [START kms_encrypt_rsa] /** - * Encrypt message locally using an 'RSA_DECRYPT_OAEP_2048_SHA256' public key + * Encrypt data locally using an 'RSA_DECRYPT_OAEP_2048_SHA256' public key * retrieved from Cloud KMS */ - public static String encryptRSA(String message, CloudKMS client, String keyPath) + public static byte[] encryptRSA(byte[] plaintext, CloudKMS client, String keyPath) throws IOException, IllegalBlockSizeException, NoSuchPaddingException, InvalidKeySpecException, NoSuchProviderException, BadPaddingException, NoSuchAlgorithmException, InvalidKeyException { 
@@ -116,20 +116,18 @@ public static String encryptRSA(String message, CloudKMS client, String keyPath) Cipher cipher = Cipher.getInstance("RSA/NONE/OAEPWITHSHA256ANDMGF1PADDING", "BC"); cipher.init(Cipher.ENCRYPT_MODE, rsaKey); - byte[] ciphertext = cipher.doFinal(message.getBytes(StandardCharsets.UTF_8)); - return Base64.getEncoder().encodeToString(ciphertext); + return cipher.doFinal(plaintext); } // [END kms_encrypt_rsa] // [START kms_sign_asymmetric] /** Create a signature for a message using a private key stored on Cloud KMS */ - public static String signAsymmetric(String message, CloudKMS client, String keyPath) + public static String signAsymmetric(byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException { - byte[] msgBytes = message.getBytes(StandardCharsets.UTF_8); Digest digest = new Digest(); // Note: some key algorithms will require a different hash function // For example, EC_SIGN_P384_SHA384 requires SHA-384 - digest.encodeSha256(MessageDigest.getInstance("SHA-256").digest(msgBytes)); + digest.encodeSha256(MessageDigest.getInstance("SHA-256").digest(message)); AsymmetricSignRequest signRequest = new AsymmetricSignRequest(); signRequest.setDigest(digest); @@ -148,9 +146,9 @@ public static String signAsymmetric(String message, CloudKMS client, String keyP // [START kms_verify_signature_rsa] /** * Verify the validity of an 'RSA_SIGN_PSS_2048_SHA256' signature for the - * specified plaintext message + * specified message */ - public static boolean verifySignatureRSA(String signature, String message, CloudKMS client, + public static boolean verifySignatureRSA(String signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, SignatureException, NoSuchProviderException, InvalidKeyException { Security.addProvider(new BouncyCastleProvider()); 
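Review bot: `encryptRSA` now hands caller-supplied bytes of any length straight to `cipher.doFinal(plaintext)`, but RSA-OAEP with a 2048-bit key and SHA-256 can carry at most 190 bytes (256 − 2·32 − 2), and neither the Javadoc nor the code says so. I would add a sentence to the Javadoc such as `plaintext must be at most 190 bytes for a 2048-bit key; encrypt larger data with a symmetric key and wrap that key with RSA instead`. Otherwise readers copying the sample only discover the limit as a provider exception at runtime. The method's signature and Javadoc sit in the previous hunk, so the comment belongs there.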
@@ -159,7 +157,7 @@ public static boolean verifySignatureRSA(String signature, String message, Cloud Signature rsaVerify = Signature.getInstance("SHA256withRSA/PSS"); rsaVerify.initVerify(rsaKey); - rsaVerify.update(message.getBytes(StandardCharsets.UTF_8)); + rsaVerify.update(message); byte[] sigBytes = Base64.getMimeDecoder().decode(signature); return rsaVerify.verify(sigBytes); } @@ -168,9 +166,9 @@ public static boolean verifySignatureRSA(String signature, String message, Cloud // [START kms_verify_signature_ec] /** * Verify the validity of an 'EC_SIGN_P256_SHA256' signature for the - * specified plaintext message + * specified message */ - public static boolean verifySignatureEC(String signature, String message, CloudKMS client, + public static boolean verifySignatureEC(String signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, SignatureException, NoSuchProviderException, InvalidKeyException { Security.addProvider(new BouncyCastleProvider()); @@ -179,7 +177,7 @@ public static boolean verifySignatureEC(String signature, String message, CloudK Signature ecVerify = Signature.getInstance("SHA256withECDSA", "BC"); ecVerify.initVerify(ecKey); - ecVerify.update(message.getBytes(StandardCharsets.UTF_8)); + ecVerify.update(message); byte[] sigBytes = Base64.getMimeDecoder().decode(signature); return ecVerify.verify(sigBytes); } diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index 0a991e6ec0c..29cd52cceeb 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java 
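Review bot: `verifySignatureRSA` still calls `Signature.getInstance("SHA256withRSA/PSS")` without naming a provider, while the EC path two hunks further down pins `"BC"`. Without a pinned provider, the implementation is whatever the JVM's provider order resolves first, and the PSS salt length and MGF1 digest defaults come with it; those may not match what an 'RSA_SIGN_PSS_2048_SHA256' key produces. I would write `Signature.getInstance("SHA256withRSA/PSS", "BC")` and, assuming KMS uses a salt as long as the digest, set the parameters explicitly with `rsaVerify.setParameter(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1))`. The line is unchanged context here and again in the later "sign/verify uses bytes" patch; the method begins outside this hunk.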
@@ -56,6 +56,7 @@ public class AsymmetricIT { private static final String parent = "projects/" + projectId + "/locations/global"; private static final String keyRing = "kms-asymmetric-sample"; private static final String message = "test message 123"; + private static final byte[] message_bytes = message.getBytes(StandardCharsets.UTF_8); private static final String rsaDecryptId = "rsa-decrypt"; private static final String rsaSignId = "rsa-sign"; @@ -136,11 +137,13 @@ public void testGetPublicKey() throws Exception { @Test public void testRSAEncryptDecrypt() throws Exception { - String ciphertext = Asymmetric.encryptRSA(message, client, rsaDecrypt); + byte[] cipherbytes = Asymmetric.encryptRSA(message_bytes, client, rsaDecrypt); + String ciphertext = Base64.getEncoder().encodeToString(cipherbytes); assertEquals("incorrect RSA ciphertext length.", 344, ciphertext.length()); assertEquals("incorrect ciphertext final character.", '=', ciphertext.charAt(343)); - String plaintext = Asymmetric.decryptRSA(ciphertext, client, rsaDecrypt); + bytes[] plainbytes = Asymmetric.decryptRSA(cipherbytes, client, rsaDecrypt); + String plaintext = new String(plainbytes); assertEquals("decryption failed.", message, plaintext); } @@ -150,9 +153,11 @@ public void testRSASignVerify() throws Exception { assertEquals("invalid ciphertext length", 344, sig.length()); assertEquals("incorrect ciphertext final character.", '=', sig.charAt(343)); - boolean success = Asymmetric.verifySignatureRSA(sig, message, client, rsaSign); + boolean success = Asymmetric.verifySignatureRSA(sig, message_bytes, client, rsaSign); assertTrue("RSA verification failed.", success); - boolean shouldFail = Asymmetric.verifySignatureRSA(sig, message + ".", client, rsaSign); + String changed = message + "."; + byte[] changed_bytes = changed.getBytes(StandardCharsets.UTF_8); + boolean shouldFail = Asymmetric.verifySignatureRSA(sig, changed_bytes, client, rsaSign); assertFalse("RSA verification failed.", shouldFail); } 
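Review bot: The new constant `message_bytes` is snake_case while every neighbouring field (`keyRing`, `rsaDecryptId`, `rsaSignId`) is lowerCamelCase; `messageBytes` would match. The later "checkstyle fix" patch renames `changed_bytes` but leaves this one. A `byte[]` constant is mutable and shared by all tests, so a short comment such as `// UTF-8 bytes of message; tests must not modify` would also help.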
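Review bot: In `testRSAEncryptDecrypt`, `new String(plainbytes)` decodes with the platform default charset although `message_bytes` was produced with `StandardCharsets.UTF_8`, so the round-trip assertion depends on the JVM's locale settings. Use `String plaintext = new String(plainbytes, StandardCharsets.UTF_8);`. The same line is still present after the "sign/verify uses bytes" patch rewrites this test.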
@@ -161,9 +166,11 @@ public void testECSignVerify() throws Exception { String sig = Asymmetric.signAsymmetric(message, client, ecSign); assertTrue("invalid ciphertext length", sig.length() > 50 && sig.length() < 300); - boolean success = Asymmetric.verifySignatureEC(sig, message, client, ecSign); + boolean success = Asymmetric.verifySignatureEC(sig, message_bytes, client, ecSign); assertTrue("RSA verification failed.", success); - boolean shouldFail = Asymmetric.verifySignatureEC(sig, message + ".", client, ecSign); + String changed = message + "."; + byte[] changed_bytes = changed.getBytes(StandardCharsets.UTF_8); + boolean shouldFail = Asymmetric.verifySignatureEC(sig, changed_bytes, client, ecSign); assertFalse("RSA verification failed.", shouldFail); } From 0a2d41f98576b696aaeed48b12a2286a87d535a9 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 21 Sep 2018 15:06:09 -0700 Subject: [PATCH 03/11] fixed DecryptRequest method --- kms/src/main/java/com/example/Asymmetric.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 2e638b3c7a4..7c7c5bf86a3 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java @@ -90,7 +90,7 @@ public static PublicKey getAsymmetricPublicKey(CloudKMS client, String keyPath) */ public static byte[] decryptRSA(byte[] ciphertext, CloudKMS client, String keyPath) throws IOException { - AsymmetricDecryptRequest request = new AsymmetricDecryptRequest().setCiphertext(ciphertext); + AsymmetricDecryptRequest request = new AsymmetricDecryptRequest().encodeCiphertext(ciphertext); AsymmetricDecryptResponse response = client.projects() .locations() .keyRings() From c0fa68a2d7c1c868fa5293569bba02dc31de40b1 Mon Sep 17 00:00:00 2001 
From: Dan Sanche Date: Fri, 21 Sep 2018 15:14:28 -0700 Subject: [PATCH 04/11] fixed imports --- kms/src/test/java/com/example/AsymmetricIT.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index 29cd52cceeb..cba5fa11a93 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java @@ -31,10 +31,12 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.PrintStream; +import java.nio.charset.StandardCharsets; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; +import java.util.Base64; import java.util.UUID; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -142,7 +144,7 @@ public void testRSAEncryptDecrypt() throws Exception { assertEquals("incorrect RSA ciphertext length.", 344, ciphertext.length()); assertEquals("incorrect ciphertext final character.", '=', ciphertext.charAt(343)); - bytes[] plainbytes = Asymmetric.decryptRSA(cipherbytes, client, rsaDecrypt); + byte[] plainbytes = Asymmetric.decryptRSA(cipherbytes, client, rsaDecrypt); String plaintext = new String(plainbytes); assertEquals("decryption failed.", message, plaintext); } From 42b104513a709ac91768c72c05a019df3600d5fb Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 21 Sep 2018 15:24:42 -0700 Subject: [PATCH 05/11] fixed string->byte[] in tests --- kms/src/test/java/com/example/AsymmetricIT.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index cba5fa11a93..ed1e9bf6268 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java 
@@ -151,7 +151,7 @@ public void testRSAEncryptDecrypt() throws Exception { @Test public void testRSASignVerify() throws Exception { - String sig = Asymmetric.signAsymmetric(message, client, rsaSign); + String sig = Asymmetric.signAsymmetric(message_bytes, client, rsaSign); assertEquals("invalid ciphertext length", 344, sig.length()); assertEquals("incorrect ciphertext final character.", '=', sig.charAt(343)); @@ -165,7 +165,7 @@ public void testRSASignVerify() throws Exception { @Test public void testECSignVerify() throws Exception { - String sig = Asymmetric.signAsymmetric(message, client, ecSign); + String sig = Asymmetric.signAsymmetric(message_bytes, client, ecSign); assertTrue("invalid ciphertext length", sig.length() > 50 && sig.length() < 300); boolean success = Asymmetric.verifySignatureEC(sig, message_bytes, client, ecSign); From 9ad4c7d2902abac837f5e381ca721df04046f3d3 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 21 Sep 2018 15:30:22 -0700 Subject: [PATCH 06/11] checkstyle fix --- kms/src/test/java/com/example/AsymmetricIT.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index ed1e9bf6268..380ddb1ddd2 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java @@ -158,8 +158,8 @@ public void testRSASignVerify() throws Exception { boolean success = Asymmetric.verifySignatureRSA(sig, message_bytes, client, rsaSign); assertTrue("RSA verification failed.", success); String changed = message + "."; - byte[] changed_bytes = changed.getBytes(StandardCharsets.UTF_8); - boolean shouldFail = Asymmetric.verifySignatureRSA(sig, changed_bytes, client, rsaSign); + byte[] changedBytes = changed.getBytes(StandardCharsets.UTF_8); + boolean shouldFail = Asymmetric.verifySignatureRSA(sig, changedBytes, client, rsaSign); assertFalse("RSA verification failed.", shouldFail); } 
@@ -171,8 +171,8 @@ public void testECSignVerify() throws Exception { boolean success = Asymmetric.verifySignatureEC(sig, message_bytes, client, ecSign); assertTrue("RSA verification failed.", success); String changed = message + "."; - byte[] changed_bytes = changed.getBytes(StandardCharsets.UTF_8); - boolean shouldFail = Asymmetric.verifySignatureEC(sig, changed_bytes, client, ecSign); + byte[] changedBytes = changed.getBytes(StandardCharsets.UTF_8); + boolean shouldFail = Asymmetric.verifySignatureEC(sig, changedBytes, client, ecSign); assertFalse("RSA verification failed.", shouldFail); } From 62c65ba6c811ec45443956e274c47f523990b8db Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Thu, 27 Sep 2018 12:31:44 -0700 Subject: [PATCH 07/11] removed unneeded test --- kms/src/test/java/com/example/AsymmetricIT.java | 1 - 1 file changed, 1 deletion(-) diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index 380ddb1ddd2..4f1701a95d1 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java @@ -142,7 +142,6 @@ public void testRSAEncryptDecrypt() throws Exception { byte[] cipherbytes = Asymmetric.encryptRSA(message_bytes, client, rsaDecrypt); String ciphertext = Base64.getEncoder().encodeToString(cipherbytes); assertEquals("incorrect RSA ciphertext length.", 344, ciphertext.length()); - assertEquals("incorrect ciphertext final character.", '=', ciphertext.charAt(343)); byte[] plainbytes = Asymmetric.decryptRSA(cipherbytes, client, rsaDecrypt); String plaintext = new String(plainbytes); From d804fa6dcc769a070bbfa55d5ced990755acddb0 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Fri, 28 Sep 2018 12:54:02 -0700 Subject: [PATCH 08/11] sign/verify uses bytes --- kms/src/main/java/com/example/Asymmetric.java | 15 +++++------ .../test/java/com/example/AsymmetricIT.java | 26 +++++++++---------- 2 files changed, 19 insertions(+), 22 deletions(-) 
diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 7c7c5bf86a3..69cc9c43564 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java @@ -33,7 +33,6 @@ import com.google.api.services.cloudkms.v1.model.ListKeyRingsResponse; import java.io.IOException; import java.io.StringReader; -import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.KeyFactory; import java.security.MessageDigest; @@ -122,7 +121,7 @@ public static byte[] encryptRSA(byte[] plaintext, CloudKMS client, String keyPat // [START kms_sign_asymmetric] /** Create a signature for a message using a private key stored on Cloud KMS */ - public static String signAsymmetric(byte[] message, CloudKMS client, String keyPath) + public static byte[] signAsymmetric(byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException { Digest digest = new Digest(); // Note: some key algorithms will require a different hash function @@ -139,7 +138,7 @@ public static String signAsymmetric(byte[] message, CloudKMS client, String keyP .cryptoKeyVersions() .asymmetricSign(keyPath, signRequest) .execute(); - return response.getSignature(); + return Base64.getMimeDecoder().decode(response.getSignature()); } // [END kms_sign_asymmetric] @@ -148,7 +147,7 @@ public static String signAsymmetric(byte[] message, CloudKMS client, String keyP * Verify the validity of an 'RSA_SIGN_PSS_2048_SHA256' signature for the * specified message */ - public static boolean verifySignatureRSA(String signature, byte[] message, CloudKMS client, + public static boolean verifySignatureRSA(byte[] signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, SignatureException, NoSuchProviderException, InvalidKeyException { Security.addProvider(new BouncyCastleProvider()); 
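Review bot: `signAsymmetric` now returns `Base64.getMimeDecoder().decode(response.getSignature())`, and the MIME decoder silently skips any character outside the Base64 alphabet instead of rejecting it. A malformed or differently encoded signature field would therefore decode to different bytes rather than raise an error. The strict decoder suits an API field better: `return Base64.getDecoder().decode(response.getSignature());`. If the generated `AsymmetricSignResponse` offers a `decodeSignature()` helper like the `decodePlaintext()` used in `decryptRSA` (not visible here), that would be the most consistent choice. The Javadoc should also state that the return value is the raw signature bytes; the method body starts outside this hunk.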
@@ -158,8 +157,7 @@ public static boolean verifySignatureRSA(String signature, byte[] message, Cloud rsaVerify.initVerify(rsaKey); rsaVerify.update(message); - byte[] sigBytes = Base64.getMimeDecoder().decode(signature); - return rsaVerify.verify(sigBytes); + return rsaVerify.verify(signature); } // [END kms_verify_signature_rsa] @@ -168,7 +166,7 @@ public static boolean verifySignatureRSA(String signature, byte[] message, Cloud * Verify the validity of an 'EC_SIGN_P256_SHA256' signature for the * specified message */ - public static boolean verifySignatureEC(String signature, byte[] message, CloudKMS client, + public static boolean verifySignatureEC(byte[] signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, SignatureException, NoSuchProviderException, InvalidKeyException { Security.addProvider(new BouncyCastleProvider()); @@ -178,8 +176,7 @@ public static boolean verifySignatureEC(String signature, byte[] message, CloudK ecVerify.initVerify(ecKey); ecVerify.update(message); - byte[] sigBytes = Base64.getMimeDecoder().decode(signature); - return ecVerify.verify(sigBytes); + return ecVerify.verify(signature); } // [END kms_verify_signature_ec] diff --git a/kms/src/test/java/com/example/AsymmetricIT.java b/kms/src/test/java/com/example/AsymmetricIT.java index 4f1701a95d1..635a36ac4cc 100644 --- a/kms/src/test/java/com/example/AsymmetricIT.java +++ b/kms/src/test/java/com/example/AsymmetricIT.java @@ -36,6 +36,7 @@ import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; +import java.util.Arrays; import java.util.Base64; import java.util.UUID; import java.util.regex.Matcher; 
@@ -139,40 +140,39 @@ public void testGetPublicKey() throws Exception { @Test public void testRSAEncryptDecrypt() throws Exception { - byte[] cipherbytes = Asymmetric.encryptRSA(message_bytes, client, rsaDecrypt); - String ciphertext = Base64.getEncoder().encodeToString(cipherbytes); - assertEquals("incorrect RSA ciphertext length.", 344, ciphertext.length()); + byte[] ciphertext = Asymmetric.encryptRSA(message_bytes, client, rsaDecrypt); + assertEquals("incorrect RSA ciphertext length.", 256, ciphertext.length); - byte[] plainbytes = Asymmetric.decryptRSA(cipherbytes, client, rsaDecrypt); + byte[] plainbytes = Asymmetric.decryptRSA(ciphertext, client, rsaDecrypt); + assertTrue("decryption failed.", Arrays.equals(message_bytes, plainbytes)); String plaintext = new String(plainbytes); assertEquals("decryption failed.", message, plaintext); } @Test public void testRSASignVerify() throws Exception { - String sig = Asymmetric.signAsymmetric(message_bytes, client, rsaSign); - assertEquals("invalid ciphertext length", 344, sig.length()); - assertEquals("incorrect ciphertext final character.", '=', sig.charAt(343)); + byte[] sig = Asymmetric.signAsymmetric(message_bytes, client, rsaSign); + assertEquals("invalid ciphertext length", 256, sig.length); boolean success = Asymmetric.verifySignatureRSA(sig, message_bytes, client, rsaSign); - assertTrue("RSA verification failed.", success); + assertTrue("RSA verification failed. Valid message not accepted", success); String changed = message + "."; byte[] changedBytes = changed.getBytes(StandardCharsets.UTF_8); boolean shouldFail = Asymmetric.verifySignatureRSA(sig, changedBytes, client, rsaSign); - assertFalse("RSA verification failed.", shouldFail); + assertFalse("RSA verification failed. 
Invalid message accepted", shouldFail); } @Test public void testECSignVerify() throws Exception { - String sig = Asymmetric.signAsymmetric(message_bytes, client, ecSign); - assertTrue("invalid ciphertext length", sig.length() > 50 && sig.length() < 300); + byte[] sig = Asymmetric.signAsymmetric(message_bytes, client, ecSign); + assertTrue("invalid ciphertext length", sig.length > 50 && sig.length < 300); boolean success = Asymmetric.verifySignatureEC(sig, message_bytes, client, ecSign); - assertTrue("RSA verification failed.", success); + assertTrue("EC verification failed. Valid message not accepted", success); String changed = message + "."; byte[] changedBytes = changed.getBytes(StandardCharsets.UTF_8); boolean shouldFail = Asymmetric.verifySignatureEC(sig, changedBytes, client, ecSign); - assertFalse("RSA verification failed.", shouldFail); + assertFalse("EC verification failed. Invalid message accepted", shouldFail); } } From 44e233521e5cdad63146bca2423e60aac00b3ba9 Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Tue, 16 Oct 2018 10:58:22 -0700 Subject: [PATCH 09/11] fixed region tag for imports --- kms/src/main/java/com/example/Asymmetric.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 69cc9c43564..85b802daaeb 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java 
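Review bot: The length assertions in `testRSASignVerify` and `testECSignVerify` still carry the message `"invalid ciphertext length"` although `sig` is a signature; `"invalid signature length"` would make a failure readable. In `testRSAEncryptDecrypt`, `assertTrue("decryption failed.", Arrays.equals(message_bytes, plainbytes))` reports only true or false. If JUnit's `assertArrayEquals` is available to this class (its static imports are not visible here), `assertArrayEquals("decryption failed.", message_bytes, plainbytes);` would show the differing index. The EC bound `sig.length > 50 && sig.length < 300` is much wider than a P-256 signature needs and deserves a comment saying where the limits come from.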
@@ -16,12 +16,12 @@ package com.example; -// [START kms_get_asymmetric_public] import com.google.api.client.googleapis.auth.oauth2.GoogleCredential; import com.google.api.client.http.HttpTransport; import com.google.api.client.http.javanet.NetHttpTransport; import com.google.api.client.json.JsonFactory; import com.google.api.client.json.jackson2.JacksonFactory; +// [START kms_asymmetric_imports] import com.google.api.services.cloudkms.v1.CloudKMS; import com.google.api.services.cloudkms.v1.CloudKMSScopes; import com.google.api.services.cloudkms.v1.model.AsymmetricDecryptRequest; @@ -52,7 +52,7 @@ import javax.crypto.NoSuchPaddingException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.io.pem.PemReader; -// [END kms_get_asymmetric_public] +// [END kms_asymmetric_imports] @SuppressWarnings("checkstyle:abbreviationaswordinname") public class Asymmetric { From 7a8375d021fd9c01ef88f35111bb8f71b187fe6e Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 17 Oct 2018 14:01:47 -0700 Subject: [PATCH 10/11] added requirement comments --- kms/src/main/java/com/example/Asymmetric.java | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 85b802daaeb..044af3f1fe0 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java @@ -43,7 +43,6 @@ import java.security.Signature; import java.security.SignatureException; import java.security.spec.InvalidKeySpecException; -import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Base64; import javax.crypto.BadPaddingException; 
@@ -58,7 +57,18 @@ public class Asymmetric { // [START kms_get_asymmetric_public] - /** Retrieves the public key from a saved asymmetric key pair on Cloud KMS */ + /** + * Retrieves the public key from a saved asymmetric key pair on Cloud KMS + * + * Requires: + * java.io.StringReader + * java.security.KeyFactory + * java.security.PublicKey + * java.security.Security + * java.security.spec.X509EncodedKeySpec + * org.bouncycastle.jce.provider.BouncyCastleProvider + * org.bouncycastle.util.io.pem.PemReader + */ public static PublicKey getAsymmetricPublicKey(CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException { @@ -104,7 +114,13 @@ public static byte[] decryptRSA(byte[] ciphertext, CloudKMS client, String keyPa // [START kms_encrypt_rsa] /** * Encrypt data locally using an 'RSA_DECRYPT_OAEP_2048_SHA256' public key - * retrieved from Cloud KMS + * retrieved from Cloud KMS + * + * Requires: + * java.security.PublicKey + * java.security.Security + * javax.crypto.Cipher + * org.bouncycastle.jce.provider.BouncyCastleProvider */ public static byte[] encryptRSA(byte[] plaintext, CloudKMS client, String keyPath) throws IOException, IllegalBlockSizeException, NoSuchPaddingException, @@ -120,7 +136,12 @@ public static byte[] encryptRSA(byte[] plaintext, CloudKMS client, String keyPat // [END kms_encrypt_rsa] // [START kms_sign_asymmetric] - /** Create a signature for a message using a private key stored on Cloud KMS */ + /** Create a signature for a message using a private key stored on Cloud KMS + * + * Requires: + * java.security.MessageDigest + * java.util.Base64 + */ public static byte[] signAsymmetric(byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException { Digest digest = new Digest(); 
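Review bot: The `Requires:` lists added to the Javadoc are plain text, so the javadoc tool will run the class names together into one paragraph. Wrapping each list as `<ul><li>{@code java.security.PublicKey}</li>…</ul>` or in a `<pre>` block keeps them readable. The lists name only JDK and Bouncy Castle classes and leave out the Cloud KMS model types and the declared exception types the methods also use. `decryptRSA` gets no list in this patch, possibly on purpose, so a reader copying a single region still has to work out part of the import set. The `signAsymmetric` comment opens with text on the `/**` line while the others start on the next line; one form throughout would be tidier.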
@@ -146,6 +167,12 @@ public static byte[] signAsymmetric(byte[] message, CloudKMS client, String keyP /** * Verify the validity of an 'RSA_SIGN_PSS_2048_SHA256' signature for the * specified message + * + * Requires: + * java.security.PublicKey + * java.security.Security + * java.security.Signature + * org.bouncycastle.jce.provider.BouncyCastleProvider */ public static boolean verifySignatureRSA(byte[] signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, @@ -165,6 +192,12 @@ public static boolean verifySignatureRSA(byte[] signature, byte[] message, Cloud /** * Verify the validity of an 'EC_SIGN_P256_SHA256' signature for the * specified message + * + * Requires: + * java.security.PublicKey + * java.security.Security + * java.security.Signature + * org.bouncycastle.jce.provider.BouncyCastleProvider */ public static boolean verifySignatureEC(byte[] signature, byte[] message, CloudKMS client, String keyPath) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, From 7253274027f86e9df03dde782c5dcad7da010fdd Mon Sep 17 00:00:00 2001 From: Dan Sanche Date: Wed, 17 Oct 2018 14:02:15 -0700 Subject: [PATCH 11/11] removed import region tag --- kms/src/main/java/com/example/Asymmetric.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/kms/src/main/java/com/example/Asymmetric.java b/kms/src/main/java/com/example/Asymmetric.java index 044af3f1fe0..e9902b31d1a 100644 --- a/kms/src/main/java/com/example/Asymmetric.java +++ b/kms/src/main/java/com/example/Asymmetric.java @@ -21,7 +21,6 @@ import com.google.api.client.http.javanet.NetHttpTransport; import com.google.api.client.json.JsonFactory; import com.google.api.client.json.jackson2.JacksonFactory; -// [START kms_asymmetric_imports] import com.google.api.services.cloudkms.v1.CloudKMS; import com.google.api.services.cloudkms.v1.CloudKMSScopes; import com.google.api.services.cloudkms.v1.model.AsymmetricDecryptRequest; 
@@ -51,7 +50,6 @@ import javax.crypto.NoSuchPaddingException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.io.pem.PemReader; -// [END kms_asymmetric_imports] @SuppressWarnings("checkstyle:abbreviationaswordinname") public class Asymmetric {