GoogleKMS Class

Properties   Methods   Events   Config Settings   Errors  

The GoogleKMS class provides an easy-to-use interface for the Google Cloud Key Management Service.

Syntax

cloudkeys.Googlekms

Remarks

The GoogleKMS class makes it easy to work with the Google Cloud Key Management Service (KMS) in a secure manner using TLS. Google KMS allows you to create and manage key rings that contain symmetric and asymmetric keys. Each key has one or more versions which can be used for cryptographic operations.

To begin, register for a Google Cloud account. Set the GoogleProjectId property to your full Google Cloud project Id, and set the Location property to the Google Cloud location you'd like to make requests against (by default, the us multi-regional location is used). Note that each location's resources are completely separate from the others'.

This class requires authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth property to set the appropriate fields for the chosen ClientProfile and GrantType.

The class has the following defaults:

Application Profile

This profile encompasses the most basic grant types that OAuth supports. When this profile is set, all the requests and response handling is done by the class. Depending on the grant type, this may involve launching a browser so a user can login to authenticate with a authorization server. It may also involve starting an embedded web server to receive a response from a redirect.

To start the authentication and authorization process, the Authorize method should be called. If the authorization and authentication was successful, then the AccessToken field will be populated. Additionally, if a refresh token was provided the RefreshToken field will be populated as well. These values of the fields are for informational purposes. The class will also cache these tokens along with when the AccessToken will be expired. When a method that makes requests to the service provider is called or the Authorize method is called the class will automatically check to see if the access token is expired. If it is, it will then automatically try to get a new AccessToken. If the Authorize method was not used and user interaction would be required, the class will throw an error which can be caught. When user interaction is needed depends on what grant type is set in the GrantType field. To force the component to only check the access token when the Authorize method is called, the OAuthAutomaticRefresh configuration setting can be set to false.

A brief description of the supported values for the GrantType field are below. For more information, see the service documentation.

Authorization Code

When using the Authorization Code grant type, the class will use an authorization code to get an access token. For this GrantType the class expects a ClientId, ClientSecret, ServerAuthURL, and ServerTokenURL to be set. When the Authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the class will parse the authorization code, setting the AuthorizationCode field, from the redirect. Immediately, the class will make a request to the token server to exchange the authorization code for an access token. The token server will return an access token and possibly a refresh token. If the RefreshToken field is set, or a refresh token is cached, then the class will not launch the browser and use the refresh token in its request to the token server instead of an authorization code.

Example: GoogleKMS googlekms = new GoogleKMS(); googlekms.OAuth.ClientProfile = OAuthClientProfiles.cocpApplication; googlekms.OAuth.GrantType = OAuthGrantTypes.cogtAuthorizationCode; googlekms.OAuth.ClientId = CLIENT_ID; googlekms.OAuth.ClientSecret = CLIENT_SECRET; googlekms.Authorize();

Implicit

Note: This grant type is considered insecure and should only be used when necessary.

When using the Implicit grant type, the class will request the authorization server to get an access token. For this GrantType the class expects a ClientId, ClientSecret, and ServerAuthURL to be set. When the Authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the class will parse the access token from the redirect.

A disadvantage of the grant type is that can not use a refresh token to silently get a new access token. Most service providers offer a way to silently get a new access token. See the service documentation for specifics. This means the class will not be able to automatically get a fresh token once it expires.

Web Profile

External OAuth Support

Bearer ACCESS_TOKEN_VALUE

Assign this value to the Authorization property before attempting any operations. Setting the Authorization property will cause the class to ignore the values set in the OAuth property.

For Example: Oauth oauth = new Oauth(); oauth.ClientId = "CLIENT_ID"; oauth.ClientSecret = "CLIENT_SECRET"; oauth.AuthorizationScope = "https://www.googleapis.com/auth/cloud-platform"; oauth.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth"; oauth.ServerTokenURL = "https://accounts.google.com/o/oauth2/token"; oauth.GrantType = OauthGrantTypes.ogtAuthorizationCode; googlekms.Authorization = oauth.GetAuthorization(); Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.

Using the Class

First, select which key ring the class should interact with using the KeyRing property. If the selected key ring does not yet exist, use the CreateKeyRing method to create it. Note that key rings cannot be deleted later, and therefore key ring names can never be reused within a given Location (unless you create a new Google Cloud project).

Once a key ring has been selected (and created, if necessary), keys can be created in it using the CreateKey method. A key consists of one or more key versions (which themselves can be thought of as distinct resources), each of which has its own cryptographic material. Symmetric keys have a primary version which is used when encrypting data. Asymmetric keys do not have a primary version; a specific version must always be targeted.

When a key is created, a single key version is automatically created for it as well (and for symmetric keys, this becomes the primary version). Additional key versions can be created using the CreateVersion method. Each key version receives a sequentially-assigned version Id, and the first version's Id is always 1. As will become apparent, most operations are performed with key versions, not keys. googlekms.KeyRing = "MyKeyRing"; googlekms.CreateKeyRing(); // When a key is created, you specify its name, purpose, algorithm, and protection level. // Refer to the CreateKey method's documentation for more information. googlekms.CreateKey("MyKey", 1, "GOOGLE_SYMMETRIC_ENCRYPTION", false); // When a new version is created, the algorithm and protection level are reused. googlekms.CreateVersion("MyKey");

Like key rings, keys and key versions cannot be deleted. However, a key version can be disabled, or its cryptographic material can be destroyed, making it permanently unusable. To enable or disable a key version, use the SetVersionEnabled method; to destroy a key version's cryptographic material, use the DestroyVersion method. Note that the latter doesn't destroy the cryptographic material immediately; instead, it schedules it for destruction 24 hours from the time of the call. The CancelDestruction method can be called within this waiting period to cancel the destruction. // Disable a key version to make it unusable until it is re-enabled. googlekms.SetVersionEnabled("MyKey", "7", false); // Destroy a key version's cryptographic material to make it permanently unusable. googlekms.DestroyVersion("MyKey", "7"); // The destruction takes place after a 24 hour waiting period; it can be canceled during that period. // If destruction is canceled, the key version is always placed into a disabled state. googlekms.CancelDestruction("MyKey", "7");

To list key rings, keys, or key versions, use the ListKeyRings, ListKeys, or ListVersions method. If there are multiple pages of results when listing a resource, the appropriate marker property will be populated, and all pages of results can be accumulated by continuing to call the relevant listing method until the marker property is empty. do { googlekms.ListKeyRings(); } while (!string.IsNullOrEmpty(googlekms.KeyRingMarker)); foreach (GoogleKeyRing keyring in googlekms.KeyRings) { Console.WriteLine(keyring.Name); } googlekms.KeyRing = "MyKeyRing"; do { googlekms.ListKeys(); } while (!string.IsNullOrEmpty(googlekms.KeyMarker)); foreach (GoogleKey key in googlekms.Keys) { Console.WriteLine(key.Name); } do { googlekms.ListKeyVersions("MyKey"); } while (!string.IsNullOrEmpty(googlekms.VersionMarker)); foreach (GoogleKeyVersion version in googlekms.Versions) { Console.WriteLine(version.Name + " " + version.VersionId); }

Depending on a key's purpose, it can be used to perform different cryptographic operations. Keys whose purpose is encryption/decryption can be used in Encrypt and Decrypt operations. Keys whose purpose is sign/verify can be used in Sign and Verify operations. To perform a cryptographic operation, use InputData, InputFile, or SetInputStream to supply the input data that should be processed. All operations will output the result data to OutputData, OutputFile, or SetOutputStream (except Verify; refer to its documentation for more information).

Note that Google does not support server-side asymmetric encryption or asymmetric verification. The class performs these operations locally as a convenience to account for this. // Create an asymmetric key whose purpose is encryption/decryption. googlekms.CreateKey("MyAsymmEncKey", 3, "RSA_DECRYPT_OAEP_3072_SHA256", false); // Encrypt the string "Test123" and write the encrypted data to an output file. googlekms.InputData = "Test123"; googlekms.OutputFile = "C:/temp/enc.dat"; googlekms.Encrypt("MyAsymmEncKey", "1"); // ...Later, decrypt the data again. googlekms.InputFile = "C:/temp/enc.dat"; googlekms.OutputFile = ""; // So that the data will be output to the OutputData property. googlekms.Decrypt("MyAsymmEncKey", "1");

The class also supports a variety of other functionality, including:

• Retrieval of a single resource's information with GetKeyRingInfo, GetKeyInfo, or GetVersionInfo.
• Getting an asymmetric key's public key using GetPublicKey.
• Label support using AddLabel and the Labels collection.
• Updating key information with UpdateKey and SetPrimaryVersion.
• And more!

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

AdditionalData Property (GoogleKMS Class)

Additional data to send when performing symmetric encryption or decryption.

Syntax

public byte[] getAdditionalData();


public void setAdditionalData(byte[] additionalData);

Default Value

""

Remarks

This property can be set before calling Encrypt or Decrypt with a symmetric key to have the server include the specified data, known as additional authenticated data, when performing the cryptographic operation. If such data is provided during encryption, it must also be provided in order to successfully decrypt the data. Refer to the Google Cloud KMS documentation for more information.

Up to 65536 bytes of data may be provided. Note that this property is ignored when asymmetric encryption or decryption is performed.

This property is not available at design time.

Authorization Property (GoogleKMS Class)

OAuth 2.0 Authorization Token.

Syntax

public String getAuthorization();


public void setAuthorization(String authorization);

Default Value

""

Remarks

This class supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth class or a separate process. Once complete you should have an authorization string which looks like:

Bearer ACCESS_TOKEN

Firewall Property (GoogleKMS Class)

A set of properties related to firewall access.

Syntax

public Firewall getFirewall();


public void setFirewall(Firewall firewall);

Remarks

This is a Firewall type property which contains fields describing the firewall through which the class will attempt to connect.

GoogleProjectId Property (GoogleKMS Class)

The Id of the Google Cloud project to make requests against.

Syntax

public String getGoogleProjectId();


public void setGoogleProjectId(String googleProjectId);

Default Value

""

Remarks

This property specifies the Id of the Google Cloud project that the class should make requests against; it must be set before attempting any operations.

Note that the full Google Cloud project Id must be specified, not just the project number.

This property is not available at design time.

Idle Property (GoogleKMS Class)

The current status of the class.

Syntax

public boolean isIdle();

Default Value

True

Remarks

Idle will be False if the component is currently busy (communicating and/or waiting for an answer), and True at all other times.

This property is read-only.

InputData Property (GoogleKMS Class)

The data to process.

Syntax

public byte[] getInputData();


public void setInputData(byte[] inputData);

Default Value

""

Remarks

This property specifies the data that should be processed in a cryptographic operation.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

This property is not available at design time.

InputFile Property (GoogleKMS Class)

The file whose data should be processed.

Syntax

public String getInputFile();


public void setInputFile(String inputFile);

Default Value

""

Remarks

This property specifies the file whose data should be processed in a cryptographic operation. It accepts both absolute and relative file paths.

Setting this property to a non-empty value will discard any stream set using the SetInputStream method. Similarly, passing a non-null value to the aforementioned method will clear this property.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

KeyMarker Property (GoogleKMS Class)

A marker indicating what page of keys to return next.

Syntax

public String getKeyMarker();


public void setKeyMarker(String keyMarker);

Default Value

""

Remarks

This property will be populated when ListKeys is called if the results are paged and there are more pages. To list all keys, continue to call ListKeys until this property returns empty string.

Refer to ListKeys for more information.

This property is not available at design time.

KeyRing Property (GoogleKMS Class)

Selects a key ring for the class to interact with.

Syntax

public String getKeyRing();


public void setKeyRing(String keyRing);

Default Value

""

Remarks

This property specifies the key ring, by name, that the class should interact with.

This property is not available at design time.

KeyRingMarker Property (GoogleKMS Class)

A marker indicating what page of key rings to return next.

Syntax

public String getKeyRingMarker();


public void setKeyRingMarker(String keyRingMarker);

Default Value

""

Remarks

This property will be populated when ListKeyRings is called if the results are paged and there are more pages. To list all key rings, continue to call ListKeyRings until this property returns empty string.

Refer to ListKeyRings for more information.

This property is not available at design time.

KeyRings Property (GoogleKMS Class)

A collection of key rings.

Syntax

public GoogleKeyRingList getKeyRings();

Remarks

This collection holds a list of GoogleKeyRing items.

Calling ListKeyRings or GetKeyRingInfo will populate this collection.

This property is read-only and not available at design time.

Keys Property (GoogleKMS Class)

A collection of keys.

Syntax

public GoogleKeyList getKeys();

Remarks

This collection holds a list of GoogleKey items.

Calling ListKeys or GetKeyInfo will populate this collection.

This property is read-only and not available at design time.

Labels Property (GoogleKMS Class)

A collection of labels.

Syntax

public GoogleLabelList getLabels();


public void setLabels(GoogleLabelList labels);

Remarks

This collection holds a list of GoogleLabel items.

Calling AddLabel or GetKeyInfo will populate this collection. The items in this collection are used by the CreateKey and UpdateKey methods.

This property is not available at design time.

LocalHost Property (GoogleKMS Class)

The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

Syntax

public String getLocalHost();


public void setLocalHost(String localHost);

Default Value

""

Remarks

The LocalHost property contains the name of the local host as obtained by the gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multi-homed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the class initiate connections (or accept in the case of server classs) only through that interface.

If the class is connected, the LocalHost property shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multi-homed hosts (machines with more than one IP interface).

NOTE: LocalHost is not persistent. You must always set it in code, and never in the property window.

Location Property (GoogleKMS Class)

The Google Cloud location to make requests against.

Syntax

public String getLocation();


public void setLocation(String location);

Default Value

"us"

Remarks

This property specifies the Google Cloud location that the class should make requests against.

Regional Locations:

A regional location's data centers exist in a specific geographical place.

Dual-Regional Locations:

A dual-regional location's data centers exist in two specific geographical places (plus a third region included for data replication and durability).

Multi-Regional Locations:

A multi-regional location's data centers are spread across a geographical area; it is not possible to predict or control exactly which data centers are selected or where they are located.

The class will always convert this property's value to lowercase. If this property is cleared, the class will reset it to the default value.

This property is not available at design time.

OAuth Property (GoogleKMS Class)

This property holds the OAuth Settings.

Syntax

public OAuthSettings getOAuth();

Remarks

This property is used to define the necessary fields to authenticate with the service provider. See the introduction for more information.

This property is read-only and not available at design time.

OtherHeaders Property (GoogleKMS Class)

This property includes other headers as determined by the user (optional).

Syntax

public String getOtherHeaders();


public void setOtherHeaders(String otherHeaders);

Default Value

""

Remarks

This property can be set to a string of headers to be appended to the HTTP request headers created from other properties like ContentType and From.

The headers must follow the format Header: Value as described in the HTTP specifications. Header lines should be separated by CRLF ("\r\n") .

Use this property with caution. If this property contains invalid headers, HTTP requests may fail.

This property is useful for extending the functionality of the class beyond what is provided.

This property is not available at design time.

OutputData Property (GoogleKMS Class)

The output data.

Syntax

public byte[] getOutputData();


public void setOutputData(byte[] outputData);

Default Value

""

Remarks

This property is populated with the data that was output from a successful cryptographic operation.

Note: For the Verify operation, this property functions as a secondary input property instead (along with InputData); refer to the Verify method for more information.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

This property is not available at design time.

OutputFile Property (GoogleKMS Class)

The file to which output data should be written.

Syntax

public String getOutputFile();


public void setOutputFile(String outputFile);

Default Value

""

Remarks

This property specifies the file to which data output from a successful cryptographic operation should be written.

Setting this property to a non-empty value will discard any stream set using the SetOutputStream method. Similarly, passing a non-null value to the aforementioned method will clear this property.

Note: For the Verify operation, the specified file functions as a secondary input file instead (along with InputFile); refer to the Verify method for more information.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

Overwrite Property (GoogleKMS Class)

Whether the output file should be overwritten if necessary.

Syntax

public boolean isOverwrite();


public void setOverwrite(boolean overwrite);

Default Value

False

Remarks

This property controls whether the specified OutputFile should be overwritten if it already exists.

ParsedHeaders Property (GoogleKMS Class)

This property includes a collection of headers returned from the last request.

Syntax

public HeaderList getParsedHeaders();

Remarks

This property contains a collection of headers returned from the last request. Whenever headers are returned from the server, the headers are parsed into a collection of headers. Each Header in this collection contains information describing that header.

MaxHeaders can be used to control the maximum number of headers saved.

This collection is indexed from 0 to size -1.

This property is read-only and not available at design time.

Proxy Property (GoogleKMS Class)

This property includes a set of properties related to proxy access.

Syntax

public Proxy getProxy();


public void setProxy(Proxy proxy);

Remarks

This property contains fields describing the proxy through which the class will attempt to connect.

PublicKey Property (GoogleKMS Class)

The public key of an asymmetric key pair.

Syntax

public String getPublicKey();

Default Value

""

Remarks

This property reflects the public key of an asymmetric key pair stored on the server, in PEM format; it is populated anytime the GetPublicKey method is called successfully.

This property is read-only and not available at design time.

PublicKeyAlgorithm Property (GoogleKMS Class)

The algorithm of an asymmetric key pair.

Syntax

public String getPublicKeyAlgorithm();

Default Value

""

Remarks

This property reflects the algorithm of an asymmetric key pair stored on the server; it is populated anytime the GetPublicKey method is called successfully. Possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

This property is read-only and not available at design time.

QueryParams Property (GoogleKMS Class)

Additional query parameters to be included in the request.

Syntax

public QueryParamList getQueryParams();


public void setQueryParams(QueryParamList queryParams);

Remarks

This is a collection of query parameters that will be added to the request. Parameters can be added via the AddQueryParam method.

SSLAcceptServerCert Property (GoogleKMS Class)

Instructs the class to unconditionally accept the server certificate that matches the supplied certificate.

Syntax

public Certificate getSSLAcceptServerCert();


public void setSSLAcceptServerCert(Certificate SSLAcceptServerCert);

Remarks

If it finds any issues with the certificate presented by the server, the class will normally terminate the connection with an error.

You may override this behavior by supplying a value for SSLAcceptServerCert. If the certificate supplied in SSLAcceptServerCert is the same as the certificate presented by the server, then the server certificate is accepted unconditionally, and the connection will continue normally.

Please note that this functionality is provided only for cases where you otherwise know that you are communicating with the right server. If used improperly, this property may create a security breach. Use it at your own risk.

SSLCert Property (GoogleKMS Class)

The certificate to be used during SSL negotiation.

Syntax

public Certificate getSSLCert();


public void setSSLCert(Certificate SSLCert);

Remarks

The digital certificate that the class will use during SSL negotiation. Set this property to a valid certificate before starting SSL negotiation. To set a certificate, you may set the Encoded field to the encoded certificate. To select a certificate, use the store and subject fields.

SSLProvider Property (GoogleKMS Class)

This specifies the SSL/TLS implementation to use.

Syntax

public int getSSLProvider();


public void setSSLProvider(int SSLProvider);


Enumerated values:
  public final static int sslpAutomatic = 0;
  public final static int sslpPlatform = 1;
  public final static int sslpInternal = 2;

Default Value

0

Remarks

This property specifies the SSL/TLS implementation to use. In most cases the default value of 0 (Automatic) is recommended and should not be changed. When set to 0 (Automatic) the class will select whether to use the platform implementation or the internal implementation depending on the operating system as well as the TLS version being used.

Possible values are:

In most cases using the default value (Automatic) is recommended. The class will select a provider depending on the current platform.

When Automatic is selected the platform implementation is used by default. When TLS 1.3 is enabled via SSLEnabledProtocols the internal implementation is used.

SSLServerCert Property (GoogleKMS Class)

The server certificate for the last established connection.

Syntax

public Certificate getSSLServerCert();

Remarks

SSLServerCert contains the server certificate for the last established connection.

SSLServerCert is reset every time a new connection is attempted.

This property is read-only.

Timeout Property (GoogleKMS Class)

A timeout for the class.

Syntax

public int getTimeout();


public void setTimeout(int timeout);

Default Value

60

Remarks

If the Timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If Timeout is set to a positive value, the class will wait for the operation to complete before returning control.

The class will use DoEvents to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not "freeze" and remains responsive.

If Timeout expires, and the operation is not yet complete, the class throws an exception.

Please note that by default, all timeouts are inactivity timeouts, i.e. the timeout period is extended by Timeout seconds when any amount of data is successfully sent or received.

The default value for the Timeout property is 60 seconds.

VersionMarker Property (GoogleKMS Class)

A marker indicating what page of key versions to return next.

Syntax

public String getVersionMarker();


public void setVersionMarker(String versionMarker);

Default Value

""

Remarks

This property will be populated when ListVersions is called if the results are paged and there are more pages. To list all key versions, continue to call ListVersions until this property returns empty string.

Refer to ListVersions for more information.

This property is not available at design time.

Versions Property (GoogleKMS Class)

A collection of key versions.

Syntax

public GoogleKeyVersionList getVersions();

Remarks

This collection holds a list of GoogleKeyVersion items.

Calling ListVersions or GetVersionInfo will populate this collection.

This property is read-only and not available at design time.

AddLabel Method (Googlekms Class)

Adds an item to the Labels properties.

Syntax

public void addLabel(String name, String value);

Remarks

This method adds an item to the Labels collection. Name specifies the name of the item, and Value specifies the value of the item.

A resource may have up to 64 labels. Label names and values must consist solely of lowercase letters, numbers, underscores, and hyphens; and may be up to 63 characters in length. Label names must also be unique and begin with a lowercase letter.

AddQueryParam Method (Googlekms Class)

Adds a query parameter to the QueryParams properties.

Syntax

public void addQueryParam(String name, String value);

Remarks

This method is used to add a query parameter to the QueryParams collection. Name specifies the name of the parameter, and Value specifies the value of the parameter.

All specified Values will be URL encoded by the class automatically. Consult the service documentation for details on the available parameters.

Authorize Method (Googlekms Class)

Get the authorization string required to access the protected resource.

Syntax

public void authorize();

Remarks

This method is used to get an access token that is required to access the protected resource. The method will act differently based on what is set in the ClientProfile field and the GrantType field. This method is not to be used in conjunction with the Authorization property. It should instead be used when setting the OAuth property.

For more information, see the introduction section.

CancelDestruction Method (Googlekms Class)

Cancels the destruction of a key version's cryptographic material.

Syntax

public void cancelDestruction(String keyName, String versionId);

Remarks

This method cancels the destruction of the cryptographic material for the key version specified by KeyName and VersionId. If successful, the key version's State changes to DISABLED.

Config Method (Googlekms Class)

Sets or retrieves a configuration setting.

Syntax

public String config(String configurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

CreateKey Method (Googlekms Class)

Creates a new key.

Syntax

public void createKey(String keyName, int purpose, String algorithm, boolean useHSM);

Remarks

This method creates a new key with the specified KeyName in the currently-selected KeyRing. A key version is automatically created when this occurs (and for symmetric keys, it automatically becomes the primary version).

The value passed for KeyName must consist solely of alphanumeric characters, underscores, and hyphens; and may be up to 63 characters in length.

The Purpose parameter specifies what the key's purpose should be. Possible values are:

• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

For symmetric keys, the only valid value for Algorithm is GOOGLE_SYMMETRIC_ENCRYPTION (which is assumed if empty string is passed). For asymmetric keys, the algorithm specifies the key type, repeats the purpose (either SIGN or DECRYPT), and dictates the algorithm that will be used for the relevant cryptographic operations; and valid values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UseHSM parameter specifies whether the key's protection level should be SOFTWARE (false) or HSM (true).

Note that the values passed for Algorithm and UseHSM will be stored on the server as template values, and used again anytime a new key version is created with CreateVersion. The template algorithm can be changed at any time using UpdateKey; the template protection level cannot be changed.

If there are any items in the Labels collection, they will be applied to the newly-created key. Keys may have up to 64 labels.

For symmetric keys, the RotationPeriod and NextRotateDate configuration settings can also be used to enable automatic rotation, refer to their documentation for more information.

CreateKeyRing Method (Googlekms Class)

Creates a new key ring.

Syntax

public void createKeyRing();

Remarks

This method creates a new key ring using the name specified by the KeyRing property.

CreateVersion Method (Googlekms Class)

Creates a new key version.

Syntax

public String createVersion(String keyName);

Remarks

This method creates a new version of the key specified by KeyName and returns the Id of the version. Note that, for symmetric keys, the new version will not become the primary version; SetPrimaryVersion can be used to update the primary version if desired.

The key's current TemplateAlgorithm and TemplateProtectionLevel are used to create the key version. To change the key's template algorithm prior to creating a new version, use the UpdateKey method.

Decrypt Method (Googlekms Class)

Decrypts data using a key.

Syntax

public void decrypt(String keyName, String versionId);

Remarks

This method decrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to decrypt is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The decrypted data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

For symmetric keys, VersionId must be empty; the server automatically detects which version of the symmetric key to use for decryption.

For asymmetric keys, VersionId must be specified.

DestroyVersion Method (Googlekms Class)

Schedules the specified key version's cryptographic material for destruction.

Syntax

public void destroyVersion(String keyName, String versionId);

Remarks

This method schedules the destruction of the cryptographic material for the key version specified by KeyName and VersionId. The key version itself is not deleted, just its cryptographic material.

If this method is successful, the key version's State changes to DESTROY_SCHEDULED, and the its cryptographic material will be destroyed after 24 hours. During this waiting period, the destruction can be canceled using the CancelDestruction method.

Important: Destroying a key version's cryptographic material makes the key version permanently unusable. If a key version must not be used by may be needed again in the future, disable using SetVersionEnabled instead.

DoEvents Method (Googlekms Class)

Processes events from the internal message queue.

Syntax

public void doEvents();

Remarks

When DoEvents is called, the class processes any available events. If no events are available, it waits for a preset period of time, and then returns.

Encrypt Method (Googlekms Class)

Encrypts data using a key.

Syntax

public void encrypt(String keyName, String versionId);

Remarks

This method encrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to encrypt is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The encrypted data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

For symmetric keys, VersionId must be empty; the server always uses the primary version of the symmetric key. (Unless the ForceSymmetricEncryption configuration setting is enabled, in which case VersionId can be used to specify a non-primary version.)

For asymmetric keys, VersionId must be specified. Note, however, that Google does not support server-side asymmetric encryption (only decryption), so this method will instead call GetPublicKey internally and then use the public key to encrypt the input data locally. This functionality is offered as a convenience.

GetKeyInfo Method (Googlekms Class)

Gets information about a key.

Syntax

public void getKeyInfo(String keyName);

Remarks

This method gets information about the key specified by KeyName.

When the information is returned, the class clears the Keys collection and repopulates it with a single item that contains the key's information, and also repopulates the Labels collection. The KeyList and LabelList events are also fired.

GetKeyRingInfo Method (Googlekms Class)

Gets information about a key ring.

Syntax

public void getKeyRingInfo();

Remarks

This method gets information about the currently-selected KeyRing.

When the information is returned, the class clears the KeyRings collection and repopulates it with a single item that contains the key ring's information. The KeyRingList event is also fired.

GetPublicKey Method (Googlekms Class)

Retrieves the public key of an asymmetric key pair.

Syntax

public void getPublicKey(String keyName, String versionId);

Remarks

This method retrieves the public key of the asymmetric key pair version specified by KeyName and VersionId. The algorithm of the key pair version is also retrieved. If successful, this method populates the PublicKey and PublicKeyAlgorithm properties.

GetVersionInfo Method (Googlekms Class)

Gets information about a key version.

Syntax

public void getVersionInfo(String keyName, String versionId);

Remarks

This method gets information about the key version specified by KeyName and VersionId.

When the information is returned, the class clears the Versions collection and repopulates it with a single item that contains the key version's information. The VersionList event is also fired.

ListKeyRings Method (Googlekms Class)

Lists the key rings in the currently-selected location.

Syntax

public void listKeyRings();

Remarks

This method lists the key rings in the currently-selected Location.

Calling this method will fire the KeyRingList event once for each key ring, and will also populate the KeyRings collection.

If there are still more key rings available to list when this method returns, the KeyRingMarker property will be populated. Continue to call this method until KeyRingMarker is empty to accumulate all pages of results in the KeyRings collection.

The MaxKeyRings configuration setting can be used to control the maximum number of results to return at once.

ListKeys Method (Googlekms Class)

Lists the keys in the currently-selected key ring.

Syntax

public void listKeys();

Remarks

This method lists the keys in the currently-selected KeyRing.

Calling this method will fire the KeyList event once for each key, and will also populate the Keys collection.

If there are still more keys available to list when this method returns, the KeyMarker property will be populated. Continue to call this method until KeyMarker is empty to accumulate all pages of results in the Keys collection.

The MaxKeys configuration setting can be used to control the maximum number of results to return at once.

ListVersions Method (Googlekms Class)

Lists the key versions for the specified key.

Syntax

public void listVersions(String keyName);

Remarks

This method lists the key versions for the key specified by KeyName.

Calling this method will fire the VersionList event once for each key version, and will also populate the Versions collection.

If there are still more key versions available to list when this method returns, the VersionMarker property will be populated. Continue to call this method until VersionMarker is empty to accumulate all pages of results in the Versions collection.

The MaxVersions configuration setting can be used to control the maximum number of results to return at once.

Reset Method (Googlekms Class)

Resets the class to its initial state.

Syntax

public void reset();

Remarks

This method resets the class to its initial state.

SendCustomRequest Method (Googlekms Class)

Sends a custom request to the server.

Syntax

public void sendCustomRequest(String httpMethod, String keyName, String versionId, String action);

Remarks

This method can be used to send arbitrary requests to the server.

Valid values for HttpMethod are:

• GET (default if empty)
• HEAD
• POST
• PUT
• PATCH
• DELETE

KeyName and VersionId are optional. The former must be specified if the latter is specified; both are ignored if KeyRing is empty. Action is also optional.

When this method is called, the class does the following:

1. Builds a request URL, including query parameters, like https://cloudkms.googleapis.com/v1/projects/{GoogleProjectId}/locations/{Location}[/keyRings/{KeyRing}[/cryptoKeys/{KeyName}[/cryptoKeyVersions/{VersionId}]]][{Action}] using:
   • The GoogleProjectId, Location, and (if non-empty) KeyRing properties.
   • The KeyName, VersionId, and Action parameters.
   • All query parameters from QueryParams.
2. Adds an Authorization header with the value specified by Authorization.
3. Adds any request headers from OtherHeaders.
4. Adds any request body supplied via the stream specified using SetInputStream, the specified InputFile, or InputData.
5. Sends the request to the server.
6. Stores the response headers in the ParsedHeaders collection; and the response body in the stream specified using SetOutputStream, the specified OutputFile, or OutputData.

If the response body is JSON data, the XPath, XText, and other X* configuration settings can then be used to navigate and extract information from it.

SetInputStream Method (Googlekms Class)

Sets the stream whose data should be processed.

Syntax

public void setInputStream(java.io.InputStream inputStream);

Remarks

This method sets the stream whose data should be processed in a cryptographic operation.

Passing a non-null value for InputStream will cause the InputFile property to be cleared. Similarly, setting InputFile to a non-empty value will discard any stream set using this method.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

SetOutputStream Method (Googlekms Class)

Sets the stream to which output data should be written.

Syntax

public void setOutputStream(java.io.OutputStream outputStream);

Remarks

This method sets the stream to which data output from a successful cryptographic operation should be written.

Passing a non-null value for OutputStream will cause the OutputFile property to be cleared. Similarly, setting OutputFile to a non-empty value will discard any stream set using this method.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

SetPrimaryVersion Method (Googlekms Class)

Sets the primary version of a symmetric key.

Syntax

public void setPrimaryVersion(String keyName, String versionId);

Remarks

This method sets the primary version of the symmetric key specified by KeyName to the version identified by VersionId.

A symmetric key's primary version is the one used by the server when Encrypt is called. It can be changed at any time. Asymmetric keys cannot have primary versions.

SetVersionEnabled Method (Googlekms Class)

Enables or disables a key version.

Syntax

public void setVersionEnabled(String keyName, String versionId, boolean enabled);

Remarks

This method enables or disables the key version specified by KeyName and VersionId.

Sign Method (Googlekms Class)

Signs a message using a key.

Syntax

public void sign(String keyName, String versionId, String algorithm, boolean isDigest);

Remarks

This method signs a message using the asymmetric key version specified by KeyName and VersionId.

The message data to sign is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The signature data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

The Algorithm parameter specifies the hash algorithm used to generate a message digest; this must be the same algorithm that appears in the key version's Algorithm string. The value passed must contain one of the following strings (passing the key version's complete algorithm string is acceptable):

• SHA256
• SHA384
• SHA512

The IsDigest parameter specifies whether the message data is the original message (false) or a message digest (true). When supplying a message digest, keep in mind that the same digest will need to be provided in order to Verify the signature later.

If IsDigest is false, the class will automatically compute an appropriate message digest before the request is made. In such cases, the computed digest is made available via the MessageDigest configuration setting.

UpdateKey Method (Googlekms Class)

Updates a key.

Syntax

public void updateKey(String keyName, String templateAlgorithm, boolean updateLabels);

Remarks

This method updates the key specified by KeyName.

The TemplateAlgorithm parameter specifies the algorithm value that the server should use when creating new versions of the key (i.e., when CreateVersion is called). If TemplateAlgorithm is empty, the existing template value remains unchanged; otherwise, TemplateAlgorithm must be one of the following:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UpdateLabels parameter determines whether the class replaces the key's current labels with the items in the Labels collection (which may be empty). Keys may have up to 64 labels.

The RotationPeriod and NextRotateDate configuration settings may also be used to send additional values, refer to their documentation for more information.

Verify Method (Googlekms Class)

Verifies a digital signature using a key.

Syntax

public boolean verify(String keyName, String versionId, boolean isDigest);

Remarks

This method verifies a digital signature using the asymmetric key version specified by KeyName and VersionId. If the signature is successfully verified, this method return true, otherwise it returns false.

The message data is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The digital signature data is taken from the specified OutputFile or the OutputData property.

The IsDigest parameter specifies whether the message data is the original message (false) or a message digest (true). When a message digest is supplied, keep in mind that it must be the exact same digest that was used at signing time, regardless of whether it has been recomputed.

Google does not support server-side signature verification, so this method will call GetPublicKey internally and then use the public key to verify the digital signature locally. This functionality is offered as a convenience.

EndTransfer Event (Googlekms Class)

This event fires when a document finishes transferring.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void endTransfer(GooglekmsEndTransferEvent e) {}
  ...
}

public class GooglekmsEndTransferEvent {
  public int direction;
}

Remarks

The EndTransfer event is fired when the document text finishes transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

Error Event (Googlekms Class)

Information about errors during data delivery.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void error(GooglekmsErrorEvent e) {}
  ...
}

public class GooglekmsErrorEvent {
  public int errorCode;
  public String description;
}

Remarks

The Error event is fired in case of exceptional conditions during message processing. Normally the class throws an exception.

ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Header Event (Googlekms Class)

This event is fired every time a header line comes in.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void header(GooglekmsHeaderEvent e) {}
  ...
}

public class GooglekmsHeaderEvent {
  public String field;
  public String value;
}

Remarks

The Field parameter contains the name of the HTTP header (which is the same as it is delivered). The Value parameter contains the header contents.

If the header line being retrieved is a continuation header line, then the Field parameter contains "" (empty string).

KeyList Event (Googlekms Class)

Fires once for each key when listing keys.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void keyList(GooglekmsKeyListEvent e) {}
  ...
}

public class GooglekmsKeyListEvent {
  public String name;
  public int purpose;
  public String creationDate;
  public String primaryVersion;
}

Remarks

This event fires once for each key returned when ListKeys or GetKeyInfo is called.

Name reflects the name of the key.

Purpose reflects the key's purpose. Possible values are:

• 0: Unspecified.
• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

CreationDate reflects the key's creation date, formatted as an RFC 3339 UTC timestamp.

PrimaryVersion reflects the Id of the key's primary version if it is symmetric. For asymmetric keys, it is always empty, since asymmetric keys cannot have a primary version.

KeyRingList Event (Googlekms Class)

Fires once for each key ring when listing key rings.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void keyRingList(GooglekmsKeyRingListEvent e) {}
  ...
}

public class GooglekmsKeyRingListEvent {
  public String name;
  public String creationDate;
}

Remarks

This event fires once for each key ring returned when ListKeyRings or GetKeyRingInfo is called.

Name reflects the name of the key ring.

CreationDate reflects the key ring's creation date, formatted as an RFC 3339 UTC timestamp.

LabelList Event (Googlekms Class)

Fires once for each label returned when a key's information is retrieved.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void labelList(GooglekmsLabelListEvent e) {}
  ...
}

public class GooglekmsLabelListEvent {
  public String keyName;
  public String name;
  public String value;
}

Remarks

This event fires once for each label returned when GetKeyInfo is called.

KeyName reflects the name of the key.

Name reflects the name of the label.

Value reflects the value of the label.

Log Event (Googlekms Class)

This event fires once for each log message.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void log(GooglekmsLogEvent e) {}
  ...
}

public class GooglekmsLogEvent {
  public int logLevel;
  public String message;
  public String logType;
}

Remarks

This event fires once for each log message generated by the class. The verbosity is controlled by the LogLevel setting.

LogLevel indicates the level of message. Possible values are as follows:

The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.

The value 2 (Verbose) logs additional information about the request and response.

The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).

Message is the log entry.

LogType identifies the type of log entry. Possible values are as follows:

• "Info"
• "RequestHeaders"
• "ResponseHeaders"
• "RequestBody"
• "ResponseBody"
• "ProxyRequest"
• "ProxyResponse"
• "FirewallRequest"
• "FirewallResponse"

SSLServerAuthentication Event (Googlekms Class)

Fired after the server presents its certificate to the client.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void SSLServerAuthentication(GooglekmsSSLServerAuthenticationEvent e) {}
  ...
}

public class GooglekmsSSLServerAuthenticationEvent {
  public byte[] certEncoded;
  public String certSubject;
  public String certIssuer;
  public String status;
  public boolean accept;
}

Remarks

This event is where the client can decide whether to continue with the connection process or not. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether to continue or not.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string "OK"). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

SSLStatus Event (Googlekms Class)

Shows the progress of the secure connection.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void SSLStatus(GooglekmsSSLStatusEvent e) {}
  ...
}

public class GooglekmsSSLStatusEvent {
  public String message;
}

Remarks

The event is fired for informational and logging purposes only. Used to track the progress of the connection.

StartTransfer Event (Googlekms Class)

This event fires when a document starts transferring (after the headers).

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void startTransfer(GooglekmsStartTransferEvent e) {}
  ...
}

public class GooglekmsStartTransferEvent {
  public int direction;
}

Remarks

The StartTransfer event is fired when the document text starts transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

Transfer Event (Googlekms Class)

This event is fired while a document transfers (delivers document).

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void transfer(GooglekmsTransferEvent e) {}
  ...
}

public class GooglekmsTransferEvent {
  public int direction;
  public long bytesTransferred;
  public int percentDone;
  public byte[] text;
}

Remarks

The Text parameter contains the portion of the document text being received. It is empty if data are being posted to the server.

The BytesTransferred parameter contains the number of bytes transferred in this Direction since the beginning of the document text (excluding HTTP response headers).

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

The PercentDone parameter shows the progress of the transfer in the corresponding direction. If PercentDone can not be calculated the value will be -1.

Note: Events are not re-entrant. Performing time-consuming operations within this event will prevent it from firing again in a timely manner and may affect overall performance.

VersionList Event (Googlekms Class)

Fires once for each key version when listing key versions.

Syntax

public class DefaultGooglekmsEventListener implements GooglekmsEventListener {
  ...
  public void versionList(GooglekmsVersionListEvent e) {}
  ...
}

public class GooglekmsVersionListEvent {
  public String name;
  public String versionId;
  public String state;
  public String algorithm;
  public String protectionLevel;
  public String creationDate;
  public String destructionDate;
}

Remarks

This event fires once for each key version returned when ListVersions or GetVersionInfo is called.

Name reflects the name of the key.

VersionId reflects the Id of the key version.

State reflects the state of the key version. Possible values are:

• PENDING_GENERATION: The version is still being generated, and cannot be used yet. Once generation has finished, it will become ENABLED.
• ENABLED: The version is enabled and available for use.
• DISABLED: The version is disabled; it cannot be used unless it is enabled again. It may be destroyed.
• DESTROY_SCHEDULED: The version's cryptographic material is scheduled for destruction, and will be destroyed at the time reflected by DestructionDate unless CancelDestruction before then.
• DESTROYED: The version's cryptographic material has been destroyed, and the version is no longer usable. This state is permanent once entered.
• PENDING_IMPORT*: Cryptographic material has not finished importing, and the version cannot be used yet. Once the import has finished, it will become ENABLED.
• IMPORT_FAILED*: The version was not imported successfully; it cannot be used, and any imported cryptographic material has been discarded.

Algorithm reflects the key version's algorithm. For symmetric keys, this will always be GOOGLE_SYMMETRIC_ENCRYPTION. For asymmetric keys, this value describes both the key type and the algorithm that must be used during cryptographic operations, and possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

ProtectionLevel reflects the key version's protection level. Possible values are:

• SOFTWARE
• HSM
• EXTERNAL

CreationDate reflects the key version's creation date, formatted as an RFC 3339 UTC timestamp.

DestructionDate reflects the date at which the key version's cryptographic material was (or will be) destroyed, formatted as an RFC 3339 UTC timestamp; or empty string if the key version's cryptographic material has not been, and is not scheduled to be, destroyed.

Certificate Type

This is the digital certificate being used.

Remarks

This type describes the current digital certificate. The certificate may be a public or private key. The fields are used to identify or select certificates.

Fields

Constructors

public Certificate();

Creates a Certificate instance whose properties can be set. This is useful for use with CERTMGR when generating new certificates.

public Certificate( certificateFile);

Opens CertificateFile and reads out the contents as an X509 public key.

public Certificate( certificateData);

Parses CertificateData as an X509 public key.

public Certificate( certStoreType,  store,  storePassword,  subject);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the class will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).

public Certificate( certStoreType,  store,  storePassword,  subject,  configurationString);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. ConfigurationString is a newline separated list of name-value pairs that may be used to modify the default behavior. Possible values include "PersistPFXKey", which shows whether or not the PFX key is persisted after performing operations with the private key. This correlates to the PKCS12_NO_PERSIST_KEY CyrptoAPI option. The default value is True (the key is persisted). "Thumbprint" - a MD5, SHA1, or SHA256 thumbprint of the certificate to load. When specified, this value is used to select the certificate in the store. This is applicable to cstUser, cstMachine, cstPublicKeyFile, and cstPFXFile store types. "UseInternalSecurityAPI" shows whether the platform (default) or the internal security API is used when performing certificate-related operations. After the store has been successfully opened, the class will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).

public Certificate( certStoreType,  store,  storePassword,  encoded);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the class will load Encoded as an X509 certificate and search the opened store for a corresponding private key.

public Certificate( certStoreType,  storeBlob,  storePassword,  subject);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. StoreBlob is a string (binary- or base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the class will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).

public Certificate( certStoreType,  storeBlob,  storePassword,  subject,  configurationString);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. StoreBlob is a string (binary- or base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the class will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).

public Certificate( certStoreType,  storeBlob,  storePassword,  encoded);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a string (binary- or base64-encoded) containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the class will load Encoded as an X509 certificate and search the opened store for a corresponding private key.

Firewall Type

This is the firewall the class will connect through.

Remarks

When connecting through a firewall, this type is used to specify different properties of the firewall, such as the firewall Host and the FirewallType.

Fields

Constructors

public Firewall();

GoogleKey Type

A Google KMS key.

Remarks

This type represents a Google KMS key.

Fields

GoogleKeyRing Type

A Google KMS key ring.

Remarks

This type represents a Google KMS key ring.

Fields

GoogleKeyVersion Type

A Google KMS key version.

Remarks

This type represents a Google KMS key version.

Fields

GoogleLabel Type

A Google resource label.

Remarks

This type represents a Google resource label.

Fields

Constructors

public GoogleLabel();

public GoogleLabel( name,  value);

Header Type

This is an HTTP header as it is received from the server.

Remarks

When a header is received through a Header event, it is parsed into a Header type. This type contains a Field, and its corresponding Value.

Fields

Constructors

public Header();

public Header( field,  value);

OAuthSettings Type

The settings to use to authenticate with the service provider.

Remarks

Used to set give the class the necessary information needed to complete OAuth authentication.

Fields

Constructors

public OAuthSettings();

Proxy Type

This is the proxy the class will connect to.

Remarks

When connecting through a proxy, this type is used to specify different properties of the proxy, such as the Server and the AuthScheme.

Fields

Constructors

public Proxy();

public Proxy( server,  port);

public Proxy( server,  port,  user,  password);

QueryParam Type

A query parameter to send in the request.

Remarks

This type represents a query parameter to send in the request.

Fields

Constructors

public QueryParam();

public QueryParam( name,  value);

Config Settings (Googlekms Class)

GoogleKMS Config Settings

<firstlevel>
  <one>value</one>
  <two>
    <item>first</item>
    <item>second</item>
  </two>
  <three>value three</three>
</firstlevel>

{
  "firstlevel": {
    "one": "value",
    "two": ["first", "second"],
    "three": "value three"
  }
}

HTTP Config Settings

TCPClient Config Settings

SSL Config Settings

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
..
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
..
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

Socket Config Settings

Base Config Settings

Trappable Errors (Googlekms Class)

Common Errors

HTTP Errors

TCPClient Errors

SSL Errors

TCP/IP Errors