GoogleKMS Component

Properties   Methods   Events   Config Settings   Errors  

The GoogleKMS component provides an easy-to-use interface for the Google Cloud Key Management Service.

Syntax

TckGoogleKMS

Remarks

The GoogleKMS component makes it easy to work with the Google Cloud Key Management Service (KMS) in a secure manner using TLS. Google KMS allows you to create and manage key rings that contain symmetric and asymmetric keys. Each key has one or more versions which can be used for cryptographic operations.

To begin, register for a Google Cloud account. Set the GoogleProjectId property to your full Google Cloud project Id, and set the Location property to the Google Cloud location you'd like to make requests against (by default, the us multi-regional location is used). Note that each location's resources are completely separate from the others'.

This component requires authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth property to set the appropriate fields for the chosen ClientProfile and GrantType.

The component has the following defaults:

Application Profile

This profile encompasses the most basic grant types that OAuth supports. When this profile is set, all the requests and response handling is done by the component. Depending on the grant type, this may involve launching a browser so a user can login to authenticate with a authorization server. It may also involve starting an embedded web server to receive a response from a redirect.

To start the authentication and authorization process, the Authorize method should be called. If the authorization and authentication was successful, then the AccessToken property will be populated. Additionally, if a refresh token was provided the RefreshToken property will be populated as well. These values of the fields are for informational purposes. The component will also cache these tokens along with when the AccessToken will be expired. When a method that makes requests to the service provider is called or the Authorize method is called the component will automatically check to see if the access token is expired. If it is, it will then automatically try to get a new AccessToken. If the Authorize method was not used and user interaction would be required, the component will throw an error which can be caught. When user interaction is needed depends on what grant type is set in the GrantType property. To force the component to only check the access token when the Authorize method is called, the OAuthAutomaticRefresh configuration setting can be set to false.

A brief description of the supported values for the GrantType property are below. For more information, see the service documentation.

Authorization Code

When using the Authorization Code grant type, the component will use an authorization code to get an access token. For this GrantType the component expects a ClientId, ClientSecret, ServerAuthURL, and ServerTokenURL to be set. When the Authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the component will parse the authorization code, setting the AuthorizationCode property, from the redirect. Immediately, the component will make a request to the token server to exchange the authorization code for an access token. The token server will return an access token and possibly a refresh token. If the RefreshToken property is set, or a refresh token is cached, then the component will not launch the browser and use the refresh token in its request to the token server instead of an authorization code.

Example: GoogleKMS googlekms = new GoogleKMS(); googlekms.OAuth.ClientProfile = CloudOAuthClientProfiles.cocpApplication; googlekms.OAuth.GrantType = OAuthSettingsGrantTypes.cogtAuthorizationCode; googlekms.OAuth.ClientId = CLIENT_ID; googlekms.OAuth.ClientSecret = CLIENT_SECRET; googlekms.Authorize();

Implicit

Note: This grant type is considered insecure and should only be used when necessary.

When using the Implicit grant type, the component will request the authorization server to get an access token. For this GrantType the component expects a ClientId, ClientSecret, and ServerAuthURL to be set. When the Authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the component will parse the access token from the redirect.

A disadvantage of the grant type is that can not use a refresh token to silently get a new access token. Most service providers offer a way to silently get a new access token. See the service documentation for specifics. This means the component will not be able to automatically get a fresh token once it expires.

Web Profile

External OAuth Support

Bearer ACCESS_TOKEN_VALUE

Assign this value to the Authorization property before attempting any operations. Setting the Authorization property will cause the component to ignore the values set in the OAuth property.

For Example: Oauth oauth = new Oauth(); oauth.ClientId = "CLIENT_ID"; oauth.ClientSecret = "CLIENT_SECRET"; oauth.AuthorizationScope = "https://www.googleapis.com/auth/cloud-platform"; oauth.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth"; oauth.ServerTokenURL = "https://accounts.google.com/o/oauth2/token"; oauth.GrantType = OauthGrantTypes.ogtAuthorizationCode; googlekms.Authorization = oauth.GetAuthorization(); Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.

Using the Component

First, select which key ring the component should interact with using the KeyRing property. If the selected key ring does not yet exist, use the CreateKeyRing method to create it. Note that key rings cannot be deleted later, and therefore key ring names can never be reused within a given Location (unless you create a new Google Cloud project).

Once a key ring has been selected (and created, if necessary), keys can be created in it using the CreateKey method. A key consists of one or more key versions (which themselves can be thought of as distinct resources), each of which has its own cryptographic material. Symmetric keys have a primary version which is used when encrypting data. Asymmetric keys do not have a primary version; a specific version must always be targeted.

When a key is created, a single key version is automatically created for it as well (and for symmetric keys, this becomes the primary version). Additional key versions can be created using the CreateVersion method. Each key version receives a sequentially-assigned version Id, and the first version's Id is always 1. As will become apparent, most operations are performed with key versions, not keys. googlekms.KeyRing = "MyKeyRing"; googlekms.CreateKeyRing(); // When a key is created, you specify its name, purpose, algorithm, and protection level. // Refer to the CreateKey method's documentation for more information. googlekms.CreateKey("MyKey", 1, "GOOGLE_SYMMETRIC_ENCRYPTION", false); // When a new version is created, the algorithm and protection level are reused. googlekms.CreateVersion("MyKey");

Like key rings, keys and key versions cannot be deleted. However, a key version can be disabled, or its cryptographic material can be destroyed, making it permanently unusable. To enable or disable a key version, use the SetVersionEnabled method; to destroy a key version's cryptographic material, use the DestroyVersion method. Note that the latter doesn't destroy the cryptographic material immediately; instead, it schedules it for destruction 24 hours from the time of the call. The CancelDestruction method can be called within this waiting period to cancel the destruction. // Disable a key version to make it unusable until it is re-enabled. googlekms.SetVersionEnabled("MyKey", "7", false); // Destroy a key version's cryptographic material to make it permanently unusable. googlekms.DestroyVersion("MyKey", "7"); // The destruction takes place after a 24 hour waiting period; it can be canceled during that period. // If destruction is canceled, the key version is always placed into a disabled state. googlekms.CancelDestruction("MyKey", "7");

To list key rings, keys, or key versions, use the ListKeyRings, ListKeys, or ListVersions method. If there are multiple pages of results when listing a resource, the appropriate marker property will be populated, and all pages of results can be accumulated by continuing to call the relevant listing method until the marker property is empty. do { googlekms.ListKeyRings(); } while (!string.IsNullOrEmpty(googlekms.KeyRingMarker)); foreach (GoogleKeyRing keyring in googlekms.KeyRings) { Console.WriteLine(keyring.Name); } googlekms.KeyRing = "MyKeyRing"; do { googlekms.ListKeys(); } while (!string.IsNullOrEmpty(googlekms.KeyMarker)); foreach (GoogleKey key in googlekms.Keys) { Console.WriteLine(key.Name); } do { googlekms.ListKeyVersions("MyKey"); } while (!string.IsNullOrEmpty(googlekms.VersionMarker)); foreach (GoogleKeyVersion version in googlekms.Versions) { Console.WriteLine(version.Name + " " + version.VersionId); }

Depending on a key's purpose, it can be used to perform different cryptographic operations. Keys whose purpose is encryption/decryption can be used in Encrypt and Decrypt operations. Keys whose purpose is sign/verify can be used in Sign and Verify operations. To perform a cryptographic operation, use InputData, InputFile, or SetInputStream to supply the input data that should be processed. All operations will output the result data to OutputData, OutputFile, or SetOutputStream (except Verify; refer to its documentation for more information).

Note that Google does not support server-side asymmetric encryption or asymmetric verification. The component performs these operations locally as a convenience to account for this. // Create an asymmetric key whose purpose is encryption/decryption. googlekms.CreateKey("MyAsymmEncKey", 3, "RSA_DECRYPT_OAEP_3072_SHA256", false); // Encrypt the string "Test123" and write the encrypted data to an output file. googlekms.InputData = "Test123"; googlekms.OutputFile = "C:/temp/enc.dat"; googlekms.Encrypt("MyAsymmEncKey", "1"); // ...Later, decrypt the data again. googlekms.InputFile = "C:/temp/enc.dat"; googlekms.OutputFile = ""; // So that the data will be output to the OutputData property. googlekms.Decrypt("MyAsymmEncKey", "1");

The component also supports a variety of other functionality, including:

• Retrieval of a single resource's information with GetKeyRingInfo, GetKeyInfo, or GetVersionInfo.
• Getting an asymmetric key's public key using GetPublicKey.
• Label support using AddLabel and the Labels properties.
• Updating key information with UpdateKey and SetPrimaryVersion.
• And more!

Property List

The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the component with short descriptions. Click on the links for further details.

AdditionalData Property (GoogleKMS Component)

Additional data to send when performing symmetric encryption or decryption.

Syntax

property AdditionalData: String read get_AdditionalData write set_AdditionalData;
property AdditionalDataB: TBytes read get_AdditionalDataB write set_AdditionalDataB;

Default Value

''

Remarks

This property can be set before calling Encrypt or Decrypt with a symmetric key to have the server include the specified data, known as additional authenticated data, when performing the cryptographic operation. If such data is provided during encryption, it must also be provided in order to successfully decrypt the data. Refer to the Google Cloud KMS documentation for more information.

Up to 65536 bytes of data may be provided. Note that this property is ignored when asymmetric encryption or decryption is performed.

This property is not available at design time.

Authorization Property (GoogleKMS Component)

OAuth 2.0 Authorization Token.

Syntax

property Authorization: String read get_Authorization write set_Authorization;

Default Value

''

Remarks

This component supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth component or a separate process. Once complete you should have an authorization string which looks like:

Bearer ACCESS_TOKEN

Firewall Property (GoogleKMS Component)

A set of properties related to firewall access.

Syntax

property Firewall: TckFirewall read get_Firewall write set_Firewall;

Remarks

This is a Firewall-type property, which contains fields describing the firewall through which the component will attempt to connect.

GoogleProjectId Property (GoogleKMS Component)

The Id of the Google Cloud project to make requests against.

Syntax

property GoogleProjectId: String read get_GoogleProjectId write set_GoogleProjectId;

Default Value

''

Remarks

This property specifies the Id of the Google Cloud project that the component should make requests against; it must be set before attempting any operations.

Note that the full Google Cloud project Id must be specified, not just the project number.

This property is not available at design time.

Idle Property (GoogleKMS Component)

The current status of the component.

Syntax

property Idle: Boolean read get_Idle;

Default Value

true

Remarks

This property will be False if the component is currently busy (communicating or waiting for an answer), and True at all other times.

This property is read-only.

InputData Property (GoogleKMS Component)

The data to process.

Syntax

property InputData: String read get_InputData write set_InputData;
property InputDataB: TBytes read get_InputDataB write set_InputDataB;

Default Value

''

Remarks

This property specifies the data that should be processed in a cryptographic operation.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

This property is not available at design time.

InputFile Property (GoogleKMS Component)

The file whose data should be processed.

Syntax

property InputFile: String read get_InputFile write set_InputFile;

Default Value

''

Remarks

This property specifies the file whose data should be processed in a cryptographic operation. It accepts both absolute and relative file paths.

Setting this property to a non-empty value will discard any stream set using the SetInputStream method. Similarly, passing a non-null value to the aforementioned method will clear this property.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

KeyMarker Property (GoogleKMS Component)

A marker indicating what page of keys to return next.

Syntax

property KeyMarker: String read get_KeyMarker write set_KeyMarker;

Default Value

''

Remarks

This property will be populated when ListKeys is called if the results are paged and there are more pages. To list all keys, continue to call ListKeys until this property returns empty string.

Refer to ListKeys for more information.

This property is not available at design time.

KeyRing Property (GoogleKMS Component)

Selects a key ring for the component to interact with.

Syntax

property KeyRing: String read get_KeyRing write set_KeyRing;

Default Value

''

Remarks

This property specifies the key ring, by name, that the component should interact with.

This property is not available at design time.

KeyRingMarker Property (GoogleKMS Component)

A marker indicating what page of key rings to return next.

Syntax

property KeyRingMarker: String read get_KeyRingMarker write set_KeyRingMarker;

Default Value

''

Remarks

This property will be populated when ListKeyRings is called if the results are paged and there are more pages. To list all key rings, continue to call ListKeyRings until this property returns empty string.

Refer to ListKeyRings for more information.

This property is not available at design time.

KeyRings Property (GoogleKMS Component)

A collection of key rings.

Syntax

property KeyRings: TckGoogleKeyRingList read get_KeyRings;

Remarks

This collection holds a list of GoogleKeyRing items.

Calling ListKeyRings or GetKeyRingInfo will populate this collection.

This property is read-only and not available at design time.

Keys Property (GoogleKMS Component)

A collection of keys.

Syntax

property Keys: TckGoogleKeyList read get_Keys;

Remarks

This collection holds a list of GoogleKey items.

Calling ListKeys or GetKeyInfo will populate this collection.

This property is read-only and not available at design time.

Labels Property (GoogleKMS Component)

A collection of labels.

Syntax

property Labels: TckGoogleLabelList read get_Labels write set_Labels;

Remarks

This collection holds a list of GoogleLabel items.

Calling AddLabel or GetKeyInfo will populate this collection. The items in this collection are used by the CreateKey and UpdateKey methods.

This property is not available at design time.

LocalHost Property (GoogleKMS Component)

The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

Syntax

property LocalHost: String read get_LocalHost write set_LocalHost;

Default Value

''

Remarks

This property contains the name of the local host as obtained by the gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multihomed hosts (machines with more than one IP interface) setting LocalHost to the IP address of an interface will make the component initiate connections (or accept in the case of server components) only through that interface. It is recommended to provide an IP address rather than a hostname when setting this property to ensure the desired interface is used.

If the component is connected, the LocalHost property shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multihomed hosts (machines with more than one IP interface).

Note: LocalHost is not persistent. You must always set it in code, and never in the property window.

Location Property (GoogleKMS Component)

The Google Cloud location to make requests against.

Syntax

property Location: String read get_Location write set_Location;

Default Value

'us'

Remarks

This property specifies the Google Cloud location that the component should make requests against.

Regional Locations:

A regional location's data centers exist in a specific geographical place.

Dual-Regional Locations:

A dual-regional location's data centers exist in two specific geographical places (plus a third region included for data replication and durability).

Multi-Regional Locations:

A multi-regional location's data centers are spread across a geographical area; it is not possible to predict or control exactly which data centers are selected or where they are located.

The component will always convert this property's value to lowercase. If this property is cleared, the component will reset it to the default value.

This property is not available at design time.

OAuth Property (GoogleKMS Component)

This property holds the OAuth Settings.

Syntax

property OAuth: TckOAuthSettings read get_OAuth;

Remarks

This property is used to define the necessary fields to authenticate with the service provider. See the introduction for more information.

This property is read-only and not available at design time.

OtherHeaders Property (GoogleKMS Component)

Other headers as determined by the user (optional).

Syntax

property OtherHeaders: String read get_OtherHeaders write set_OtherHeaders;

Default Value

''

Remarks

This property can be set to a string of headers to be appended to the HTTP request headers created from other properties like ContentType and From.

The headers must follow the format Header: Value as described in the HTTP specifications. Header lines should be separated by CRLF ('#13#10') .

Use this property with caution. If this property contains invalid headers, HTTP requests may fail.

This property is useful for extending the functionality of the component beyond what is provided.

This property is not available at design time.

OutputData Property (GoogleKMS Component)

The output data.

Syntax

property OutputData: String read get_OutputData write set_OutputData;
property OutputDataB: TBytes read get_OutputDataB write set_OutputDataB;

Default Value

''

Remarks

This property is populated with the data that was output from a successful cryptographic operation.

Note: For the Verify operation, this property functions as a secondary input property instead (along with InputData); refer to the Verify method for more information.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

This property is not available at design time.

OutputFile Property (GoogleKMS Component)

The file to which output data should be written.

Syntax

property OutputFile: String read get_OutputFile write set_OutputFile;

Default Value

''

Remarks

This property specifies the file to which data output from a successful cryptographic operation should be written.

Setting this property to a non-empty value will discard any stream set using the SetOutputStream method. Similarly, passing a non-null value to the aforementioned method will clear this property.

Note: For the Verify operation, the specified file functions as a secondary input file instead (along with InputFile); refer to the Verify method for more information.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

Overwrite Property (GoogleKMS Component)

Whether the output file should be overwritten if necessary.

Syntax

property Overwrite: Boolean read get_Overwrite write set_Overwrite;

Default Value

false

Remarks

This property controls whether the specified OutputFile should be overwritten if it already exists.

ParsedHeaders Property (GoogleKMS Component)

This property includes a collection of headers returned from the last request.

Syntax

property ParsedHeaders: TckHeaderList read get_ParsedHeaders;

Remarks

This property contains a collection of headers returned from the last request. Whenever headers are returned from the server, the headers are parsed into a collection of headers. Each Header in this collection contains information describing that header.

MaxHeaders can be used to control the maximum number of headers saved.

This property is read-only and not available at design time.

Proxy Property (GoogleKMS Component)

A set of properties related to proxy access.

Syntax

property Proxy: TckProxy read get_Proxy write set_Proxy;

Remarks

This property contains fields describing the proxy through which the component will attempt to connect.

PublicKey Property (GoogleKMS Component)

The public key of an asymmetric key pair.

Syntax

property PublicKey: String read get_PublicKey;

Default Value

''

Remarks

This property reflects the public key of an asymmetric key pair stored on the server, in PEM format; it is populated anytime the GetPublicKey method is called successfully.

This property is read-only and not available at design time.

PublicKeyAlgorithm Property (GoogleKMS Component)

The algorithm of an asymmetric key pair.

Syntax

property PublicKeyAlgorithm: String read get_PublicKeyAlgorithm;

Default Value

''

Remarks

This property reflects the algorithm of an asymmetric key pair stored on the server; it is populated anytime the GetPublicKey method is called successfully. Possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

This property is read-only and not available at design time.

QueryParams Property (GoogleKMS Component)

Additional query parameters to be included in the request.

Syntax

property QueryParams: TckQueryParamList read get_QueryParams write set_QueryParams;

Remarks

This is a collection of query parameters that will be added to the request. Parameters can be added via the AddQueryParam method.

SSLAcceptServerCert Property (GoogleKMS Component)

Instructs the component to unconditionally accept the server certificate that matches the supplied certificate.

Syntax

property SSLAcceptServerCert: TckCertificate read get_SSLAcceptServerCert write set_SSLAcceptServerCert;

Remarks

If it finds any issues with the certificate presented by the server, the component will normally terminate the connection with an error.

You may override this behavior by supplying a value for SSLAcceptServerCert. If the certificate supplied in SSLAcceptServerCert is the same as the certificate presented by the server, then the server certificate is accepted unconditionally, and the connection will continue normally.

Note: This functionality is provided only for cases in which you otherwise know that you are communicating with the right server. If used improperly, this property may create a security breach. Use it at your own risk.

SSLCert Property (GoogleKMS Component)

The certificate to be used during Secure Sockets Layer (SSL) negotiation.

Syntax

property SSLCert: TckCertificate read get_SSLCert write set_SSLCert;

Remarks

This property includes the digital certificate that the component will use during SSL negotiation. Set this property to a valid certificate before starting SSL negotiation. To set a certificate, you may set the Encoded field to the encoded certificate. To select a certificate, use the store and subject fields.

SSLProvider Property (GoogleKMS Component)

The Secure Sockets Layer/Transport Layer Security (SSL/TLS) implementation to use.

Syntax

property SSLProvider: TckTSSLProviders read get_SSLProvider write set_SSLProvider;

TckTSSLProviders = (
  sslpAutomatic,
  sslpPlatform,
  sslpInternal
);

Default Value

sslpAutomatic

Remarks

This property specifies the SSL/TLS implementation to use. In most cases the default value of 0 (Automatic) is recommended and should not be changed. When set to 0 (Automatic), the component will select whether to use the platform implementation or the internal implementation depending on the operating system as well as the TLS version being used.

Possible values are as follows:

In most cases using the default value (Automatic) is recommended. The component will select a provider depending on the current platform.

When Automatic is selected, on Windows, the component will use the platform implementation. On Linux/macOS, the component will use the internal implementation. When TLS 1.3 is enabled via SSLEnabledProtocols, the internal implementation is used on all platforms.

SSLServerCert Property (GoogleKMS Component)

The server certificate for the last established connection.

Syntax

property SSLServerCert: TckCertificate read get_SSLServerCert;

Remarks

This property contains the server certificate for the last established connection.

SSLServerCert is reset every time a new connection is attempted.

This property is read-only.

Timeout Property (GoogleKMS Component)

The timeout for the component.

Syntax

property Timeout: Integer read get_Timeout write set_Timeout;

Default Value

60

Remarks

If the Timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If Timeout is set to a positive value, the component will wait for the operation to complete before returning control.

The component will use DoEvents to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not freeze and remains responsive.

If Timeout expires, and the operation is not yet complete, the component raises an exception.

Note: By default, all timeouts are inactivity timeouts, that is, the timeout period is extended by Timeout seconds when any amount of data is successfully sent or received.

The default value for the Timeout property is 60 seconds.

VersionMarker Property (GoogleKMS Component)

A marker indicating what page of key versions to return next.

Syntax

property VersionMarker: String read get_VersionMarker write set_VersionMarker;

Default Value

''

Remarks

This property will be populated when ListVersions is called if the results are paged and there are more pages. To list all key versions, continue to call ListVersions until this property returns empty string.

Refer to ListVersions for more information.

This property is not available at design time.

Versions Property (GoogleKMS Component)

A collection of key versions.

Syntax

property Versions: TckGoogleKeyVersionList read get_Versions;

Remarks

This collection holds a list of GoogleKeyVersion items.

Calling ListVersions or GetVersionInfo will populate this collection.

This property is read-only and not available at design time.

AddLabel Method (GoogleKMS Component)

Adds an item to the Labels properties.

Syntax

procedure AddLabel(Name: String; Value: String);

Remarks

This method adds an item to the Labels properties. Name specifies the name of the item, and Value specifies the value of the item.

A resource may have up to 64 labels. Label names and values must consist solely of lowercase letters, numbers, underscores, and hyphens; and may be up to 63 characters in length. Label names must also be unique and begin with a lowercase letter.

AddQueryParam Method (GoogleKMS Component)

Adds a query parameter to the QueryParams properties.

Syntax

procedure AddQueryParam(Name: String; Value: String);

Remarks

This method is used to add a query parameter to the QueryParams properties. Name specifies the name of the parameter, and Value specifies the value of the parameter.

All specified Values will be URL encoded by the component automatically. Consult the service documentation for details on the available parameters.

Authorize Method (GoogleKMS Component)

Get the authorization string required to access the protected resource.

Syntax

procedure Authorize();

Remarks

This method is used to get an access token that is required to access the protected resource. The method will act differently based on what is set in the ClientProfile property and the GrantType property. This method is not to be used in conjunction with the Authorization property. It should instead be used when setting the OAuth property.

For more information, see the introduction section.

CancelDestruction Method (GoogleKMS Component)

Cancels the destruction of a key version's cryptographic material.

Syntax

procedure CancelDestruction(KeyName: String; VersionId: String);

Remarks

This method cancels the destruction of the cryptographic material for the key version specified by KeyName and VersionId. If successful, the key version's State changes to DISABLED.

Config Method (GoogleKMS Component)

Sets or retrieves a configuration setting.

Syntax

function Config(ConfigurationString: String): String;

Remarks

Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

CreateKey Method (GoogleKMS Component)

Creates a new key.

Syntax

procedure CreateKey(KeyName: String; Purpose: Integer; Algorithm: String; UseHSM: Boolean);

Remarks

This method creates a new key with the specified KeyName in the currently-selected KeyRing. A key version is automatically created when this occurs (and for symmetric keys, it automatically becomes the primary version).

The value passed for KeyName must consist solely of alphanumeric characters, underscores, and hyphens; and may be up to 63 characters in length.

The Purpose parameter specifies what the key's purpose should be. Possible values are:

• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

For symmetric keys, the only valid value for Algorithm is GOOGLE_SYMMETRIC_ENCRYPTION (which is assumed if empty string is passed). For asymmetric keys, the algorithm specifies the key type, repeats the purpose (either SIGN or DECRYPT), and dictates the algorithm that will be used for the relevant cryptographic operations; and valid values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UseHSM parameter specifies whether the key's protection level should be SOFTWARE (false) or HSM (true).

Note that the values passed for Algorithm and UseHSM will be stored on the server as template values, and used again anytime a new key version is created with CreateVersion. The template algorithm can be changed at any time using UpdateKey; the template protection level cannot be changed.

If there are any items in the Labels properties, they will be applied to the newly-created key. Keys may have up to 64 labels.

For symmetric keys, the RotationPeriod and NextRotateDate configuration settings can also be used to enable automatic rotation, refer to their documentation for more information.

CreateKeyRing Method (GoogleKMS Component)

Creates a new key ring.

Syntax

procedure CreateKeyRing();

Remarks

This method creates a new key ring using the name specified by the KeyRing property.

CreateVersion Method (GoogleKMS Component)

Creates a new key version.

Syntax

function CreateVersion(KeyName: String): String;

Remarks

This method creates a new version of the key specified by KeyName and returns the Id of the version. Note that, for symmetric keys, the new version will not become the primary version; SetPrimaryVersion can be used to update the primary version if desired.

The key's current TemplateAlgorithm and TemplateProtectionLevel are used to create the key version. To change the key's template algorithm prior to creating a new version, use the UpdateKey method.

Decrypt Method (GoogleKMS Component)

Decrypts data using a key.

Syntax

procedure Decrypt(KeyName: String; VersionId: String);

Remarks

This method decrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to decrypt is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The decrypted data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

For symmetric keys, VersionId must be empty; the server automatically detects which version of the symmetric key to use for decryption.

For asymmetric keys, VersionId must be specified.

DestroyVersion Method (GoogleKMS Component)

Schedules the specified key version's cryptographic material for destruction.

Syntax

procedure DestroyVersion(KeyName: String; VersionId: String);

Remarks

This method schedules the destruction of the cryptographic material for the key version specified by KeyName and VersionId. The key version itself is not deleted, just its cryptographic material.

If this method is successful, the key version's State changes to DESTROY_SCHEDULED, and the its cryptographic material will be destroyed after 24 hours. During this waiting period, the destruction can be canceled using the CancelDestruction method.

Important: Destroying a key version's cryptographic material makes the key version permanently unusable. If a key version must not be used by may be needed again in the future, disable using SetVersionEnabled instead.

DoEvents Method (GoogleKMS Component)

This method processes events from the internal message queue.

Syntax

procedure DoEvents();

Remarks

When DoEvents is called, the component processes any available events. If no events are available, it waits for a preset period of time, and then returns.

Encrypt Method (GoogleKMS Component)

Encrypts data using a key.

Syntax

procedure Encrypt(KeyName: String; VersionId: String);

Remarks

This method encrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to encrypt is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The encrypted data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

For symmetric keys, VersionId must be empty; the server always uses the primary version of the symmetric key. (Unless the ForceSymmetricEncryption configuration setting is enabled, in which case VersionId can be used to specify a non-primary version.)

For asymmetric keys, VersionId must be specified. Note, however, that Google does not support server-side asymmetric encryption (only decryption), so this method will instead call GetPublicKey internally and then use the public key to encrypt the input data locally. This functionality is offered as a convenience.

GetKeyInfo Method (GoogleKMS Component)

Gets information about a key.

Syntax

procedure GetKeyInfo(KeyName: String);

Remarks

This method gets information about the key specified by KeyName.

When the information is returned, the component clears the Keys properties and repopulates it properties. The KeyList and LabelList events are also fired.

GetKeyRingInfo Method (GoogleKMS Component)

Gets information about a key ring.

Syntax

procedure GetKeyRingInfo();

Remarks

This method gets information about the currently-selected KeyRing.

When the information is returned, the component clears the KeyRings properties and repopulates them with a single item that contains the key ring's information. The KeyRingList event is also fired.

GetPublicKey Method (GoogleKMS Component)

Retrieves the public key of an asymmetric key pair.

Syntax

procedure GetPublicKey(KeyName: String; VersionId: String);

Remarks

This method retrieves the public key of the asymmetric key pair version specified by KeyName and VersionId. The algorithm of the key pair version is also retrieved. If successful, this method populates the PublicKey and PublicKeyAlgorithm properties.

GetVersionInfo Method (GoogleKMS Component)

Gets information about a key version.

Syntax

procedure GetVersionInfo(KeyName: String; VersionId: String);

Remarks

This method gets information about the key version specified by KeyName and VersionId.

When the information is returned, the component clears the Versions properties and repopulates them with a single item that contains the key version's information. The VersionList event is also fired.

ListKeyRings Method (GoogleKMS Component)

Lists the key rings in the currently-selected location.

Syntax

procedure ListKeyRings();

Remarks

This method lists the key rings in the currently-selected Location.

Calling this method will fire the KeyRingList event once for each key ring, and will also populate the KeyRings properties.

If there are still more key rings available to list when this method returns, the KeyRingMarker property will be populated. Continue to call this method until KeyRingMarker is empty to accumulate all pages of results in the KeyRings properties.

The MaxKeyRings configuration setting can be used to control the maximum number of results to return at once.

ListKeys Method (GoogleKMS Component)

Lists the keys in the currently-selected key ring.

Syntax

procedure ListKeys();

Remarks

This method lists the keys in the currently-selected KeyRing.

Calling this method will fire the KeyList event once for each key, and will also populate the Keys properties.

If there are still more keys available to list when this method returns, the KeyMarker property will be populated. Continue to call this method until KeyMarker is empty to accumulate all pages of results in the Keys properties.

The MaxKeys configuration setting can be used to control the maximum number of results to return at once.

ListVersions Method (GoogleKMS Component)

Lists the key versions for the specified key.

Syntax

procedure ListVersions(KeyName: String);

Remarks

This method lists the key versions for the key specified by KeyName.

Calling this method will fire the VersionList event once for each key version, and will also populate the Versions properties.

If there are still more key versions available to list when this method returns, the VersionMarker property will be populated. Continue to call this method until VersionMarker is empty to accumulate all pages of results in the Versions properties.

The MaxVersions configuration setting can be used to control the maximum number of results to return at once.

Reset Method (GoogleKMS Component)

Resets the component to its initial state.

Syntax

procedure Reset();

Remarks

This method resets the component to its initial state.

SendCustomRequest Method (GoogleKMS Component)

Sends a custom request to the server.

Syntax

procedure SendCustomRequest(HttpMethod: String; KeyName: String; VersionId: String; Action: String);

Remarks

This method can be used to send arbitrary requests to the server.

Valid values for HttpMethod are:

• GET (default if empty)
• HEAD
• POST
• PUT
• PATCH
• DELETE

KeyName and VersionId are optional. The former must be specified if the latter is specified; both are ignored if KeyRing is empty. Action is also optional.

When this method is called, the component does the following:

1. Builds a request URL, including query parameters, like https://cloudkms.googleapis.com/v1/projects/{GoogleProjectId}/locations/{Location}[/keyRings/{KeyRing}[/cryptoKeys/{KeyName}[/cryptoKeyVersions/{VersionId}]]][{Action}] using:
   • The GoogleProjectId, Location, and (if non-empty) KeyRing properties.
   • The KeyName, VersionId, and Action parameters.
   • All query parameters from QueryParams.
2. Adds an Authorization header with the value specified by Authorization.
3. Adds any request headers from OtherHeaders.
4. Adds any request body supplied via the stream specified using SetInputStream, the specified InputFile, or InputData.
5. Sends the request to the server.
6. Stores the response headers in the ParsedHeaders properties; and the response body in the stream specified using SetOutputStream, the specified OutputFile, or OutputData.

If the response body is JSON data, the XPath, XText, and other X* configuration settings can then be used to navigate and extract information from it.

SetInputStream Method (GoogleKMS Component)

Sets the stream whose data should be processed.

Syntax

procedure SetInputStream(InputStream: TStream);

Remarks

This method sets the stream whose data should be processed in a cryptographic operation.

Passing a non-null value for InputStream will cause the InputFile property to be cleared. Similarly, setting InputFile to a non-empty value will discard any stream set using this method.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

SetOutputStream Method (GoogleKMS Component)

Sets the stream to which output data should be written.

Syntax

procedure SetOutputStream(OutputStream: TStream);

Remarks

This method sets the stream to which data output from a successful cryptographic operation should be written.

Passing a non-null value for OutputStream will cause the OutputFile property to be cleared. Similarly, setting OutputFile to a non-empty value will discard any stream set using this method.

Input Sources & Output Destinations

The component automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. An input stream supplied via the SetInputStream method
2. The InputFile property
3. The InputData property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. An output stream supplied via the SetOutputStream method
2. The OutputFile property
3. The OutputData property

SetPrimaryVersion Method (GoogleKMS Component)

Sets the primary version of a symmetric key.

Syntax

procedure SetPrimaryVersion(KeyName: String; VersionId: String);

Remarks

This method sets the primary version of the symmetric key specified by KeyName to the version identified by VersionId.

A symmetric key's primary version is the one used by the server when Encrypt is called. It can be changed at any time. Asymmetric keys cannot have primary versions.

SetVersionEnabled Method (GoogleKMS Component)

Enables or disables a key version.

Syntax

procedure SetVersionEnabled(KeyName: String; VersionId: String; Enabled: Boolean);

Remarks

This method enables or disables the key version specified by KeyName and VersionId.

Sign Method (GoogleKMS Component)

Signs a message using a key.

Syntax

procedure Sign(KeyName: String; VersionId: String; Algorithm: String; IsDigest: Boolean);

Remarks

This method signs a message using the asymmetric key version specified by KeyName and VersionId.

The message data to sign is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The signature data is output to the output stream supplied via the SetOutputStream method, the specified OutputFile, or the OutputData property.

The Algorithm parameter specifies the hash algorithm used to generate a message digest; this must be the same algorithm that appears in the key version's Algorithm string. The value passed must contain one of the following strings (passing the key version's complete algorithm string is acceptable):

• SHA256
• SHA384
• SHA512

The IsDigest parameter specifies whether the message data is the original message (False) or a message digest (True). When supplying a message digest, keep in mind that the same digest will need to be provided in order to Verify the signature later.

If IsDigest is False, the component will automatically compute an appropriate message digest before the request is made. In such cases, the computed digest is made available via the MessageDigest configuration setting.

UpdateKey Method (GoogleKMS Component)

Updates a key.

Syntax

procedure UpdateKey(KeyName: String; TemplateAlgorithm: String; UpdateLabels: Boolean);

Remarks

This method updates the key specified by KeyName.

The TemplateAlgorithm parameter specifies the algorithm value that the server should use when creating new versions of the key (i.e., when CreateVersion is called). If TemplateAlgorithm is empty, the existing template value remains unchanged; otherwise, TemplateAlgorithm must be one of the following:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UpdateLabels parameter determines whether the component replaces the key's current labels with the items in the Labels properties (which may be empty). Keys may have up to 64 labels.

The RotationPeriod and NextRotateDate configuration settings may also be used to send additional values, refer to their documentation for more information.

Verify Method (GoogleKMS Component)

Verifies a digital signature using a key.

Syntax

function Verify(KeyName: String; VersionId: String; IsDigest: Boolean): Boolean;

Remarks

This method verifies a digital signature using the asymmetric key version specified by KeyName and VersionId. If the signature is successfully verified, this method return True, otherwise it returns False.

The message data is taken from the input stream supplied via the SetInputStream method, the specified InputFile, or the InputData property. The digital signature data is taken from the specified OutputFile or the OutputData property.

The IsDigest parameter specifies whether the message data is the original message (False) or a message digest (True). When a message digest is supplied, keep in mind that it must be the exact same digest that was used at signing time, regardless of whether it has been recomputed.

Google does not support server-side signature verification, so this method will call GetPublicKey internally and then use the public key to verify the digital signature locally. This functionality is offered as a convenience.

EndTransfer Event (GoogleKMS Component)

This event fires when a document finishes transferring.

Syntax

type TEndTransferEvent = procedure (
  Sender: TObject;
  Direction: Integer
) of Object;

property OnEndTransfer: TEndTransferEvent read FOnEndTransfer write FOnEndTransfer;

Remarks

The EndTransfer event is fired when the document text finishes transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

Error Event (GoogleKMS Component)

Fired when information is available about errors during data delivery.

Syntax

type TErrorEvent = procedure (
  Sender: TObject;
  ErrorCode: Integer;
  const Description: String
) of Object;

property OnError: TErrorEvent read FOnError write FOnError;

Remarks

The Error event is fired in case of exceptional conditions during message processing. Normally the component raises an exception.

The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Header Event (GoogleKMS Component)

Fired every time a header line comes in.

Syntax

type THeaderEvent = procedure (
  Sender: TObject;
  const Field: String;
  const Value: String
) of Object;

property OnHeader: THeaderEvent read FOnHeader write FOnHeader;

Remarks

The Field parameter contains the name of the HTTP header (which is the same as it is delivered). The Value parameter contains the header contents.

If the header line being retrieved is a continuation header line, then the Field parameter contains '' (empty string).

KeyList Event (GoogleKMS Component)

Fires once for each key when listing keys.

Syntax

type TKeyListEvent = procedure (
  Sender: TObject;
  const Name: String;
  Purpose: Integer;
  const CreationDate: String;
  const PrimaryVersion: String
) of Object;

property OnKeyList: TKeyListEvent read FOnKeyList write FOnKeyList;

Remarks

This event fires once for each key returned when ListKeys or GetKeyInfo is called.

Name reflects the name of the key.

Purpose reflects the key's purpose. Possible values are:

• 0: Unspecified.
• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

CreationDate reflects the key's creation date, formatted as an RFC 3339 UTC timestamp.

PrimaryVersion reflects the Id of the key's primary version if it is symmetric. For asymmetric keys, it is always empty, since asymmetric keys cannot have a primary version.

KeyRingList Event (GoogleKMS Component)

Fires once for each key ring when listing key rings.

Syntax

type TKeyRingListEvent = procedure (
  Sender: TObject;
  const Name: String;
  const CreationDate: String
) of Object;

property OnKeyRingList: TKeyRingListEvent read FOnKeyRingList write FOnKeyRingList;

Remarks

This event fires once for each key ring returned when ListKeyRings or GetKeyRingInfo is called.

Name reflects the name of the key ring.

CreationDate reflects the key ring's creation date, formatted as an RFC 3339 UTC timestamp.

LabelList Event (GoogleKMS Component)

Fires once for each label returned when a key's information is retrieved.

Syntax

type TLabelListEvent = procedure (
  Sender: TObject;
  const KeyName: String;
  const Name: String;
  const Value: String
) of Object;

property OnLabelList: TLabelListEvent read FOnLabelList write FOnLabelList;

Remarks

This event fires once for each label returned when GetKeyInfo is called.

KeyName reflects the name of the key.

Name reflects the name of the label.

Value reflects the value of the label.

Log Event (GoogleKMS Component)

Fired once for each log message.

Syntax

type TLogEvent = procedure (
  Sender: TObject;
  LogLevel: Integer;
  const Message: String;
  const LogType: String
) of Object;

property OnLog: TLogEvent read FOnLog write FOnLog;

Remarks

This event is fired once for each log message generated by the component. The verbosity is controlled by the LogLevel setting.

LogLevel indicates the level of message. Possible values are as follows:

The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.

The value 2 (Verbose) logs additional information about the request and response.

The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).

Message is the log entry.

LogType identifies the type of log entry. Possible values are as follows:

• "Info"
• "RequestHeaders"
• "ResponseHeaders"
• "RequestBody"
• "ResponseBody"
• "ProxyRequest"
• "ProxyResponse"
• "FirewallRequest"
• "FirewallResponse"

SSLServerAuthentication Event (GoogleKMS Component)

Fired after the server presents its certificate to the client.

Syntax

type TSSLServerAuthenticationEvent = procedure (
  Sender: TObject;
  const CertEncoded: String;
  const CertEncodedB: TBytes;
  const CertSubject: String;
  const CertIssuer: String;
  const Status: String;
  var Accept: Boolean
) of Object;

property OnSSLServerAuthentication: TSSLServerAuthenticationEvent read FOnSSLServerAuthentication write FOnSSLServerAuthentication;

Remarks

During this event, the client can decide whether or not to continue with the connection process. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether or not to continue.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string OK). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

SSLStatus Event (GoogleKMS Component)

Fired when secure connection progress messages are available.

Syntax

type TSSLStatusEvent = procedure (
  Sender: TObject;
  const Message: String
) of Object;

property OnSSLStatus: TSSLStatusEvent read FOnSSLStatus write FOnSSLStatus;

Remarks

The event is fired for informational and logging purposes only. This event tracks the progress of the connection.

StartTransfer Event (GoogleKMS Component)

This event fires when a document starts transferring (after the headers).

Syntax

type TStartTransferEvent = procedure (
  Sender: TObject;
  Direction: Integer
) of Object;

property OnStartTransfer: TStartTransferEvent read FOnStartTransfer write FOnStartTransfer;

Remarks

The StartTransfer event is fired when the document text starts transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

Transfer Event (GoogleKMS Component)

Fired while a document transfers (delivers document).

Syntax

type TTransferEvent = procedure (
  Sender: TObject;
  Direction: Integer;
  BytesTransferred: Int64;
  PercentDone: Integer;
  const Text: String;
  const TextB: TBytes
) of Object;

property OnTransfer: TTransferEvent read FOnTransfer write FOnTransfer;

Remarks

The Text parameter contains the portion of the document text being received. It is empty if data are being posted to the server.

The BytesTransferred parameter contains the number of bytes transferred in this Direction since the beginning of the document text (excluding HTTP response headers).

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

The PercentDone parameter shows the progress of the transfer in the corresponding direction. If PercentDone can not be calculated the value will be -1.

Note: Events are not re-entrant. Performing time-consuming operations within this event will prevent it from firing again in a timely manner and may affect overall performance.

VersionList Event (GoogleKMS Component)

Fires once for each key version when listing key versions.

Syntax

type TVersionListEvent = procedure (
  Sender: TObject;
  const Name: String;
  const VersionId: String;
  const State: String;
  const Algorithm: String;
  const ProtectionLevel: String;
  const CreationDate: String;
  const DestructionDate: String
) of Object;

property OnVersionList: TVersionListEvent read FOnVersionList write FOnVersionList;

Remarks

This event fires once for each key version returned when ListVersions or GetVersionInfo is called.

Name reflects the name of the key.

VersionId reflects the Id of the key version.

State reflects the state of the key version. Possible values are:

• PENDING_GENERATION: The version is still being generated, and cannot be used yet. Once generation has finished, it will become ENABLED.
• ENABLED: The version is enabled and available for use.
• DISABLED: The version is disabled; it cannot be used unless it is enabled again. It may be destroyed.
• DESTROY_SCHEDULED: The version's cryptographic material is scheduled for destruction, and will be destroyed at the time reflected by DestructionDate unless CancelDestruction before then.
• DESTROYED: The version's cryptographic material has been destroyed, and the version is no longer usable. This state is permanent once entered.
• PENDING_IMPORT*: Cryptographic material has not finished importing, and the version cannot be used yet. Once the import has finished, it will become ENABLED.
• IMPORT_FAILED*: The version was not imported successfully; it cannot be used, and any imported cryptographic material has been discarded.

Algorithm reflects the key version's algorithm. For symmetric keys, this will always be GOOGLE_SYMMETRIC_ENCRYPTION. For asymmetric keys, this value describes both the key type and the algorithm that must be used during cryptographic operations, and possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

ProtectionLevel reflects the key version's protection level. Possible values are:

• SOFTWARE
• HSM
• EXTERNAL

CreationDate reflects the key version's creation date, formatted as an RFC 3339 UTC timestamp.

DestructionDate reflects the date at which the key version's cryptographic material was (or will be) destroyed, formatted as an RFC 3339 UTC timestamp; or empty string if the key version's cryptographic material has not been, and is not scheduled to be, destroyed.

Certificate Type

This is the digital certificate being used.

Remarks

This type describes the current digital certificate. The certificate may be a public or private key. The fields are used to identify or select certificates.

Fields

Constructors

>

constructor Create();

constructor Create(valEncoded: TBytes);

constructor Create(valStoreType: TckCertStoreTypes; valStore: String; valStorePassword: String; valSubject: String);

constructor Create(valStoreType: TckCertStoreTypes; valStore: TBytes; valStorePassword: String; valSubject: String);

Firewall Type

The firewall the component will connect through.

Remarks

When connecting through a firewall, this type is used to specify different properties of the firewall, such as the firewall Host and the FirewallType.

Fields

Constructors

constructor Create();

GoogleKey Type

A Google KMS key.

Remarks

This type represents a Google KMS key.

Fields

GoogleKeyRing Type

A Google KMS key ring.

Remarks

This type represents a Google KMS key ring.

Fields

GoogleKeyVersion Type

A Google KMS key version.

Remarks

This type represents a Google KMS key version.

Fields

GoogleLabel Type

A Google resource label.

Remarks

This type represents a Google resource label.

Fields

Constructors

constructor Create();

constructor Create(valName: String; valValue: String);

Header Type

This is an HTTP header as it is received from the server.

Remarks

When a header is received through a Header event, it is parsed into a Header type. This type contains a Field, and its corresponding Value.

Fields

Constructors

constructor Create();

constructor Create(valField: String; valValue: String);

OAuthSettings Type

The settings to use to authenticate with the service provider.

Remarks

Used to set give the component the necessary information needed to complete OAuth authentication.

Fields

Constructors

constructor Create();

Proxy Type

The proxy the component will connect to.

Remarks

When connecting through a proxy, this type is used to specify different properties of the proxy, such as the Server and the AuthScheme.

Fields

Constructors

constructor Create();

constructor Create(valServer: String; valPort: Integer);

constructor Create(valServer: String; valPort: Integer; valUser: String; valPassword: String);

QueryParam Type

A query parameter to send in the request.

Remarks

This type represents a query parameter to send in the request.

Fields

Constructors

constructor Create();

constructor Create(valName: String; valValue: String);

Config Settings (GoogleKMS Component)

GoogleKMS Config Settings

<firstlevel>
  <one>value</one>
  <two>
    <item>first</item>
    <item>second</item>
  </two>
  <three>value three</three>
</firstlevel>

{
  "firstlevel": {
    "one": "value",
    "two": ["first", "second"],
    "three": "value three"
  }
}

OAuth Config Settings

HTTP Config Settings

TCPClient Config Settings

SSL Config Settings

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

Socket Config Settings

Base Config Settings

Trappable Errors (GoogleKMS Component)

Common Errors

The component may also return one of the following error codes, which are inherited from other components.

HTTP Errors

The component may also return one of the following error codes, which are inherited from other components.

TCPClient Errors

SSL Errors

TCP/IP Errors