package kp_test
import (
"context"
"fmt"
kp "github.com/IBM/keyprotect-go-client"
)
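// ExampleClient_CreateRootKey builds a Key Protect client and creates a
// root key named "mynewrootkey" in the configured instance, printing the
// result or the error.
func ExampleClient_CreateRootKey() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	rootkey, err := client.CreateRootKey(context.Background(), "mynewrootkey", nil)
	if err != nil {
		fmt.Println("Error while creating root key: ", err)
		return
	}
	fmt.Println("New key created: ", *rootkey)
}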
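// ExampleClient_WrapCreateDEK asks Key Protect to generate a fresh data
// encryption key (DEK) under the given root key and return it both in
// plaintext and wrapped by that root key. Only the wrapped form (WDEK) is
// meant to be persisted.
func ExampleClient_WrapCreateDEK() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	// ID of the root key that will wrap the new DEK.
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"

	// Additional authenticated data. It is bound into the wrapped key so
	// that Unwrap fails unless the identical values are presented again.
	// AAD is integrity-protected, not encrypted: never put secrets in it.
	aad := []string{
		"AAD can be pretty much any string value.",
		"This entire array of strings is the AAD.",
		"It has to be the same on wrap and unwrap, however",
		"This can be useful, if the DEK should be bound to an application name",
		"or possibly a hostname, IP address, or even email address.",
		"For example",
		"appname=golang-examples;",
		"It is not secret though, so don't put anything sensitive here",
	}

	dek, wrappedDek, err := client.WrapCreateDEK(context.Background(), keyID, &aad)
	// Return early so the length check and WDEK print below do not run
	// against nil results after a failed call.
	if err != nil {
		fmt.Println("Error while creating a DEK: ", err)
		return
	}
	fmt.Println("Created new random DEK")

	if len(dek) != 32 {
		fmt.Println("DEK length was not 32 bytes (not a 256 bit key)")
	}

	// The WDEK is ciphertext under the root key and is safe to print or
	// store. The plaintext dek must never be logged or persisted.
	fmt.Printf("Your WDEK is: %v\n", wrappedDek)

	// dek is your plaintext DEK, use it for encrypt/decrypt and throw it away.
	// "Throw it away" means overwriting it once you are done, so the key
	// material does not linger in memory waiting for the GC.
	for i := range dek {
		dek[i] = 0
	}
	// wrappedDek is your WDEK, keep this and pass it to Unwrap to get back your DEK when you need it again
}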
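// ExampleClient_UnwrapV2 recovers a plaintext DEK from a previously stored
// WDEK using the root key and the same AAD that were used at wrap time.
// If the root key has been rotated since wrapping, the service may also
// return the DEK re-wrapped under the current key version.
func ExampleClient_UnwrapV2() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	// ID of the root key that wrapped the DEK.
	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	// The WDEK as it was returned by Wrap/WrapCreateDEK and stored.
	wrappedDek := []byte("dGhpcyBpc24ndCBhIHJlYWwgcGF5bG9hZAo=")

	// Must match the AAD supplied at wrap time exactly, or unwrap fails.
	// AAD is integrity-protected, not encrypted: never put secrets in it.
	aad := []string{
		"AAD can be pretty much any string value.",
		"This entire array of strings is the AAD.",
		"It has to be the same on wrap and unwrap, however",
		"This can be useful, if the DEK should be bound to an application name",
		"or possibly a hostname, IP address, or even email address.",
		"For example",
		"appname=golang-examples;",
		"It is not secret though, so don't put anything sensitive here",
	}

	dek, rewrapped, err := client.UnwrapV2(context.Background(), keyID, wrappedDek, &aad)
	// Return early so the length check below does not run on a nil dek
	// after a failed call.
	if err != nil {
		fmt.Println("Error while unwrapping DEK: ", err)
		return
	}
	fmt.Println("Unwrapped key successfully")

	if len(dek) != 32 {
		fmt.Println("DEK length was not 32 bytes (not a 256 bit key)")
	}

	// rewrapped is POSSIBLY a new WDEK, if it is not empty, store that and use it on next Unwrap.
	// The new WDEK is ciphertext and is safe to print; the plaintext dek is not.
	if len(rewrapped) > 0 {
		fmt.Printf("Your DEK was rewrapped with a new key version. Your new WDEK is %v\n", rewrapped)
		// store new WDEK in place of the old one
		wrappedDek = rewrapped
	}

	// dek is your plaintext DEK, use it for encrypt/decrypt then throw it away.
	// Overwrite it once done so the key material does not linger in memory.
	for i := range dek {
		dek[i] = 0
	}
}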
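// ExampleClient_CreateStandardKey builds a Key Protect client and creates a
// standard key named "mynewstandardkey", printing the result or the error.
//
// NOTE(review): unlike a root key, a standard key's material is intended to
// be retrieved by the caller (see ExampleClient_GetKey), so anything printed
// from it should be treated as sensitive — confirm against the service docs.
func ExampleClient_CreateStandardKey() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	fmt.Println("Creating standard key")
	stdKey, err := client.CreateStandardKey(context.Background(), "mynewstandardkey", nil)
	if err != nil {
		fmt.Println("Error while creating standard key: ", err)
		return
	}
	fmt.Println("New key created: ", *stdKey)
}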
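// ExampleClient_GetKey fetches a key by ID and prints the returned struct.
//
// NOTE(review): for a standard key the returned struct may carry the key
// material itself; dumping it with %v as done here is fine for a demo but
// must not be copied into production logging — confirm which fields are
// populated before printing.
func ExampleClient_GetKey() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	fmt.Println("Getting standard key")
	key, err := client.GetKey(context.Background(), keyID)
	if err != nil {
		fmt.Println("Get Key failed with error: ", err)
		return
	}
	fmt.Printf("Key: %v\n", *key)
}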
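// ExampleClient_DeleteKey deletes a key by ID and asks the service to return
// the deleted key's representation (kp.ReturnRepresentation).
//
// Deleting a root key makes every DEK wrapped under it unrecoverable; if the
// instance has a dual-authorization delete policy enabled (see
// ExampleClient_InstancePolicies) the service is expected to reject a
// single-party delete — confirm the exact flow against the service docs.
func ExampleClient_DeleteKey() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	keyID := "1234abcd-abcd-asdf-9eaa-deadbeefabcd"
	fmt.Println("Deleting standard key")
	delKey, err := client.DeleteKey(context.Background(), keyID, kp.ReturnRepresentation)
	if err != nil {
		fmt.Println("Error while deleting: ", err)
		return
	}
	fmt.Println("Deleted key: ", delKey)
}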
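// ExampleClient_InstancePolicies sets instance-wide policies: dual
// authorization for key deletion, the allowed network, and the key
// create/import access policy.
//
// Each policy is applied independently, so a failure in the first call does
// not stop the second. Errors are printed with their cause; the original
// dropped them, which hid why a policy change was rejected.
func ExampleClient_InstancePolicies() {
	client, err := kp.New(
		kp.ClientConfig{
			BaseURL: "https://us-south.kms.cloud.ibm.com",
			// Placeholder only. Real code must load the API key from the
			// environment or a secret manager, never from source control.
			APIKey:     "notARealApiKey",
			InstanceID: "a6493c3a-5b29-4ac3-9eaa-deadbeef3bfd",
		},
		kp.DefaultTransport(),
	)
	// Previously this error was discarded; a failed New would leave client
	// nil and the call below would panic instead of reporting the cause.
	if err != nil {
		fmt.Println("Error while creating client: ", err)
		return
	}

	policies := kp.MultiplePolicies{
		// Require a second authorization before a key can be deleted,
		// limiting the blast radius of one compromised credential.
		DualAuthDelete: &kp.BasicPolicyData{
			Enabled: true,
		},
		// "public-and-private" keeps the public BaseURL used in these
		// examples working. NOTE(review): a private-only setting would
		// presumably reject calls over the public endpoint — verify before
		// tightening it.
		AllowedNetwork: &kp.AllowedNetworkPolicyData{
			Enabled: true,
			Network: "public-and-private",
		},
	}

	fmt.Println("Creating instance policies")
	if err := client.SetInstancePolicies(context.Background(), policies); err != nil {
		fmt.Println("Error while setting instance policies: ", err)
	} else {
		fmt.Println("Set instance policies")
	}

	// Which key-creation operations the policy allows once enabled.
	attributes := map[string]bool{
		"CreateRootKey":     true,
		"CreateStandardKey": true,
	}

	fmt.Println("Setting key create import access instance policy")
	if err := client.SetKeyCreateImportAccessInstancePolicy(context.Background(), true, attributes); err != nil {
		fmt.Println("Error while setting key create import access instance policy: ", err)
	} else {
		fmt.Println("Set Key Create Import Access instance policy")
	}
}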