zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-15 17:07:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

Refactor KmsKeyring and KmsUpdater to use a centralized serializer

Browse source 
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=151853998
This commit is contained in:
guyben 2017-03-31 12:27:10 -07:00 committed by Ben McIlwain
parent ff9c72097c
commit bb70fcb66d
7 changed files with 377 additions and 195 deletions
Download patch file Download diff file Expand all files Collapse all files

134
java/google/registry/keyring/api/KeySerializer.java Normal file
View file

@ -0,0 +1,134 @@
// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.keyring.api;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;
/**
* Collection of tools to serialize / deserialize PGP types.
*
* <p>There is no way to serialize / deserialize a PGPPrivateKey on its own, you have to pair it
* with the public key.
*/
public final class KeySerializer {
private KeySerializer() {}
/**
* Serialize a PGPPublicKey
*
* <p>The reason we're not using {@link PGPPublicKey#getEncoded()} is to use {@link
* ArmoredOutputStream}.
*/
public static byte[] serializePublicKey(PGPPublicKey publicKey) throws IOException {
try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream()) {
// NOTE: We have to close the ArmoredOutputStream before calling the underlying OutputStream's
// "toByteArray". Failing to do so would result in a truncated serialization as we took the
// byte array before the ArmoredOutputStream wrote all the data.
//
// Even "flushing" the ArmoredOutputStream isn't enough - as there are parts that are only
// written by the ArmoredOutputStream when it is closed: the "-----END PGP PRIVATE KEY
// BLOCK-----" (or similar) footer.
try (ArmoredOutputStream out = new ArmoredOutputStream(byteStream)) {
publicKey.encode(out);
}
return byteStream.toByteArray();
}
}
/** Deserialize a PGPPublicKey */
public static PGPPublicKey deserializePublicKey(byte[] serialized) throws IOException {
return
new BcPGPPublicKeyRing(
PGPUtil.getDecoderStream(
new ByteArrayInputStream(serialized))).getPublicKey();
}
/** Serializes a string */
public static byte[] serializeString(String key) {
return key.getBytes(UTF_8);
}
/** Deserializes a string */
public static String deserializeString(byte[] serialized) {
return new String(serialized, UTF_8);
}
/**
* Serialize a PGPKeyPair
*
* <p>Use this to serialize a PGPPrivateKey as well (pairing it with the corresponding
* PGPPublicKey), as private keys can't be serialized on their own.
*/
public static byte[] serializeKeyPair(PGPKeyPair keyPair) throws IOException, PGPException {
try (ByteArrayOutputStream byteStream = new ByteArrayOutputStream()) {
// NOTE: We have to close the ArmoredOutputStream before calling the underlying OutputStream's
// "toByteArray". Failing to do so would result in a truncated serialization as we took the
// byte array before the ArmoredOutputStream wrote all the data.
//
// Even "flushing" the ArmoredOutputStream isn't enough - as there are parts that are only
// written by the ArmoredOutputStream when it is closed: the "-----END PGP PRIVATE KEY
// BLOCK-----" (or similar) footer.
try (ArmoredOutputStream out = new ArmoredOutputStream(byteStream)) {
new PGPSecretKey(
keyPair.getPrivateKey(),
keyPair.getPublicKey(),
new JcaPGPDigestCalculatorProviderBuilder()
.setProvider("BC")
.build()
.get(HashAlgorithmTags.SHA256),
true,
null).encode(out);
}
return byteStream.toByteArray();
}
}
/** Deserialize a PGPKeyPair */
public static PGPKeyPair deserializeKeyPair(byte[] serialized)
throws IOException, PGPException {
PGPSecretKey secretKey =
new BcPGPSecretKeyRing(
PGPUtil.getDecoderStream(
new ByteArrayInputStream(serialized))).getSecretKey();
return new PGPKeyPair(
secretKey.getPublicKey(),
secretKey.extractPrivateKey(createSecretKeyDecryptor()));
}
private static PBESecretKeyDecryptor createSecretKeyDecryptor() {
// There shouldn't be a passphrase on the key
return new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
.build(new char[0]);
}
}

141
java/google/registry/keyring/kms/KmsKeyring.java
View file

@ -14,31 +14,23 @@
package google.registry.keyring.kms;
import static com.google.common.base.CaseFormat.LOWER_HYPHEN;
import static com.google.common.base.CaseFormat.UPPER_UNDERSCORE;
import static com.google.common.base.Preconditions.checkState;
import static google.registry.keyring.api.PgpHelper.KeyRequirement.ENCRYPT;
import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
import static google.registry.model.ofy.ObjectifyService.ofy;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.googlecode.objectify.Key;
import google.registry.keyring.api.KeySerializer;
import google.registry.keyring.api.Keyring;
import google.registry.keyring.api.KeyringException;
import google.registry.keyring.api.PgpHelper;
import google.registry.model.server.KmsSecret;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.inject.Inject;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRing;
import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
/**
* A {@link Keyring} implementation which stores encrypted secrets in Datastore and decrypts them
@ -49,22 +41,42 @@ import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
*/
public class KmsKeyring implements Keyring {
static final String BRAINTREE_PRIVATE_KEY_NAME = "braintree-private-key";
static final String BRDA_RECEIVER_PUBLIC_NAME = "brda-receiver-public";
static final String BRDA_SIGNING_PRIVATE_NAME = "brda-signing-private";
static final String BRDA_SIGNING_PUBLIC_NAME = "brda-signing-public";
static final String ICANN_REPORTING_PASSWORD_NAME = "icann-reporting-password";
static final String JSON_CREDENTIAL_NAME = "json-credential";
static final String MARKSDB_DNL_LOGIN_NAME = "marksdb-dnl-login";
static final String MARKSDB_LORDN_PASSWORD_NAME = "marksdb-lordn-password";
static final String MARKSDB_SMDRL_LOGIN_NAME = "marksdb-smdrl-login";
static final String RDE_RECEIVER_PUBLIC_NAME = "rde-receiver-public";
static final String RDE_SIGNING_PRIVATE_NAME = "rde-signing-private";
static final String RDE_SIGNING_PUBLIC_NAME = "rde-signing-public";
static final String RDE_SSH_CLIENT_PRIVATE_NAME = "rde-ssh-client-private";
static final String RDE_SSH_CLIENT_PUBLIC_NAME = "rde-ssh-client-public";
static final String RDE_STAGING_PRIVATE_NAME = "rde-staging-private";
static final String RDE_STAGING_PUBLIC_NAME = "rde-staging-public";
static enum PrivateKeyLabel {
BRDA_SIGNING_PRIVATE,
RDE_SIGNING_PRIVATE,
RDE_STAGING_PRIVATE;
String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
}
}
static enum PublicKeyLabel {
BRDA_RECEIVER_PUBLIC,
BRDA_SIGNING_PUBLIC,
RDE_RECEIVER_PUBLIC,
RDE_SIGNING_PUBLIC,
RDE_STAGING_PUBLIC;
String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
}
}
static enum StringKeyLabel {
BRAINTREE_PRIVATE_KEY_STRING,
ICANN_REPORTING_PASSWORD_STRING,
JSON_CREDENTIAL_STRING,
MARKSDB_DNL_LOGIN_STRING,
MARKSDB_LORDN_PASSWORD_STRING,
MARKSDB_SMDRL_LOGIN_STRING,
RDE_SSH_CLIENT_PRIVATE_STRING,
RDE_SSH_CLIENT_PUBLIC_STRING;
String getLabel() {
return UPPER_UNDERSCORE.to(LOWER_HYPHEN, name());
}
}
private final KmsConnection kmsConnection;
@ -75,118 +87,101 @@ public class KmsKeyring implements Keyring {
@Override
public PGPKeyPair getRdeSigningKey() {
return getKeyPair(RDE_SIGNING_PUBLIC_NAME, RDE_SIGNING_PRIVATE_NAME);
return getKeyPair(PrivateKeyLabel.RDE_SIGNING_PRIVATE);
}
@Override
public PGPPublicKey getRdeStagingEncryptionKey() {
return getPublicKeyForEncrypting(RDE_STAGING_PUBLIC_NAME);
return getPublicKey(PublicKeyLabel.RDE_STAGING_PUBLIC);
}
@Override
public PGPPrivateKey getRdeStagingDecryptionKey() {
return getPrivateKey(RDE_STAGING_PRIVATE_NAME);
return getPrivateKey(PrivateKeyLabel.RDE_STAGING_PRIVATE);
}
@Override
public PGPPublicKey getRdeReceiverKey() {
return getPublicKeyForEncrypting(RDE_RECEIVER_PUBLIC_NAME);
return getPublicKey(PublicKeyLabel.RDE_RECEIVER_PUBLIC);
}
@Override
public PGPKeyPair getBrdaSigningKey() {
return getKeyPair(BRDA_SIGNING_PUBLIC_NAME, BRDA_SIGNING_PRIVATE_NAME);
return getKeyPair(PrivateKeyLabel.BRDA_SIGNING_PRIVATE);
}
@Override
public PGPPublicKey getBrdaReceiverKey() {
return getPublicKeyForEncrypting(BRDA_RECEIVER_PUBLIC_NAME);
return getPublicKey(PublicKeyLabel.BRDA_RECEIVER_PUBLIC);
}
@Override
public String getRdeSshClientPublicKey() {
return new String(getDecryptedData((RDE_SSH_CLIENT_PUBLIC_NAME)), UTF_8);
return getString(StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING);
}
@Override
public String getRdeSshClientPrivateKey() {
return new String(getDecryptedData(RDE_SSH_CLIENT_PRIVATE_NAME), UTF_8);
return getString(StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING);
}
@Override
public String getIcannReportingPassword() {
return new String(getDecryptedData(ICANN_REPORTING_PASSWORD_NAME), UTF_8);
return getString(StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING);
}
@Override
public String getMarksdbDnlLogin() {
return new String(getDecryptedData(MARKSDB_DNL_LOGIN_NAME), UTF_8);
return getString(StringKeyLabel.MARKSDB_DNL_LOGIN_STRING);
}
@Override
public String getMarksdbLordnPassword() {
return new String(getDecryptedData(MARKSDB_LORDN_PASSWORD_NAME), UTF_8);
return getString(StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING);
}
@Override
public String getMarksdbSmdrlLogin() {
return new String(getDecryptedData(MARKSDB_SMDRL_LOGIN_NAME), UTF_8);
return getString(StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING);
}
@Override
public String getJsonCredential() {
return new String(getDecryptedData(JSON_CREDENTIAL_NAME), UTF_8);
return getString(StringKeyLabel.JSON_CREDENTIAL_STRING);
}
@Override
public String getBraintreePrivateKey() {
return new String(getDecryptedData(BRAINTREE_PRIVATE_KEY_NAME), UTF_8);
return getString(StringKeyLabel.BRAINTREE_PRIVATE_KEY_STRING);
}
/** No persistent resources are maintained for this Keyring implementation. */
@Override
public void close() {}
private PGPKeyPair getKeyPair(String publicKeyName, String privateKeyName) {
try {
PGPPublicKey publicKey =
new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)).getPublicKey();
return new PGPKeyPair(publicKey, getPrivateKey(privateKeyName));
} catch (IOException e) {
throw new KeyringException(
String.format(
"Could not parse public key %s and private key %s", publicKeyName, privateKeyName),
e);
}
private String getString(StringKeyLabel keyLabel) {
return KeySerializer.deserializeString(getDecryptedData(keyLabel.getLabel()));
}
private PGPPublicKey getPublicKeyForEncrypting(String publicKeyName) {
private PGPKeyPair getKeyPair(PrivateKeyLabel keyLabel) {
try {
return PgpHelper.lookupPublicSubkey(
new BcPGPPublicKeyRing(getPgpInputStream(publicKeyName)), ENCRYPT)
.get();
} catch (IOException e) {
throw new KeyringException(String.format("Could not parse public key %s", publicKeyName), e);
}
}
private PGPPrivateKey getPrivateKey(String privateKeyName) {
try {
PGPSecretKeyRing privateKeyRing = new BcPGPSecretKeyRing(getPgpInputStream(privateKeyName));
// There shouldn't be a passphrase on the key
return privateKeyRing
.getSecretKey()
.extractPrivateKey(
new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
.build(new char[0]));
return KeySerializer.deserializeKeyPair(getDecryptedData(keyLabel.getLabel()));
} catch (IOException | PGPException e) {
throw new KeyringException(
String.format("Could not parse private key %s", privateKeyName), e);
String.format("Could not parse private keyLabel %s", keyLabel), e);
}
}
private InputStream getPgpInputStream(String privateKeyName) throws IOException {
return PGPUtil.getDecoderStream(new ByteArrayInputStream(getDecryptedData(privateKeyName)));
private PGPPublicKey getPublicKey(PublicKeyLabel keyLabel) {
try {
return KeySerializer.deserializePublicKey(getDecryptedData(keyLabel.getLabel()));
} catch (IOException e) {
throw new KeyringException(String.format("Could not parse public keyLabel %s", keyLabel), e);
}
}
private PGPPrivateKey getPrivateKey(PrivateKeyLabel keyLabel) {
return getKeyPair(keyLabel).getPrivateKey();
}
private byte[] getDecryptedData(String keyName) {

123
java/google/registry/keyring/kms/KmsUpdater.java
View file

@ -16,37 +16,44 @@ package google.registry.keyring.kms;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkState;
import static google.registry.keyring.kms.KmsKeyring.BRAINTREE_PRIVATE_KEY_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_RECEIVER_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.BRDA_SIGNING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.ICANN_REPORTING_PASSWORD_NAME;
import static google.registry.keyring.kms.KmsKeyring.JSON_CREDENTIAL_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_DNL_LOGIN_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_LORDN_PASSWORD_NAME;
import static google.registry.keyring.kms.KmsKeyring.MARKSDB_SMDRL_LOGIN_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_RECEIVER_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SIGNING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_SSH_CLIENT_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PRIVATE_NAME;
import static google.registry.keyring.kms.KmsKeyring.RDE_STAGING_PUBLIC_NAME;
import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.BRDA_SIGNING_PRIVATE;
import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.RDE_SIGNING_PRIVATE;
import static google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel.RDE_STAGING_PRIVATE;
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_RECEIVER_PUBLIC;
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.BRDA_SIGNING_PUBLIC;
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_RECEIVER_PUBLIC;
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_SIGNING_PUBLIC;
import static google.registry.keyring.kms.KmsKeyring.PublicKeyLabel.RDE_STAGING_PUBLIC;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.BRAINTREE_PRIVATE_KEY_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.ICANN_REPORTING_PASSWORD_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.JSON_CREDENTIAL_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_DNL_LOGIN_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_LORDN_PASSWORD_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.MARKSDB_SMDRL_LOGIN_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PRIVATE_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.common.collect.ImmutableMap;
import com.googlecode.objectify.VoidWork;
import google.registry.keyring.api.KeySerializer;
import google.registry.keyring.kms.KmsKeyring.PrivateKeyLabel;
import google.registry.keyring.kms.KmsKeyring.PublicKeyLabel;
import google.registry.keyring.kms.KmsKeyring.StringKeyLabel;
import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision;
import java.io.IOException;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.inject.Inject;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.bc.BcPGPSecretKeyRing;
/**
* The {@link KmsUpdater} accumulates updates to a {@link KmsKeyring} and persists them to KMS and
@ -65,77 +72,56 @@ public final class KmsUpdater {
this.secretValues = new LinkedHashMap<>();
}
public KmsUpdater setRdeSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(RDE_SIGNING_PRIVATE_NAME, checkArgumentNotNull(secretKeyRing).getEncoded());
setSecret(RDE_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
public KmsUpdater setRdeSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
return setKeyPair(keyPair, RDE_SIGNING_PRIVATE, RDE_SIGNING_PUBLIC);
}
public KmsUpdater setRdeStagingKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(RDE_STAGING_PRIVATE_NAME, secretKeyRing.getEncoded());
setSecret(RDE_STAGING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
public KmsUpdater setRdeStagingKey(PGPKeyPair keyPair) throws IOException, PGPException {
return setKeyPair(keyPair, RDE_STAGING_PRIVATE, RDE_STAGING_PUBLIC);
}
public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey rdeReceiverPublicKey) throws IOException {
setSecret(RDE_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(rdeReceiverPublicKey).getEncoded());
return this;
public KmsUpdater setRdeReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
return setPublicKey(publicKey, RDE_RECEIVER_PUBLIC);
}
public KmsUpdater setBrdaSigningKey(BcPGPSecretKeyRing secretKeyRing) throws IOException {
checkArgumentNotNull(secretKeyRing);
setSecret(BRDA_SIGNING_PRIVATE_NAME, secretKeyRing.getEncoded());
setSecret(BRDA_SIGNING_PUBLIC_NAME, secretKeyRing.getPublicKey().getEncoded());
return this;
public KmsUpdater setBrdaSigningKey(PGPKeyPair keyPair) throws IOException, PGPException {
return setKeyPair(keyPair, BRDA_SIGNING_PRIVATE, BRDA_SIGNING_PUBLIC);
}
public KmsUpdater setBrdaReceiverPublicKey(PGPPublicKey publicKey) throws IOException {
setSecret(BRDA_RECEIVER_PUBLIC_NAME, checkArgumentNotNull(publicKey).getEncoded());
return this;
return setPublicKey(publicKey, BRDA_RECEIVER_PUBLIC);
}
public KmsUpdater setRdeSshClientPublicKey(String asciiPublicKey) {
setSecret(RDE_SSH_CLIENT_PUBLIC_NAME, checkArgumentNotNull(asciiPublicKey).getBytes(UTF_8));
return this;
return setString(asciiPublicKey, RDE_SSH_CLIENT_PUBLIC_STRING);
}
public KmsUpdater setRdeSshClientPrivateKey(String asciiPrivateKey) {
setSecret(RDE_SSH_CLIENT_PRIVATE_NAME, checkArgumentNotNull(asciiPrivateKey).getBytes(UTF_8));
return this;
return setString(asciiPrivateKey, RDE_SSH_CLIENT_PRIVATE_STRING);
}
public KmsUpdater setIcannReportingPassword(String password) {
setSecret(ICANN_REPORTING_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
return this;
return setString(password, ICANN_REPORTING_PASSWORD_STRING);
}
public KmsUpdater setMarksdbDnlLogin(String login) {
setSecret(MARKSDB_DNL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
return this;
return setString(login, MARKSDB_DNL_LOGIN_STRING);
}
public KmsUpdater setMarksdbLordnPassword(String password) {
setSecret(MARKSDB_LORDN_PASSWORD_NAME, checkArgumentNotNull(password).getBytes(UTF_8));
return this;
return setString(password, MARKSDB_LORDN_PASSWORD_STRING);
}
public KmsUpdater setMarksdbSmdrlLogin(String login) {
setSecret(MARKSDB_SMDRL_LOGIN_NAME, checkArgumentNotNull(login).getBytes(UTF_8));
return this;
return setString(login, MARKSDB_SMDRL_LOGIN_STRING);
}
public KmsUpdater setJsonCredential(String credential) {
setSecret(JSON_CREDENTIAL_NAME, checkArgumentNotNull(credential).getBytes(UTF_8));
return this;
return setString(credential, JSON_CREDENTIAL_STRING);
}
public KmsUpdater setBraintreePrivateKey(String braintreePrivateKey) {
setSecret(
BRAINTREE_PRIVATE_KEY_NAME, checkArgumentNotNull(braintreePrivateKey).getBytes(UTF_8));
return this;
return setString(braintreePrivateKey, BRAINTREE_PRIVATE_KEY_STRING);
}
/**
@ -167,6 +153,31 @@ public final class KmsUpdater {
return encryptedValues.build();
}
private KmsUpdater setString(String key, StringKeyLabel stringKeyLabel) {
checkArgumentNotNull(key);
setSecret(stringKeyLabel.getLabel(), KeySerializer.serializeString(key));
return this;
}
private KmsUpdater setPublicKey(PGPPublicKey publicKey, PublicKeyLabel publicKeyLabel)
throws IOException {
checkArgumentNotNull(publicKey);
setSecret(publicKeyLabel.getLabel(), KeySerializer.serializePublicKey(publicKey));
return this;
}
private KmsUpdater setKeyPair(
PGPKeyPair keyPair, PrivateKeyLabel privateKeyLabel, PublicKeyLabel publicKeyLabel)
throws IOException, PGPException {
checkArgumentNotNull(keyPair);
setSecret(privateKeyLabel.getLabel(), KeySerializer.serializeKeyPair(keyPair));
setSecret(publicKeyLabel.getLabel(), KeySerializer.serializePublicKey(keyPair.getPublicKey()));
return this;
}
/**
* Persists encrypted secrets to Datastore as {@link KmsSecretRevision} entities and makes them
* primary. {@link KmsSecret} entities point to the latest {@link KmsSecretRevision}.