Amazon KMS examples using SDK for Java 2.x - Amazon SDK for Java 2.x
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Amazon KMS examples using SDK for Java 2.x

The following code examples show you how to perform actions and implement common scenarios by using the Amazon SDK for Java 2.x with Amazon KMS.

Actions are code excerpts from larger programs and must be run in context. Actions show you how to call individual service functions, and you can see the actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Get started

The following code example shows how to get started using Amazon KMS.

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.paginators.ListKeysIterable;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class HelloKMS {
    public static void main(String[] args) {
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        listAllKeys(kmsClient);
        kmsClient.close();
    }

    public static void listAllKeys(KmsClient kmsClient) {
        try {
            ListKeysRequest listKeysRequest = ListKeysRequest.builder()
                    .limit(15)
                    .build();

            // The paginator follows the NextMarker for you, so every key is listed, not just the first page.
            ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest);
            keysResponse.stream()
                    .flatMap(r -> r.keys().stream())
                    .forEach(key -> System.out
                            .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()));
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
```
  • For API details, see listKeysPaginator in the Amazon SDK for Java 2.x API Reference.

Actions

The following code example shows how to use CreateAlias.

```java
public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) {
    try {
        CreateAliasRequest aliasRequest = CreateAliasRequest.builder()
                .aliasName(aliasName)
                .targetKeyId(targetKeyId)
                .build();

        kmsClient.createAlias(aliasRequest);
        System.out.println(aliasName + " was successfully created.");
    } catch (AlreadyExistsException e) {
        // KMS signals a duplicate alias with kms.model.AlreadyExistsException;
        // Secrets Manager's ResourceExistsException is never thrown by KmsClient.
        System.err.println("Alias already exists: " + e.getMessage());
        System.err.println("Moving on...");
    } catch (Exception e) {
        System.err.println("An unexpected error occurred: " + e.getMessage());
        System.err.println("Moving on...");
    }
}
```
  • For API details, see CreateAlias in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use CreateGrant.

```java
public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) {
    try {
        // Add the desired KMS Grant permissions.
        List<GrantOperation> grantPermissions = new ArrayList<>();
        grantPermissions.add(GrantOperation.ENCRYPT);
        grantPermissions.add(GrantOperation.DECRYPT);
        grantPermissions.add(GrantOperation.DESCRIBE_KEY);

        CreateGrantRequest grantRequest = CreateGrantRequest.builder()
                .keyId(keyId)
                .name("grant1")
                .granteePrincipal(granteePrincipal)
                .operations(grantPermissions)
                .build();

        CreateGrantResponse response = kmsClient.createGrant(grantRequest);
        return response.grantId();
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
    return "";
}
```
  • For API details, see CreateGrant in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use CreateKey.

```java
public static String createKey(KmsClient kmsClient, String keyDesc) {
    try {
        CreateKeyRequest keyRequest = CreateKeyRequest.builder()
                .description(keyDesc)
                // keySpec(KeySpec) replaces the deprecated customerMasterKeySpec(CustomerMasterKeySpec) builder method.
                .keySpec(KeySpec.SYMMETRIC_DEFAULT)
                .keyUsage(KeyUsageType.ENCRYPT_DECRYPT)
                .build();

        CreateKeyResponse result = kmsClient.createKey(keyRequest);
        System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created.");
        return result.keyMetadata().keyId();
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
    return "";
}
```
  • For API details, see CreateKey in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use Decrypt.

```java
public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) {
    try {
        DecryptRequest decryptRequest = DecryptRequest.builder()
                .ciphertextBlob(encryptedData)
                .keyId(keyId)
                .build();

        DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest);
        return decryptResponse.plaintext().asString(StandardCharsets.UTF_8);
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
    return "";
}
```
  • For API details, see Decrypt in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use DeleteAlias.

```java
public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) {
    try {
        DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder()
                .aliasName(aliasName)
                .build();

        kmsClient.deleteAlias(deleteAliasRequest);
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see DeleteAlias in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use DescribeKey.

```java
public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) {
    try {
        DescribeKeyRequest keyRequest = DescribeKeyRequest.builder()
                .keyId(keyId)
                .build();

        DescribeKeyResponse response = kmsClient.describeKey(keyRequest);
        KeyState keyState = response.keyMetadata().keyState();
        if (keyState == KeyState.ENABLED) {
            System.out.println("The key is enabled.");
            return true;
        } else {
            System.out.println("The key is not enabled. Key state: " + keyState);
        }
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
    return false;
}
```
  • For API details, see DescribeKey in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use DisableKey.

```java
public static void disableKey(KmsClient kmsClient, String keyId) {
    try {
        DisableKeyRequest keyRequest = DisableKeyRequest.builder()
                .keyId(keyId)
                .build();

        kmsClient.disableKey(keyRequest);
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see DisableKey in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use EnableKey.

```java
// Enable the KMS key.
public static void enableKey(KmsClient kmsClient, String keyId) {
    try {
        EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder()
                .keyId(keyId)
                .build();

        kmsClient.enableKey(enableKeyRequest);
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see EnableKey in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use Encrypt.

```java
public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) {
    try {
        SdkBytes myBytes = SdkBytes.fromUtf8String(text);
        EncryptRequest encryptRequest = EncryptRequest.builder()
                .keyId(keyId)
                .plaintext(myBytes)
                .build();

        EncryptResponse response = kmsClient.encrypt(encryptRequest);
        String algorithm = response.encryptionAlgorithm().toString();
        System.out.println("The string was encrypted with algorithm " + algorithm + ".");

        // Get the encrypted data.
        SdkBytes encryptedData = response.ciphertextBlob();
        return encryptedData;
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
    return null;
}
```
  • For API details, see Encrypt in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListAliases.

```java
public static void listAllAliases(KmsClient kmsClient) {
    try {
        ListAliasesRequest aliasesRequest = ListAliasesRequest.builder()
                .limit(15)
                .build();

        ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest);
        aliasesResponse.stream()
                .flatMap(r -> r.aliases().stream())
                .forEach(alias -> System.out
                        .println("The alias name is: " + alias.aliasName()));
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see ListAliases in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListGrants.

```java
public static void displayGrantIds(KmsClient kmsClient, String keyId) {
    try {
        ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
                .keyId(keyId)
                .limit(15)
                .build();

        ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest);
        response.stream()
                .flatMap(r -> r.grants().stream())
                .forEach(grant -> {
                    System.out.println("The grant Id is : " + grant.grantId());
                    List<GrantOperation> ops = grant.operations();
                    for (GrantOperation op : ops) {
                        System.out.println(op.name());
                    }
                });
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see ListGrants in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListKeyPolicies.

```java
public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) {
    try {
        GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder()
                .keyId(keyId)
                .policyName(policyName)
                .build();

        GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest);
        System.out.println("The response is " + response.policy());
    } catch (KmsException e) {
        // Matching on the message text is fragile; KMS reports a missing key or policy as NotFoundException.
        if (e.getMessage().contains("No such policy exists")) {
            System.out.println("The policy cannot be found. Error message: " + e.getMessage());
        } else {
            throw e;
        }
    }
}
```
  • For API details, see ListKeyPolicies in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ListKeys.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.paginators.ListKeysIterable;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class HelloKMS {
    public static void main(String[] args) {
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        listAllKeys(kmsClient);
        kmsClient.close();
    }

    public static void listAllKeys(KmsClient kmsClient) {
        try {
            ListKeysRequest listKeysRequest = ListKeysRequest.builder()
                    .limit(15)
                    .build();

            ListKeysIterable keysResponse = kmsClient.listKeysPaginator(listKeysRequest);
            keysResponse.stream()
                    .flatMap(r -> r.keys().stream())
                    .forEach(key -> System.out
                            .println(" The key ARN is: " + key.keyArn() + ". The key Id is: " + key.keyId()));
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}
```
  • For API details, see ListKeys in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use RevokeGrant.

```java
public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) {
    try {
        RevokeGrantRequest grantRequest = RevokeGrantRequest.builder()
                .keyId(keyId)
                .grantId(grantId)
                .build();

        kmsClient.revokeGrant(grantRequest);
        System.out.println("Grant ID: [" + grantId + "] was successfully revoked!");
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see RevokeGrant in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use ScheduleKeyDeletion.

```java
public static void deleteKey(KmsClient kmsClient, String keyId) {
    try {
        // 7 days is the shortest waiting period KMS allows; the key can still be cancelled out of
        // PendingDeletion until the window elapses.
        ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder()
                .keyId(keyId)
                .pendingWindowInDays(7)
                .build();

        kmsClient.scheduleKeyDeletion(deletionRequest);
        System.out.println("The key will be deleted in 7 days.");
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see ScheduleKeyDeletion in the Amazon SDK for Java 2.x API Reference.

The following code example shows how to use Sign.

```java
public static void signVerifyData(KmsClient kmsClient) {
    String signMessage = "Here is the message that will be digitally signed";

    // Create an AWS KMS key used to digitally sign data.
    CreateKeyRequest request = CreateKeyRequest.builder()
            .keySpec(KeySpec.RSA_2048)              // Specify key spec
            .keyUsage(KeyUsageType.SIGN_VERIFY)     // Specify key usage
            .origin(OriginType.AWS_KMS)             // Specify key origin
            .build();

    CreateKeyResponse response = kmsClient.createKey(request);
    String keyId2 = response.keyMetadata().keyId();
    System.out.println("Created KMS key with ID: " + keyId2);

    SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset());
    SignRequest signRequest = SignRequest.builder()
            .keyId(keyId2)
            .message(bytes)
            .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
            .build();

    SignResponse signResponse = kmsClient.sign(signRequest);
    byte[] signedBytes = signResponse.signature().asByteArray();

    // Verify the digital signature. The same bytes and the same signing algorithm must be supplied.
    VerifyRequest verifyRequest = VerifyRequest.builder()
            .keyId(keyId2)
            .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset())))
            .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes)))
            .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
            .build();

    VerifyResponse verifyResponse = kmsClient.verify(verifyRequest);
    System.out.println("Signature verification result: " + verifyResponse.signatureValid());
}
```
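Verifying the signature without a second KMS call, as an added example that is not part of the original page: a KMS RSASSA_PSS_SHA_256 signature is standard RSA-PSS (SHA-256, MGF1 with SHA-256, 32-byte salt), so the DER SubjectPublicKeyInfo blob returned by GetPublicKey lets any Java client verify with java.security alone. A locally generated RSA-2048 key pair stands in for the KMS key so the program runs offline; with a real key, `spkiDer` would be `kmsClient.getPublicKey(...).publicKey().asByteArray()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.security.spec.X509EncodedKeySpec;

public class OfflinePssVerify {
    // Parameters equivalent to KMS SigningAlgorithmSpec.RSASSA_PSS_SHA_256:
    // SHA-256 digest, MGF1 with SHA-256, salt length equal to the digest length (32 bytes), trailer 0xBC.
    private static final PSSParameterSpec PSS_SHA256 =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, PSSParameterSpec.TRAILER_FIELD_BC);

    /**
     * Verify an RSASSA-PSS/SHA-256 signature against a DER-encoded X.509 SubjectPublicKeyInfo
     * public key, which is the format KMS GetPublicKey returns for an RSA_2048 SIGN_VERIFY key.
     */
    public static boolean verifyRsaPssSha256(byte[] spkiDer, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(spkiDer));
        Signature verifier = Signature.getInstance("RSASSA-PSS");
        verifier.setParameter(PSS_SHA256);
        verifier.initVerify(pub);
        verifier.update(message);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Stand-in for the KMS key (assumption for offline use): a local RSA-2048 pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] spkiDer = kp.getPublic().getEncoded(); // same DER SPKI layout as GetPublicKey's publicKey() blob

        byte[] message = "Here is the message that will be digitally signed".getBytes(StandardCharsets.UTF_8);

        // Stand-in for kmsClient.sign(...): sign locally with the same PSS parameters KMS uses.
        Signature signer = Signature.getInstance("RSASSA-PSS");
        signer.setParameter(PSS_SHA256);
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] signature = signer.sign();

        System.out.println("valid: " + verifyRsaPssSha256(spkiDer, message, signature));

        // A single flipped bit in the message must fail verification.
        byte[] tampered = message.clone();
        tampered[0] ^= 1;
        System.out.println("tampered valid: " + verifyRsaPssSha256(spkiDer, tampered, signature));
    }
}
```

Pinning the PSS parameters explicitly matters: a verifier that defaults to a different salt length or MGF digest will reject valid KMS signatures even though the public key is correct.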

The following code example shows how to use TagResource.

```java
public static void tagKMSKey(KmsClient kmsClient, String keyId) {
    try {
        Tag tag = Tag.builder()
                .tagKey("Environment")
                .tagValue("Production")
                .build();

        TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
                .keyId(keyId)
                .tags(tag)
                .build();

        kmsClient.tagResource(tagResourceRequest);
        System.out.println("The key has been tagged.");
    } catch (KmsException e) {
        System.err.println(e.getMessage());
        System.exit(1);
    }
}
```
  • For API details, see TagResource in the Amazon SDK for Java 2.x API Reference.

Scenarios

The following code example shows how to:

  • Create a KMS key.

  • List KMS keys for your account and get details about them.

  • Enable and disable KMS keys.

  • Generate a symmetric data key that can be used for client-side encryption.

  • Generate an asymmetric key used to digitally sign data.

  • Tag keys.

  • Delete KMS keys.

```java
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.AlreadyExistsException;
import software.amazon.awssdk.services.kms.model.CreateAliasRequest;
import software.amazon.awssdk.services.kms.model.CreateGrantRequest;
import software.amazon.awssdk.services.kms.model.CreateGrantResponse;
import software.amazon.awssdk.services.kms.model.CreateKeyRequest;
import software.amazon.awssdk.services.kms.model.CreateKeyResponse;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.DeleteAliasRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.kms.model.DisableKeyRequest;
import software.amazon.awssdk.services.kms.model.EnableKeyRequest;
import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest;
import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse;
import software.amazon.awssdk.services.kms.model.GrantOperation;
import software.amazon.awssdk.services.kms.model.KeySpec;
import software.amazon.awssdk.services.kms.model.KeyState;
import software.amazon.awssdk.services.kms.model.KeyUsageType;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.LimitExceededException;
import software.amazon.awssdk.services.kms.model.ListAliasesRequest;
import software.amazon.awssdk.services.kms.model.ListGrantsRequest;
import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest;
import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse;
import software.amazon.awssdk.services.kms.model.OriginType;
import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest;
import software.amazon.awssdk.services.kms.model.RevokeGrantRequest;
import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest;
import software.amazon.awssdk.services.kms.model.SignRequest;
import software.amazon.awssdk.services.kms.model.SignResponse;
import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec;
import software.amazon.awssdk.services.kms.model.Tag;
import software.amazon.awssdk.services.kms.model.TagResourceRequest;
import software.amazon.awssdk.services.kms.model.VerifyRequest;
import software.amazon.awssdk.services.kms.model.VerifyResponse;
import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable;
import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.ArrayList;
import java.util.Scanner;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class KMSScenario {
    public static final String DASHES = new String(new char[80]).replace("\0", "-");
    private static final String accountId = getAccountId();

    public static void main(String[] args) {
        final String usage = """
            Usage:    <granteePrincipal>

            Where:
               granteePrincipal - The principal (user, service account, or group) to whom the grant or permission is being given.
            """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String granteePrincipal = args[0];
        String policyName = "default";
        Scanner scanner = new Scanner(System.in);
        String keyDesc = "Created by the AWS KMS API";
        Region region = Region.US_WEST_2;
        KmsClient kmsClient = KmsClient.builder()
                .region(region)
                .build();

        System.out.println(DASHES);
        System.out.println("""
            Welcome to the AWS Key Management SDK Getting Started scenario.

            This program demonstrates how to interact with AWS Key Management using the AWS SDK for Java (v2).
            The AWS Key Management Service (KMS) is a secure and highly available service that allows you to create
            and manage AWS KMS keys and control their use across a wide range of AWS services and applications.
            KMS provides a centralized and unified approach to managing encryption keys, making it easier to meet your
            data protection and regulatory compliance requirements.

            This Getting Started scenario creates two key types. A symmetric encryption key is used to encrypt and decrypt data,
            and an asymmetric key used to digitally sign data.
            Let's get started...
            """);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("1. Create a symmetric KMS key\n");
        System.out.println("First, the program will create a symmetric KMS key that you can use to encrypt and decrypt data.");
        waitForInputToContinue(scanner);
        String targetKeyId = createKey(kmsClient, keyDesc);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("""
            2. Enable a KMS key

            By default, when the SDK creates an AWS key it is enabled. The next bit of code checks to
            determine if the key is enabled. If it is not enabled, the code enables it.
            """);
        waitForInputToContinue(scanner);
        boolean isEnabled = isKeyEnabled(kmsClient, targetKeyId);
        if (!isEnabled)
            enableKey(kmsClient, targetKeyId);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("3. Encrypt data using the symmetric KMS key");
        String plaintext = "Hello, AWS KMS!";
        System.out.printf("""
            One of the main uses of symmetric keys is to encrypt and decrypt data.
            Next, the code encrypts the string '%s' with the SYMMETRIC_DEFAULT encryption algorithm.
            %n""", plaintext);
        waitForInputToContinue(scanner);
        SdkBytes ciphertext = encryptData(kmsClient, targetKeyId, plaintext);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("4. Create an alias");
        System.out.println("""
            Enter an alias name for the key. The name should be prefixed with 'alias/'.
            For example, 'alias/myFirstKey'.
            """);
        String aliasName = scanner.nextLine();
        String fullAliasName = aliasName.isEmpty() ? "alias/dev-encryption-key" : aliasName;
        createCustomAlias(kmsClient, targetKeyId, fullAliasName);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("5. List all of your aliases");
        waitForInputToContinue(scanner);
        listAllAliases(kmsClient);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("6. Enable automatic rotation of the KMS key");
        System.out.println("""
            By default, when the SDK enables automatic rotation of a KMS key,
            KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year
            thereafter.
            """);
        waitForInputToContinue(scanner);
        enableKeyRotation(kmsClient, targetKeyId);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("""
            7. Create a grant

            A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys.
            It also can allow them to view a KMS key (DescribeKey) and create and manage grants.
            When authorizing access to a KMS key, grants are considered along with key policies and IAM policies.
            """);
        waitForInputToContinue(scanner);
        String grantId = grantKey(kmsClient, targetKeyId, granteePrincipal);
        System.out.println("The code granted principal with ARN [" + granteePrincipal + "] ");
        System.out.println("use of the symmetric key. The grant ID is [" + grantId + "]");
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("8. List grants for the KMS key");
        waitForInputToContinue(scanner);
        displayGrantIds(kmsClient, targetKeyId);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("9. Revoke the grant");
        waitForInputToContinue(scanner);
        revokeKeyGrant(kmsClient, targetKeyId, grantId);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("10. Decrypt the data\n");
        System.out.println("""
            Let's decrypt the data that was encrypted in an earlier step.
            The code uses the same key to decrypt the string that we encrypted earlier in the program.
            """);
        waitForInputToContinue(scanner);
        String decryptText = decryptData(kmsClient, ciphertext, targetKeyId);
        System.out.println("Decrypted text is: " + decryptText);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("11. Replace a key policy\n");
        System.out.println("""
            A key policy is a resource policy for a KMS key. Key policies are the primary way to control
            access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy
            determine who has permission to use the KMS key and how they can use it.
            You can also use IAM policies and grants to control access to the KMS key, but every KMS key
            must have a key policy.

            By default, when you create a key by using the SDK, a policy is created that
            gives the AWS account that owns the KMS key full access to the KMS key.

            Let's try to replace the automatically created policy with the following policy.

            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::0000000000:root"},
                "Action": "kms:*",
                "Resource": "*"
              }]
            }
            """);
        waitForInputToContinue(scanner);
        boolean polAdded = replacePolicy(kmsClient, targetKeyId, policyName);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("12. Get the key policy\n");
        System.out.println("The next bit of code that runs gets the key policy to make sure it exists.");
        waitForInputToContinue(scanner);
        getKeyPolicy(kmsClient, targetKeyId, policyName);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("13. Create an asymmetric KMS key and sign your data\n");
        System.out.println("""
            Signing your data with an AWS key can provide several benefits that make it an attractive option
            for your data signing needs. By using an AWS KMS key, you can leverage the
            security controls and compliance features provided by AWS,
            which can help you meet various regulatory requirements and enhance the overall security posture
            of your organization.
            """);
        waitForInputToContinue(scanner);
        signVerifyData(kmsClient);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("14. Tag your symmetric KMS Key\n");
        System.out.println("""
            By using tags, you can improve the overall management, security, and governance of your
            KMS keys, making it easier to organize, track, and control access to your encrypted data
            within your AWS environment
            """);
        waitForInputToContinue(scanner);
        tagKMSKey(kmsClient, targetKeyId);
        waitForInputToContinue(scanner);

        System.out.println(DASHES);
        System.out.println("15. Schedule the deletion of the KMS key\n");
        System.out.println("""
            By default, KMS applies a waiting period of 30 days,
            but you can specify a waiting period of 7-30 days. When this operation is successful,
            the key state of the KMS key changes to PendingDeletion and the key can't be used in any
            cryptographic operations. It remains in this state for the duration of the waiting period.

            Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted,
            all data that was encrypted under the KMS key is unrecoverable.\s
            """);
        System.out.println("Would you like to delete the Key Management resources? (y/n)");
        String delAns = scanner.nextLine().trim();
        if (delAns.equalsIgnoreCase("y")) {
            System.out.println("You selected to delete the AWS KMS resources.");
            waitForInputToContinue(scanner);
            deleteSpecificAlias(kmsClient, fullAliasName);
            disableKey(kmsClient, targetKeyId);
            deleteKey(kmsClient, targetKeyId);
        } else {
            System.out.println("The Key Management resources will not be deleted");
        }

        System.out.println(DASHES);
        System.out.println("This concludes the AWS Key Management SDK Getting Started scenario");
        System.out.println(DASHES);
    }

    public static void listAllAliases(KmsClient kmsClient) {
        try {
            ListAliasesRequest aliasesRequest = ListAliasesRequest.builder()
                    .limit(15)
                    .build();

            ListAliasesIterable aliasesResponse = kmsClient.listAliasesPaginator(aliasesRequest);
            aliasesResponse.stream()
                    .flatMap(r -> r.aliases().stream())
                    .forEach(alias -> System.out
                            .println("The alias name is: " + alias.aliasName()));
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void disableKey(KmsClient kmsClient, String keyId) {
        try {
            DisableKeyRequest keyRequest = DisableKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            kmsClient.disableKey(keyRequest);
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void signVerifyData(KmsClient kmsClient) {
        String signMessage = "Here is the message that will be digitally signed";

        // Create an AWS KMS key used to digitally sign data.
        CreateKeyRequest request = CreateKeyRequest.builder()
                .keySpec(KeySpec.RSA_2048)              // Specify key spec
                .keyUsage(KeyUsageType.SIGN_VERIFY)     // Specify key usage
                .origin(OriginType.AWS_KMS)             // Specify key origin
                .build();

        CreateKeyResponse response = kmsClient.createKey(request);
        String keyId2 = response.keyMetadata().keyId();
        System.out.println("Created KMS key with ID: " + keyId2);

        SdkBytes bytes = SdkBytes.fromString(signMessage, Charset.defaultCharset());
        SignRequest signRequest = SignRequest.builder()
                .keyId(keyId2)
                .message(bytes)
                .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
                .build();

        SignResponse signResponse = kmsClient.sign(signRequest);
        byte[] signedBytes = signResponse.signature().asByteArray();

        // Verify the digital signature.
        VerifyRequest verifyRequest = VerifyRequest.builder()
                .keyId(keyId2)
                .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset())))
                .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes)))
                .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256)
                .build();

        VerifyResponse verifyResponse = kmsClient.verify(verifyRequest);
        System.out.println("Signature verification result: " + verifyResponse.signatureValid());
    }

    public static void tagKMSKey(KmsClient kmsClient, String keyId) {
        try {
            Tag tag = Tag.builder()
                    .tagKey("Environment")
                    .tagValue("Production")
                    .build();

            TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
                    .keyId(keyId)
                    .tags(tag)
                    .build();

            kmsClient.tagResource(tagResourceRequest);
            System.out.println("The key has been tagged.");
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void getKeyPolicy(KmsClient kmsClient, String keyId, String policyName) {
        try {
            GetKeyPolicyRequest policyRequest = GetKeyPolicyRequest.builder()
                    .keyId(keyId)
                    .policyName(policyName)
                    .build();

            GetKeyPolicyResponse response = kmsClient.getKeyPolicy(policyRequest);
            System.out.println("The response is " + response.policy());
        } catch (KmsException e) {
            if (e.getMessage().contains("No such policy exists")) {
                System.out.println("The policy cannot be found. Error message: " + e.getMessage());
            } else {
                throw e;
            }
        }
    }

    public static boolean replacePolicy(KmsClient kmsClient, String keyId, String policyName) {
        // Change the principal in the below JSON.
        String policy = """
            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root"},
                "Action": "kms:*",
                "Resource": "*"
              }]
            }
            """.formatted(accountId);

        try {
            PutKeyPolicyRequest keyPolicyRequest = PutKeyPolicyRequest.builder()
                    .keyId(keyId)
                    .policyName(policyName)
                    .policy(policy)
                    .build();

            kmsClient.putKeyPolicy(keyPolicyRequest);
            System.out.println("The key policy has been replaced.");
        } catch (LimitExceededException e) {
            System.out.println("Policy limit reached. Unable to create the policy.");
            return false;
        } catch (AlreadyExistsException e) {
            System.out.println("Only one policy per key is supported. Unable to create the policy.");
            return false;
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return true;
    }

    public static boolean doesKeyHavePolicy(KmsClient kmsClient, String keyId, String policyName) {
        ListKeyPoliciesRequest policiesRequest = ListKeyPoliciesRequest.builder()
                .keyId(keyId)
                .build();

        ListKeyPoliciesResponse response = kmsClient.listKeyPolicies(policiesRequest);
        List<String> policyNames = response.policyNames();
        // Report whether the named policy is attached; "default" is the only policy name KMS supports today.
        return policyNames.contains(policyName);
    }

    public static void deleteKey(KmsClient kmsClient, String keyId) {
        try {
            ScheduleKeyDeletionRequest deletionRequest = ScheduleKeyDeletionRequest.builder()
                    .keyId(keyId)
                    .pendingWindowInDays(7)
                    .build();

            kmsClient.scheduleKeyDeletion(deletionRequest);
            System.out.println("The key will be deleted in 7 days.");
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void deleteSpecificAlias(KmsClient kmsClient, String aliasName) {
        try {
            DeleteAliasRequest deleteAliasRequest = DeleteAliasRequest.builder()
                    .aliasName(aliasName)
                    .build();

            kmsClient.deleteAlias(deleteAliasRequest);
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static boolean isKeyEnabled(KmsClient kmsClient, String keyId) {
        try {
            DescribeKeyRequest keyRequest = DescribeKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            DescribeKeyResponse response = kmsClient.describeKey(keyRequest);
            KeyState keyState = response.keyMetadata().keyState();
            if (keyState == KeyState.ENABLED) {
                System.out.println("The key is enabled.");
                return true;
            } else {
                System.out.println("The key is not enabled. Key state: " + keyState);
            }
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return false;
    }

    public static String decryptData(KmsClient kmsClient, SdkBytes encryptedData, String keyId) {
        try {
            DecryptRequest decryptRequest = DecryptRequest.builder()
                    .ciphertextBlob(encryptedData)
                    .keyId(keyId)
                    .build();

            DecryptResponse decryptResponse = kmsClient.decrypt(decryptRequest);
            return decryptResponse.plaintext().asString(StandardCharsets.UTF_8);
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }

    public static void revokeKeyGrant(KmsClient kmsClient, String keyId, String grantId) {
        try {
            RevokeGrantRequest grantRequest = RevokeGrantRequest.builder()
                    .keyId(keyId)
                    .grantId(grantId)
                    .build();

            kmsClient.revokeGrant(grantRequest);
            System.out.println("Grant ID: [" + grantId + "] was successfully revoked!");
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void displayGrantIds(KmsClient kmsClient, String keyId) {
        try {
            ListGrantsRequest grantsRequest = ListGrantsRequest.builder()
                    .keyId(keyId)
                    .limit(15)
                    .build();

            ListGrantsIterable response = kmsClient.listGrantsPaginator(grantsRequest);
            response.stream()
                    .flatMap(r -> r.grants().stream())
                    .forEach(grant -> {
                        System.out.println("The grant Id is : " + grant.grantId());
                        List<GrantOperation> ops = grant.operations();
                        for (GrantOperation op : ops) {
                            System.out.println(op.name());
                        }
                    });
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static String grantKey(KmsClient kmsClient, String keyId, String granteePrincipal) {
        try {
            // Add the desired KMS Grant permissions.
            List<GrantOperation> grantPermissions = new ArrayList<>();
            grantPermissions.add(GrantOperation.ENCRYPT);
            grantPermissions.add(GrantOperation.DECRYPT);
            grantPermissions.add(GrantOperation.DESCRIBE_KEY);

            CreateGrantRequest grantRequest = CreateGrantRequest.builder()
                    .keyId(keyId)
                    .name("grant1")
                    .granteePrincipal(granteePrincipal)
                    .operations(grantPermissions)
                    .build();

            CreateGrantResponse response = kmsClient.createGrant(grantRequest);
            return response.grantId();
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }

    public static void enableKeyRotation(KmsClient kmsClient, String keyId) {
        try {
            EnableKeyRotationRequest enableKeyRotationRequest = EnableKeyRotationRequest.builder()
                    .keyId(keyId)
                    .build();

            kmsClient.enableKeyRotation(enableKeyRotationRequest);
            System.out.println("Key rotation has been enabled for key with id [" + keyId + "]");
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    public static void createCustomAlias(KmsClient kmsClient, String targetKeyId, String aliasName) {
        try {
            CreateAliasRequest aliasRequest = CreateAliasRequest.builder()
                    .aliasName(aliasName)
                    .targetKeyId(targetKeyId)
                    .build();

            kmsClient.createAlias(aliasRequest);
            System.out.println(aliasName + " was successfully created.");
        } catch (AlreadyExistsException e) {
            // KMS signals a duplicate alias with kms.model.AlreadyExistsException, not Secrets Manager's ResourceExistsException.
            System.err.println("Alias already exists: " + e.getMessage());
            System.err.println("Moving on...");
        } catch (Exception e) {
            System.err.println("An unexpected error occurred: " + e.getMessage());
            System.err.println("Moving on...");
        }
    }

    public static SdkBytes encryptData(KmsClient kmsClient, String keyId, String text) {
        try {
            SdkBytes myBytes = SdkBytes.fromUtf8String(text);
            EncryptRequest encryptRequest = EncryptRequest.builder()
                    .keyId(keyId)
                    .plaintext(myBytes)
                    .build();

            EncryptResponse response = kmsClient.encrypt(encryptRequest);
            String algorithm = response.encryptionAlgorithm().toString();
            System.out.println("The string was encrypted with algorithm " + algorithm + ".");

            // Get the encrypted data.
            SdkBytes encryptedData = response.ciphertextBlob();
            return encryptedData;
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return null;
    }

    public static String createKey(KmsClient kmsClient, String keyDesc) {
        try {
            CreateKeyRequest keyRequest = CreateKeyRequest.builder()
                    .description(keyDesc)
                    .keySpec(KeySpec.SYMMETRIC_DEFAULT)
                    .keyUsage(KeyUsageType.ENCRYPT_DECRYPT)
                    .build();

            CreateKeyResponse result = kmsClient.createKey(keyRequest);
            System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created.");
            return result.keyMetadata().keyId();
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
        return "";
    }

    // Enable the KMS key.
    public static void enableKey(KmsClient kmsClient, String keyId) {
        try {
            EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder()
                    .keyId(keyId)
                    .build();

            kmsClient.enableKey(enableKeyRequest);
        } catch (KmsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }

    // Not shown in the excerpt on this page; assumed to resolve the caller's account through STS,
    // which is what the StsClient / GetCallerIdentityResponse imports point to.
    private static String getAccountId() {
        try (StsClient stsClient = StsClient.builder().region(Region.US_WEST_2).build()) {
            GetCallerIdentityResponse identity = stsClient.getCallerIdentity();
            return identity.account();
        }
    }

    // Not shown in the excerpt on this page; minimal version assumed here.
    private static void waitForInputToContinue(Scanner scanner) {
        while (true) {
            System.out.println("");
            System.out.println("Enter 'c' followed by <ENTER> to continue:");
            String input = scanner.nextLine();
            if (input.trim().equalsIgnoreCase("c")) {
                System.out.println("Continuing with the program...");
                System.out.println("");
                break;
            } else {
                System.out.println("Invalid input. Please try again.");
            }
        }
    }
}
```
String text) { try { SdkBytes myBytes = SdkBytes.fromUtf8String(text); EncryptRequest encryptRequest = EncryptRequest.builder() .keyId(keyId) .plaintext(myBytes) .build(); EncryptResponse response = kmsClient.encrypt(encryptRequest); String algorithm = response.encryptionAlgorithm().toString(); System.out.println("The string was encrypted with algorithm " + algorithm + "."); // Get the encrypted data. SdkBytes encryptedData = response.ciphertextBlob(); return encryptedData; } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return null; } public static String createKey(KmsClient kmsClient, String keyDesc) { try { CreateKeyRequest keyRequest = CreateKeyRequest.builder() .description(keyDesc) .customerMasterKeySpec(CustomerMasterKeySpec.SYMMETRIC_DEFAULT) .keyUsage("ENCRYPT_DECRYPT") .build(); CreateKeyResponse result = kmsClient.createKey(keyRequest); System.out.println("Symmetric key with ARN [" + result.keyMetadata().arn() + "] has been created."); return result.keyMetadata().keyId(); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } return ""; } // Enable the KMS key. public static void enableKey(KmsClient kmsClient, String keyId) { try { EnableKeyRequest enableKeyRequest = EnableKeyRequest.builder() .keyId(keyId) .build(); kmsClient.enableKey(enableKeyRequest); } catch (KmsException e) { System.err.println(e.getMessage()); System.exit(1); } } private static void waitForInputToContinue(Scanner scanner) { while (true) { System.out.println(""); System.out.println("Enter 'c' followed by <ENTER> to continue:"); String input = scanner.nextLine(); if (input.trim().equalsIgnoreCase("c")) { System.out.println("Continuing with the program..."); System.out.println(""); break; } else { // Handle invalid input. System.out.println("Invalid input. 
Please try again."); } } } private static String getAccountId(){ try (StsClient stsClient = StsClient.create()){ GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(); return callerIdentity.account(); } } }