Package com.google.crypto.tink

Class KmsClients

java.lang.Object

com.google.crypto.tink.KmsClients

public final class KmsClients
extends java.lang.Object

A container for KmsClient-objects that are needed by KeyManager-objects for primitives that use KMS-managed keys.

This class consists exclusively of static methods that register and load KmsClient-objects.

Since:

1.0.0

Method Summary

Modifier and Type	Method	Description
static void	add(KmsClient client)	Adds a client to the list of known KmsClient-objects.
static KmsClient	get(java.lang.String keyUri)	Returns the first KmsClient registered with add(com.google.crypto.tink.KmsClient) that supports keyUri.
static KmsClient	getAutoLoaded(java.lang.String keyUri)	Deprecated. Don't use this.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

add

public static void add(KmsClient client)

Adds a client to the list of known KmsClient-objects.

This function will always add the client to a global list. So this function should only be called on startup and not on every operation.

It is often not necessary to use this function. For example, you can call KmsClient.getAead(java.lang.String) to get a remote Aead. Use this Aead to encrypt a keyset with TinkProtoKeysetFormat.serializeEncryptedKeyset(com.google.crypto.tink.KeysetHandle, com.google.crypto.tink.Aead, byte[]), or to create an envelope Aead using KmsEnvelopeAead.create(com.google.crypto.tink.aead.AeadParameters, com.google.crypto.tink.Aead).

get

public static KmsClient get(java.lang.String keyUri)
                     throws java.security.GeneralSecurityException

Returns the first KmsClient registered with add(com.google.crypto.tink.KmsClient) that supports keyUri.

Throws:

java.security.GeneralSecurityException - if no KMS clients can be found that support keyUri

getAutoLoaded

@Deprecated
public static KmsClient getAutoLoaded(java.lang.String keyUri)
                               throws java.security.GeneralSecurityException

Deprecated.

Don't use this.

Returns the first KmsClient automatically loaded with ServiceLoader that supports keyUri.

Warning This method searches over the classpath for all implementations of KmsClient. An attacker that can insert a class in your classpath (e.g., someone controlling a library that you're using) could provide a fake KmsClient that steal your keys. For this reason Tink does not use this method.

Throws:

java.security.GeneralSecurityException - if cannot found any KMS clients that support keyUri