How-to guides

• 1: Key Management Service Encryption example using keys

The user can enter the essential information of the Key Management Service service and create the service by selecting detailed options through the Samsung Cloud Platform Console.

Key Management Service creation

You can create and use the Key Management Service on the Samsung Cloud Platform Console.

To create a Key Management Service, follow the following procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service creation button. It moves to the Key Management Service creation page.
3. Key Management Service creation page, enter the information required for service creation and add additional information.

• Service Information Input area, please enter or select the required information.

  Classification	Mandatory	Detailed Description
  Key Name	Required	Enter Key Name
  Public Certification Algorithm	Option	Select whether to use the public certification algorithm The public certification algorithm option is only available in SCP Sovereign The public certification algorithm provides the Aria algorithm that has completed security verification by the National Intelligence Service
  Purpose	Required	Select the purpose and encryption method of the key
  Automatic Rotation	Option	Select whether to use automatic rotation of the key Use is selected, the internal algorithm of the generated key is converted to a different value and applied for each set rotation cycle
  Auto Rotation > Rotation Period	Required	Enter the rotation period of the key The rotation period can enter a value between 1~730 days. If the rotation period is not entered, it is automatically set to 90 days
  Description	Options	Enter additional information for the key

  Table. Key Management Service service information input items
• Additional Information Input area, please enter or select the required information.

  Classification	Mandatory	Detailed Description
  Tag	Selection	Add Tag Up to 50 can be added per resource Click the Add Tag button and enter or select Key, Value

  Table. Key Management Service Additional Information Input Items

4. Summary panel, review the detailed information generated and the estimated billing amount, and click the Complete button.

• Once creation is complete, check the created resource on the Key Management Service list page.

Key Management Service detailed information check

Key Management Service can check and modify the entire resource list and detailed information. The Key Management Service details page consists of details, tags, and operation history tabs.

Key Management Service detailed information to confirm, please follow the next procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click the resource to check the detailed information. It moves to the Key Management Service details page.

• Key Management Service details page top displays the status information and additional features description.

  Classification	Detailed Description
  Status	Indicates the status of Key Management Service Active: Available/Activated Stop: Stopped/Deactivated To be Terminated: Scheduled for Deletion Creating: Being Created/Creation Error (Only immediate deletion is possible for retrying creation)
  Key Rotation	A button that can manually rotate the generated key
  Key Deactivation	a button that can deactivate the generated key
  Service Cancellation	Button to cancel the service

  Table. Key Management Service Status Information and Additional Features

Detailed Information

Key Management Service list page where you can check the detailed information of the selected resource and modify the information if necessary.

Classification	Detailed Description
Service	Service Name
Resource Type	Resource Type
SRN	Unique resource ID in Samsung Cloud Platform
Resource Name	Resource Title
Resource ID	Unique resource ID in the service
Creator	The user who created the service
Creation Time	The time when the service was created
Key Name	Name of the generated key
Public Certification Algorithm	Cryptographic algorithm verified through the Korea Cryptographic Module Validation Program When selected, it is possible to generate an encryption key that meets the public encryption standards The public certification algorithm option is only available on SCP Sovereign
Purpose	Purpose of the key such as encryption/decryption and signing/verification and encryption method
Automatic Rotation	Whether to use automatic rotation of the key
Rotation Period	Set the rotation period when using auto-rotation
Next rotation date	Display of the next rotation date of the key according to the rotation cycle Automatically execute key rotation on the corresponding date
usage count	the number of times the key is used to call the encryption/decryption function
Description	Display additional description for the key

Table. Key Management Service detailed information tab items

Tag

Key Management Service list page where you can check the tag information of the selected resource, and add, change or delete it.

Classification	Detailed Description
Tag List	Tag list Check Key, Value information of the tag Up to 50 tags can be added per resource Search and select from existing Key and Value lists when entering tags

Table. Key Management Service tags tab items

Work History

Key Management Service list page where you can check the operation history of the selected resource.

Classification	Detailed Description
Work History	Work Performance Contents Encryption, Decryption, Signing, Verification, Data Key Generation, Rewrap API Log Item Display
Work Time	Work Performance Time
Resource Type	Resource Type
Resource Name	Resource Title
Task Result	Task Execution Result(Success/Failure)
Worker Information	Information of the user who performed the task

Table. Key Management Service job history tab detailed information items

Key Management Service management

You can create a new version of the registered key or change its usage status.

KMS Key Rotation Settings

Key rotation is a function that converts the internal algorithm of the generated key into another value.

Note

• When rotating the key, only the master key value is changed, and the ciphertext and plaintext values of the data key created previously are not changed.
• Even if the key rotation is performed, the master key has the previous version of the data, so there is no effect on the decryption performed through the master key, and the value of the data key being used is also not changed.
• However, if you wrap (decrypt and re-encrypt) with a changed master key, calling the rewrapData API will execute the key rotation function.

To create a new version of the created Key Management Service (key rotation), follow these steps.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click on the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the key rotation button. It moves to the key rotation popup window.
5. Key Rotation popup window, check the message and click the Confirm button.

KMS Key Activation Settings

You can set whether to use the selected key.

Reference

If you change the key to an inactive state, users who use the key can no longer use the key.

To set whether to enable or disable the created Key Management Service, follow the next procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click on the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the key activation/key deactivation button. Move to the key activation/key deactivation popup window.
5. Key Activation/Key Deactivation popup window, check the message and click the Confirm button.

Key Management Service utilizing keys for encryption cases

The procedure example for storing important data of the user Application by issuing a data key from KMS and encrypting it is as follows.

1. Application startup, when KMS master key information is used to issue a data key, and then the data key in plain text form is used on the client-side to perform secure data encryption and storage.
2. The data key is stored in the database in the form encrypted with the master key.
3. When performing security data decryption, it requests decryption with KMS master key information by querying the data key stored in the database.

Key Management Service uses the key for encryption/decryption procedures, which are explained in the following concept diagram.

Encryption

Decryption

Key Management Service Cancellation

You can cancel the Key Management Service that is not being used.

Caution

If the key is revoked, all requests and functions of the Key Management Service will be unavailable, and it will be permanently deleted immediately or 72 hours later through scheduled revocation.

To cancel the Key Management Service, follow the following procedure.

1. All services > Security > Key Management Service menu, click. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the service cancellation button. It moves to the service cancellation pop-up window.
5. Service Cancellation popup window, select Immediate Cancellation/Reserved Cancellation and confirm the contents, then click the Confirm button.
6. Once the cancellation is complete, check if the resource has been cancelled on the Key Management Service list page.

• Key deletion notification will be sent to both the user who created the key and the user who deleted it when the key deletion is completed.

Reference

• You can also deactivate the selected key by clicking the Cancel Service button in the More Menu button at the far right of the generated KMS list.
• To cancel the cancellation of a reserved service, click the Cancel Cancellation button on the KMS list page or detail page.
• Service Cancellation Cancellation In the popup window, if you click Confirm, the selected key will be restored to an inactive state without being deleted.
• To reuse the key, click the Key Activation button on the Key Management Service details page.

1 - Key Management Service Encryption example using keys

Key Management Service Encryption Example Using Keys

This is a Java code example for implementing envelope encryption (Envelope Encryption) and data signing/verification using a key generated by KMS.

Envelope Encryption

It presents an envelope encryption scenario, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Obtain a Data Key to encrypt password information using envelope encryption.
2. Use the issued Data Key information to encrypt the password.
3. Encrypt the password and encrypted Data Key information using envelope encryption and save it as a JSON file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
// END POINT
static String KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s";
static String KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s";
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
createEnvelop() {
    // Request creation of a new data key
    String encryptedDataKey = getDataKey();
    // Data to be encrypted
    String example_json_data = "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}";
    // Encrypted data envelope(Envelop encryption)
    String envelope = encryptData(example_json_data, encryptedDataKey);
    // In this example code, the encrypted data envelope is saved to a file
    File envelopeFile = new File("envelope.json");
}
  
getDataKey() {
    String endPoint = String.format(KMS_API_CREATE_DATAKEY, KEY_ID);
    String url = KMS_API_BASE_URI + endPoint;
    JSONObject data = new JSONObject();
    data.put("key_type", "plaintext");
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    return respJsonObject.get("ciphertext").toString();
}
  
encryptData() {
    Map<String, String> envelope = new HashMap<>();
    // Data key decryption
    String dataKey = decryptDataKey(encryptedDataKey);
    // Encrypt the generated data key using AES-CBC method
    // Cipher Class usage (User can use the encryption algorithm they are already using)
    SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    byte[] iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV();
    byte[] cipherText = cipher.doFinal(obj.toString().getBytes());
  
    envelope.put("encryptedKey", encryptedDataKey);
    envelope.put("cipherText", encodeBase64(cipherText));
    envelope.put("iv", encodeBase64(iv));
  
    return JSONValue.toJSONString(envelope);
}
  
decryptDataKey() {
    String endPoint = String.format(KMS_API_DECRYPT, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("cipherText", sealedKey);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String plaintext = (respJsonObject.get("plaintext")).toString();
    return plaintext;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
const KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
createEnvelop() {
        // Request new data key creation
        encryptedDataKey := getDataKey()

        // data to be encrypted
        example_json_data := "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}"
        // encrypted data envelope(Envelop encryption)
        envelope := encryptData(example_json_data, encryptedDataKey)
        // In this example code, the encrypted data envelope is saved to a file
        file, _ := os.Create("envelope.json")
        defer file.Close()

        file.WriteString(envelope)
"}
  
getDataKey() {
        endPoint := fmt.Sprintf(KMS_API_CREATE_DATAKEY, KEY_ID)
        data := map[string]interface{}{
            "key_type": "plaintext",
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDatakeyInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DataKey
"}
  
encryptData() {
        envelope := make(map[string]string)
        // Data key decryption
        dataKey := decryptDataKey(encryptedDataKey)
        secretKey, _ := base64.StdEncoding.DecodeString(dataKey)
        // Encrypt the generated data key using AES-CBC method
        // Cipher Class use
        block, _ := aes.NewCipher(secretKey)
        cipherText := make([]byte, aes.BlockSize+len(example_json_data))
        iv := cipherText[:aes.BlockSize]
        if _, err := io.ReadFull(rand.Reader, iv); err != nil {
               panic(err)
        }
  
        mode := cipher.NewCFBEncrypter(block, iv)
        mode.XORKeyStream(cipherText[aes.BlockSize:], []byte(example_json_data))
  

        envelope["encryptedKey"] = encryptedDataKey
        envelope["cipherText"] = base64.StdEncoding.EncodeToString(cipherText)
        envelope["iv"] = base64.StdEncoding.EncodeToString(iv)
  
        jsonString, _ := json.Marshal(envelope)
  
        return string(jsonString)
}
  

decryptDataKey() {
        endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
        data := map[string]interface{}{
               "cipherText": sealedKey,
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDecryptInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DecryptedData
  
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
create_envelop()
    # Request new data key creation
    encrypted_data_key = get_dataKey()

  

    # Data to be encrypted
    example_json_data = {"PASSWORDTEST":"SECRET_CREDENTIALTEST"}
    json_data_str = json.dumps(example_json_data)
     
    # Encrypted Data Envelope(Envelop encryption)
    envelope = encrypt_data(json_data_str,encrypted_data_key)
  
    # In this example code, the encrypted data envelope is saved to a file
    with open("envelope.json", "w") as file:
        file.write(envelope)
  
    
get_dataKey()
    end_point = f"{KMS_API_CREATE_DATAKEY}{KEY_ID}"
    data = {
        "key_type": "plaintext"
    }
    response_object = call_api(end_point, data)
  
    data_key = response_object.get("ciphertext", "")
  
    return data_key
  
  
encrypt_data()
    envelope = {}
    # Data key decryption
    dataKey = decrypt_data_key(encrypted_data_key)
    decoded_data_key = base64.b64decode(dataKey)
  
    # Encrypt the generated data key using AES-CBC
    # Cipher Class use
    iv = get_random_bytes(16)
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv)
    data_to_encrypt = obj
    data_bytes = data_to_encrypt.encode()

    padded_data = pad(data_bytes, AES.block_size)
    cipher_text = cipher.encrypt(padded_data).hex()

  
    envelope["encryptedKey"] = encrypted_data_key
    envelope["cipherText"] = cipher_text
    envelope["iv"] = base64.b64encode(iv).decode()
    
    return json.dumps(envelope)
  
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {
        "cipherText":"d3S81rzaGAl8U12LlKSlRbDekPlGuibTntXX962KCjBIKuXdPOG8N8vk3Jet8lyG",
        "iv":"0kP7QKZ6BUeQPlThk4tySA==",
        "encryptedKey":"vault:v1:KJjjLtGHTbaV5N8LWC5O9eMDCaJVeff5SM\/MAYseugjiqiXFVgdXaKXg6kym0NmjHkO\/wLPsa+YK0aVk"
    }

## Use envelope encryption

Present a use case for envelope encryption and you can check the example code in Java, Go, Python written according to the scenario and the resulting values.

### Scenario

1. Decrypt the Data Key of the encrypted envelope file.
2. Decrypt the encrypted data of the envelope file using the decrypted Data Key.

### Java Example Code
This is a Java example code written according to the presented scenario.

// URI static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}; // END POINT static String KMS_API_DECRYPT = “/v1/kms/openapi/decrypt/%s”; // KEY ID static String KEY_ID = {{Master Key ID}};;

getData() { // Encrypted data envelope(Envelop encryption) String envelope = new String(Files.readAllBytes(Paths.get(“envelope.json”))); JSONParser parser = new JSONParser(); JSONObject envelopeJson = (JSONObject) parser.parse(envelope); String encryptedDataKey = envelopeJson.get(“encryptedKey”).toString(); String cipherText = envelopeJson.get(“cipherText”).toString(); String iv = envelopeJson.get(“iv”).toString();

return decryptData(cipherText, encryptedDataKey, iv);

}

decryptData() { String dataKey = decryptDataKey(encryptedDataKey); IvParameterSpec ivParameterSpec = new IvParameterSpec(decodeBase64(iv)); SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), “AES”); Cipher cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding”); cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec); byte[] plaintext = cipher.doFinal(decodeBase64(cipherText));

return new String(plaintext);

}

decryptDataKey() { String endPoint = String.format(KMS_API_DECRYPT, KEY_ID); JSONObject data = new JSONObject(); data.put(“cipherText”, sealedKey); JSONObject respJsonObject = callApi(endPoint, data.toJSONString()); String plaintext = (respJsonObject.get(“plaintext”)).toString(); return plaintext; }

### Go example code
This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
getData() {
    // Load encrypted data envelope(Envelop encryption)
    jsonData, _ := os.ReadFile("envelope.json")
    var envelope map[string]interface{}
    if err := json.Unmarshal(jsonData, &envelope); err != nil {
           fmt.Println("JSON parsing error:", err)
           os.Exit(1)
    }
    encryptedDataKey := envelope["encryptedKey"].(string)
    cipherText := envelope["cipherText"].(string)
    iv := envelope["iv"].(string)
  
    return decryptData(cipherText, encryptedDataKey, iv)
}
  
decryptData() {
    dataKey := decryptDataKey(encryptedDataKey)
    ciphertext, _ := base64.StdEncoding.DecodeString(cipherText)
    dataKeyBytes, _ := base64.StdEncoding.DecodeString(dataKey)
    decodedData := ciphertext[aes.BlockSize:]
    ivparam := ciphertext[:aes.BlockSize]
    block, _ := aes.NewCipher(dataKeyBytes)
  
    mode := cipher.NewCFBDecrypter(block, ivparam)
    mode.XORKeyStream(decodedData, decodedData)
    decryptedData := string(decodedData)
  
    return decryptedData
"}
  
decryptDataKey() {
    endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
    data := map[string]interface{}{
           "cipherText": sealedKey,
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSDecryptInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    return info.DecryptedData
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}
  

# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
  
# KEY ID
KEY_ID = {{Master Key ID}}
    
get_data()
    # Open Encrypted Data Envelope(Envelop encryption)
    with open("envelope.json", "r") as file:
        envelope = file.read()

    envelope_json = json.loads(envelope)
    encrypted_data_key = envelope_json["encryptedKey"]
    cipher_text = envelope_json["cipherText"]
    iv = envelope_json["iv"]
    return decrypt_data(cipher_text, encrypted_data_key, iv)
  
decrypt_data()
    data_key = decrypt_data_key(encrypted_data_key)
    iv_bytes = base64.b64decode(iv)
    decoded_data_key = base64.b64decode(data_key)
    cipher_txt = bytes.fromhex(cipher_text)
  
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv_bytes)
    plain_text_bytes = unpad(cipher.decrypt(cipher_txt), AES.block_size)
    plain_text = plain_text_bytes.decode('utf-8')
    return plain_text
    
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {"PASSWORD":"SECRET_CREDENTIAL"}

Use Data Signature

It presents a data signature usage scenario to ensure data integrity, and you can check the Java, Go, Python example code and results written according to the scenario.

Scenario

1. Call OpenAPI with the data to be signed and sign it.
2. The signed data is enveloped and saved as a json file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_SIGN = "/v1/kms/openapi/sign/%s";
  
// KEY ID
static String KEY_ID = {{master key ID}};
  
signEnvelop() {
    // signature data envelope(Envelop encryption)
    String envelope = sign();
    // In this example code, the signature data envelope is saved to a file
    File envelopeFile = new File("signEnvelope.json");
    OutputStream os = new BufferedOutputStream(new FileOutputStream(envelopeFile));
  
    try {
        os.write(envelope.getBytes());
    } finally {
        os.close();
    }
}
  
sign() {
    Map<String, String> envelope = new HashMap<>();
  
    String example_credential = "SCP KMS Sign Test!!!";
    String endPoint = String.format(KMS_API_SIGN, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", encodeToBase64(example_credential));
  
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
  
    envelope.put("signature", respJsonObject.get("signature").toString());
    if(respJsonObject.get("batch_results") != null) {
  
        envelope.put("batch_results", respJsonObject.get("batch_results").toString());
    }
  
    return JSONValue.toJSONString(envelope);
"}

Go example code

This is a Go example code written according to the given scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  

// END POINT
const KMS_API_SIGN = "/v1/kms/openapi/sign/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  

signEnvelop() {
    // signature data envelope(Envelop encryption)
    envelope := sign()
    // In this example code, the signature data envelope is saved to a file
    file, _ := os.Create("signEnvelope.json")
    defer file.Close()
    file.WriteString(envelope)
"}
  
sign() {
    envelope := make(map[string]string)
    example_credential := "SCP KMS Sign Test!!!"
    endPoint := fmt.Sprintf(KMS_API_SIGN, KEY_ID)
    data := map[string]interface{}{
        "input": base64.StdEncoding.EncodeToString([]byte(example_credential)),
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSSignInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    envelope["signature"] = info.Signature
  
    jsonString, _ := json.Marshal(envelope)
  
    return string(jsonString)
}

Python Example Code

This is a Python example code written according to the given scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_SIGN = "/v1/kms/openapi/sign/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
sign_envelop()
    # Signature Data Envelope(Envelop encryption)
    envelope = sign()
  
    # This example code saves the signature data envelope to a file
    with open("signEnvelope.json", "w") as file:
        file.write(envelope)
  
    
sign()
    envelope = {}
  
    example_credential = "SCP KMS Sign Test!!!"
    end_point = f"{KMS_API_SIGN}{KEY_ID}"
    credential_bytes = example_credential.encode('utf-8')
  

    data = {
        "input": base64.b64encode(credential_bytes).decode('utf-8')
    }
  
    resp_json_object = call_api(end_point,data)
  
    envelope["signature"] = resp_json_object.get("signature")
  
    return json.dumps(envelope)

Example code output

Displays the result value of the example code.

  {
    "signature":"vault:v1:qHGf4ALkTao1Yy\/lpSbLQ2l8YVpsHWBP6ic3Ux1BKSodQQxnEIrjPyUwXXQ1NZfGSVxdeVe5Y6kb0nUPNADQpzkOh9\/e8T\/QCOs9==",
    "projectId":"PROJECT-qWrHRJX5sZnTkopcr9N1dk"
}

Data Validation Use

It presents a verification usage scenario for validating data integrity, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Retrieve the signature value of the signed envelope file.
2. Verify the signed data and output the result.

Java example code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_VERIFY = "/v1/kms/openapi/verify/%s";
  
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
getSign() {
    // signature data envelope(Envelop encryption)
    String envelope = new String(Files.readAllBytes(Paths.get("signEnvelope.json")));
    JSONParser parser = new JSONParser();
    JSONObject envelopeJson = (JSONObject) parser.parse(envelope);
    String signature = envelopeJson.get("signature").toString();
  
    return verify(signature);
}
  
verify() {
    String endPoint = String.format(KMS_API_VERIFY, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", "U0NQIEtNUyBTaWduIFRlc3QhISE=");
    data.put("signature", signature);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String valid = (respJsonObject.get("valid")).toString();
    return valid;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}

// END POINT const KMS_API_VERIFY = “/v1/kms/openapi/verify/%s”

// KEY ID const KEY_ID = {{Master Key ID}}

getSign() { // Load signature data envelope (Envelop encryption) jsonData, _ := os.ReadFile(“signEnvelope.json”) var envelope map[string]interface{} if err := json.Unmarshal(jsonData, &envelope); err != nil { fmt.Println(“JSON parsing error:”, err) os.Exit(1) } signature := envelope[“signature”].(string)

return verify(signature)

}

verify() { endPoint := fmt.Sprintf(KMS_API_VERIFY, KEY_ID) data := map[string]interface{}{ “input”: “U0NQIEtNUyBTaWduIFRlc3QhISE=”, “signature”: signature, } jsonData, _ := json.Marshal(data) respJsonObject := callApi(endPoint, jsonData) info := &KMSVerifyInfo{} json.Unmarshal([]byte(respJsonObject), info)

return info.Valid

}

### Python example code
This is a Python example code written according to the presented scenario.

URI

KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}

END POINT

KMS_API_VERIFY = “/v1/kms/openapi/verify/”

KEY ID

KEY_ID = {{Master Key ID}}

get_sign() # Signature data envelope(Envelop encryption) Open with open(“signEnvelope.json”, “r”) as file: envelope = file.read()

envelope_json = json.loads(envelope)
signature = envelope_json["signature"]

return verify(signature)

verify() end_point = f"{KMS_API_VERIFY}{KEY_ID}"

data = {
    "input": "U0NQIEtNUyBTaWduIFRlc3QhISE=",
    "signature": signature
}

resp_json_object = call_api(end_point,data)
valid = resp_json_object.get("valid")

return valid

### Example code output
Displays the result value of the example code.

{ “valid”: true “}