public final class KmsClients extends Object
A container for KmsClient-objects that are needed by KeyManager-objects for
primitives that use KMS-managed keys.
This class consists exclusively of static methods that register and load KmsClient-objects.
| Modifier and Type | Method and Description |
|---|---|
| static void | add(KmsClient client): Adds a client to the list of known KmsClient-objects. |
| static KmsClient | get(String keyUri): Returns the first KmsClient registered with add(com.google.crypto.tink.KmsClient) that supports keyUri. |
| static KmsClient | getAutoLoaded(String keyUri): Deprecated. Don't use this. |
public static void add(KmsClient client)
Adds a client to the list of known KmsClient-objects.
This function will always add the client to a global list. So this function should
only be called on startup and not on every operation.
It is often not necessary to use this function. For example, you can call KmsClient.getAead(java.lang.String) to get a remote Aead. Use this Aead to encrypt a keyset with
TinkProtoKeysetFormat.serializeEncryptedKeyset(com.google.crypto.tink.KeysetHandle, com.google.crypto.tink.Aead, byte[]), or to create an envelope Aead
using KmsEnvelopeAead.create(com.google.crypto.tink.aead.AeadParameters, com.google.crypto.tink.Aead).
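As an added example (not part of the Tink documentation), the program below follows the note above: the caller constructs a KmsClient itself, calls getAead, and uses the returned Aead both for an envelope Aead and for an encrypted keyset, without touching the global list. LocalKmsClient, the local-kms:// URI scheme and the sample strings are assumptions made so the example runs offline; a real deployment would construct its KMS provider's KmsClient in the same place.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.TinkProtoKeysetFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public final class ExplicitKmsClientExample {
  // Hypothetical stand-in for a real KMS client: the "remote" key is a local AES-GCM key.
  static final class LocalKmsClient implements KmsClient {
    private static final String PREFIX = "local-kms://"; // constructed URI scheme
    private final Aead kek;
    LocalKmsClient() throws GeneralSecurityException {
      kek = KeysetHandle.generateNew(PredefinedAeadParameters.AES256_GCM).getPrimitive(Aead.class);
    }
    @Override public boolean doesSupport(String keyUri) { return keyUri.startsWith(PREFIX); }
    @Override public KmsClient withCredentials(String credentialPath) { return this; }
    @Override public KmsClient withDefaultCredentials() { return this; }
    @Override public Aead getAead(String keyUri) throws GeneralSecurityException {
      if (!doesSupport(keyUri)) throw new GeneralSecurityException("unsupported key URI");
      return kek;
    }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register();
    String keyUri = "local-kms://example-kek"; // constructed sample URI
    byte[] ad = "keyset-v1".getBytes(StandardCharsets.UTF_8);
    byte[] msg = "secret".getBytes(StandardCharsets.UTF_8);

    // The caller builds the client itself: no KmsClients.add(), no classpath lookup.
    KmsClient client = new LocalKmsClient();
    Aead remote = client.getAead(keyUri);

    // Option 1: envelope encryption, a fresh data key per message wrapped by the KMS key.
    Aead envelope = KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remote);
    byte[] ct = envelope.encrypt(msg, ad);
    System.out.println("envelope ok: " + Arrays.equals(msg, envelope.decrypt(ct, ad)));

    // Option 2: serialize a keyset encrypted under the KMS key, then load it back.
    KeysetHandle handle = KeysetHandle.generateNew(PredefinedAeadParameters.AES256_GCM);
    byte[] wrapped = TinkProtoKeysetFormat.serializeEncryptedKeyset(handle, remote, ad);
    KeysetHandle restored = TinkProtoKeysetFormat.parseEncryptedKeyset(wrapped, remote, ad);
    byte[] c2 = handle.getPrimitive(Aead.class).encrypt(msg, ad);
    System.out.println("keyset ok: " + Arrays.equals(msg, restored.getPrimitive(Aead.class).decrypt(c2, ad)));
  }
}
```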
public static KmsClient get(String keyUri) throws GeneralSecurityException
Returns the first KmsClient registered with add(com.google.crypto.tink.KmsClient) that supports keyUri.
GeneralSecurityException - if no KMS clients can be found that support keyUri
@Deprecated public static KmsClient getAutoLoaded(String keyUri) throws GeneralSecurityException
Returns the first KmsClient automatically loaded with ServiceLoader
that supports keyUri.
Warning: This method searches the classpath for all implementations of KmsClient. An attacker who can insert a class into your classpath (e.g., someone controlling a
library that you're using) could provide a fake KmsClient that steals your keys. For
this reason Tink does not use this method.
GeneralSecurityException - if no KMS clients can be found that support keyUri