Sample for creating an RSA key in Azure Key Vault, then wrapping and unwrapping an AES key with it, written in Go
package main | |
import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"os"
	"strings"

	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
	"github.com/Azure/go-autorest/autorest/azure/auth"
)
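// main creates an RSA key in the vault named by AZURE_KEYVAULT_URL, wraps a
// freshly generated AES key with it using RSA-OAEP, and unwraps it again.
//
// Requires environment variables:
//   - AZURE_TENANT_ID
//   - AZURE_CLIENT_ID
//   - AZURE_CLIENT_SECRET
//   - AZURE_AD_RESOURCE
//     Key Vault: https://vault.azure.net
//     Managed HSM: https://managedhsm.azure.net
//   - AZURE_KEYVAULT_URL
//
// Any failure is reported on stderr and the process exits with status 1.
func main() {
	if err := run(context.Background()); err != nil {
		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
		os.Exit(1)
	}
}

// run performs the create/wrap/unwrap round trip against the vault and
// returns the first error it meets instead of exiting, so that main owns the
// single exit point.
func run(ctx context.Context) error {
	authorizer, err := auth.NewAuthorizerFromEnvironment()
	if err != nil {
		return err
	}
	keyClient := keyvault.New()
	keyClient.Authorizer = authorizer

	vaultURL, defined := os.LookupEnv("AZURE_KEYVAULT_URL")
	if !defined || vaultURL == "" {
		return fmt.Errorf("AZURE_KEYVAULT_URL environment variable required")
	}

	key, err := keyClient.CreateKey(ctx, vaultURL, "test-key", keyvault.KeyCreateParameters{
		Kty: keyvault.RSA,
	})
	if err != nil {
		return fmt.Errorf("failed to create key: %w", err)
	}
	// Both Key and Kid are pointers in the SDK response; guard before
	// dereferencing rather than panic on an unexpected payload.
	if key.Key == nil || key.Key.Kid == nil {
		return fmt.Errorf("failed to create key: response contains no key ID")
	}
	fmt.Printf("Created key: %s\n", *key.Key.Kid)

	name, version, err := parseKeyID(*key.Key.Kid)
	if err != nil {
		return err
	}

	// The AES key to wrap: 32 random bytes, base64url-encoded without padding
	// (the same shape as the service expects). It is generated per run so no
	// key material is embedded in the source.
	value, err := newWrapValue(32)
	if err != nil {
		return err
	}

	result, err := keyClient.WrapKey(ctx, vaultURL, name, version, keyvault.KeyOperationsParameters{
		Algorithm: keyvault.RSAOAEP,
		Value:     &value,
	})
	if err != nil {
		return fmt.Errorf("failed to wrap key: %w", err)
	}
	if result.Result == nil {
		return fmt.Errorf("failed to wrap key: empty result")
	}
	fmt.Printf("Wrapped key: %s\n", *result.Result)

	// Unwrap against the vault the key was created in; the endpoint must be
	// the configured vaultURL, not a separately hard-coded host.
	result, err = keyClient.UnwrapKey(ctx, vaultURL, name, version, keyvault.KeyOperationsParameters{
		Algorithm: keyvault.RSAOAEP,
		Value:     result.Result,
	})
	if err != nil {
		return fmt.Errorf("failed to unwrap key: %w", err)
	}
	if result.Result == nil {
		return fmt.Errorf("failed to unwrap key: empty result")
	}
	fmt.Printf("Unwrapped key: %s\n", *result.Result)

	// The round trip is only meaningful if we get the original value back.
	if *result.Result != value {
		return fmt.Errorf("unwrapped key does not match the wrapped value")
	}
	return nil
}

// parseKeyID extracts the key name and version from a Key Vault key
// identifier of the form https://{vault}/keys/{name}/{version}.
//
// It returns an error when the identifier is not a valid URL or its path does
// not carry at least the keys/{name}/{version} segments, instead of indexing
// past the end of the split path.
func parseKeyID(kid string) (name, version string, err error) {
	u, err := url.Parse(kid)
	if err != nil {
		return "", "", fmt.Errorf("failed to parse URL %q: %w", kid, err)
	}
	// Trim the surrounding slashes so leading/trailing "/" do not produce
	// empty segments; "/keys/name/version" then splits into three parts.
	segments := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segments) < 3 {
		return "", "", fmt.Errorf("failed to parse URL %q: expected /keys/{name}/{version} path", kid)
	}
	return segments[1], segments[2], nil
}

// newWrapValue returns n cryptographically random bytes encoded as
// unpadded base64url, which is the encoding Key Vault uses for key
// operation values.
func newWrapValue(n int) (string, error) {
	raw := make([]byte, n)
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("failed to generate key material: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}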