Importing a Security Object

Fortanix DSM can import keys, certificates, and secrets that were created outside of Fortanix DSM. Note that except for public keys and certificates, it is generally more secure to create keys inside of Fortanix DSM as described in the previous section “Generating Security Objects”.

The key value must be unencrypted (that is, not encrypted or password-protected). If the key you are importing is an encrypted key, you must first decrypt the key, either in your application or using a program such as openssl. Alternatively, you may import wrapped keys into Fortanix DSM as described in the section “Unwrapping Security Objects”.

Importing keys is performed with the importSecurityObject API. The SobjectRequest object defines the properties of the key that will be imported, including the key material to be used for the key. The ObjectType property of the SobjectRequest determines what type of security object will be imported; use type SECRET to import secrets. The KeySize and ellipticCurve properties of the SobjectRequest are ignored, because the key size or curve is determined from the key material. The name property is required and must be unique. The value property provides the key material; the required format of value depends on what type of object is being imported.

If you do not override the default enabled operations, the imported key will support all operations that make sense for its key type. By default, imported keys also have the Export operation enabled. So, for example, RSA keys will have the Sign, Verify, Encrypt, Decrypt, WrapKey, UnwrapKey, DeriveKey, Export, and AppManageable operations. They will not have the MacGenerate or MacVerify operations, since those operations are not defined for RSA keys.

WARNING

Enabled operations may be removed from keys, but they cannot be added.

The enabled operations are specified using the keyOps property of the SobjectRequest. This property is a list. The imported key will be created with its enabled operations equal to the list provided, so any operation left out of the list cannot be enabled later.

If you want to import keys that can be exported from Fortanix DSM, you will need to request that the key be imported with the Export operation enabled along with any other operations you wish to enable on the key.
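Because operations can be removed from a key but never added, the keyOps list has to be right at import time, and the material has to be unencrypted. The following helper, added here as an example and not part of the Fortanix SDK, builds the import request body as a plain dictionary (the REST field names obj_type, value and key_ops, the base64 encoding of value, and the uppercase operation spellings are assumptions), refuses passphrase-protected PEM input, and rejects operations the page says are not defined for RSA keys.

```python
import base64
import json

# Operations the page lists as defined for RSA keys (enum spelling assumed).
RSA_OPS = {"SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY",
           "DERIVEKEY", "APPMANAGEABLE", "EXPORT"}
DEFINED_OPS = {"RSA": RSA_OPS}  # other types are passed through unchecked

# Markers of passphrase-protected PEM keys (legacy OpenSSL and PKCS#8).
PEM_ENCRYPTED_MARKERS = (b"Proc-Type: 4,ENCRYPTED", b"BEGIN ENCRYPTED PRIVATE KEY")


def is_encrypted_pem(material: bytes) -> bool:
    """True if the PEM material must be decrypted before import."""
    return any(marker in material for marker in PEM_ENCRYPTED_MARKERS)


def build_import_request(name: str, material: bytes, obj_type: str, key_ops) -> dict:
    """Build the import body with an explicit, minimal key_ops list.

    EXPORT is only present if the caller asks for it: the default would
    enable it, and a missing operation cannot be added after import.
    """
    if not name:
        raise ValueError("name is required and must be unique")
    if is_encrypted_pem(material):
        raise ValueError("key material is encrypted; decrypt it before import")
    ops = {op.upper() for op in key_ops}
    defined = DEFINED_OPS.get(obj_type)
    if defined is not None and not ops <= defined:
        raise ValueError(f"operations not defined for {obj_type}: {sorted(ops - defined)}")
    return {
        "name": name,
        "obj_type": obj_type,
        "value": base64.b64encode(material).decode("ascii"),  # assumed encoding
        "key_ops": sorted(ops),
    }


if __name__ == "__main__":
    # Constructed placeholder, not a real key.
    sample = b"-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n-----END PRIVATE KEY-----\n"
    body = build_import_request("Name", sample, "RSA", ["sign", "verify", "export"])
    print(json.dumps(body, indent=2))
```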

For example, to import a 2048-bit RSA key that is exportable and may only be used for signing and verifying signatures, use this SobjectRequest:

C#

SecurityObjectsApi securityObjectsApi = new SecurityObjectsApi(apiClient);

// Import RSA Key
SobjectRequest rsaRequest = new SobjectRequest(
          Name: "Name",
          Value: <key value as bytes[]>,
          ObjType: ObjectType.RSA);
KeyObject rsaKey = securityObjectsApi.ImportSecurityObject(rsaRequest);

// Import Secret
SobjectRequest secretRequest = new SobjectRequest(
          Name: "Name",
          Value: <secret value as bytes[]>,
          ObjType: ObjectType.SECRET);
KeyObject secret = securityObjectsApi.ImportSecurityObject(secretRequest);

Go

// Import RSA Key
name := "Name"
objType := sdkms.ObjectTypeRsa
value := []byte(<key value as bytes>)
sobjectReq := sdkms.SobjectRequest{
    Name:    &name,
    ObjType: &objType,
    Value:   &value,
}
sobject, err := client.ImportSobject(ctx, sobjectReq)
if err != nil {
    // handle the import error
}

Java

SecurityObjectsApi securityObjectsApi = new SecurityObjectsApi(apiClient);

// Import RSA Key, exportable and restricted to signing and verification
SobjectRequest rsaRequest = new SobjectRequest()
          .name("Name").value(<key value as bytes[]>)
          .objType(ObjectType.RSA)
          .keyOps(Arrays.asList(KeyOperations.SIGN, KeyOperations.VERIFY, KeyOperations.EXPORT));
KeyObject rsaKey = securityObjectsApi.importSecurityObject(rsaRequest);

// Import Certificate
SobjectRequest certificateRequest = new SobjectRequest()
          .name("Name").value(<certificate value as bytes[]>)
          .objType(ObjectType.CERTIFICATE);
KeyObject certificate = securityObjectsApi.importSecurityObject(certificateRequest);

// Import Secret
SobjectRequest secretRequest = new SobjectRequest()
          .name("Name").value(<secret value as bytes[]>)
          .objType(ObjectType.SECRET);
KeyObject secret = securityObjectsApi.importSecurityObject(secretRequest);

Python

api_instance = sdkms.v1.SecurityObjectsApi(api_client=client)

# Import RSA Key
request = sdkms.v1.SobjectRequest(name='Name', value=<key value as bytes>, obj_type=sdkms.v1.ObjectType.RSA)
key = api_instance.import_security_object(request)

REST API using curl

#Generate RSA Key
curl <Endpoint URL>/crypto/v1/key -H 'Authorization: Bearer YhXwwa-6C...ig5g' -d '{"name": "Name", "key_size": 2048, "obj_type": "RSA"}'