ark::aws::KmsClient

Defined in header “ark/aws/kms_client.hh”.

This is a wrapper around the AWS key management client, and provides facilities for creation of keys, signing data, and downloading public keys.

Methods

  • KmsClient()
    Constructor.

  • KmsClient(const core::Url & endpoint)
    Constructor uses an alternate endpoint for talking to the KMS, useful for testing.

  • ~KmsClient()
    Destructor.

  • std::string create_rsa_keypair(const std::string & description, const std::map< std::string, std::string > & tags, size_t bits)
    Requests that an RSA keypair be created. The number of bits can be 2048, 3072, or 4096. Returns the KeyId for you to use in other calls.

  • std::string get_public_key(const std::string & key_id)
    Returns the public half of an asymmetric key, requested by key identifier.

  • std::string rsa_sign_message(const std::string & key_id, const std::string & message)
    Signs the given ‘message’. The given key_id is used to sign the message, and the resulting string is a PKCS1 V1.5 signature (using SHA256).

    From an AWS standpoint, the SHA256 digest of the message is sent to KMS to be signed, not the message content.

  • std::string rsa_sign_message(const std::string & key_id, const std::string_view & message)
    Signs the given ‘message’. The given key_id is used to sign the message, and the resulting string is a PKCS1 V1.5 signature (using SHA256).

    From an AWS standpoint, the SHA256 digest of the message is sent to KMS to be signed, not the message content.

  • std::string rsa_sign_message(const std::string & key_id, const std::filesystem::path & file)
    Signs the contents of the given ‘file’. The given key_id is used to sign the file contents, and the resulting string is a PKCS1 V1.5 signature (using SHA256).

    From an AWS standpoint, the SHA256 digest of the file is sent to KMS to be signed, not the file content.

  • std::string rsa_sign_message_with_digest(const std::string & key_id, const std::string & digest)
    Creates a signature from the given digest, returning a PKCS1 V1.5 signature (using SHA256) that is indistinguishable from one produced by rsa_sign_message over the original message. The digest must be a SHA256 digest.
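To make concrete what the signing methods above return, here is an added example that is not ark's code and uses only the Python standard library: it builds the PKCS#1 v1.5 / SHA-256 encoding that rsa_sign_message_with_digest relies on, stands in for the KMS-side private-key step with a throwaway toy key, and verifies the result using only the public half, as you would after get_public_key. It assumes the modulus n and exponent e have already been extracted from the downloaded public key (key parsing is not covered), and the toy key generation exists only so the example runs offline.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). The hash
# algorithm is baked into the signed block, which is why the digest must be SHA-256.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_sha256(digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo(SHA-256, digest)."""
    if len(digest) != 32:
        raise ValueError("digest must be a raw 32-byte SHA-256 digest")
    t = SHA256_DIGESTINFO_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify_rsa_pkcs1_v15_sha256(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Check a signature with only the public half (n, e), e.g. the key from get_public_key."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_sha256(hashlib.sha256(message).digest(), k)

# ---- Stand-in for the KMS side, so the example runs offline (toy key, demo only) ----
def _prime(bits: int, rng: random.Random) -> int:
    """Random probable prime (Fermat test with 20 bases: fine for a demo, not production)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(rng.randrange(2, c - 1), c - 1, c) == 1 for _ in range(20)):
            return c

def toy_rsa_keypair(bits: int = 1024, seed: int = 7) -> tuple:
    """Deterministic demo key (n, e, d). A real key lives inside KMS and never leaves it."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _prime(bits // 2, rng), _prime(bits // 2, rng)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_digest_like_kms(n: int, d: int, digest: bytes) -> bytes:
    """rsa_sign_message_with_digest path: KMS receives only the digest (MessageType=DIGEST)."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_sha256(digest, k), "big"), d, n).to_bytes(k, "big")

def sign_message_like_kms(n: int, d: int, message: bytes) -> bytes:
    """rsa_sign_message path: hash the message or file locally, then sign just the digest."""
    return sign_digest_like_kms(n, d, hashlib.sha256(message).digest())
```

Because both paths sign the same DigestInfo block, a signature made from a precomputed digest verifies against the full message, and a digest of any other length or algorithm is rejected before anything is sent.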