Importing an RSA Key as an External Key Version Using a Script

You can automate the import of RSA key material as a new key version for an existing RSA key by scripting the wrapping steps and the upload.

Note

If you're using macOS or Linux, you need to install the OpenSSL 1.1.1 series to run the commands. Because this script wraps the key material with the RSA_OAEP_AES_SHA256 algorithm (RSA encryption of a temporary AES key), you must also patch OpenSSL so that the enc command accepts the -id-aes256-wrap-pad cipher used below; see Configuring OpenSSL to Wrap Key Material. If you're using Windows, install Git Bash for Windows and run the commands with that tool.
Open a command prompt, and then run the following script, replacing example file names and values as appropriate:
#!/bin/bash

#
# This script is for demonstration purposes only. It provides
# a functioning set of calls to show how to import RSA keys 
# into the OCI Vault service.
#

set -e;
#set -x;

OPENSSL_PATH="<path to patched openssl.sh>"
PRIVATE_KEY="<path to target private key which needs to be imported>"
WRAPPING_KEY="<path to vault public wrapping key>"
KEY_OCID="<Key OCID of OCI Vault in which the key version will be created>"
WORK_DIR=$(mktemp -d -t kms_XXXX)   # created with mode 0700, so the intermediate files are private to you
BASE64="base64"

echo "Openssl Path: ${OPENSSL_PATH}"
echo "Work Dir: ${WORK_DIR}"

# Convert the private key to PKCS8 DER format (unencrypted; this is the plaintext that gets wrapped).
target_key_path="${WORK_DIR}/target_key.key"
"${OPENSSL_PATH}" pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in "${PRIVATE_KEY}" -out "${target_key_path}"

# Generate a temporary AES-256 key (32 random bytes).
temp_aes_key_path="${WORK_DIR}/temp_aes_key.key"
"${OPENSSL_PATH}" rand -out "${temp_aes_key_path}" 32

# Wrap the temporary AES key under the vault's public wrapping key by using RSA-OAEP with SHA-256.
wrapped_temp_aes_key="${WORK_DIR}/wrapped_temp_aes_key.bin"
"${OPENSSL_PATH}" pkeyutl -encrypt -in "${temp_aes_key_path}" -inkey "${WRAPPING_KEY}" -pubin -out "${wrapped_temp_aes_key}" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

# Wrap the target RSA key with the temporary AES key using AES Key Wrap with Padding (RFC 5649).
# A65959A6 is the alternative initial value defined by RFC 5649, not a secret.
wrapped_target_key="${WORK_DIR}/wrapped_target_key.bin"
temp_aes_key_hexdump=$(hexdump -v -e '/1 "%02x"' < "${temp_aes_key_path}")
"${OPENSSL_PATH}" enc -id-aes256-wrap-pad -iv A65959A6 -K "${temp_aes_key_hexdump}" -in "${target_key_path}" -out "${wrapped_target_key}"

# Create the wrapped key material: the wrapped AES key followed by the wrapped target key.
wrapped_key_material_bin="${WORK_DIR}/wrapped_key_material.bin"
cat "${wrapped_temp_aes_key}" "${wrapped_target_key}" > "${wrapped_key_material_bin}"

# The plaintext DER key and the temporary AES key are no longer needed; remove them from disk.
rm -f "${target_key_path}" "${temp_aes_key_path}"
unset temp_aes_key_hexdump

echo "Binary wrapped key for console is available at: ${wrapped_key_material_bin}"

#
# Base64 encode the payload for the CLI or API. The output must be a single line:
# GNU base64 accepts -w 0 for that, but the macOS base64 does not, so strip newlines instead.
#
wrapped_key_material_base64="${WORK_DIR}/wrapped_key_material.base64"
"${BASE64}" < "${wrapped_key_material_bin}" | tr -d '\n' > "${wrapped_key_material_base64}"
echo "Base64 encoded wrapped key for CLI or API is available at: ${wrapped_key_material_base64}"


##### 1. IMPORT NEW KEY_VERSION USING CONSOLE #####
# Browse to and upload the ${WORK_DIR}/wrapped_key_material.bin file in the import key version section of the console.

##### 2. IMPORT NEW KEY_VERSION USING OCI_CLI #####
# Reuse the single-line base64 file; a freshly wrapped base64 output would put newlines inside the JSON string.
# key_material=$(cat "${wrapped_key_material_base64}")
# echo "{ \"wrappingAlgorithm\": \"RSA_OAEP_AES_SHA256\", \"keyMaterial\": \"${key_material}\" }" > wrapped_import_key.json
#
# oci kms management key-version import --key-id "${KEY_OCID}" --wrapped-import-key file://wrapped_import_key.json