in kmsp11/object_loader.cc [32:71]
// Reports whether `key` passes the loader's purpose and protection-level
// filters. Every rejection is logged at INFO with the key name and the reason.
//
// A key is accepted only when all of the following hold:
//   * its purpose is ASYMMETRIC_DECRYPT, ASYMMETRIC_SIGN, MAC or
//     RAW_ENCRYPT_DECRYPT;
//   * the protection level in its version template is HSM or SOFTWARE;
//   * if that level is SOFTWARE, allow_software_keys_ is set.
//
// Security note: the last rule makes HSM-only the default. SOFTWARE keys are
// refused unless allow_software_keys_ is true, which the log text ties to the
// allow_software_keys configuration setting.
bool ObjectLoader::IsLoadable(const kms_v1::CryptoKey& key) {
  const auto purpose = key.purpose();
  const bool purpose_supported =
      purpose == kms_v1::CryptoKey::ASYMMETRIC_DECRYPT ||
      purpose == kms_v1::CryptoKey::ASYMMETRIC_SIGN ||
      purpose == kms_v1::CryptoKey::MAC ||
      purpose == kms_v1::CryptoKey::RAW_ENCRYPT_DECRYPT;
  if (!purpose_supported) {
    LOG(INFO) << "INFO: key " << key.name()
              << " is not loadable due to unsupported purpose "
              << EnumNameOrValue(
                     kms_v1::CryptoKey::CryptoKeyPurpose_Name(purpose),
                     purpose);
    return false;
  }

  // The level is read from the key's version template, not from any
  // individual key version.
  const auto level = key.version_template().protection_level();
  const bool is_hsm = level == kms_v1::ProtectionLevel::HSM;
  const bool is_software = level == kms_v1::ProtectionLevel::SOFTWARE;

  // Anything other than HSM or SOFTWARE is refused outright.
  if (!(is_hsm || is_software)) {
    LOG(INFO) << "INFO: key " << key.name()
              << " is not loadable due to unsupported protection level "
              << EnumNameOrValue(kms_v1::ProtectionLevel_Name(level), level);
    return false;
  }

  // SOFTWARE keys need the explicit opt-in; without it only HSM keys load.
  if (is_software && !allow_software_keys_) {
    LOG(INFO) << "INFO: key " << key.name()
              << " is not loadable because it has protection level = "
                 "SOFTWARE but only keys with protection level = HSM are "
                 "allowed. If you want to be able to use software keys, use "
                 "allow_software_keys in the configuration.";
    return false;
  }

  return true;
}