absl::StatusOr<kms_v1::CryptoKeyVersion> CreateNewVersionOfExistingKey()

in kmsp11/session.cc [129:191]


// Creates a new CryptoKeyVersion under an existing CryptoKey, after checking
// that the attributes the caller asked for agree with the key as it exists.
//
// The checks run in this order. Each failure returns kInvalidArgument with
// CKR_ARGUMENTS_BAD, and the client is not called:
//   1. the requested purpose equals the key's purpose;
//   2. the requested algorithm equals the key's version-template algorithm;
//   3. the requested protection level, when one was supplied, equals the
//      key's version-template protection level;
//   4. the key's protection level is in the allowed set, which is HSM always
//      and SOFTWARE only when allow_software_keys is true.
//
// When every check passes, returns the result of
// client.CreateCryptoKeyVersionAndWait for a request whose only populated
// field is the parent key name.
absl::StatusOr<kms_v1::CryptoKeyVersion> CreateNewVersionOfExistingKey(
    const KmsClient& client, const kms_v1::CryptoKey& crypto_key,
    const KeyGenerationParams& gen_params, bool allow_software_keys) {
  // Read the existing key's attributes once; every check compares against
  // them.
  const auto& key_template = crypto_key.version_template();
  const auto existing_purpose = crypto_key.purpose();
  const auto existing_algorithm = key_template.algorithm();
  const auto existing_level = key_template.protection_level();

  if (existing_purpose != gen_params.algorithm.purpose) {
    return NewError(
        absl::StatusCode::kInvalidArgument,
        absl::StrFormat(
            "key attribute mismatch when attempting to "
            "create new version of existing key: "
            "current purpose=%d, requested purpose=%d",
            existing_purpose, gen_params.algorithm.purpose),
        CKR_ARGUMENTS_BAD, SOURCE_LOCATION);
  }

  if (existing_algorithm != gen_params.algorithm.algorithm) {
    return NewError(
        absl::StatusCode::kInvalidArgument,
        absl::StrFormat(
            "key attribute mismatch when attempting to "
            "create new version of existing key: "
            "current algorithm=%d, requested algorithm=%d",
            existing_algorithm, gen_params.algorithm.algorithm),
        CKR_ARGUMENTS_BAD, SOURCE_LOCATION);
  }

  // A protection level in the generation params is optional. When present it
  // must match the key exactly; when absent only the allow-list below applies.
  if (gen_params.protection_level.has_value()) {
    const auto requested_level = *gen_params.protection_level;
    if (requested_level != existing_level) {
      return NewError(
          absl::StatusCode::kInvalidArgument,
          absl::StrFormat(
              "key attribute mismatch when attempting to "
              "create new version of existing key: "
              "current protection_level=%d, requested protection_level=%d",
              existing_level, requested_level),
          CKR_ARGUMENTS_BAD, SOURCE_LOCATION);
    }
  }

  // Allow-list of protection levels. HSM is always accepted; SOFTWARE is added
  // only when the caller opted in, so the default is hardware-backed keys
  // only. This check runs even when the params carried no protection level.
  absl::flat_hash_set<kms_v1::ProtectionLevel> permitted_levels = {
      kms_v1::HSM};
  if (allow_software_keys) {
    permitted_levels.insert(kms_v1::SOFTWARE);
  }
  const bool level_permitted = permitted_levels.contains(existing_level);
  if (!level_permitted) {
    // NOTE(review): flat_hash_set iteration order is unspecified, so when two
    // levels are allowed their order in this message can vary between runs.
    return NewError(
        absl::StatusCode::kInvalidArgument,
        absl::StrFormat(
            "key attribute mismatch when attempting to "
            "create new version of existing key: "
            "current protection_level=%d, allowed protection_level=%s",
            existing_level, absl::StrJoin(permitted_levels, " or ")),
        CKR_ARGUMENTS_BAD, SOURCE_LOCATION);
  }

  // The request names only the parent key; no algorithm or protection level
  // is sent. Presumably the service derives them from the key's version
  // template, which would be why the checks above come first - confirm
  // against the KMS API.
  kms_v1::CreateCryptoKeyVersionRequest create_request;
  create_request.set_parent(crypto_key.name());
  return client.CreateCryptoKeyVersionAndWait(create_request);
}