rebase: bump github.com/IBM/keyprotect-go-client from 0.7.0 to 0.8.0

Bumps [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) from 0.7.0 to 0.8.0. - [Release notes](https://github.com/IBM/keyprotect-go-client/releases) - [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.7.0...v0.8.0) --- updated-dependencies: - dependency-name: github.com/IBM/keyprotect-go-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 10:33:35 +00:00 · 2022-06-27 20:15:13 +00:00
parent d6719c4d62
commit 4b709310e2
17 changed files with 721 additions and 168 deletions
--- a/vendor/github.com/IBM/keyprotect-go-client/README.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/README.md
@ -119,18 +119,18 @@ crkID := key.ID
 myDEK := []byte{"thisisadataencryptionkey"}
 // Do some encryption with myDEK
 // Wrap the DEK so we can safely store it
-wrappedDEK, err := client.Wrap(ctx, crkID, myDEK, nil)
+wrappedDEK, err := client.Wrap(ctx, crkIDOrAlias, myDEK, nil)


 // Unwrap the DEK
-dek, err := client.Unwrap(ctx, crkID, wrappedDEK, nil)
+dek, err := client.Unwrap(ctx, crkIDOrAlias, wrappedDEK, nil)
 // Do some encryption/decryption using the DEK
 // Discard the DEK
 dek = nil
 ```

 Note you can also pass additional authentication data (AAD) to wrap and unwrap calls
-to provide another level of protection for your DEK.  The AAD is a string array with 
+to provide another level of protection for your DEK.  The AAD is a string array with
 each element up to 255 chars.  For example:

 ```go
@ -138,11 +138,11 @@ myAAD := []string{"First aad string", "second aad string", "third aad string"}
 myDEK := []byte{"thisisadataencryptionkey"}
 // Do some encryption with myDEK
 // Wrap the DEK so we can safely store it
-wrappedDEK, err := client.Wrap(ctx, crkID, myDEK, &myAAD)
+wrappedDEK, err := client.Wrap(ctx, crkIDOrAlias, myDEK, &myAAD)


 // Unwrap the DEK
-dek, err := client.Unwrap(ctx, crkID, wrappedDEK, &myAAD)
+dek, err := client.Unwrap(ctx, crkIDOrAlias, wrappedDEK, &myAAD)
 // Do some encryption/decryption using the DEK
 // Discard the DEK
 dek = nil
@ -151,7 +151,7 @@ dek = nil
 Have key protect create a DEK for you:

 ```go
-dek, wrappedDek, err := client.WrapCreateDEK(ctx, crkID, nil)
+dek, wrappedDek, err := client.WrapCreateDEK(ctx, crkIDOrAlias, nil)
 // Do some encrypt/decrypt with the dek
 // Discard the DEK
 dek = nil
@ -163,7 +163,7 @@ Can also specify AAD:

 ```go
 myAAD := []string{"First aad string", "second aad string", "third aad string"}
-dek, wrappedDek, err := client.WrapCreateDEK(ctx, crkID, &myAAD)
+dek, wrappedDek, err := client.WrapCreateDEK(ctx, crkIDOrAlias, &myAAD)
 // Do some encrypt/decrypt with the dek
 // Discard the DEK
 dek = nil
@ -171,3 +171,46 @@ dek = nil
 // Save the wrapped DEK for later.  Call Unwrap to use it, make
 // sure to specify the same AAD.
 ```
+### Fetching List Key Versions With Parameters.
+
+```go
+
+limit := uint32(2)
+offset := uint32(0)
+totalCount := true
+
+listkeyVersionsOptions := &kp.ListKeyVersionsOptions{
+  Limit : &limit,
+  Offset : &offset,
+  TotalCount : &totalCount,
+}
+
+keyVersions, err := client.ListKeyVersions(ctx, "key_id_or_alias", listkeyVersionsOptions)
+if err != nil {
+    fmt.Println(err)
+}
+fmt.Println(keyVersions)
+```
+
+### Fetching List Key With Parameters.
+
+```go
+
+limit := uint32(5)
+offset := uint32(0)
+extractable := false
+keyStates := []kp.KeyState{kp.KeyState(kp.Active), kp.KeyState(kp.Suspended)}
+
+listKeysOptions := &kp.ListKeysOptions{
+  Limit : &limit,
+  Offset : &offset,
+  Extractable : &extractable,
+  State : keyStates,
+}
+
+keys, err := client.ListKeys(ctx, listKeysOptions)
+if err != nil {
+    fmt.Println(err)
+}
+fmt.Println(keys)
+```
--- a/vendor/github.com/IBM/keyprotect-go-client/import_token.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/import_token.go
@ -32,7 +32,13 @@ import (
 	"time"
 )

-const importTokenEncAlgo = "RSAES_OAEP_SHA_256" // currently the only one supported
+// EncryptionAlgorithm represents the encryption algorithm used for key creation
+const (
+	// AlgorithmRSAOAEP256 denotes RSA OAEP SHA 256 encryption, supported by KP
+	AlgorithmRSAOAEP256 string = "RSAES_OAEP_SHA_256"
+	// AlgorithmRSAOAEP1 denotes RSA OAEP SHA 1 encryption, supported by HPCS
+	AlgorithmRSAOAEP1 string = "RSAES_OAEP_SHA_1"
+)

 // ImportTokenCreateRequest represents request parameters for creating a
 // ImportToken.
--- a/vendor/github.com/IBM/keyprotect-go-client/key_alias.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/key_alias.go
@ -33,9 +33,9 @@ type KeyAliases struct {
 // An alias name acts as an identifier just like key ID
 // For more information please refer to the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-create-key-alias#create-key-alias-api
-func (c *Client) CreateKeyAlias(ctx context.Context, aliasName, keyID string) (*KeyAlias, error) {
+func (c *Client) CreateKeyAlias(ctx context.Context, aliasName, idOrAlias string) (*KeyAlias, error) {

-	req, err := c.newRequest("POST", fmt.Sprintf(requestPath, keyID, aliasName), nil)
+	req, err := c.newRequest("POST", fmt.Sprintf(requestPath, idOrAlias, aliasName), nil)
 	if err != nil {
 		return nil, err
 	}
@ -56,9 +56,9 @@ func (c *Client) CreateKeyAlias(ctx context.Context, aliasName, keyID string) (*
 // DeleteKeyAlias deletes an alias name associated with a key
 // For more information please refer to the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-create-key-alias#delete-key-alias
-func (c *Client) DeleteKeyAlias(ctx context.Context, aliasName, keyID string) error {
+func (c *Client) DeleteKeyAlias(ctx context.Context, aliasName, idOrAlias string) error {

-	req, err := c.newRequest("DELETE", fmt.Sprintf(requestPath, keyID, aliasName), nil)
+	req, err := c.newRequest("DELETE", fmt.Sprintf(requestPath, idOrAlias, aliasName), nil)
 	if err != nil {
 		return err
 	}
--- a/vendor/github.com/IBM/keyprotect-go-client/keys.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/keys.go
@ -21,6 +21,7 @@ import (
 	"log"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 )

@ -38,6 +39,17 @@ var (
 // PreferReturn designates the value for the "Prefer" header.
 type PreferReturn int

+type KeyState uint32
+
+// https://cloud.ibm.com/docs/key-protect?topic=key-protect-key-states
+const (
+	Active KeyState = iota + 1
+	Suspended
+	Deactivated
+	_
+	Destroyed
+)
+
 // Key represents a key as returned by the KP API.
 type Key struct {
 	ID                  string      `json:"id,omitempty"`
@ -65,6 +77,9 @@ type Key struct {
 	Deleted             *bool       `json:"deleted,omitempty"`
 	DeletedBy           *string     `json:"deletedBy,omitempty"`
 	DeletionDate        *time.Time  `json:"deletionDate,omitempty"`
+	PurgeAllowed        *bool       `json:"purgeAllowed,omitempty"`
+	PurgeAllowedFrom    *time.Time  `json:"purgeAllowedFrom,omitempty"`
+	PurgeScheduledOn    *time.Time  `json:"purgeScheduledOn,omitempty"`
 	DualAuthDelete      *DualAuth   `json:"dualAuthDelete,omitempty"`
 }

@ -80,13 +95,27 @@ type Keys struct {
 	Keys     []Key        `json:"resources"`
 }

+type KeyVersionsMetadata struct {
+	CollectionType  string  `json:"collectionType"`
+	CollectionTotal *uint32 `json:"collectionTotal"`
+	TotalCount      *uint32 `json:"totalCount,omitempty"`
+}
+
+type KeyVersions struct {
+	Metadata   KeyVersionsMetadata `json:"metadata"`
+	KeyVersion []KeyVersion        `json:"resources"`
+}
+
 // KeysActionRequest represents request parameters for a key action
 // API call.
 type KeysActionRequest struct {
-	PlainText  string   `json:"plaintext,omitempty"`
-	AAD        []string `json:"aad,omitempty"`
-	CipherText string   `json:"ciphertext,omitempty"`
-	Payload    string   `json:"payload,omitempty"`
+	PlainText           string   `json:"plaintext,omitempty"`
+	AAD                 []string `json:"aad,omitempty"`
+	CipherText          string   `json:"ciphertext,omitempty"`
+	Payload             string   `json:"payload,omitempty"`
+	EncryptedNonce      string   `json:"encryptedNonce,omitempty"`
+	IV                  string   `json:"iv,omitempty"`
+	EncryptionAlgorithm string   `json:"encryptionAlgorithm,omitempty"`
 }

 type KeyVersion struct {
@ -101,23 +130,14 @@ func (c *Client) CreateKey(ctx context.Context, name string, expiration *time.Ti

 // CreateImportedKey creates a new KP key from the given key material.
 func (c *Client) CreateImportedKey(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool) (*Key, error) {
-	key := Key{
-		Name:        name,
-		Type:        keyType,
-		Extractable: extractable,
-		Payload:     payload,
-	}
-
-	if payload != "" && encryptedNonce != "" && iv != "" {
-		key.EncryptedNonce = encryptedNonce
-		key.IV = iv
-		key.EncryptionAlgorithm = importTokenEncAlgo
-	}
-
-	if expiration != nil {
-		key.Expiration = expiration
-	}
+	key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, nil, AlgorithmRSAOAEP256)
+	return c.createKey(ctx, key)
+}

+// CreateImportedKeyWithSHA1 creates a new KP key from the given key material
+// using RSAES OAEP SHA 1 as encryption algorithm.
+func (c *Client) CreateImportedKeyWithSHA1(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
+	key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP1)
 	return c.createKey(ctx, key)
 }

@ -160,25 +180,33 @@ func (c *Client) CreateKeyWithAliases(ctx context.Context, name string, expirati
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-root-keys#import-root-key-api
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-import-standard-keys#import-standard-key-gui
 func (c *Client) CreateImportedKeyWithAliases(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string) (*Key, error) {
+	key := c.createKeyTemplate(ctx, name, expiration, payload, encryptedNonce, iv, extractable, aliases, AlgorithmRSAOAEP256)
+	return c.createKey(ctx, key)
+}
+
+func (c *Client) createKeyTemplate(ctx context.Context, name string, expiration *time.Time, payload, encryptedNonce, iv string, extractable bool, aliases []string, encryptionAlgorithm string) Key {
 	key := Key{
 		Name:        name,
 		Type:        keyType,
 		Extractable: extractable,
 		Payload:     payload,
-		Aliases:     aliases,
+	}
+
+	if aliases != nil {
+		key.Aliases = aliases
 	}

 	if !extractable && payload != "" && encryptedNonce != "" && iv != "" {
 		key.EncryptedNonce = encryptedNonce
 		key.IV = iv
-		key.EncryptionAlgorithm = importTokenEncAlgo
+		key.EncryptionAlgorithm = encryptionAlgorithm
 	}

 	if expiration != nil {
 		key.Expiration = expiration
 	}

-	return c.createKey(ctx, key)
+	return key
 }

 func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) {
@ -203,6 +231,36 @@ func (c *Client) createKey(ctx context.Context, key Key) (*Key, error) {
 	return &keysResponse.Keys[0], nil
 }

+// SetKeyRing method transfers a key associated with one key ring to another key ring
+// For more information please refer to the link below:
+// https://cloud.ibm.com/docs/key-protect?topic=key-protect-grouping-keys#transfer-key-key-ring
+func (c *Client) SetKeyRing(ctx context.Context, idOrAlias, newKeyRingID string) (*Key, error) {
+	if idOrAlias == "" {
+		return nil, fmt.Errorf("Please provide a valid key ID or alias")
+	}
+
+	if newKeyRingID == "" {
+		return nil, fmt.Errorf("Please provide a valid key ring id")
+	}
+
+	keyRingRequestBody := struct {
+		KeyRingID string
+	}{
+		KeyRingID: newKeyRingID,
+	}
+
+	req, err := c.newRequest("PATCH", fmt.Sprintf("keys/%s", idOrAlias), keyRingRequestBody)
+	if err != nil {
+		return nil, err
+	}
+
+	response := Keys{}
+	if _, err := c.do(ctx, req, &response); err != nil {
+		return nil, err
+	}
+	return &response.Keys[0], nil
+}
+
 // GetKeys retrieves a collection of keys that can be paged through.
 func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, error) {
 	if limit == 0 {
@ -228,6 +286,55 @@ func (c *Client) GetKeys(ctx context.Context, limit int, offset int) (*Keys, err
 	return &keys, nil
 }

+//ListKeysOptions struct to add the query parameters for the List Keys function
+type ListKeysOptions struct {
+	Extractable *bool
+	Limit       *uint32
+	Offset      *uint32
+	State       []KeyState
+}
+
+// ListKeys retrieves a list of keys that are stored in your Key Protect service instance.
+// https://cloud.ibm.com/apidocs/key-protect#getkeys
+func (c *Client) ListKeys(ctx context.Context, listKeysOptions *ListKeysOptions) (*Keys, error) {
+
+	req, err := c.newRequest("GET", "keys", nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// extracting the query parameters and encoding the same in the request url
+	if listKeysOptions != nil {
+		values := req.URL.Query()
+		if listKeysOptions.Limit != nil {
+			values.Set("limit", fmt.Sprint(*listKeysOptions.Limit))
+		}
+		if listKeysOptions.Offset != nil {
+			values.Set("offset", fmt.Sprint(*listKeysOptions.Offset))
+		}
+		if listKeysOptions.State != nil {
+			var states []string
+			for _, i := range listKeysOptions.State {
+				states = append(states, strconv.Itoa(int(i)))
+			}
+
+			values.Set("state", strings.Join(states, ","))
+		}
+		if listKeysOptions.Extractable != nil {
+			values.Set("extractable", fmt.Sprint(*listKeysOptions.Extractable))
+		}
+		req.URL.RawQuery = values.Encode()
+	}
+
+	keys := Keys{}
+	_, err = c.do(ctx, req, &keys)
+	if err != nil {
+		return nil, err
+	}
+
+	return &keys, nil
+}
+
 // GetKey retrieves a key by ID or alias name.
 // For more information on Key Alias please refer to the link below
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-retrieve-key
@ -245,10 +352,10 @@ func (c *Client) GetKeyMetadata(ctx context.Context, idOrAlias string) (*Key, er
 	return c.getKey(ctx, idOrAlias, "keys/%s/metadata")
 }

-func (c *Client) getKey(ctx context.Context, id string, path string) (*Key, error) {
+func (c *Client) getKey(ctx context.Context, idOrAlias string, path string) (*Key, error) {
 	keys := Keys{}

-	req, err := c.newRequest("GET", fmt.Sprintf(path, id), nil)
+	req, err := c.newRequest("GET", fmt.Sprintf(path, idOrAlias), nil)
 	if err != nil {
 		return nil, err
 	}
@ -267,10 +374,51 @@ type ForceOpt struct {
 	Force bool
 }

-// DeleteKey deletes a key resource by specifying the ID of the key.
-func (c *Client) DeleteKey(ctx context.Context, id string, prefer PreferReturn, callOpts ...CallOpt) (*Key, error) {
+// ListKeyVersionsOptions struct to add the query parameters for the ListKeyVersions function
+type ListKeyVersionsOptions struct {
+	Limit      *uint32
+	Offset     *uint32
+	TotalCount *bool
+}

-	req, err := c.newRequest("DELETE", fmt.Sprintf("keys/%s", id), nil)
+// ListKeyVersions gets all the versions of the key resource by specifying ID of the key and/or optional parameters
+// https://cloud.ibm.com/apidocs/key-protect#getkeyversions
+func (c *Client) ListKeyVersions(ctx context.Context, idOrAlias string, listKeyVersionsOptions *ListKeyVersionsOptions) (*KeyVersions, error) {
+	keyVersion := KeyVersions{}
+	// forming the request
+	req, err := c.newRequest("GET", fmt.Sprintf("keys/%s/versions", idOrAlias), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// extracting the query parameters and encoding the same in the request url
+	if listKeyVersionsOptions != nil {
+		values := req.URL.Query()
+		if listKeyVersionsOptions.Limit != nil {
+			values.Set("limit", fmt.Sprint(*listKeyVersionsOptions.Limit))
+		}
+		if listKeyVersionsOptions.Offset != nil {
+			values.Set("offset", fmt.Sprint(*listKeyVersionsOptions.Offset))
+		}
+		if listKeyVersionsOptions.TotalCount != nil {
+			values.Set("totalCount", fmt.Sprint(*listKeyVersionsOptions.TotalCount))
+		}
+		req.URL.RawQuery = values.Encode()
+	}
+
+	//making a request
+	_, err = c.do(ctx, req, &keyVersion)
+	if err != nil {
+		return nil, err
+	}
+
+	return &keyVersion, nil
+}
+
+// DeleteKey deletes a key resource by specifying the ID of the key.
+func (c *Client) DeleteKey(ctx context.Context, idOrAlias string, prefer PreferReturn, callOpts ...CallOpt) (*Key, error) {
+
+	req, err := c.newRequest("DELETE", fmt.Sprintf("keys/%s", idOrAlias), nil)
 	if err != nil {
 		return nil, err
 	}
@ -301,12 +449,37 @@ func (c *Client) DeleteKey(ctx context.Context, id string, prefer PreferReturn,
 	return nil, nil
 }

+// Purge key method shreds all the metadata and registrations associated with a key that has been
+// deleted. The purge operation is allowed to be performed on a key from 4 hours after its deletion
+// and its action is irreversible.
+// For more information please refer to the link below:
+// https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-keys#delete-keys-key-purge
+func (c *Client) PurgeKey(ctx context.Context, idOrAlias string, prefer PreferReturn) (*Key, error) {
+	req, err := c.newRequest("DELETE", fmt.Sprintf("keys/%s/purge", idOrAlias), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Prefer", preferHeaders[prefer])
+
+	keys := Keys{}
+	_, err = c.do(ctx, req, &keys)
+	if err != nil {
+		return nil, err
+	}
+	if len(keys.Keys) > 0 {
+		return &keys.Keys[0], nil
+	}
+
+	return nil, nil
+}
+
 // RestoreKey method reverts a delete key status to active key
 // This method performs restore of any key from deleted state to active state.
 // For more information please refer to the link below:
-// https://cloud.ibm.com/dowcs/key-protect?topic=key-protect-restore-keys
-func (c *Client) RestoreKey(ctx context.Context, id string) (*Key, error) {
-	req, err := c.newRequest("POST", fmt.Sprintf("keys/%s/restore", id), nil)
+// https://cloud.ibm.com/docs/key-protect?topic=key-protect-restore-keys
+func (c *Client) RestoreKey(ctx context.Context, idOrAlias string) (*Key, error) {
+	req, err := c.newRequest("POST", fmt.Sprintf("keys/%s/restore", idOrAlias), nil)
 	if err != nil {
 		return nil, err
 	}
@ -322,17 +495,17 @@ func (c *Client) RestoreKey(ctx context.Context, id string) (*Key, error) {
 }

 // Wrap calls the wrap action with the given plain text.
-func (c *Client) Wrap(ctx context.Context, id string, plainText []byte, additionalAuthData *[]string) ([]byte, error) {
-	_, ct, err := c.wrap(ctx, id, plainText, additionalAuthData)
+func (c *Client) Wrap(ctx context.Context, idOrAlias string, plainText []byte, additionalAuthData *[]string) ([]byte, error) {
+	_, ct, err := c.wrap(ctx, idOrAlias, plainText, additionalAuthData)
 	return ct, err
 }

 // WrapCreateDEK calls the wrap action without plain text.
-func (c *Client) WrapCreateDEK(ctx context.Context, id string, additionalAuthData *[]string) ([]byte, []byte, error) {
-	return c.wrap(ctx, id, nil, additionalAuthData)
+func (c *Client) WrapCreateDEK(ctx context.Context, idOrAlias string, additionalAuthData *[]string) ([]byte, []byte, error) {
+	return c.wrap(ctx, idOrAlias, nil, additionalAuthData)
 }

-func (c *Client) wrap(ctx context.Context, id string, plainText []byte, additionalAuthData *[]string) ([]byte, []byte, error) {
+func (c *Client) wrap(ctx context.Context, idOrAlias string, plainText []byte, additionalAuthData *[]string) ([]byte, []byte, error) {
 	keysActionReq := &KeysActionRequest{}

 	if plainText != nil {
@ -347,7 +520,7 @@ func (c *Client) wrap(ctx context.Context, id string, plainText []byte, addition
 		keysActionReq.AAD = *additionalAuthData
 	}

-	keysAction, err := c.doKeysAction(ctx, id, "wrap", keysActionReq)
+	keysAction, err := c.doKeysAction(ctx, idOrAlias, "wrap", keysActionReq)
 	if err != nil {
 		return nil, nil, err
 	}
@ -359,8 +532,8 @@ func (c *Client) wrap(ctx context.Context, id string, plainText []byte, addition
 }

 // Unwrap is deprecated since it returns only plaintext and doesn't know how to handle rotation.
-func (c *Client) Unwrap(ctx context.Context, id string, cipherText []byte, additionalAuthData *[]string) ([]byte, error) {
-	plainText, _, err := c.UnwrapV2(ctx, id, cipherText, additionalAuthData)
+func (c *Client) Unwrap(ctx context.Context, idOrAlias string, cipherText []byte, additionalAuthData *[]string) ([]byte, error) {
+	plainText, _, err := c.UnwrapV2(ctx, idOrAlias, cipherText, additionalAuthData)
 	if err != nil {
 		return nil, err
 	}
@ -368,7 +541,7 @@ func (c *Client) Unwrap(ctx context.Context, id string, cipherText []byte, addit
 }

 // Unwrap with rotation support.
-func (c *Client) UnwrapV2(ctx context.Context, id string, cipherText []byte, additionalAuthData *[]string) ([]byte, []byte, error) {
+func (c *Client) UnwrapV2(ctx context.Context, idOrAlias string, cipherText []byte, additionalAuthData *[]string) ([]byte, []byte, error) {

 	keysAction := &KeysActionRequest{
 		CipherText: string(cipherText),
@ -378,7 +551,7 @@ func (c *Client) UnwrapV2(ctx context.Context, id string, cipherText []byte, add
 		keysAction.AAD = *additionalAuthData
 	}

-	respAction, err := c.doKeysAction(ctx, id, "unwrap", keysAction)
+	respAction, err := c.doKeysAction(ctx, idOrAlias, "unwrap", keysAction)
 	if err != nil {
 		return nil, nil, err
 	}
@ -390,13 +563,13 @@ func (c *Client) UnwrapV2(ctx context.Context, id string, cipherText []byte, add
 }

 // Rotate rotates a CRK.
-func (c *Client) Rotate(ctx context.Context, id, payload string) error {
+func (c *Client) Rotate(ctx context.Context, idOrAlias, payload string) error {

 	actionReq := &KeysActionRequest{
 		Payload: payload,
 	}

-	_, err := c.doKeysAction(ctx, id, "rotate", actionReq)
+	_, err := c.doKeysAction(ctx, idOrAlias, "rotate", actionReq)
 	if err != nil {
 		return err
 	}
@ -404,12 +577,78 @@ func (c *Client) Rotate(ctx context.Context, id, payload string) error {
 	return nil
 }

+type KeyPayload struct {
+	payload             string
+	encryptedNonce      string
+	iv                  string
+	encryptionAlgorithm string
+}
+
+func NewKeyPayload(payload, encryptedNonce, iv string) KeyPayload {
+	kp := KeyPayload{
+		payload:        payload,
+		encryptedNonce: encryptedNonce,
+		iv:             iv,
+	}
+	return kp
+}
+
+// EncryptWithRSA256 sets the encryption algorithm for key create to RSAES_OAEP_SHA_256
+// This is the default algorithm for key creation under Key Protect service
+func (kp KeyPayload) WithRSA256() KeyPayload {
+	kp.encryptionAlgorithm = "RSAES_OAEP_SHA_256"
+	return kp
+}
+
+// EncryptWithRSA1 sets the encryption algorithm for key create to RSAES_OAEP_SHA_1
+// This algorithm is only supported by the Hyper Protect(HPCS) service
+func (kp KeyPayload) WithRSA1() KeyPayload {
+	kp.encryptionAlgorithm = "RSAES_OAEP_SHA_1"
+	return kp
+}
+
+// RotateV2 methods supports rotation of a root key with or without payload and also rotate a
+// securely imported root key.
+func (c *Client) RotateV2(ctx context.Context, idOrAlias string, new_key *KeyPayload) error {
+	var actionReq *KeysActionRequest
+	if new_key != nil {
+		actionReq = &KeysActionRequest{
+			Payload:             new_key.payload,
+			EncryptedNonce:      new_key.encryptedNonce,
+			IV:                  new_key.iv,
+			EncryptionAlgorithm: new_key.encryptionAlgorithm,
+		}
+	}
+
+	_, err := c.doKeysAction(ctx, idOrAlias, "rotate", actionReq)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// SyncAssociatedResources method executes the sync request which verifies and updates
+// the resources associated with the key.
+// For more information please refer to the link below
+// https://cloud.ibm.com/docs/key-protect?topic=key-protect-sync-associated-resources
+func (c *Client) SyncAssociatedResources(ctx context.Context, idOrAlias string) error {
+	req, err := c.newRequest("POST", fmt.Sprintf("keys/%s/actions/sync", idOrAlias), nil)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.do(ctx, req, nil)
+
+	return err
+}
+
 // Disable a key. The key will not be deleted but it will not be active
 // and key operations cannot be performed on a disabled key.
 // For more information can refer to the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-disable-keys
-func (c *Client) DisableKey(ctx context.Context, id string) error {
-	_, err := c.doKeysAction(ctx, id, "disable", nil)
+func (c *Client) DisableKey(ctx context.Context, idOrAlias string) error {
+	_, err := c.doKeysAction(ctx, idOrAlias, "disable", nil)
 	return err
 }

@ -418,8 +657,8 @@ func (c *Client) DisableKey(ctx context.Context, id string) error {
 // Note: This does not recover Deleted keys.
 // For more information can refer to the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-disable-keys#enable-api
-func (c *Client) EnableKey(ctx context.Context, id string) error {
-	_, err := c.doKeysAction(ctx, id, "enable", nil)
+func (c *Client) EnableKey(ctx context.Context, idOrAlias string) error {
+	_, err := c.doKeysAction(ctx, idOrAlias, "enable", nil)
 	return err
 }

@ -427,8 +666,8 @@ func (c *Client) EnableKey(ctx context.Context, id string) error {
 // After the key is set to deletion it can be deleted by another user who has Manager access.
 // For more information refer to the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-dual-auth-keys#set-key-deletion-api
-func (c *Client) InitiateDualAuthDelete(ctx context.Context, id string) error {
-	_, err := c.doKeysAction(ctx, id, "setKeyForDeletion", nil)
+func (c *Client) InitiateDualAuthDelete(ctx context.Context, idOrAlias string) error {
+	_, err := c.doKeysAction(ctx, idOrAlias, "setKeyForDeletion", nil)
 	return err
 }

@ -436,25 +675,20 @@ func (c *Client) InitiateDualAuthDelete(ctx context.Context, id string) error {
 // be prevented from getting deleted by unsetting the key for deletion.
 // For more information refer to the Key Protect docs in the link below:
 //https://cloud.ibm.com/docs/key-protect?topic=key-protect-delete-dual-auth-keys#unset-key-deletion-api
-func (c *Client) CancelDualAuthDelete(ctx context.Context, id string) error {
-	_, err := c.doKeysAction(ctx, id, "unsetKeyForDeletion", nil)
+func (c *Client) CancelDualAuthDelete(ctx context.Context, idOrAlias string) error {
+	_, err := c.doKeysAction(ctx, idOrAlias, "unsetKeyForDeletion", nil)
 	return err
 }

 // doKeysAction calls the KP Client to perform an action on a key.
-func (c *Client) doKeysAction(ctx context.Context, id string, action string, keysActionReq *KeysActionRequest) (*KeysActionRequest, error) {
+func (c *Client) doKeysAction(ctx context.Context, idOrAlias string, action string, keysActionReq *KeysActionRequest) (*KeysActionRequest, error) {
 	keyActionRsp := KeysActionRequest{}

-	v := url.Values{}
-	v.Set("action", action)
-
-	req, err := c.newRequest("POST", fmt.Sprintf("keys/%s", id), keysActionReq)
+	req, err := c.newRequest("POST", fmt.Sprintf("keys/%s/actions/%s", idOrAlias, action), keysActionReq)
 	if err != nil {
 		return nil, err
 	}

-	req.URL.RawQuery = v.Encode()
-
 	_, err = c.do(ctx, req, &keyActionRsp)
 	if err != nil {
 		return nil, err
--- a/vendor/github.com/IBM/keyprotect-go-client/policy.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/policy.go
@ -59,15 +59,15 @@ type Policies struct {
 	Policies []Policy         `json:"resources"`
 }

-// GetPolicy retrieves a policy by Key ID. This function is
+// GetPolicy retrieves a policy by Key ID or alias. This function is
 // deprecated, as it only returns one policy and does not let you
 // select which policy set it will return. It is kept for backward
 // compatibility on keys with only one rotation policy. Please update
 // to use the new GetPolicies or Get<type>Policy functions.
-func (c *Client) GetPolicy(ctx context.Context, id string) (*Policy, error) {
+func (c *Client) GetPolicy(ctx context.Context, idOrAlias string) (*Policy, error) {
 	policyresponse := Policies{}

-	req, err := c.newRequest("GET", fmt.Sprintf("keys/%s/policies", id), nil)
+	req, err := c.newRequest("GET", fmt.Sprintf("keys/%s/policies", idOrAlias), nil)
 	if err != nil {
 		return nil, err
 	}
@ -84,7 +84,7 @@ func (c *Client) GetPolicy(ctx context.Context, id string) (*Policy, error) {
 // the rotation interval needed. This function is deprecated as it will only
 // let you set key rotation  policies. To set dual auth and other newer policies
 // on a key, please use the new SetPolicies of Set<type>Policy functions.
-func (c *Client) SetPolicy(ctx context.Context, id string, prefer PreferReturn, rotationInterval int) (*Policy, error) {
+func (c *Client) SetPolicy(ctx context.Context, idOrAlias string, prefer PreferReturn, rotationInterval int) (*Policy, error) {

 	policy := Policy{
 		Type: policyType,
@ -103,7 +103,7 @@ func (c *Client) SetPolicy(ctx context.Context, id string, prefer PreferReturn,

 	policyresponse := Policies{}

-	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", id), &policyRequest)
+	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", idOrAlias), &policyRequest)
 	if err != nil {
 		return nil, err
 	}
@ -118,11 +118,11 @@ func (c *Client) SetPolicy(ctx context.Context, id string, prefer PreferReturn,
 	return &policyresponse.Policies[0], nil
 }

-// GetPolicies retrieves all policies details associated with a Key ID.
-func (c *Client) GetPolicies(ctx context.Context, id string) ([]Policy, error) {
+// GetPolicies retrieves all policies details associated with a Key ID or alias.
+func (c *Client) GetPolicies(ctx context.Context, idOrAlias string) ([]Policy, error) {
 	policyresponse := Policies{}

-	req, err := c.newRequest("GET", fmt.Sprintf("keys/%s/policies", id), nil)
+	req, err := c.newRequest("GET", fmt.Sprintf("keys/%s/policies", idOrAlias), nil)
 	if err != nil {
 		return nil, err
 	}
@ -155,10 +155,10 @@ func (c *Client) getPolicy(ctx context.Context, id, policyType string, policyres
 // GetRotationPolivy method retrieves rotation policy details of a key
 // For more information can refet the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#view-rotation-policy-api
-func (c *Client) GetRotationPolicy(ctx context.Context, id string) (*Policy, error) {
+func (c *Client) GetRotationPolicy(ctx context.Context, idOrAlias string) (*Policy, error) {
 	policyresponse := Policies{}

-	err := c.getPolicy(ctx, id, RotationPolicy, &policyresponse)
+	err := c.getPolicy(ctx, idOrAlias, RotationPolicy, &policyresponse)
 	if err != nil {
 		return nil, err
 	}
@ -173,10 +173,10 @@ func (c *Client) GetRotationPolicy(ctx context.Context, id string) (*Policy, err
 // GetDualAuthDeletePolicy method retrieves dual auth delete policy details of a key
 // For more information can refer the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#view-dual-auth-key-policy-api
-func (c *Client) GetDualAuthDeletePolicy(ctx context.Context, id string) (*Policy, error) {
+func (c *Client) GetDualAuthDeletePolicy(ctx context.Context, idOrAlias string) (*Policy, error) {
 	policyresponse := Policies{}

-	err := c.getPolicy(ctx, id, DualAuthDelete, &policyresponse)
+	err := c.getPolicy(ctx, idOrAlias, DualAuthDelete, &policyresponse)
 	if err != nil {
 		return nil, err
 	}
@ -188,10 +188,10 @@ func (c *Client) GetDualAuthDeletePolicy(ctx context.Context, id string) (*Polic
 	return &policyresponse.Policies[0], nil
 }

-func (c *Client) setPolicy(ctx context.Context, id, policyType string, policyRequest Policies) (*Policies, error) {
+func (c *Client) setPolicy(ctx context.Context, idOrAlias, policyType string, policyRequest Policies) (*Policies, error) {
 	policyresponse := Policies{}

-	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", id), &policyRequest)
+	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", idOrAlias), &policyRequest)
 	if err != nil {
 		return nil, err
 	}
@ -207,10 +207,10 @@ func (c *Client) setPolicy(ctx context.Context, id, policyType string, policyReq
 	return &policyresponse, nil
 }

-// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID and rotation interval.
+// SetRotationPolicy updates the rotation policy associated with a key by specifying key ID  or alias and rotation interval.
 // For more information can refer the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-rotation-policy#update-rotation-policy-api
-func (c *Client) SetRotationPolicy(ctx context.Context, id string, rotationInterval int) (*Policy, error) {
+func (c *Client) SetRotationPolicy(ctx context.Context, idOrAlias string, rotationInterval int) (*Policy, error) {
 	policy := Policy{
 		Type: policyType,
 		Rotation: &Rotation{
@ -226,7 +226,7 @@ func (c *Client) SetRotationPolicy(ctx context.Context, id string, rotationInter
 		Policies: []Policy{policy},
 	}

-	policyresponse, err := c.setPolicy(ctx, id, RotationPolicy, policyRequest)
+	policyresponse, err := c.setPolicy(ctx, idOrAlias, RotationPolicy, policyRequest)
 	if err != nil {
 		return nil, err
 	}
@ -238,10 +238,10 @@ func (c *Client) SetRotationPolicy(ctx context.Context, id string, rotationInter
 	return &policyresponse.Policies[0], nil
 }

-// SetDualAuthDeletePolicy updates the dual auth delete policy by passing the key ID and enable detail
+// SetDualAuthDeletePolicy updates the dual auth delete policy by passing the key ID  or alias and enable detail
 // For more information can refer the Key Protect docs in the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-set-dual-auth-key-policy#create-dual-auth-key-policy-api
-func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, id string, enabled bool) (*Policy, error) {
+func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, idOrAlias string, enabled bool) (*Policy, error) {
 	policy := Policy{
 		Type: policyType,
 		DualAuth: &DualAuth{
@ -257,7 +257,7 @@ func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, id string, enabled
 		Policies: []Policy{policy},
 	}

-	policyresponse, err := c.setPolicy(ctx, id, DualAuthDelete, policyRequest)
+	policyresponse, err := c.setPolicy(ctx, idOrAlias, DualAuthDelete, policyRequest)
 	if err != nil {
 		return nil, err
 	}
@ -273,7 +273,7 @@ func (c *Client) SetDualAuthDeletePolicy(ctx context.Context, id string, enabled
 // To set rotation policy for the key pass the setRotationPolicy parameter as true and set the rotationInterval detail.
 // To set dual auth delete policy for the key pass the setDualAuthDeletePolicy parameter as true and set the dualAuthEnable detail.
 // Both the policies can be set or either of the policies can be set.
-func (c *Client) SetPolicies(ctx context.Context, id string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool) ([]Policy, error) {
+func (c *Client) SetPolicies(ctx context.Context, idOrAlias string, setRotationPolicy bool, rotationInterval int, setDualAuthDeletePolicy, dualAuthEnable bool) ([]Policy, error) {
 	policies := []Policy{}
 	if setRotationPolicy {
 		rotationPolicy := Policy{
@ -304,7 +304,7 @@ func (c *Client) SetPolicies(ctx context.Context, id string, setRotationPolicy b

 	policyresponse := Policies{}

-	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", id), &policyRequest)
+	req, err := c.newRequest("PUT", fmt.Sprintf("keys/%s/policies", idOrAlias), &policyRequest)
 	if err != nil {
 		return nil, err
 	}