def __init__(self, project_id: str = None, location_id: str = None, key_ring_id: str = None, crypto_key_id: str = None, key_name: str = None, credential_path: str = None): """ init :param project_id: GCP project id :param location_id: key location id ("global" etc.) :param key_ring_id: key ring id :param crypto_key_id: crypt key :param key_name: full path of key like below, 'projects/(\S+)/locations/(\S+)/keyRings/(\S+)/cryptoKeys/(\S+)' :param credential_path: credential file path for a service account """ if credential_path is not None: credentials = service_account.Credentials.from_service_account_file( credential_path) else: credentials = None if key_name is not None: self.__name = key_name ids = re.findall( 'projects/(\S+)/locations/(\S+)/keyRings/(\S+)/cryptoKeys/(\S+)', key_name) if len(ids) != 1: raise ValueError("Failed to parse key name") else: ids = ids[0] if len(ids) != 4: raise ValueError("Failed to parse key name") self.__project_id = ids[0] self.__location_id = ids[1] self.__key_ring_id = ids[2] self.__crypto_key_id = ids[3] self.__client = kms.KeyManagementServiceClient( credentials=credentials) else: self.__project_id = project_id self.__location_id = location_id self.__key_ring_id = key_ring_id self.__crypto_key_id = crypto_key_id self.__client = kms.KeyManagementServiceClient( credentials=credentials) self.__update_key_name()
def update_key_set_primary(project_id, location_id, key_ring_id, key_id, version_id): """ Update the primary version of a key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key to make primary (e.g. '2'). Returns: CryptoKey: Updated Cloud KMS key. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Call the API. updated_key = client.update_crypto_key_primary_version( request={ 'name': key_name, 'crypto_key_version_id': version_id }) print('Updated {} primary to {}'.format(updated_key.name, version_id)) return updated_key
def destroy_key_version(project_id, location_id, key_ring_id, key_id, version_id): """ Schedule destruction of the given key version. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key version to destroy (e.g. '1'). Returns: CryptoKeyVersion: The version. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Call the API. destroyed_version = client.destroy_crypto_key_version( request={'name': key_version_name}) print('Destroyed key version: {}'.format(destroyed_version.name)) return destroyed_version
def encrypt_symmetric(plaintext, project_id='prueba-tecnica-295209', location_id='global', key_ring_id='prueba', key_id='clave'): """ Encrypt plaintext using a symmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). plaintext (string): message to encrypt Returns: bytes: Encrypted ciphertext. """ # Import base64 for printing the ciphertext. import base64 # Convert the plaintext to bytes. plaintext_bytes = plaintext.encode('utf-8') # Create the client. client = kms.KeyManagementServiceClient() # Build the key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Call the API. encrypt_response = client.encrypt(request={'name': key_name, 'plaintext': plaintext_bytes}) #print('Ciphertext: {}'.format(base64.b64encode(encrypt_response.ciphertext))) return encrypt_response
def kms_encrypt_decrypt_cursor(cursor, kms_type): if cursor and hasattr(config, 'KMS_KEY_INFO') and \ 'keyring' in config.KMS_KEY_INFO and \ 'key' in config.KMS_KEY_INFO and \ 'location' in config.KMS_KEY_INFO: project_id = os.environ['GOOGLE_CLOUD_PROJECT'] location_id = config.KMS_KEY_INFO['location'] key_ring_id = config.KMS_KEY_INFO['keyring'] crypto_key_id = config.KMS_KEY_INFO['key'] try: client = kms.KeyManagementServiceClient() name = client.crypto_key_path_path(project_id, location_id, key_ring_id, crypto_key_id) if kms_type == 'encrypt': encrypt_response = client.encrypt( name, cursor.encode() if isinstance(cursor, str) else cursor) response = base64.urlsafe_b64encode( encrypt_response.ciphertext).decode() else: encrypt_response = client.decrypt( name, base64.urlsafe_b64decode(cursor)) response = encrypt_response.plaintext except Exception as e: logging.error( f"An exception occurred when {kms_type}-ing a cursor: {str(e)}" ) return None else: response = cursor return response
def get_public_key(project_id, location_id, key_ring_id, key_id, version_id): """ Get the public key for an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key to use (e.g. '1'). Returns: PublicKey: Cloud KMS public key response. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Call the API. public_key = client.get_public_key(request={'name': key_version_name}) print('Public key: {}'.format(public_key.pem)) return public_key
def restore_key_version(project_id, location_id, key_ring_id, key_id, version_id): """ Restore a key version scheduled for destruction. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the version to use (e.g. '1'). Returns: CryptoKeyVersion: Restored Cloud KMS key version. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Call the API. restored_version = client.restore_crypto_key_version(key_version_name) print('Restored key version: {}'.format(restored_version.name)) return restored_version
def decrypt_symmetric(project_id, location_id, key_ring_id, key_id, ciphertext): """ Decrypt the ciphertext using the symmetric key Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). ciphertext (bytes): Encrypted bytes to decrypt. Returns: DecryptResponse: Response including plaintext. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Call the API. decrypt_response = client.decrypt(request={ 'name': key_name, 'ciphertext': ciphertext }) print('Plaintext: {}'.format(decrypt_response.plaintext)) return decrypt_response
def create_key_ring(project_id, location_id, id): """ Creates a new key ring in Cloud KMS Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). id (string): ID of the key ring to create (e.g. 'my-key-ring'). Returns: KeyRing: Cloud KMS key ring. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the parent location name. location_name = f'projects/{project_id}/locations/{location_id}' # Build the key ring. key_ring = {} # Call the API. created_key_ring = client.create_key_ring(request={'parent': location_name, 'key_ring_id': id, 'key_ring': key_ring}) print('Created key ring: {}'.format(created_key_ring.name)) return created_key_ring
def check_state_imported_key(project_id, location_id, key_ring_id, import_job_id): """ Check the state of an import job in Cloud KMS. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). import_job_id (string): ID of the import job (e.g. 'my-import-job'). """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Retrieve the fully-qualified import_job string. import_job_name = client.import_job_path(project_id, location_id, key_ring_id, import_job_id) # Retrieve the state from an existing import job. import_job = client.get_import_job(name=import_job_name) print('Current state of import job {}: {}'.format(import_job.name, import_job.state))
def _ensure_init(self): if self._fernet is None: kms_client = kms.KeyManagementServiceClient() fernet_key = kms_client.decrypt(self._KMS_KEY_PATH, base64.b64decode(self._ENCRYPTED_KEY)) self._key = fernet_key.plaintext self._fernet = Fernet(self._key.decode('utf-8'))
def kms_client(self): # credentials credentials = None if self.credentials_file: credentials = service_account.Credentials.from_service_account_file(self.credentials_file) credentials = credentials.with_scopes(["https://www.googleapis.com/auth/cloudkms"]) return kms.KeyManagementServiceClient(credentials=credentials)
def kms_encrypt_decrypt_cursor(cursor, process): if cursor: project_id = os.environ["GOOGLE_CLOUD_PROJECT"] location_id = "europe" key_ring_id = f"{project_id}-keyring" crypto_key_id = "db-cursor-key" try: client = kms.KeyManagementServiceClient() name = client.crypto_key_path(project_id, location_id, key_ring_id, crypto_key_id) if process == "encrypt": text = cursor.encode() if isinstance(cursor, str) else cursor encrypt_response = client.encrypt(name=name, plaintext=text) response = base64.urlsafe_b64encode( encrypt_response.ciphertext).decode() else: text = base64.urlsafe_b64decode(cursor) encrypt_response = client.decrypt(name=name, ciphertext=text) response = encrypt_response.plaintext except Exception as e: logging.error( f"An exception occurred when {process}-ing a cursor: {str(e)}") return None else: response = None return response
def create_key_version(project_id, location_id, key_ring_id, key_id): """ Creates a new version of the given key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key for which to create a new version (e.g. 'my-key'). Returns: CryptoKeyVersion: Cloud KMS key version. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the parent key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Build the key version. version = {} # Call the API. created_version = client.create_crypto_key_version(key_name, version) print('Created key version: {}'.format(created_version.name)) return created_version
def get_key_labels(project_id, location_id, key_ring_id, key_id): """ Get a key and its labels. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). Returns: CryptoKey: Cloud KMS key. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Call the API. key = client.get_crypto_key(request={'name': key_name}) # Example of iterating over labels. for k, v in key.labels.items(): print('{} = {}'.format(k, v)) return key
def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext): """ Encrypt plaintext using a symmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). plaintext (string): message to encrypt Returns: bytes: Encrypted ciphertext. """ # Import the client library. from google.cloud import kms # Import base64 for printing the ciphertext. import base64 # Convert the plaintext to bytes. plaintext_bytes = plaintext.encode('utf-8') # Optional, but recommended: compute plaintext's CRC32C. # See crc32c() function defined below. plaintext_crc32c = crc32c(plaintext_bytes) # Create the client. client = kms.KeyManagementServiceClient() # Build the key name. key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) # Call the API. encrypt_response = client.encrypt( request={ 'name': key_name, 'plaintext': plaintext_bytes, 'plaintext_crc32c': plaintext_crc32c }) # Optional, but recommended: perform integrity verification on encrypt_response. # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: # https://cloud.google.com/kms/docs/data-integrity-guidelines if not encrypt_response.verified_plaintext_crc32c: raise Exception( 'The request sent to the server was corrupted in-transit.') if not encrypt_response.ciphertext_crc32c == crc32c( encrypt_response.ciphertext): raise Exception( 'The response received from the server was corrupted in-transit.') # End integrity verification print('Ciphertext: {}'.format(base64.b64encode( encrypt_response.ciphertext))) return encrypt_response
def verify_asymmetric_ec(project_id, location_id, key_ring_id, key_id, version_id, message, signature): """ Verify the signature of an message signed with an asymmetric EC key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the version to use (e.g. '1'). message (string): Original message (e.g. 'my message') signature (bytes): Signature from a sign request. Returns: bool: True if verified, False otherwise """ # Import the client library. from google.cloud import kms # Import cryptographic helpers from the cryptography package. from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec, utils # Import hashlib. import hashlib # Convert the message to bytes. message_bytes = message.encode('utf-8') # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Get the public key. public_key = client.get_public_key(key_version_name) # Extract and parse the public key as a PEM-encoded RSA key. pem = public_key.pem.encode('utf-8') ec_key = serialization.load_pem_public_key(pem, default_backend()) hash_ = hashlib.sha256(message_bytes).digest() # Attempt to verify. try: sha256 = hashes.SHA256() ec_key.verify(signature, hash_, ec.ECDSA(utils.Prehashed(sha256))) print('Signature verified') return True except InvalidSignature: print('Signature failed to verify') return False
def __init__(self): # This facade is currently using both libraries as the Cloud Client library doesn't support locations # Cloud Client client_info = ClientInfo(user_agent=get_user_agent()) self.cloud_client = kms.KeyManagementServiceClient(client_info=client_info) # self.cloud_client = kms.KeyManagementServiceClient() super().__init__('cloudkms', 'v1') # API Client
def encrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, plaintext): """ Encrypt plaintext using the public key portion of an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key version to use (e.g. '1'). plaintext (string): message to encrypt Returns: bytes: Encrypted ciphertext. """ # Import the client library. from google.cloud import kms # Import base64 for printing the ciphertext. import base64 # Import cryptographic helpers from the cryptography package. from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding # Convert the plaintext to bytes. plaintext_bytes = plaintext.encode('utf-8') # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Get the public key. public_key = client.get_public_key(request={'name': key_version_name}) # Extract and parse the public key as a PEM-encoded RSA key. pem = public_key.pem.encode('utf-8') rsa_key = serialization.load_pem_public_key(pem, default_backend()) # Construct the padding. Note that the padding differs based on key choice. sha256 = hashes.SHA256() mgf = padding.MGF1(algorithm=sha256) pad = padding.OAEP(mgf=mgf, algorithm=sha256, label=None) # Encrypt the data using the public key. ciphertext = rsa_key.encrypt(plaintext_bytes, pad) print('Ciphertext: {}'.format(base64.b64encode(ciphertext))) return ciphertext
def decrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, ciphertext): """ Decrypt the ciphertext using an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): ID of the key version to use (e.g. '1'). ciphertext (bytes): Encrypted bytes to decrypt. Returns: DecryptResponse: Response including plaintext. """ # Import the client library. from google.cloud import kms # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Optional, but recommended: compute ciphertext's CRC32C. # See crc32c() function defined below. ciphertext_crc32c = crc32c(ciphertext) # Call the API. decrypt_response = client.asymmetric_decrypt( request={ 'name': key_version_name, 'ciphertext': ciphertext, 'ciphertext_crc32c': ciphertext_crc32c }) # Optional, but recommended: perform integrity verification on decrypt_response. # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: # https://cloud.google.com/kms/docs/data-integrity-guidelines if not decrypt_response.verified_ciphertext_crc32c: raise Exception( 'The request sent to the server was corrupted in-transit.') if not decrypt_response.plaintext_crc32c == crc32c( decrypt_response.plaintext): raise Exception( 'The response received from the server was corrupted in-transit.') # End integrity verification print('Plaintext: {}'.format(decrypt_response.plaintext)) return decrypt_response
def create_key_rotation_schedule(project_id, location_id, key_ring_id, id): """ Creates a new key in Cloud KMS that automatically rotates. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). id (string): ID of the key to create (e.g. 'my-rotating-key'). Returns: CryptoKey: Cloud KMS key. """ # Import the client library. from google.cloud import kms # Import time for getting the current time. import time # Create the client. client = kms.KeyManagementServiceClient() # Build the parent key ring name. key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) # Build the key. purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION key = { 'purpose': purpose, 'version_template': { 'algorithm': algorithm, }, # Rotate the key every 30 days. 'rotation_period': { 'seconds': 60 * 60 * 24 * 30 }, # Start the first rotation in 24 hours. 'next_rotation_time': { 'seconds': int(time.time()) + 60 * 60 * 24 } } # Call the API. created_key = client.create_crypto_key(request={ 'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key }) print('Created labeled key: {}'.format(created_key.name)) return created_key
def encrypt(project, location, keyring, cryptokey, # pylint: disable=too-many-arguments bucket, target, secret_name): unversioned_key = get_unversioned_key(project, location, keyring, cryptokey) kms_client = kms.KeyManagementServiceClient() versioned_key = kms_client.get_crypto_key(unversioned_key).primary.name with open_file(secret_name) as secret_file: unencrypted = secret_file.read() encrypted = encrypt_secret(versioned_key, unencrypted, client=kms_client) save_secret(project, bucket, target, encrypted, unversioned_key)
def reencrypt(project, bucket, target): storage_client = storage.Client(project=project) secret = get_secret(project, bucket, target, client=storage_client) encrypted = secret['secret'] key = secret['key'] kms_client = kms.KeyManagementServiceClient() primary_key = kms_client.get_crypto_key(key).primary.name decrypted = decrypt_secret(key, encrypted, client=kms_client) encrypted = encrypt_secret(primary_key, decrypted, client=kms_client) save_secret(project, bucket, target, encrypted, key, client=storage_client)
def create_key_hsm(project_id, location_id, key_ring_id, id): """ Creates a new key in Cloud KMS backed by Cloud HSM. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). id (string): ID of the key to create (e.g. 'my-hsm-key'). Returns: CryptoKey: Cloud KMS key. """ # Import the client library. from google.cloud import kms from google.protobuf import duration_pb2 import datetime # Create the client. client = kms.KeyManagementServiceClient() # Build the parent key ring name. key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) # Build the key. purpose = kms.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION protection_level = kms.ProtectionLevel.HSM key = { 'purpose': purpose, 'version_template': { 'algorithm': algorithm, 'protection_level': protection_level }, # Optional: customize how long key versions should be kept before # destroying. 'destroy_scheduled_duration': duration_pb2.Duration().FromTimedelta(datetime.timedelta(days=1)) } # Call the API. created_key = client.create_crypto_key(request={ 'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key }) print('Created hsm key: {}'.format(created_key.name)) return created_key
def create_key_asymmetric_sign(project_id, location_id, key_ring_id, id): """ Creates a new asymmetric signing key in Cloud KMS. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). id (string): ID of the key to create (e.g. 'my-asymmetric-signing-key'). Returns: CryptoKey: Cloud KMS key. """ # Import the client library. from google.cloud import kms from google.protobuf import duration_pb2 import datetime # Create the client. client = kms.KeyManagementServiceClient() # Build the parent key ring name. key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) # Build the key. purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 key = { 'purpose': purpose, 'version_template': { 'algorithm': algorithm, }, # Optional: customize how long key versions should be kept before # destroying. 'destroy_scheduled_duration': duration_pb2.Duration().FromTimedelta(datetime.timedelta(days=1)) } # Call the API. created_key = client.create_crypto_key(request={ 'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key }) print('Created asymmetric signing key: {}'.format(created_key.name)) return created_key
def create_key_ring(self, id): # Create the client. client = kms.KeyManagementServiceClient() # Build the parent location name. location_name = f'projects/{self.project_id}/locations/{self.location_id}' # Build the key ring. key_ring = {} # Call the API. created_key_ring = client.create_key_ring( request={'parent': location_name, 'key_ring_id': id, 'key_ring': key_ring}) # print('Created key ring: {}'.format(created_key_ring.name)) return created_key_ring
def setUp(self): super(TestKMSIntegration, self).setUp() client = kms.KeyManagementServiceClient() project = Config.CLIENT.project location = self.bucket.location.lower() keyring_name = self.KEYRING_NAME purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT # If the keyring doesn't exist create it. keyring_path = client.key_ring_path(project, location, keyring_name) try: client.get_key_ring(keyring_path) except exceptions.NotFound: parent = client.location_path(project, location) client.create_key_ring(parent, keyring_name, {}) # Mark this service account as an owner of the new keyring service_account = Config.CLIENT.get_service_account_email() policy = { "bindings": [ { "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [ "serviceAccount:" + service_account, ] } ] } client.set_iam_policy(keyring_path, policy) # Populate the keyring with the keys we use in the tests key_names = [ 'gcs-test', 'gcs-test-alternate', 'explicit-kms-key-name', 'default-kms-key-name', 'override-default-kms-key-name', 'alt-default-kms-key-name', ] for key_name in key_names: key_path = client.crypto_key_path( project, location, keyring_name, key_name) try: client.get_crypto_key(key_path) except exceptions.NotFound: key = {'purpose': purpose} client.create_crypto_key(keyring_path, key_name, key)
def sign_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, message): """ Sign a message using the public key part of an asymmetric key. Args: project_id (string): Google Cloud project ID (e.g. 'my-project'). location_id (string): Cloud KMS location (e.g. 'us-east1'). key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). key_id (string): ID of the key to use (e.g. 'my-key'). version_id (string): Version to use (e.g. '1'). message (string): Message to sign. Returns: AsymmetricSignResponse: Signature. """ # Import the client library. from google.cloud import kms # Import base64 for printing the ciphertext. import base64 # Import hashlib for calculating hashes. import hashlib # Create the client. client = kms.KeyManagementServiceClient() # Build the key version name. key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) # Convert the message to bytes. message_bytes = message.encode('utf-8') # Calculate the hash. hash_ = hashlib.sha256(message_bytes).digest() # Build the digest. # # Note: Key algorithms will require a varying hash function. For # example, EC_SIGN_P384_SHA384 requires SHA-384. digest = {'sha256': hash_} # Call the API sign_response = client.asymmetric_sign(request={'name': key_version_name, 'digest': digest}) print('Signature: {}'.format(base64.b64encode(sign_response.signature))) return sign_response
def __init__(self, config, *args, **kwargs): super(GCPBackend, self).__init__(config) self.kms_client = kms.KeyManagementServiceClient() self.datastore_client = datastore.Client( project=config.get("datastore_project") or self._get_default_project(), namespace=config.get("datastore_namespace"), ) self.datastore_kind = config.get("datastore_kind", "Secret") self.datastore_property_ciphertext = config.get( "datastore_property_ciphertext", "ciphertext") self.datastore_property_keyid = config.get("datastore_property_keyid", "keyid") self.default_keyid = config.get("keyid") or self._get_default_keyid()
def setUp(self): super(TestKMSIntegration, self).setUp() client = kms.KeyManagementServiceClient() # If the keyring doesn't exist create it. name = client.key_ring_path(Config.CLIENT.project, self.bucket.location.lower(), self.KEYRING_NAME) try: client.get_key_ring(name) except exceptions.NotFound: parent = client.location_path(Config.CLIENT.project, self.bucket.location.lower()) client.create_key_ring(parent, self.KEYRING_NAME, {}) # Ensure this service account is marked as an owner to the test keyring keyring_location_path = client.key_ring_path( Config.CLIENT.project, self.bucket.location.lower(), self.KEYRING_NAME) service_account = Config.CLIENT.get_service_account_email() policy = { "bindings": [{ "role": "roles/owner", "members": [ "serviceAccount:" + service_account, ] }] } client.set_iam_policy(keyring_location_path, policy) # Populate the keyring with the keys we use in the tests for keyname in [ 'gcs-test', 'gcs-test-alternate', 'explicit-kms-key-name', 'default-kms-key-name', 'override-default-kms-key-name', 'alt-default-kms-key-name' ]: key_path = client.crypto_key_path(Config.CLIENT.project, self.bucket.location.lower(), self.KEYRING_NAME, keyname) try: client.get_crypto_key(key_path) except exceptions.NotFound: purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT key = {'purpose': purpose} client.create_crypto_key(keyring_location_path, keyname, key)