def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() try: digest = get_digest.GetDigest(args.digest_algorithm, args.input_file) except EnvironmentError as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format( args.input_file, e)) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long name=flags.ParseCryptoKeyVersionName(args).RelativeName()) req.asymmetricSignRequest = messages.AsymmetricSignRequest( digest=digest) resp = (client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions .AsymmetricSign(req)) try: log.WriteToFileOrStdout(args.signature_file, resp.signature, overwrite=True, binary=True, private=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) return cryptokeyversions.SetState( version_ref, messages.CryptoKeyVersion.StateValueValuesEnum.DISABLED)
def _CreateMacVerifyRequest(self, args): try: # The MacVerify API limits the input data to 64KiB. data = self._ReadFileOrStdin(args.input_file, max_bytes=65536) except EnvironmentError as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format(args.input_file, e)) try: # We currently only support signatures up to SHA512 length (64 bytes). mac = self._ReadFileOrStdin(args.signature_file, max_bytes=64) except EnvironmentError as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format(args.input_file, e)) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsMacVerifyRequest( # pylint: disable=line-too-long name=flags.ParseCryptoKeyVersionName(args).RelativeName()) if self._PerformIntegrityVerification(args): data_crc32c = crc32c.Crc32c(data) mac_crc32c = crc32c.Crc32c(mac) req.macVerifyRequest = messages.MacVerifyRequest( data=data, mac=mac, dataCrc32c=data_crc32c, macCrc32c=mac_crc32c) else: req.macVerifyRequest = messages.MacVerifyRequest(data=data, mac=mac) return req
def Run(self, args): try: ciphertext = console_io.ReadFromFileOrStdin( args.ciphertext_file, binary=True) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest( # pylint: disable=line-too-long name=crypto_key_ref.RelativeName()) req.asymmetricDecryptRequest = messages.AsymmetricDecryptRequest( ciphertext=ciphertext) resp = ( client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions. AsymmetricDecrypt(req)) try: log.WriteToFileOrStdout( args.plaintext_file, resp.plaintext or '', overwrite=True, binary=True, private=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') versions = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions version = versions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName())) if (version.protectionLevel != messages.CryptoKeyVersion.ProtectionLevelValueValuesEnum.HSM): raise exceptions.ToolException( 'Certificate chains are only available for HSM key versions.') if (version.state == messages.CryptoKeyVersion.StateValueValuesEnum. PENDING_GENERATION): raise exceptions.ToolException( 'Certificate chains are unavailable until the version is generated.' ) try: log.WriteToFileOrStdout( args.output_file if args.output_file else '-', _GetCertificateChainPem(version.attestation.certChains, args.certificate_chain_type), overwrite=True, binary=False) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): # pylint: disable=line-too-long fields_to_update = self.ProcessFlags(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) # Try to get the cryptoKeyVersion and raise an exception if it doesn't exist. key_version = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages .CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName())) # Check that this key version's ProtectionLevel is EXTERNAL if args.external_key_uri: self.CheckKeyIsExternal(key_version, messages) if args.ekm_connection_key_path: self.CheckKeyIsExternalVpc(key_version, messages) # Make update request update_req = self.CreateRequest(args, messages, fields_to_update) return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Patch( update_req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName()))
def _CreateEncryptRequest(self, args): if (args.plaintext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--plaintext-file', '--plaintext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API limits the plaintext to 64KiB. plaintext = self._ReadFileOrStdin(args.plaintext_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read plaintext file [{0}]: {1}'.format( args.plaintext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}' .format(args.additional_authenticated_data_file, e)) if args.version: crypto_key_ref = flags.ParseCryptoKeyVersionName(args) else: crypto_key_ref = flags.ParseCryptoKeyName(args) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest( name=crypto_key_ref.RelativeName()) # Populate request integrity fields. if self._PerformIntegrityVerification(args): plaintext_crc32c = crc32c.Crc32c(plaintext) # Set checksum if AAD is not provided for simpler response verification. aad_crc32c = crc32c.Crc32c( aad) if aad is not None else crc32c.Crc32c(b'') req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad, plaintextCrc32c=plaintext_crc32c, additionalAuthenticatedDataCrc32c=aad_crc32c) else: req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad) return req
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDestroyRequest( name=version_ref.RelativeName()) ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions return ckv.Destroy(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName()))
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() import_job_name = flags.ParseImportJobName(args).RelativeName() if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file): raise exceptions.OneOfArgumentsRequiredException( ('--target-key-file', '--rsa-aes-wrapped-key-file'), 'Either a pre-wrapped key or a key to be wrapped must be provided.') rsa_aes_wrapped_key_bytes = None if args.rsa_aes_wrapped_key_file: try: # This should be less than 64KiB. rsa_aes_wrapped_key_bytes = self._ReadFile( args.rsa_aes_wrapped_key_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format( args.wrapped_target_key_file, e)) if args.target_key_file: public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name) target_key_bytes = None try: # This should be less than 64KiB. target_key_bytes = self._ReadFile( args.target_key_file, max_bytes=8192) except files.Error as e: raise exceptions.BadFileException( 'Failed to read target key file [{0}]: {1}'.format( args.target_key_file, e)) rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes, target_key_bytes) # Send the request to KMS. req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest( # pylint: disable=line-too-long parent=flags.ParseCryptoKeyName(args).RelativeName()) req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest( algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice( args.algorithm), importJob=import_job_name, rsaAesWrappedKey=rsa_aes_wrapped_key_bytes) if args.version: req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName( args).RelativeName() return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import( req)
def Run(self, args): if (args.plaintext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--plaintext-file', '--plaintext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API limits the plaintext to 64KiB. plaintext = self._ReadFileOrStdin(args.plaintext_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read plaintext file [{0}]: {1}'.format( args.plaintext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}' .format(args.additional_authenticated_data_file, e)) if args.version: crypto_key_ref = flags.ParseCryptoKeyVersionName(args) else: crypto_key_ref = flags.ParseCryptoKeyName(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest( name=crypto_key_ref.RelativeName()) req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad) resp = client.projects_locations_keyRings_cryptoKeys.Encrypt(req) try: log.WriteToFileOrStdout(args.ciphertext_file, resp.ciphertext, binary=True, overwrite=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=version_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_ref.cryptoKeyVersionsId))) return client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( req)
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsRestoreRequest( projectsId=version_ref.projectsId, locationsId=version_ref.locationsId, keyRingsId=version_ref.keyRingsId, cryptoKeysId=version_ref.cryptoKeysId, cryptoKeyVersionsId=version_ref.cryptoKeyVersionsId) ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions return ckv.Restore(req)
def CreateRequest(self, args, messages, fields_to_update): # pylint: disable=line-too-long version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsPatchRequest( name=version_ref.RelativeName(), cryptoKeyVersion=messages.CryptoKeyVersion( state=maps.CRYPTO_KEY_VERSION_STATE_MAPPER.GetEnumForChoice( args.state), externalProtectionLevelOptions=messages .ExternalProtectionLevelOptions( externalKeyUri=args.external_key_uri))) req.updateMask = ','.join(fields_to_update) return req
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') version = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( # pylint: disable=line-too-long messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName())) # Raise exception if --attestation-file is provided for software # key versions. if (args.attestation_file and version.protectionLevel != messages.CryptoKeyVersion.ProtectionLevelValueValuesEnum.HSM): raise kms_exceptions.ArgumentError( 'Attestations are only available for HSM key versions.') if (args.attestation_file and version.state == messages. CryptoKeyVersion.StateValueValuesEnum.PENDING_GENERATION): raise kms_exceptions.ArgumentError( 'The attestation is unavailable until the version is generated.' ) if args.attestation_file and version.attestation is not None: try: log.WriteToFileOrStdout(args.attestation_file, version.attestation.content, overwrite=True, binary=True) except files.Error as e: raise exceptions.BadFileException(e) if version.attestation is not None: # Suppress the attestation content in the printed output. Users can use # --attestation-file to obtain it, instead. version.attestation.content = None # Suppress the attestation content in the printed output. Users can use # get-certificate-chain to obtain it, instead. version.attestation.certChains = None return version
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() resources.REGISTRY.SetParamDefault( 'cloudkms', None, 'cryptoKeysId', resolvers.FromArgument('--cryptokey', args.cryptokey)) version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=version_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_ref.cryptoKeyVersionsId))) return client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') resp = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.GetPublicKey( # pylint: disable=line-too-long messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest( # pylint: disable=line-too-long name=version_ref.RelativeName())) # TODO(b/72555857): Revisit this when we pull this into trunk. log.WriteToFileOrStdout(args.output_file if args.output_file else '-', resp.pem, overwrite=True, binary=False, private=True)
def _CreateAsymmetricSignRequest(self, args): try: digest = get_digest.GetDigest(args.digest_algorithm, args.input_file) except EnvironmentError as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format(args.input_file, e)) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long name=flags.ParseCryptoKeyVersionName(args).RelativeName()) if self._PerformIntegrityVerification(args): # args.digest_algorithm has been verified in get_digest.GetDigest() digest_crc32c = crc32c.Crc32c(getattr(digest, args.digest_algorithm)) req.asymmetricSignRequest = messages.AsymmetricSignRequest( digest=digest, digestCrc32c=digest_crc32c) else: req.asymmetricSignRequest = messages.AsymmetricSignRequest(digest=digest) return req
def _CreateAsymmetricSignRequestOnData(self, args): """Returns an AsymmetricSignRequest for use with a data input. Populates an AsymmetricSignRequest with its data field populated by data read from args.input_file. dataCrc32c is populated if integrity verification is not skipped. Args: args: Input arguments. Returns: An AsymmetricSignRequest with data populated and dataCrc32c populated if integrity verification is not skipped. Raises: exceptions.BadFileException: An error occurred reading the input file. This can occur if the file can't be read or if the file is larger than 64 KiB. """ try: # The Asymmetric Sign API limits the data input to 64KiB. data = self._ReadBinaryFile(args.input_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format( args.input_file, e)) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long name=flags.ParseCryptoKeyVersionName(args).RelativeName()) if self._PerformIntegrityVerification(args): data_crc32c = crc32c.Crc32c(data) req.asymmetricSignRequest = messages.AsymmetricSignRequest( data=data, dataCrc32c=data_crc32c) else: req.asymmetricSignRequest = messages.AsymmetricSignRequest( data=data) return req
def _CreateAsymmetricDecryptRequest(self, args): try: ciphertext = console_io.ReadFromFileOrStdin(args.ciphertext_file, binary=True) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest( # pylint: disable=line-too-long name=crypto_key_ref.RelativeName()) if self._PerformIntegrityVerification(args): ciphertext_crc32c = crc32c.Crc32c(ciphertext) req.asymmetricDecryptRequest = messages.AsymmetricDecryptRequest( ciphertext=ciphertext, ciphertextCrc32c=ciphertext_crc32c) else: req.asymmetricDecryptRequest = messages.AsymmetricDecryptRequest( ciphertext=ciphertext) return req