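def Run(self, args):
  """Import key material as a crypto key version through an import job.

  Exactly one of --rsa-aes-wrapped-key-file (key material that is already
  wrapped) or --target-key-file (key material that is wrapped here before
  upload) must be given. Only the wrapped bytes are placed in the request.

  Args:
    args: Parsed command-line arguments.

  Returns:
    The response of the CryptoKeyVersions Import API call.

  Raises:
    exceptions.OneOfArgumentsRequiredException: If both or neither of the
      two key-file flags are set.
    exceptions.BadFileException: If the selected key file cannot be read.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()
  import_job_name = flags.ParseImportJobName(args).RelativeName()

  # Equal truthiness means "both set" or "neither set"; either way the key
  # source is ambiguous, so refuse before any file is touched.
  if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file):
    raise exceptions.OneOfArgumentsRequiredException(
        ('--target-key-file', '--rsa-aes-wrapped-key-file'),
        'Either a pre-wrapped key or a key to be wrapped must be provided.')

  rsa_aes_wrapped_key_bytes = None
  if args.rsa_aes_wrapped_key_file:
    try:
      # Pre-wrapped input is capped at 64 KiB (max_bytes=65536).
      rsa_aes_wrapped_key_bytes = self._ReadFile(
          args.rsa_aes_wrapped_key_file, max_bytes=65536)
    except files.Error as e:
      # Report the path that was actually read. The previous code formatted
      # args.wrapped_target_key_file, which is not the flag used above, so
      # the message named the wrong attribute instead of the failing file.
      raise exceptions.BadFileException(
          'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format(
              args.rsa_aes_wrapped_key_file, e))

  if args.target_key_file:
    public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name)
    target_key_bytes = None
    try:
      # Unwrapped key material is capped at 8 KiB (max_bytes=8192).
      target_key_bytes = self._ReadFile(
          args.target_key_file, max_bytes=8192)
    except files.Error as e:
      raise exceptions.BadFileException(
          'Failed to read target key file [{0}]: {1}'.format(
              args.target_key_file, e))
    # The plaintext key is wrapped locally against the import job's public
    # key; target_key_bytes itself never goes into the request below.
    rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes,
                                                       target_key_bytes)

  # Send the request to KMS.
  req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest(  # pylint: disable=line-too-long
      parent=flags.ParseCryptoKeyName(args).RelativeName())
  req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest(
      algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice(
          args.algorithm),
      importJob=import_job_name,
      rsaAesWrappedKey=rsa_aes_wrapped_key_bytes)

  # Only name a specific crypto key version when --version was supplied.
  if args.version:
    req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName(
        args).RelativeName()

  return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import(
      req)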
def Run(self, args):
  """Fetch an import job and optionally save its attestation to a file.

  The attestation bytes are written as returned by the API; nothing here
  verifies them. The attestation content is always cleared from the
  returned message, so it is only available through --attestation-file.

  Args:
    args: Parsed command-line arguments.

  Returns:
    The ImportJob message, with attestation.content set to None when an
    attestation is present.

  Raises:
    exceptions.InvalidArgumentException: If the import job id is empty.
    exceptions.ToolException: If --attestation-file is given for a non-HSM
      import job, or for a job still in PENDING_GENERATION.
    exceptions.BadFileException: If writing the attestation file fails.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  job_ref = flags.ParseImportJobName(args)
  if not job_ref.Name():
    raise exceptions.InvalidArgumentException(
        'import_job', 'import job id must be non-empty.')

  get_request = messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(  # pylint: disable=line-too-long
      name=job_ref.RelativeName())
  import_job = client.projects_locations_keyRings_importJobs.Get(get_request)

  attestation_path = args.attestation_file
  if attestation_path:
    # Attestations exist only for HSM import jobs; reject software jobs.
    hsm_level = messages.ImportJob.ProtectionLevelValueValuesEnum.HSM
    if import_job.protectionLevel != hsm_level:
      raise exceptions.ToolException(
          'Attestations are only available for HSM import jobs.')

    pending = messages.ImportJob.StateValueValuesEnum.PENDING_GENERATION
    if import_job.state == pending:
      raise exceptions.ToolException(
          'The attestation is unavailable until the import job is generated.')

    # NOTE(review): when the job carries no attestation at this point,
    # nothing is written and no error is raised.
    if import_job.attestation is not None:
      try:
        # overwrite=True: an existing file at this path is replaced.
        log.WriteToFileOrStdout(
            attestation_path,
            import_job.attestation.content,
            overwrite=True,
            binary=True)
      except files.Error as e:
        raise exceptions.BadFileException(e)

  # Keep the attestation content out of the printed output; callers who
  # need it pass --attestation-file instead.
  if import_job.attestation is not None:
    import_job.attestation.content = None

  return import_job
def _CreateRequest(self, args):
  """Build the ImportJobs create request from the parsed arguments.

  Both --protection-level and --import-method are mandatory; each is
  translated to its API enum through the corresponding mapper in `maps`.

  Args:
    args: Parsed command-line arguments.

  Returns:
    A CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest message.

  Raises:
    exceptions.ToolException: If --protection-level or --import-method is
      missing.
  """
  messages = cloudkms_base.GetMessagesModule()

  # Fail before parsing resource names if either required flag is absent.
  if not args.protection_level:
    raise exceptions.ToolException(
        "--protection-level needs to be specified when creating an import job"
    )
  if not args.import_method:
    raise exceptions.ToolException(
        "--import-method needs to be specified when creating an import job")

  job_ref = flags.ParseImportJobName(args)
  key_ring_ref = flags.ParseParentFromResource(job_ref)

  parent_name = key_ring_ref.RelativeName()
  job_id = job_ref.Name()

  level_enum = maps.IMPORT_PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
      args.protection_level)
  method_enum = maps.IMPORT_METHOD_MAPPER.GetEnumForChoice(args.import_method)
  job_message = messages.ImportJob(
      protectionLevel=level_enum, importMethod=method_enum)

  return messages.CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest(
      parent=parent_name, importJobId=job_id, importJob=job_message)