def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
import_job_name = flags.ParseImportJobName(args).RelativeName()
if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file):
raise exceptions.OneOfArgumentsRequiredException(
('--target-key-file', '--rsa-aes-wrapped-key-file'),
'Either a pre-wrapped key or a key to be wrapped must be provided.')
rsa_aes_wrapped_key_bytes = None
if args.rsa_aes_wrapped_key_file:
try:
# This should be less than 64KiB.
rsa_aes_wrapped_key_bytes = self._ReadFile(
args.rsa_aes_wrapped_key_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format(
args.wrapped_target_key_file, e))
if args.target_key_file:
public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name)
target_key_bytes = None
try:
# This should be less than 64KiB.
target_key_bytes = self._ReadFile(
args.target_key_file, max_bytes=8192)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read target key file [{0}]: {1}'.format(
args.target_key_file, e))
rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes,
target_key_bytes)
# Send the request to KMS.
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest( # pylint: disable=line-too-long
parent=flags.ParseCryptoKeyName(args).RelativeName())
req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest(
algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice(
args.algorithm),
importJob=import_job_name,
rsaAesWrappedKey=rsa_aes_wrapped_key_bytes)
if args.version:
req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName(
args).RelativeName()
return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import(
req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
import_job_ref = flags.ParseImportJobName(args)
if not import_job_ref.Name():
raise exceptions.InvalidArgumentException(
'import_job', 'import job id must be non-empty.')
import_job = client.projects_locations_keyRings_importJobs.Get( # pylint: disable=line-too-long
messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
name=import_job_ref.RelativeName()))
# Raise exception if --attestation-file is provided for software
# import jobs.
if (args.attestation_file and import_job.protectionLevel !=
messages.ImportJob.ProtectionLevelValueValuesEnum.HSM):
raise exceptions.ToolException(
'Attestations are only available for HSM import jobs.')
if (args.attestation_file and import_job.state == messages.ImportJob
.StateValueValuesEnum.PENDING_GENERATION):
raise exceptions.ToolException(
'The attestation is unavailable until the import job is generated.')
if args.attestation_file and import_job.attestation is not None:
try:
log.WriteToFileOrStdout(
args.attestation_file,
import_job.attestation.content,
overwrite=True,
binary=True)
except files.Error as e:
raise exceptions.BadFileException(e)
if import_job.attestation is not None:
# Suppress the attestation content in the printed output. Users can use
# --attestation-file to obtain it, instead.
import_job.attestation.content = None
return import_job
def _CreateRequest(self, args):
messages = cloudkms_base.GetMessagesModule()
if not args.protection_level:
raise exceptions.ToolException(
"--protection-level needs to be specified when creating an import job"
)
if not args.import_method:
raise exceptions.ToolException(
"--import-method needs to be specified when creating an import job")
import_job_ref = flags.ParseImportJobName(args)
parent_ref = flags.ParseParentFromResource(import_job_ref)
return messages.CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest(
parent=parent_ref.RelativeName(),
importJobId=import_job_ref.Name(),
importJob=messages.ImportJob(
protectionLevel=maps.IMPORT_PROTECTION_LEVEL_MAPPER
.GetEnumForChoice(args.protection_level),
importMethod=maps.IMPORT_METHOD_MAPPER.GetEnumForChoice(
args.import_method)))
