def decrypt(self, bytes_to_decrypt):
"""
Decrypts and returns bytes that were encrypted under this master key.
:param bytes bytes_to_decrypt: (required)
The bytes to decrypt using this MasterKey.
:rtype: bytes
"""
decrypt_data_details = DecryptDataDetails()
# KMS API expects the key base64 encoded
decrypt_data_details.ciphertext = convert_to_str(
base64.b64encode(bytes_to_decrypt))
decrypt_data_details.key_id = self.master_key_id
try:
decrypted_data = self.kms_crypto_client.decrypt(
decrypt_data_details).data
except ServiceError as service_error:
message = "Failed to decrypt data encryption key using masterKeyId: {master_key_id} while targeting vault: {vault_id}.".format(
master_key_id=self.master_key_id, vault_id=self.vault_id)
raise_runtime_error_from(message, service_error)
verify_crc32_checksum(
base64.b64decode(decrypted_data.plaintext),
decrypted_data.plaintext_checksum,
)
return decrypted_data.plaintext
def __init__(self, config, master_key_id, vault_id):
"""
Represents a MasterKey contained in the OCI Key Management Service.
:param dict config: (required)
An OCI config dict used to create underlying clients to talk to OCI KMS.
Note, the 'region' in this config must match the region that the key / vault
exist in otherwise they will not be found.
:param str master_key_id: (required)
The OCID of the KMS master key
:param str vault_id: (required)
The OCID of the vault containing the master key
"""
kms_vault_client = KmsVaultClient(config)
try:
vault = kms_vault_client.get_vault(vault_id).data
except ServiceError as service_error:
message = "Failed to access vaultId: {vault_id} while targeting region: {region}.".format(
vault_id=vault_id, region=config['region'])
raise_runtime_error_from(message, service_error)
self.kms_management_client = KmsManagementClient(
config, service_endpoint=vault.management_endpoint)
self.kms_crypto_client = KmsCryptoClient(
config, service_endpoint=vault.crypto_endpoint)
self.master_key_id = master_key_id
self.vault_id = vault.id
self.region = config["region"]
def generate_data_encryption_key(self, algorithm):
dek_key_shape = KeyShape()
# only AES is currently supported for client side encryption
if algorithm.algorithm.name != algorithms.AES.name:
raise ValueError(
"Only AES is currently supported for client side encryption with KMS master key"
)
dek_key_shape.algorithm = KeyShape.ALGORITHM_AES
dek_key_shape.length = algorithm.key_len
generate_key_details = GenerateKeyDetails()
generate_key_details.include_plaintext_key = True
generate_key_details.key_id = self.master_key_id
generate_key_details.key_shape = dek_key_shape
try:
generated_key = self.kms_crypto_client.generate_data_encryption_key(
generate_key_details).data
except ServiceError as service_error:
message = "Failed to generate data encryption key using masterKeyId: {master_key_id} while targeting vault: {vault_id}.".format(
master_key_id=self.master_key_id, vault_id=self.vault_id)
raise_runtime_error_from(message, service_error)
dek_plaintext_bytes = base64.b64decode(generated_key.plaintext)
dek_ciphertext_bytes = base64.b64decode(generated_key.ciphertext)
return DataEncryptionKey(
plaintext_key_bytes=dek_plaintext_bytes,
encrypted_key_bytes=dek_ciphertext_bytes,
plaintext_key_checksum=generated_key.plaintext_checksum,
)
def __init__(self, config, master_key_id, vault_id, **kwargs):
"""
Represents a MasterKey contained in the OCI Key Management Service.
:param dict config: (required)
An OCI config dict used to create underlying clients to talk to OCI KMS.
Note, the 'region' in this config must match the region that the key / vault
exist in otherwise they will not be found.
:param str master_key_id: (required)
The OCID of the KMS master key
:param str vault_id: (required)
The OCID of the vault containing the master key
:param signer: (optional)
The signer to use when signing requests made by the service client. The default is to use a :py:class:`~oci.signer.Signer` based on the values
provided in the config parameter.
One use case for this parameter is for `Instance Principals authentication <https://docs.cloud.oracle.com/Content/Identity/Tasks/callingservicesfrominstances.htm>`__
by passing an instance of :py:class:`~oci.auth.signers.InstancePrincipalsSecurityTokenSigner` as the value for this keyword argument
:type signer: :py:class:`~oci.signer.AbstractBaseSigner`
:param str region: (optional)
The region this master key resides in
"""
if not config and not kwargs.get("signer"):
raise ValueError("Either a config or signer must be passed in")
self.region = None
# Get region from **kwargs, config, or signer
if kwargs.get('region'):
self.region = kwargs.get("region")
elif "region" in config:
self.region = config["region"]
elif kwargs.get('signer'):
self.region = kwargs.get("signer").region
kms_vault_client = KmsVaultClient(config, **kwargs)
# There is a chance that caller specified a region and differs from the config or signer's region
kms_vault_client.base_client.set_region(self.region)
try:
vault = kms_vault_client.get_vault(vault_id).data
except ServiceError as service_error:
message = "Failed to access vaultId: {vault_id} while targeting region: {region}.".format(
vault_id=vault_id, region=self.region)
raise_runtime_error_from(message, service_error)
self.kms_management_client = KmsManagementClient(
config, service_endpoint=vault.management_endpoint, **kwargs)
self.kms_crypto_client = KmsCryptoClient(
config, service_endpoint=vault.crypto_endpoint, **kwargs)
self.master_key_id = master_key_id
self.vault_id = vault.id