def ConvertFromKmsSignatureAlgorithm(self, kms_algorithm):
"""Convert a KMS SignatureAlgorithm into a Binauthz SignatureAlgorithm."""
binauthz_enum = self.messages.PkixPublicKey.SignatureAlgorithmValueValuesEnum
kms_enum = kms_maps.ALGORITHM_ENUM
alg_map = {
kms_enum.RSA_SIGN_PSS_2048_SHA256.name:
binauthz_enum.RSA_PSS_2048_SHA256,
kms_enum.RSA_SIGN_PSS_3072_SHA256.name:
binauthz_enum.RSA_PSS_3072_SHA256,
kms_enum.RSA_SIGN_PSS_4096_SHA256.name:
binauthz_enum.RSA_PSS_4096_SHA256,
kms_enum.RSA_SIGN_PSS_4096_SHA512.name:
binauthz_enum.RSA_PSS_4096_SHA512,
kms_enum.RSA_SIGN_PKCS1_2048_SHA256.name:
binauthz_enum.RSA_SIGN_PKCS1_2048_SHA256,
kms_enum.RSA_SIGN_PKCS1_3072_SHA256.name:
binauthz_enum.RSA_SIGN_PKCS1_3072_SHA256,
kms_enum.RSA_SIGN_PKCS1_4096_SHA256.name:
binauthz_enum.RSA_SIGN_PKCS1_4096_SHA256,
kms_enum.RSA_SIGN_PKCS1_4096_SHA512.name:
binauthz_enum.RSA_SIGN_PKCS1_4096_SHA512,
kms_enum.EC_SIGN_P256_SHA256.name: binauthz_enum.ECDSA_P256_SHA256,
kms_enum.EC_SIGN_P384_SHA384.name: binauthz_enum.ECDSA_P384_SHA384,
}
try:
return alg_map[kms_algorithm.name]
except KeyError:
raise exceptions.InvalidArgumentError(
'Unsupported PkixPublicKey signature algorithm: "{}"'.format(
kms_algorithm.name))
def UpdateKey(self,
attestor_ref,
pubkey_id,
pgp_pubkey_content=None,
comment=None):
"""Update a key on an attestor.
Args:
attestor_ref: ResourceSpec, The attestor to be updated.
pubkey_id: The ID of the key to update.
pgp_pubkey_content: The contents of the public key file.
comment: The comment on the public key.
Returns:
The updated public key.
Raises:
NotFoundError: If an expected public key could not be located by ID.
InvalidStateError: If multiple public keys matched the provided ID.
InvalidArgumentError: If a non-PGP key is updated with pgp_pubkey_content.
"""
attestor = self.Get(attestor_ref)
existing_keys = [
public_key
for public_key in attestor.userOwnedDrydockNote.publicKeys
if public_key.id == pubkey_id
]
if not existing_keys:
raise exceptions.NotFoundError(
'No matching public key found on attestor [{}]'.format(
attestor.name))
if len(existing_keys) > 1:
raise exceptions.InvalidStateError(
'Multiple matching public keys found on attestor [{}]'.format(
attestor.name))
existing_key = existing_keys[0]
if pgp_pubkey_content is not None:
if not existing_key.asciiArmoredPgpPublicKey:
raise exceptions.InvalidArgumentError(
'Cannot update a non-PGP PublicKey with a PGP public key')
existing_key.asciiArmoredPgpPublicKey = pgp_pubkey_content
if comment is not None:
existing_key.comment = comment
updated_attestor = self.client.projects_attestors.Update(attestor)
return next(
public_key
for public_key in updated_attestor.userOwnedDrydockNote.publicKeys
if public_key.id == pubkey_id)
def Run(self, args):
api_version = apis.GetApiVersion(self.ReleaseTrack())
attestors_client = attestors.Client(api_version)
attestor_ref = args.CONCEPTS.attestor.Parse()
if args.pgp_public_key_file and args.public_key_id_override:
raise exceptions.InvalidArgumentError(
'--public-key-id-override may not be used with old-style PGP keys'
)
if args.keyversion:
key_resource = args.CONCEPTS.keyversion.Parse()
public_key = kms.Client().GetPublicKey(key_resource.RelativeName())
return attestors_client.AddPkixKey(
attestor_ref,
pkix_pubkey_content=public_key.pem,
pkix_sig_algorithm=attestors_client.
ConvertFromKmsSignatureAlgorithm(public_key.algorithm),
id_override=(args.public_key_id_override
or kms.GetKeyUri(key_resource)),
comment=args.comment)
elif args.pkix_public_key_file:
alg_mapper = pkix.GetAlgorithmMapper(api_version)
return attestors_client.AddPkixKey(
attestor_ref,
pkix_pubkey_content=args.pkix_public_key_file,
pkix_sig_algorithm=alg_mapper.GetEnumForChoice(
args.pkix_public_key_algorithm),
id_override=args.public_key_id_override,
comment=args.comment)
else:
# TODO(b/71700164): Validate the contents of the public key file.
return attestors_client.AddPgpKey(
attestor_ref,
pgp_pubkey_content=args.pgp_public_key_file,
comment=args.comment)