-
Notifications
You must be signed in to change notification settings - Fork 6.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
samples: Add Python code snippets for importing-a-key doc (#67)
- Loading branch information
1 parent
9d82d9a
commit d8e0fdf
Showing
6 changed files
with
318 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Copyright 2020 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_check_state_import_job] | ||
| def check_state_import_job(project_id, location_id, key_ring_id, import_job_id): | ||
| """ | ||
| Check the state of an import job in Cloud KMS. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| import_job_id (string): ID of the import job (e.g. 'my-import-job'). | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Retrieve the fully-qualified import_job string. | ||
| import_job_name = client.import_job_path( | ||
| project_id, location_id, key_ring_id, import_job_id) | ||
|
|
||
| # Retrieve the state from an existing import job. | ||
| import_job = client.get_import_job(name=import_job_name) | ||
|
|
||
| print('Current state of import job {}: {}'.format(import_job.name, import_job.state)) | ||
| # [END kms_check_state_import_job] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Copyright 2020 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_check_state_imported_key] | ||
| def check_state_imported_key(project_id, location_id, key_ring_id, import_job_id): | ||
| """ | ||
| Check the state of an import job in Cloud KMS. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| import_job_id (string): ID of the import job (e.g. 'my-import-job'). | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Retrieve the fully-qualified import_job string. | ||
| import_job_name = client.import_job_path( | ||
| project_id, location_id, key_ring_id, import_job_id) | ||
|
|
||
| # Retrieve the state from an existing import job. | ||
| import_job = client.get_import_job(name=import_job_name) | ||
|
|
||
| print('Current state of import job {}: {}'.format(import_job.name, import_job.state)) | ||
| # [END kms_check_state_imported_key] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Copyright 2020 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_create_import_job] | ||
| def create_import_job(project_id, location_id, key_ring_id, import_job_id): | ||
| """ | ||
| Create a new import job in Cloud KMS. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| import_job_id (string): ID of the import job (e.g. 'my-import-job'). | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Retrieve the fully-qualified key_ring string. | ||
| key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) | ||
|
|
||
| # Set paramaters for the import job, allowed values for ImportMethod and ProtectionLevel found here: | ||
| # https://googleapis.dev/python/cloudkms/latest/_modules/google/cloud/kms_v1/types/resources.html | ||
| import_job_params = {"import_method": kms.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256, "protection_level": kms.ProtectionLevel.HSM} | ||
|
|
||
| # Call the client to create a new import job. | ||
| import_job = client.create_import_job({"parent": key_ring_name, "import_job_id": import_job_id, "import_job": import_job_params}) | ||
|
|
||
| print('Created import job: {}'.format(import_job.name)) | ||
| # [END kms_create_import_job] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # Copyright 2020 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_create_key_for_import] | ||
| def create_key_for_import(project_id, location_id, key_ring_id, crypto_key_id): | ||
| """ | ||
| Generate Cloud KMS-compatible key material locally and sets up an empty CryptoKey within a KeyRing for import. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| crypto_key_id (string): ID of the key to import (e.g. 'my-asymmetric-signing-key'). | ||
| """ | ||
|
|
||
| # Import Python standard cryptographic libraries. | ||
| from cryptography.hazmat.backends import default_backend | ||
| from cryptography.hazmat.primitives import serialization | ||
| from cryptography.hazmat.primitives.asymmetric import ec | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Generate some key material in Python and format it in PKCS #8 DER as | ||
| # required by Google Cloud KMS. | ||
| key = ec.generate_private_key(ec.SECP256R1, default_backend()) | ||
| formatted_key = key.private_bytes( | ||
| serialization.Encoding.DER, | ||
| serialization.PrivateFormat.PKCS8, | ||
| serialization.NoEncryption()) | ||
|
|
||
| print('Generated key bytes: {}'.format(formatted_key)) | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Build the key. For more information regarding allowed values of these fields, see: | ||
| # https://googleapis.dev/python/cloudkms/latest/_modules/google/cloud/kms_v1/types/resources.html | ||
| purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN | ||
| algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256 | ||
| protection_level = kms.ProtectionLevel.HSM | ||
| key = { | ||
| 'purpose': purpose, | ||
| 'version_template': { | ||
| 'algorithm': algorithm, | ||
| 'protection_level': protection_level | ||
| } | ||
| } | ||
|
|
||
| # Build the parent key ring name. | ||
| key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) | ||
|
|
||
| # Call the API. | ||
| created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': crypto_key_id, 'crypto_key': key}) | ||
| print('Created hsm key: {}'.format(created_key.name)) | ||
| # [END kms_create_key_for_import] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| # Copyright 2020 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_import_manually_wrapped_key] | ||
| def import_manually_wrapped_key(project_id, location_id, key_ring_id, crypto_key_id, import_job_id, key_material): | ||
| """ | ||
| Imports local key material to Cloud KMS. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| crypto_key_id (string): ID of the key to import (e.g. 'my-asymmetric-signing-key'). | ||
| import_job_id (string): ID of the import job (e.g. 'my-import-job'). | ||
| key_material (bytes): Locally generated key material in PKCS #8 DER format. | ||
| Returns: | ||
| CryptoKeyVersion: An instance of the imported key in Cloud KMS. | ||
| """ | ||
|
|
||
| # Import the client library and Python standard cryptographic libraries. | ||
| import os | ||
| from cryptography.hazmat.backends import default_backend | ||
| from cryptography.hazmat.primitives import hashes, keywrap, serialization | ||
| from cryptography.hazmat.primitives.asymmetric import padding | ||
| from google.cloud import kms | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Retrieve the fully-qualified crypto_key and import_job string. | ||
| crypto_key_name = client.crypto_key_path( | ||
| project_id, location_id, key_ring_id, crypto_key_id) | ||
| import_job_name = client.import_job_path( | ||
| project_id, location_id, key_ring_id, import_job_id) | ||
|
|
||
| # Generate a temporary 32-byte key for AES-KWP and wrap the key material. | ||
| kwp_key = os.urandom(32) | ||
| wrapped_target_key = keywrap.aes_key_wrap_with_padding( | ||
| kwp_key, key_material, default_backend()) | ||
|
|
||
| # Retrieve the public key from the import job. | ||
| import_job = client.get_import_job(name=import_job_name) | ||
| import_job_pub = serialization.load_pem_public_key( | ||
| bytes(import_job.public_key.pem, 'UTF-8'), default_backend()) | ||
|
|
||
| # Wrap the KWP key using the import job key. | ||
| wrapped_kwp_key = import_job_pub.encrypt( | ||
| kwp_key, | ||
| padding.OAEP( | ||
| mgf=padding.MGF1(algorithm=hashes.SHA1()), | ||
| algorithm=hashes.SHA1(), | ||
| label=None)) | ||
|
|
||
| # Import the wrapped key material. | ||
| client.import_crypto_key_version({ | ||
| "parent": crypto_key_name, | ||
| "import_job": import_job_name, | ||
| "algorithm": kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256, | ||
| "rsa_aes_wrapped_key": wrapped_kwp_key + wrapped_target_key, | ||
| }) | ||
|
|
||
| print('Imported: {}'.format(import_job.name)) | ||
| # [END kms_import_manually_wrapped_key] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters