This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(kms): add samples for new hmac and rng apis (#161)
- Loading branch information
Showing
8 changed files
with
288 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # Copyright 2021 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_create_key_mac] | ||
| def create_key_mac(project_id, location_id, key_ring_id, id): | ||
| """ | ||
| Creates a new key in Cloud KMS for HMAC operations. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| id (string): ID of the key to create (e.g. 'my-mac-key'). | ||
| Returns: | ||
| CryptoKey: Cloud KMS key. | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
| from google.protobuf import duration_pb2 | ||
| import datetime | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Build the parent key ring name. | ||
| key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) | ||
|
|
||
| # Build the key. | ||
| purpose = kms.CryptoKey.CryptoKeyPurpose.MAC | ||
| algorithm = kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.HMAC_SHA256 | ||
| key = { | ||
| 'purpose': purpose, | ||
| 'version_template': { | ||
| 'algorithm': algorithm, | ||
| }, | ||
|
|
||
| # Optional: customize how long key versions should be kept before | ||
| # destroying. | ||
| 'destroy_scheduled_duration': duration_pb2.Duration().FromTimedelta(datetime.timedelta(days=1)) | ||
| } | ||
|
|
||
| # Call the API. | ||
| created_key = client.create_crypto_key(request={'parent': key_ring_name, 'crypto_key_id': id, 'crypto_key': key}) | ||
| print('Created mac key: {}'.format(created_key.name)) | ||
| return created_key | ||
| # [END kms_create_key_mac] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Copyright 2021 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_generate_random_bytes] | ||
| def generate_random_bytes(project_id, location_id, num_bytes): | ||
| """ | ||
| Generate random bytes with entropy sourced from the given location. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| num_bytes (integer): number of bytes of random data. | ||
| Returns: | ||
| bytes: Encrypted ciphertext. | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Import base64 for encoding the bytes for printing. | ||
| import base64 | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Build the location name. | ||
| location_name = client.common_location_path(project_id, location_id) | ||
|
|
||
| # Call the API. | ||
| protection_level = kms.ProtectionLevel.HSM | ||
| random_bytes_response = client.generate_random_bytes( | ||
| request={'location': location_name, 'length_bytes': num_bytes, 'protection_level': protection_level}) | ||
|
|
||
| print('Random bytes: {}'.format(base64.b64encode(random_bytes_response.data))) | ||
| return random_bytes_response | ||
| # [END kms_generate_random_bytes] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # Copyright 2021 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_sign_mac] | ||
| def sign_mac(project_id, location_id, key_ring_id, key_id, version_id, data): | ||
| """ | ||
| Sign a message using the public key part of an asymmetric key. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| key_id (string): ID of the key to use (e.g. 'my-key'). | ||
| version_id (string): Version to use (e.g. '1'). | ||
| data (string): Data to sign. | ||
| Returns: | ||
| MacSignResponse: Signature. | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Import base64 for printing the ciphertext. | ||
| import base64 | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Build the key version name. | ||
| key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) | ||
|
|
||
| # Convert the message to bytes. | ||
| data_bytes = data.encode('utf-8') | ||
|
|
||
| # Call the API | ||
| sign_response = client.mac_sign( | ||
| request={'name': key_version_name, 'data': data_bytes}) | ||
|
|
||
| print('Signature: {}'.format(base64.b64encode(sign_response.mac))) | ||
| return sign_response | ||
| # [END kms_sign_mac] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Copyright 2021 Google LLC | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
|
|
||
|
|
||
| # [START kms_verify_mac] | ||
| def verify_mac(project_id, location_id, key_ring_id, key_id, version_id, data, signature): | ||
| """ | ||
| Verify the signature of data from an HMAC key. | ||
| Args: | ||
| project_id (string): Google Cloud project ID (e.g. 'my-project'). | ||
| location_id (string): Cloud KMS location (e.g. 'us-east1'). | ||
| key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). | ||
| key_id (string): ID of the key to use (e.g. 'my-key'). | ||
| version_id (string): Version to use (e.g. '1'). | ||
| data (string): Data that was signed. | ||
| signature (bytes): Signature bytes. | ||
| Returns: | ||
| MacVerifyResponse: Success. | ||
| """ | ||
|
|
||
| # Import the client library. | ||
| from google.cloud import kms | ||
|
|
||
| # Create the client. | ||
| client = kms.KeyManagementServiceClient() | ||
|
|
||
| # Build the key version name. | ||
| key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) | ||
|
|
||
| # Convert the message to bytes. | ||
| data_bytes = data.encode('utf-8') | ||
|
|
||
| # Call the API | ||
| verify_response = client.mac_verify( | ||
| request={'name': key_version_name, 'data': data_bytes, 'mac': signature}) | ||
|
|
||
| print('Verified: {}'.format(verify_response.success)) | ||
| return verify_response | ||
| # [END kms_verify_mac] |