Skip to content
This repository has been archived by the owner on Dec 31, 2023. It is now read-only.

Commit

Permalink
Browse files Browse the repository at this point in the history
feat: add support for Raw PKCS#1 signing keys (#195)
- [ ] Regenerate this pull request now.

PiperOrigin-RevId: 403966825

Source-Link: googleapis/googleapis@5b0219d

Source-Link: googleapis/googleapis-gen@ea0000e
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZWEwMDAwZTcwOGU4NjBiNjViNTc0NzgzZDVlYTYxYWQzNDA5MTFiZSJ9
  • Loading branch information
gcf-owl-bot[bot] committed Oct 18, 2021
1 parent 412bf4f commit 9c4f997
Show file tree
Hide file tree
Showing 6 changed files with 55 additions and 4 deletions.
Expand Up @@ -2387,7 +2387,7 @@ async def asymmetric_sign(
on the ``request`` instance; if ``request`` is provided, this
should not be set.
digest (:class:`google.cloud.kms_v1.types.Digest`):
Required. The digest of the data to sign. The digest
Optional. The digest of the data to sign. The digest
must be produced with the same digest algorithm as
specified by the key version's
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
Expand Down
Expand Up @@ -2475,7 +2475,7 @@ def asymmetric_sign(
on the ``request`` instance; if ``request`` is provided, this
should not be set.
digest (google.cloud.kms_v1.types.Digest):
Required. The digest of the data to sign. The digest
Optional. The digest of the data to sign. The digest
must be produced with the same digest algorithm as
specified by the key version's
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
Expand Down
3 changes: 3 additions & 0 deletions google/cloud/kms_v1/types/resources.py
Expand Up @@ -408,6 +408,9 @@ class CryptoKeyVersionAlgorithm(proto.Enum):
RSA_SIGN_PKCS1_3072_SHA256 = 6
RSA_SIGN_PKCS1_4096_SHA256 = 7
RSA_SIGN_PKCS1_4096_SHA512 = 16
RSA_SIGN_RAW_PKCS1_2048 = 28
RSA_SIGN_RAW_PKCS1_3072 = 29
RSA_SIGN_RAW_PKCS1_4096 = 30
RSA_DECRYPT_OAEP_2048_SHA256 = 8
RSA_DECRYPT_OAEP_3072_SHA256 = 9
RSA_DECRYPT_OAEP_4096_SHA256 = 10
Expand Down
46 changes: 45 additions & 1 deletion google/cloud/kms_v1/types/service.py
Expand Up @@ -869,7 +869,7 @@ class AsymmetricSignRequest(proto.Message):
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
use for signing.
digest (google.cloud.kms_v1.types.Digest):
Required. The digest of the data to sign. The digest must be
Optional. The digest of the data to sign. The digest must be
produced with the same digest algorithm as specified by the
key version's
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
Expand All @@ -894,13 +894,41 @@ class AsymmetricSignRequest(proto.Message):
However, it is a non-negative integer, which will never
exceed 2^32-1, and can be safely downconverted to uint32 in
languages that support this type.
data (bytes):
Optional. This field will only be honored for RAW_PKCS1
keys. The data to sign. A digest is computed over the data
that will be signed, PKCS #1 padding is applied to the
digest directly and then encrypted.
data_crc32c (google.protobuf.wrappers_pb2.Int64Value):
Optional. An optional CRC32C checksum of the
[AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
If specified,
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
will verify the integrity of the received
[AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
using this checksum.
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
will report an error if the checksum verification fails. If
you receive a checksum error, your client should verify that
CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
is equal to
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
and if so, perform a limited number of retries. A persistent
mismatch may indicate an issue in your computation of the
CRC32C checksum. Note: This field is defined as int64 for
reasons of compatibility across different languages.
However, it is a non-negative integer, which will never
exceed 2^32-1, and can be safely downconverted to uint32 in
languages that support this type.
"""

name = proto.Field(proto.STRING, number=1,)
digest = proto.Field(proto.MESSAGE, number=3, message="Digest",)
digest_crc32c = proto.Field(
proto.MESSAGE, number=4, message=wrappers_pb2.Int64Value,
)
data = proto.Field(proto.BYTES, number=6,)
data_crc32c = proto.Field(proto.MESSAGE, number=7, message=wrappers_pb2.Int64Value,)


class AsymmetricDecryptRequest(proto.Message):
Expand Down Expand Up @@ -1250,6 +1278,21 @@ class AsymmetricSignResponse(proto.Message):
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
used for signing. Check this field to verify that the
intended resource was used for signing.
verified_data_crc32c (bool):
Integrity verification field. A flag indicating whether
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
was received by
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
and used for the integrity verification of the
[data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A
false value of this field indicates either that
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
was left unset or that it was not delivered to
[KeyManagementService][google.cloud.kms.v1.KeyManagementService].
If you've set
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
but this field is still false, discard the response and
perform a limited number of retries.
protection_level (google.cloud.kms_v1.types.ProtectionLevel):
The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
of the
Expand All @@ -1263,6 +1306,7 @@ class AsymmetricSignResponse(proto.Message):
)
verified_digest_crc32c = proto.Field(proto.BOOL, number=3,)
name = proto.Field(proto.STRING, number=4,)
verified_data_crc32c = proto.Field(proto.BOOL, number=5,)
protection_level = proto.Field(
proto.ENUM, number=6, enum=resources.ProtectionLevel,
)
Expand Down
2 changes: 1 addition & 1 deletion scripts/fixup_kms_v1_keywords.py
Expand Up @@ -40,7 +40,7 @@ class kmsCallTransformer(cst.CSTTransformer):
CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata')
METHOD_TO_PARAMS: Dict[str, Tuple[str]] = {
'asymmetric_decrypt': ('name', 'ciphertext', 'ciphertext_crc32c', ),
'asymmetric_sign': ('name', 'digest', 'digest_crc32c', ),
'asymmetric_sign': ('name', 'digest', 'digest_crc32c', 'data', 'data_crc32c', ),
'create_crypto_key': ('parent', 'crypto_key_id', 'crypto_key', 'skip_initial_version_creation', ),
'create_crypto_key_version': ('parent', 'crypto_key_version', ),
'create_import_job': ('parent', 'import_job_id', 'import_job', ),
Expand Down
4 changes: 4 additions & 0 deletions tests/unit/gapic/kms_v1/test_key_management_service.py
Expand Up @@ -6111,6 +6111,7 @@ def test_asymmetric_sign(
signature=b"signature_blob",
verified_digest_crc32c=True,
name="name_value",
verified_data_crc32c=True,
protection_level=resources.ProtectionLevel.SOFTWARE,
)
response = client.asymmetric_sign(request)
Expand All @@ -6125,6 +6126,7 @@ def test_asymmetric_sign(
assert response.signature == b"signature_blob"
assert response.verified_digest_crc32c is True
assert response.name == "name_value"
assert response.verified_data_crc32c is True
assert response.protection_level == resources.ProtectionLevel.SOFTWARE


Expand Down Expand Up @@ -6167,6 +6169,7 @@ async def test_asymmetric_sign_async(
signature=b"signature_blob",
verified_digest_crc32c=True,
name="name_value",
verified_data_crc32c=True,
protection_level=resources.ProtectionLevel.SOFTWARE,
)
)
Expand All @@ -6182,6 +6185,7 @@ async def test_asymmetric_sign_async(
assert response.signature == b"signature_blob"
assert response.verified_digest_crc32c is True
assert response.name == "name_value"
assert response.verified_data_crc32c is True
assert response.protection_level == resources.ProtectionLevel.SOFTWARE


Expand Down

0 comments on commit 9c4f997

Please sign in to comment.