From 9c4f997d09e9a83141eda767cd2bb63a0bf58a37 Mon Sep 17 00:00:00 2001 From: "gcf-owl-bot[bot]" <78513119+gcf-owl-bot[bot]@users.noreply.github.com> Date: Mon, 18 Oct 2021 17:24:37 +0000 Subject: [PATCH] feat: add support for Raw PKCS#1 signing keys (#195) - [ ] Regenerate this pull request now. PiperOrigin-RevId: 403966825 Source-Link: https://github.com/googleapis/googleapis/commit/5b0219d5e496aecf5943d559e3cfe67b48163fd9 Source-Link: https://github.com/googleapis/googleapis-gen/commit/ea0000e708e860b65b574783d5ea61ad340911be Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZWEwMDAwZTcwOGU4NjBiNjViNTc0NzgzZDVlYTYxYWQzNDA5MTFiZSJ9 --- .../key_management_service/async_client.py | 2 +- .../services/key_management_service/client.py | 2 +- google/cloud/kms_v1/types/resources.py | 3 ++ google/cloud/kms_v1/types/service.py | 46 ++++++++++++++++++- scripts/fixup_kms_v1_keywords.py | 2 +- .../kms_v1/test_key_management_service.py | 4 ++ 6 files changed, 55 insertions(+), 4 deletions(-) diff --git a/google/cloud/kms_v1/services/key_management_service/async_client.py b/google/cloud/kms_v1/services/key_management_service/async_client.py index 6aa94ef9..ce3c6908 100644 --- a/google/cloud/kms_v1/services/key_management_service/async_client.py +++ b/google/cloud/kms_v1/services/key_management_service/async_client.py @@ -2387,7 +2387,7 @@ async def asymmetric_sign( on the ``request`` instance; if ``request`` is provided, this should not be set. digest (:class:`google.cloud.kms_v1.types.Digest`): - Required. The digest of the data to sign. The digest + Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. diff --git a/google/cloud/kms_v1/services/key_management_service/client.py b/google/cloud/kms_v1/services/key_management_service/client.py index 06b5ab13..639c5801 100644 
--- a/google/cloud/kms_v1/services/key_management_service/client.py +++ b/google/cloud/kms_v1/services/key_management_service/client.py @@ -2475,7 +2475,7 @@ def asymmetric_sign( on the ``request`` instance; if ``request`` is provided, this should not be set. digest (google.cloud.kms_v1.types.Digest): - Required. The digest of the data to sign. The digest + Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. diff --git a/google/cloud/kms_v1/types/resources.py b/google/cloud/kms_v1/types/resources.py index 8f2da1b3..91c0ecdd 100644 --- a/google/cloud/kms_v1/types/resources.py +++ b/google/cloud/kms_v1/types/resources.py @@ -408,6 +408,9 @@ class CryptoKeyVersionAlgorithm(proto.Enum): RSA_SIGN_PKCS1_3072_SHA256 = 6 RSA_SIGN_PKCS1_4096_SHA256 = 7 RSA_SIGN_PKCS1_4096_SHA512 = 16 + RSA_SIGN_RAW_PKCS1_2048 = 28 + RSA_SIGN_RAW_PKCS1_3072 = 29 + RSA_SIGN_RAW_PKCS1_4096 = 30 RSA_DECRYPT_OAEP_2048_SHA256 = 8 RSA_DECRYPT_OAEP_3072_SHA256 = 9 RSA_DECRYPT_OAEP_4096_SHA256 = 10 diff --git a/google/cloud/kms_v1/types/service.py b/google/cloud/kms_v1/types/service.py index 9f789293..c3d32be9 100644 --- a/google/cloud/kms_v1/types/service.py +++ b/google/cloud/kms_v1/types/service.py @@ -869,7 +869,7 @@ class AsymmetricSignRequest(proto.Message): [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing. digest (google.cloud.kms_v1.types.Digest): - Required. The digest of the data to sign. The digest must be + Optional. The digest of the data to sign. The digest must be produced with the same digest algorithm as specified by the key version's [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. 
@@ -894,6 +894,32 @@ class AsymmetricSignRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. + data (bytes): + Optional. This field will only be honored for RAW_PKCS1 + keys. The data to sign. A digest is computed over the data + that will be signed, PKCS #1 padding is applied to the + digest directly and then encrypted. + data_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Optional. An optional CRC32C checksum of the + [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]. + If specified, + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will verify the integrity of the received + [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data] + using this checksum. + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will report an error if the checksum verification fails. If + you receive a checksum error, your client should verify that + CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]) + is equal to + [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c], + and if so, perform a limited number of retries. A persistent + mismatch may indicate an issue in your computation of the + CRC32C checksum. Note: This field is defined as int64 for + reasons of compatibility across different languages. + However, it is a non-negative integer, which will never + exceed 2^32-1, and can be safely downconverted to uint32 in + languages that support this type. """ name = proto.Field(proto.STRING, number=1,) 
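Review bot: The new `data` field docstring in `AsymmetricSignRequest` is ambiguous about who hashes: it says "A digest is computed over the data that will be signed, PKCS #1 padding is applied to the digest directly and then encrypted", yet the field is honored only for the new `RSA_SIGN_RAW_PKCS1_*` algorithms, whose "RAW" naming suggests the service pads the supplied bytes as-is rather than hashing them — a caller who reads this as "the service hashes for me" will end up signing a different payload than intended, and for a raw PKCS#1 v1.5 primitive the caller controls the entire padded message, so that distinction is the whole security contract. Nothing visible here enforces mutual exclusion between `digest` (now marked Optional) and `data` either: both are plain optional fields (`data = proto.Field(proto.BYTES, number=6,)`), and the `asymmetric_sign` docstrings say `digest` is Optional without saying when `data` replaces it. I would reword the first sentences to state which one applies, hedged until confirmed against the service: `Optional. Honored only for RSA_SIGN_RAW_PKCS1_* keys; must not be set together with digest. The bytes to sign, to which the service applies PKCS #1 v1.5 padding directly (no digest is computed by the service — confirm with the API owners).` Since this file is OwlBot-generated from the proto, the wording fix belongs in the upstream proto comment and will otherwise be overwritten on the next regeneration. The `AsymmetricSignRequest` class starts outside this hunk.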
@@ -901,6 +927,8 @@ class AsymmetricSignRequest(proto.Message): digest_crc32c = proto.Field( proto.MESSAGE, number=4, message=wrappers_pb2.Int64Value, ) + data = proto.Field(proto.BYTES, number=6,) + data_crc32c = proto.Field(proto.MESSAGE, number=7, message=wrappers_pb2.Int64Value,) class AsymmetricDecryptRequest(proto.Message): @@ -1250,6 +1278,21 @@ class AsymmetricSignResponse(proto.Message): [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. Check this field to verify that the intended resource was used for signing. + verified_data_crc32c (bool): + Integrity verification field. A flag indicating whether + [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] + was received by + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + and used for the integrity verification of the + [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A + false value of this field indicates either that + [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] + was left unset or that it was not delivered to + [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. + If you've set + [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] + but this field is still false, discard the response and + perform a limited number of retries. protection_level (google.cloud.kms_v1.types.ProtectionLevel): The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the @@ -1263,6 +1306,7 @@ class AsymmetricSignResponse(proto.Message): ) verified_digest_crc32c = proto.Field(proto.BOOL, number=3,) name = proto.Field(proto.STRING, number=4,) + verified_data_crc32c = proto.Field(proto.BOOL, number=5,) protection_level = proto.Field( proto.ENUM, number=6, enum=resources.ProtectionLevel, ) diff --git a/scripts/fixup_kms_v1_keywords.py b/scripts/fixup_kms_v1_keywords.py index 9ee8a97d..1c0a208b 100644 --- a/scripts/fixup_kms_v1_keywords.py 
+++ b/scripts/fixup_kms_v1_keywords.py @@ -40,7 +40,7 @@ class kmsCallTransformer(cst.CSTTransformer): CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata') METHOD_TO_PARAMS: Dict[str, Tuple[str]] = { 'asymmetric_decrypt': ('name', 'ciphertext', 'ciphertext_crc32c', ), - 'asymmetric_sign': ('name', 'digest', 'digest_crc32c', ), + 'asymmetric_sign': ('name', 'digest', 'digest_crc32c', 'data', 'data_crc32c', ), 'create_crypto_key': ('parent', 'crypto_key_id', 'crypto_key', 'skip_initial_version_creation', ), 'create_crypto_key_version': ('parent', 'crypto_key_version', ), 'create_import_job': ('parent', 'import_job_id', 'import_job', ), diff --git a/tests/unit/gapic/kms_v1/test_key_management_service.py b/tests/unit/gapic/kms_v1/test_key_management_service.py index 4550d6b3..ee18395b 100644 --- a/tests/unit/gapic/kms_v1/test_key_management_service.py +++ b/tests/unit/gapic/kms_v1/test_key_management_service.py @@ -6111,6 +6111,7 @@ def test_asymmetric_sign( signature=b"signature_blob", verified_digest_crc32c=True, name="name_value", + verified_data_crc32c=True, protection_level=resources.ProtectionLevel.SOFTWARE, ) response = client.asymmetric_sign(request) @@ -6125,6 +6126,7 @@ def test_asymmetric_sign( assert response.signature == b"signature_blob" assert response.verified_digest_crc32c is True assert response.name == "name_value" + assert response.verified_data_crc32c is True assert response.protection_level == resources.ProtectionLevel.SOFTWARE @@ -6167,6 +6169,7 @@ async def test_asymmetric_sign_async( signature=b"signature_blob", verified_digest_crc32c=True, name="name_value", + verified_data_crc32c=True, protection_level=resources.ProtectionLevel.SOFTWARE, ) ) 
@@ -6182,6 +6185,7 @@ async def test_asymmetric_sign_async( assert response.signature == b"signature_blob" assert response.verified_digest_crc32c is True assert response.name == "name_value" + assert response.verified_data_crc32c is True assert response.protection_level == resources.ProtectionLevel.SOFTWARE