135 lines
4.9 KiB
Python
135 lines
4.9 KiB
Python
# -*- coding: utf-8 -*- #
|
|
# Copyright 2025 Google LLC. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Decapsulate an input file using a key-encapsulation key version."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
from apitools.base.py import exceptions as apitools_exceptions
|
|
from googlecloudsdk.api_lib.cloudkms import base as cloudkms_base
|
|
from googlecloudsdk.calliope import base
|
|
from googlecloudsdk.calliope import exceptions
|
|
from googlecloudsdk.command_lib.kms import crc32c
|
|
from googlecloudsdk.command_lib.kms import e2e_integrity
|
|
from googlecloudsdk.command_lib.kms import flags
|
|
from googlecloudsdk.core import log
|
|
from googlecloudsdk.core.console import console_io
|
|
from googlecloudsdk.core.util import files
|
|
|
|
|
|
@base.UniverseCompatible
|
|
class Decapsulate(base.Command):
|
|
r"""Decapsulate an input file using a key-encapsulation key version.
|
|
|
|
Decapsulates the given ciphertext file using the provided key-encapsulation
|
|
key version and saves the decapsulated shared secret to the shared secret file.
|
|
|
|
By default, the command performs integrity verification on data sent to and
|
|
received from Cloud KMS. Use `--skip-integrity-verification` to disable
|
|
integrity verification.
|
|
|
|
## EXAMPLES
|
|
The following command will read the file '/tmp/my/secret.file.enc', decapsulate it
|
|
using the key encapsulation CryptoKey `my-key` Version 3 and write the shared secret
|
|
to '/tmp/my/secret.file.dec'.
|
|
|
|
$ {command} \
|
|
--location=us-central1 \
|
|
--keyring=my-keyring \
|
|
--key=my-key \
|
|
--version=3 \
|
|
--ciphertext-file=/tmp/my/secret.file.enc \
|
|
--shared-secret-file=/tmp/my/secret.file.dec
|
|
|
|
"""
|
|
|
|
@staticmethod
|
|
def Args(parser):
|
|
flags.AddKeyResourceFlags(parser, 'to use for decapsulation.')
|
|
flags.AddCryptoKeyVersionFlag(parser, 'to use for decapsulation')
|
|
flags.AddCiphertextFileFlag(parser, 'to decapsulate')
|
|
flags.AddSharedSecretFileFlag(parser, 'to output')
|
|
flags.AddSkipIntegrityVerification(parser)
|
|
|
|
def _PerformIntegrityVerification(self, args):
|
|
return not args.skip_integrity_verification
|
|
|
|
def _CreateDecapsulateRequest(self, args):
|
|
try:
|
|
ciphertext = console_io.ReadFromFileOrStdin(
|
|
args.ciphertext_file, binary=True)
|
|
except files.Error as e:
|
|
raise exceptions.BadFileException(
|
|
'Failed to read ciphertext file [{0}]: {1}'.format(
|
|
args.ciphertext_file, e))
|
|
|
|
messages = cloudkms_base.GetMessagesModule()
|
|
crypto_key_ref = flags.ParseCryptoKeyVersionName(args)
|
|
|
|
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDecapsulateRequest( # pylint: disable=line-too-long
|
|
name=crypto_key_ref.RelativeName()
|
|
)
|
|
if self._PerformIntegrityVerification(args):
|
|
ciphertext_crc32c = crc32c.Crc32c(ciphertext)
|
|
req.decapsulateRequest = messages.DecapsulateRequest(
|
|
ciphertext=ciphertext, ciphertextCrc32c=ciphertext_crc32c
|
|
)
|
|
else:
|
|
req.decapsulateRequest = messages.DecapsulateRequest(
|
|
ciphertext=ciphertext
|
|
)
|
|
|
|
return req
|
|
|
|
def _VerifyResponseIntegrityFields(self, req, resp):
|
|
"""Verifies integrity fields in response."""
|
|
|
|
# ciphertext_crc32c was verified server-side.
|
|
if not resp.verifiedCiphertextCrc32c:
|
|
raise e2e_integrity.ClientSideIntegrityVerificationError(
|
|
e2e_integrity.GetRequestToServerCorruptedErrorMessage())
|
|
|
|
# Verify plaintext checksum.
|
|
if not crc32c.Crc32cMatches(resp.sharedSecret, resp.sharedSecretCrc32c):
|
|
raise e2e_integrity.ClientSideIntegrityVerificationError(
|
|
e2e_integrity.GetResponseFromServerCorruptedErrorMessage())
|
|
|
|
def Run(self, args):
|
|
req = self._CreateDecapsulateRequest(args)
|
|
client = cloudkms_base.GetClientInstance()
|
|
try:
|
|
resp = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Decapsulate(
|
|
req
|
|
)
|
|
|
|
if self._PerformIntegrityVerification(args):
|
|
self._VerifyResponseIntegrityFields(req, resp)
|
|
|
|
log.WriteToFileOrStdout(
|
|
args.shared_secret_file,
|
|
resp.sharedSecret or '',
|
|
overwrite=True,
|
|
binary=True,
|
|
private=True,
|
|
)
|
|
|
|
# Intercept INVALID_ARGUMENT errors related to checksum verification to
|
|
# present a user-friendly message. All other errors are surfaced as-is.
|
|
except apitools_exceptions.HttpBadRequestError as error:
|
|
e2e_integrity.ProcessHttpBadRequestError(error)
|
|
except files.Error as e:
|
|
raise exceptions.BadFileException(e)
|