File: //snap/google-cloud-cli/current/lib/surface/kms/asymmetric_sign.py
# -*- coding: utf-8 -*- #
# Copyright 2017 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Sign a user input file using an asymmetric-signing key."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import exceptions as apitools_exceptions
from googlecloudsdk.api_lib.cloudkms import base as cloudkms_base
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions
from googlecloudsdk.command_lib.kms import crc32c
from googlecloudsdk.command_lib.kms import e2e_integrity
from googlecloudsdk.command_lib.kms import flags
from googlecloudsdk.command_lib.kms import get_digest
from googlecloudsdk.core import log
from googlecloudsdk.core.util import files
class AsymmetricSign(base.Command):
r"""Sign a user input file using an asymmetric-signing key version.
Creates a digital signature of the input file using the provided
asymmetric-signing key version and saves the base64 encoded signature.
The required flag `signature-file` indicates the path to store signature.
By default, the command performs integrity verification on data sent to and
received from Cloud KMS. Use `--skip-integrity-verification` to disable
integrity verification.
## EXAMPLES
The following command will read the file '/tmp/my/file.to.sign', digest it
with the digest algorithm 'sha256' and sign it using the asymmetric CryptoKey
`dont-panic` Version 3, and save the signature in base64 format to
'/tmp/my/signature'.
$ {command} \
--location=us-central1 \
--keyring=hitchhiker \
--key=dont-panic \
--version=3 \
--digest-algorithm=sha256 \
--input-file=/tmp/my/file.to.sign \
--signature-file=/tmp/my/signature
"""
@staticmethod
def Args(parser):
flags.AddKeyResourceFlags(parser, 'to use for signing.')
flags.AddCryptoKeyVersionFlag(parser, 'to use for signing')
flags.AddDigestAlgorithmFlag(parser, 'The algorithm to digest the input.')
flags.AddInputFileFlag(parser, 'to sign')
flags.AddSignatureFileFlag(parser, 'to output')
flags.AddSkipIntegrityVerification(parser)
def _PerformIntegrityVerification(self, args):
return not args.skip_integrity_verification
def _SignOnDigest(self, args):
return args.digest_algorithm is not None
def _ReadBinaryFile(self, path, max_bytes):
data = files.ReadBinaryFileContents(path)
if len(data) > max_bytes:
raise exceptions.BadFileException(
'The file [{0}] is larger than the maximum size of {1} bytes.'.format(
path, max_bytes))
return data
def _CreateAsymmetricSignRequestOnDigest(self, args):
try:
digest = get_digest.GetDigest(args.digest_algorithm, args.input_file)
except EnvironmentError as e:
raise exceptions.BadFileException(
'Failed to read input file [{0}]: {1}'.format(args.input_file, e))
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long
name=flags.ParseCryptoKeyVersionName(args).RelativeName())
if self._PerformIntegrityVerification(args):
# args.digest_algorithm has been verified in get_digest.GetDigest()
digest_crc32c = crc32c.Crc32c(getattr(digest, args.digest_algorithm))
req.asymmetricSignRequest = messages.AsymmetricSignRequest(
digest=digest, digestCrc32c=digest_crc32c)
else:
req.asymmetricSignRequest = messages.AsymmetricSignRequest(digest=digest)
return req
def _CreateAsymmetricSignRequestOnData(self, args):
"""Returns an AsymmetricSignRequest for use with a data input.
Populates an AsymmetricSignRequest with its data field populated by data
read from args.input_file. dataCrc32c is populated if integrity verification
is not skipped.
Args:
args: Input arguments.
Returns:
An AsymmetricSignRequest with data populated and dataCrc32c populated if
integrity verification is not skipped.
Raises:
exceptions.BadFileException: An error occurred reading the input file.
This can occur if the file can't be read or if the file is larger than
64 KiB.
"""
try:
# The Asymmetric Sign API limits the data input to 64KiB.
data = self._ReadBinaryFile(args.input_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read input file [{0}]: {1}'.format(args.input_file, e))
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long
name=flags.ParseCryptoKeyVersionName(args).RelativeName())
if self._PerformIntegrityVerification(args):
data_crc32c = crc32c.Crc32c(data)
req.asymmetricSignRequest = messages.AsymmetricSignRequest(
data=data, dataCrc32c=data_crc32c)
else:
req.asymmetricSignRequest = messages.AsymmetricSignRequest(data=data)
return req
def _CreateAsymmetricSignRequest(self, args):
if self._SignOnDigest(args):
return self._CreateAsymmetricSignRequestOnDigest(args)
else:
return self._CreateAsymmetricSignRequestOnData(args)
def _VerifyResponseIntegrityFields(self, req, resp, use_digest=True):
"""Verifies integrity fields in AsymmetricSignResponse."""
# Verify resource name.
if req.name != resp.name:
raise e2e_integrity.ResourceNameVerificationError(
e2e_integrity.GetResourceNameMismatchErrorMessage(
req.name, resp.name))
if use_digest:
# digest_crc32c was verified server-side.
if not resp.verifiedDigestCrc32c:
raise e2e_integrity.ClientSideIntegrityVerificationError(
e2e_integrity.GetRequestToServerCorruptedErrorMessage())
else:
# data_crc32c was verified server-side.
if not resp.verifiedDataCrc32c:
raise e2e_integrity.ClientSideIntegrityVerificationError(
e2e_integrity.GetRequestToServerCorruptedErrorMessage())
# Verify signature checksum.
if not crc32c.Crc32cMatches(resp.signature, resp.signatureCrc32c):
raise e2e_integrity.ClientSideIntegrityVerificationError(
e2e_integrity.GetResponseFromServerCorruptedErrorMessage())
def Run(self, args):
client = cloudkms_base.GetClientInstance()
req = self._CreateAsymmetricSignRequest(args)
try:
resp = (
client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
.AsymmetricSign(req))
# Intercept INVALID_ARGUMENT errors related to checksum verification, to
# present a user-friendly message. All other errors are surfaced as-is.
except apitools_exceptions.HttpBadRequestError as error:
e2e_integrity.ProcessHttpBadRequestError(error)
if self._PerformIntegrityVerification(args):
self._VerifyResponseIntegrityFields(
req, resp, use_digest=self._SignOnDigest(args))
try:
log.WriteToFileOrStdout(
args.signature_file,
resp.signature,
overwrite=True,
binary=True,
private=True)
except files.Error as e:
raise exceptions.BadFileException(e)