8000 feat: add support for Raw PKCS#1 signing keys (#195) · googleapis/python-kms@9c4f997 · GitHub
[go: up one dir, main page]
Skip to content
This repository was archived by the owner on Dec 31, 2023. It is now read-only.

Commit 9c4f997

Browse files
gcf-owl-bot[bot]gcf-owl-bot[bot]
authored
feat: add support for Raw PKCS#1 signing keys (#195)
- [ ] Regenerate this pull request now. PiperOrigin-RevId: 403966825 Source-Link: googleapis/googleapis@5b0219d Source-Link: https://github.com/googleapis/googleapis-gen/commit/ea0000e708e860b65b574783d5ea61ad340911be Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZWEwMDAwZTcwOGU4NjBiNjViNTc0NzgzZDVlYTYxYWQzNDA5MTFiZSJ9
1 parent 412bf4f commit 9c4f997

File tree

6 files changed

+55
-4
lines changed

6 files changed

+55
-4
lines changed

google/cloud/kms_v1/services/key_management_service/async_client.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2387,7 +2387,7 @@ async def asymmetric_sign(
23872387
on the ``request`` instance; if ``request`` is provided, this
23882388
should not be set.
23892389
digest (:class:`google.cloud.kms_v1.types.Digest`):
2390-
Required. The digest of the data to sign. The digest
2390+
Optional. The digest of the data to sign. The digest
23912391
must be produced with the same digest algorithm as
23922392
specified by the key version's
23932393
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

google/cloud/kms_v1/services/key_management_service/client.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2475,7 +2475,7 @@ def asymmetric_sign(
24752475
on the ``request`` instance; if ``request`` is provided, this
24762476
should not be set.
24772477
digest (google.cloud.kms_v1.types.Digest):
2478-
Required. The digest of the data to sign. The digest
2478+
Optional. The digest of the data to sign. The digest
24792479
must be produced with the same digest algorithm as
24802480
specified by the key version's
24812481
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

google/cloud/kms_v1/types/resources.py

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -408,6 +408,9 @@ class CryptoKeyVersionAlgorithm(proto.Enum):
408408
RSA_SIGN_PKCS1_3072_SHA256 = 6
409409
RSA_SIGN_PKCS1_4096_SHA256 = 7
410410
RSA_SIGN_PKCS1_4096_SHA512 = 16
411+
RSA_SIGN_RAW_PKCS1_2048 = 28
412+
RSA_SIGN_RAW_PKCS1_3072 = 29
413+
RSA_SIGN_RAW_PKCS1_4096 = 30
411414
RSA_DECRYPT_OAEP_2048_SHA256 = 8
412415
RSA_DECRYPT_OAEP_3072_SHA256 = 9
413416
RSA_DECRYPT_OAEP_4096_SHA256 = 10

google/cloud/kms_v1/types/service.py

Lines changed: 45 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -869,7 +869,7 @@ class AsymmetricSignRequest(proto.Message):
869869
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
870870
use for signing.
871871
digest (google.cloud.kms_v1.types.Digest):
872-
Required. The digest of the data to sign. The digest must be
872+
Optional. The digest of the data to sign. The digest must be
873873
produced with the same digest algorithm as specified by the
874874
key version's
875875
[algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
@@ -894,13 +894,41 @@ class AsymmetricSignRequest(proto.Message):
894894
However, it is a non-negative integer, which will never
895895
exceed 2^32-1, and can be safely downconverted to uint32 in
896896
languages that support this type.
897+
data (bytes):
898+
Optional. This field will only be honored for RAW_PKCS1
899+
keys. The data to sign. A digest is computed over the data
900+
that will be signed, PKCS #1 padding is applied to the
901+
digest directly and then encrypted.
902+
data_crc32c (google.protobuf.wrappers_pb2.Int64Value):
903+
Optional. An optional CRC32C checksum of the
904+
[AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
905+
If specified,
906+
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
907+
will verify the integrity of the received
908+
[AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
909+
using this checksum.
910+
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
911+
will report an error if the checksum verification fails. If
912+
you receive a checksum error, your client should verify that
913+
CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
914+
is equal to
915+
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
916+
and if so, perform a limited number of retries. A persistent
917+
mismatch may indicate an issue in your computation of the
918+
CRC32C checksum. Note: This field is defined as int64 for
919+
reasons of compatibility across different languages.
920+
However, it is a non-negative integer, which will never
921+
exceed 2^32-1, and can be safely downconverted to uint32 in
922+
languages that support this type.
897923
"""
898924

899925
name = proto.Field(proto.STRING, number=1,)
900926
digest = proto.Field(proto.MESSAGE, number=3, message="Digest",)
901927
digest_crc32c = proto.Field(
902928
proto.MESSAGE, number=4, message=wrappers_pb2.Int64Value,
903929
)
930+
data = proto.Field(proto.BYTES, number=6,)
931+
data_crc32c = proto.Field(proto.MESSAGE, number=7, message=wrappers_pb2.Int64Value,)
904932

905933

906934
class AsymmetricDecryptRequest(proto.Message):
@@ -1250,6 +1278,21 @@ class AsymmetricSignResponse(proto.Message):
12501278
[CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
12511279
used for signing. Check this field to verify that the
12521280
intended resource was used for signing.
1281+
verified_data_crc32c (bool):
1282+
Integrity verification field. A flag indicating whether
1283+
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
1284+
was received by
1285+
[KeyManagementService][google.cloud.kms.v1.KeyManagementService]
1286+
and used for the integrity verification of the
1287+
[data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A
1288+
false value of this field indicates either that
1289+
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
1290+
was left unset or that it was not delivered to
1291+
[KeyManagementService][google.cloud.kms.v1.KeyManagementService].
1292+
If you've set
1293+
[AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
1294+
but this field is still false, discard the response and
1295+
perform a limited number of retries.
12531296
protection_level (google.cloud.kms_v1.types.ProtectionLevel):
12541297
The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
12551298
of the
@@ -1263,6 +1306,7 @@ class AsymmetricSignResponse(proto.Message):
12631306
)
12641307
verified_digest_crc32c = proto.Field(proto.BOOL, number=3,)
12651308
name = proto.Field(proto.STRING, number=4,)
1309+
verified_data_crc32c = proto.Field(proto.BOOL, number=5,)
12661310
protection_level = proto.Field(
12671311
proto.ENUM, number=6, enum=resources.ProtectionLevel,
12681312
)

scripts/fixup_kms_v1_keywords.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ class kmsCallTransformer(cst.CSTTransformer):
4040
CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata')
4141
METHOD_TO_PARAMS: Dict[str, Tuple[str]] = {
4242
'asymmetric_decrypt': ('name', 'ciphertext', 'ciphertext_crc32c', ),
43-
'asymmetric_sign': ('name', 'digest', 'digest_crc32c', ),
43+
'asymmetric_sign': ('name', 'digest', 'digest_crc32c', 'data', 'data_crc32c', ),
4444
'create_crypto_key': ('parent', 'crypto_key_id', 'crypto_key', 'skip_initial_version_creation', ),
4545
'create_crypto_key_version': ('parent', 'crypto_key_version', ),
4646
'create_import_job': ('parent', 'import_job_id', 'import_job', ),

tests/unit/gapic/kms_v1/test_key_management_service.py

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6111,6 +6111,7 @@ def test_asymmetric_sign(
61116111
signature=b"signature_blob",
61126112
verified_digest_crc32c=True,
61136113
name="name_value",
6114+
verified_data_crc32c=True,
61146115
protection_level=resources.ProtectionLevel.SOFTWARE,
61156116
)
61166117
response = client.asymmetric_sign(request)
@@ -6125,6 +6126,7 @@ def test_asymmetric_sign(
61256126
assert response.signature == b"signature_blob"
61266127
assert response.verified_digest_crc32c is True
61276128
assert response.name == "name_value"
6129+
assert response.verified_data_crc32c is True
61286130
assert response.protection_level == resources.ProtectionLevel.SOFTWARE
61296131

61306132

@@ -6167,6 +6169,7 @@ async def test_asymmetric_sign_async(
61676169
signature=b"signature_blob",
61686170
verified_digest_crc32c=True,
61696171
name="name_value",
6172+
verified_data_crc32c=True,
61706173
protection_level=resources.ProtectionLevel.SOFTWARE,
61716174
)
61726175
)
@@ -6182,6 +6185,7 @@ async def test_asymmetric_sign_async(
61826185
assert response.signature == b"signature_blob"
61836186
assert response.verified_digest_crc32c is True
61846187
assert response.name == "name_value"
6188+
assert response.verified_data_crc32c is True
61856189
assert response.protection_level == resources.ProtectionLevel.SOFTWARE
61866190

61876191

0 commit comments

Comments
 (0)
0