C"dZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl mZddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZGd de j,Zy)z&Decrypt a ciphertext file using a key.)absolute_import)division)unicode_literals) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filesc>eZdZdZedZdZdZdZdZ dZ y) DecryptaDecrypt a ciphertext file using a Cloud KMS key. `{command}` decrypts the given ciphertext file using the given Cloud KMS key and writes the result to the named plaintext file. Note that to permit users to decrypt using a key, they must be have at least one of the following IAM roles for that key: `roles/cloudkms.cryptoKeyDecrypter`, `roles/cloudkms.cryptoKeyEncrypterDecrypter`. Additional authenticated data (AAD) is used as an additional check by Cloud KMS to authenticate a decryption request. If an additional authenticated data file is provided, its contents must match the additional authenticated data provided during encryption and must not be larger than 64KiB. If you don't provide a value for `--additional-authenticated-data-file`, an empty string is used. For a thorough explanation of AAD, refer to this guide: https://cloud.google.com/kms/docs/additional-authenticated-data If `--ciphertext-file` or `--additional-authenticated-data-file` is set to '-', that file is read from stdin. Note that both files cannot be read from stdin. Similarly, if `--plaintext-file` is set to '-', the decrypted plaintext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES To decrypt the file 'path/to/ciphertext' using the key `frodo` with key ring `fellowship` and location `global` and write the plaintext to 'path/to/plaintext.dec', run: $ {command} \ --key=frodo \ --keyring=fellowship \ --location=global \ --ciphertext-file=path/to/input/ciphertext \ --plaintext-file=path/to/output/plaintext.dec To decrypt the file 'path/to/ciphertext' using the key `frodo` and the additional authenticated data that was used to encrypt the ciphertext, and write the decrypted plaintext to stdout, run: $ {command} \ --key=frodo \ --keyring=fellowship \ --location=global \ --additional-authenticated-data-file=path/to/aad \ --ciphertext-file=path/to/input/ciphertext \ --plaintext-file='-' ctj|dtj|dtj|dtj|tj |y)NaCloud KMS key to use for decryption. * For symmetric keys, Cloud KMS detects the decryption key version from the ciphertext. If you specify a key version as part of a symmetric decryption request, an error is logged and decryption fails. * For asymmetric keys, the encryption key version can't be detected automatically. You must keep track of this information and provide the key version in the decryption request. The key version itself is not sensitive data and does not need to be encrypted.z^to decrypt. This file should contain the result of encrypting a file with `gcloud kms encrypt`z to output)r AddKeyResourceFlagsAddCiphertextFileFlagAddPlaintextFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/decrypt.pyArgsz Decrypt.ArgsUs` C D +, v{3   &&v.ctj|d}t||kDr%tjdj |||S)NT)binaryzPj#22&),,6 38c J$22S3Bc J[ ;;(  ' ' 5 < <""A ' ((([[A)) J VD;;Q ?A AAs/F "G G /GGH*/HHctj|j|js't j t j y)z&Verifies integrity fields in response.N)r Crc32cMatches plaintextplaintextCrc32cr $ClientSideIntegrityVerificationError*GetResponseFromServerCorruptedErrorMessage)r rAresps r_VerifyResponseIntegrityFieldsz&Decrypt._VerifyResponseIntegrityFieldssE   0D0D E  > >  B B D FF Frc|j|}tj} |jj |}|j|r|j| j?tj|j5 dddtj dytj"|j|jddy#t j $r}tj|Yd}~d}~wwxYw#1swYxYw#tj$$r}t'j(|d}~wwxYw)NzDecrypted file is emptyT)r overwrite)rDr6GetClientInstance&projects_locations_keyRings_cryptoKeysrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr(rLrGr FileWriterplaintext_filer PrintWriteToFileOrStdoutr3rr)r r'rAclientrKerrorr=s rRunz Decrypt.Runs  $ $T *C  , , .F6  : : B B3 Gd  ))$/ ))#t4 +     d11 2 3 +,     N  2 26..u5563 2 ;;+  ' ' **+sMC&+D DD 1-D D2D  DDD E 3EE N) __name__ __module__ __qualname____doc__ staticmethodrr$r(rDrLrZrrrr!s71f//$0;zF+rrN)r^ __future__rrrapitools.base.pyrrQgooglecloudsdk.api_lib.cloudkmsrr6googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr Commandrr`rrrjsC-&'>A(.180#2*n+dlln+r