&dZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl mZddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZd ZGdde j.Zy)z*Decrypt a ciphertext file using a raw key.)absolute_import)division)unicode_literals) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filesc>eZdZdZedZdZdZdZdZ dZ y) RawDecryptaDecrypt a ciphertext file using a raw key. `{command}` decrypts the given ciphertext file using the given CryptoKey containing a raw key and writes the result to the named plaintext file. The ciphertext file must not be larger than 64KiB. The supported algorithms are: `AES-128-GCM`, `AES-256-GCM`, `AES-128-CBC`, `AES-256-CBC`, `AES-128-CTR`, `and AES-256-CTR`. `AES-GCM` provides authentication which means that it accepts additional authenticated data (AAD). So, the flag `--additional-authenticated-data-file` is only valid with `AES-128-GCM` and `AES-256-GCM` algorithms. If AAD is provided during encryption, it must be provided during decryption too. The file must not be larger than 64KiB. If `--plaintext-file` or `--additional-authenticated-data-file` or `--initialization-vector-file` is set to '-', that file is read from stdin. Similarly, if `--ciphertext-file` is set to '-', the ciphertext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES The following command reads and decrypts the file `path/to/input/ciphertext`. The file will be decrypted using the CryptoKey `KEYNAME` containing a raw key, from the KeyRing `KEYRING` in the `global` location. It uses the additional authenticated data file `path/to/input/aad` (only valid with the `AES-GCM` algorithms) and the initialization vector file `path/to/input/iv`. The resulting plaintext will be written to `path/to/output/plaintext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --ciphertext-file=path/to/input/ciphertext \ --additional-authenticated-data-file=path/to/input/aad \ --initialization-vector-file=path/to/input/iv \ --plaintext-file=path/to/output/plaintext c6tj|dtj|ddtj|dtj|dtj |dtj |tj|y)Nz$The (raw) key to use for decryption.zto use for decryptionTzto store the decrypted dataz to decryptzfor decryption)r AddKeyResourceFlagsAddCryptoKeyVersionFlagAddPlaintextFileFlagAddCiphertextFileFlag AddIvFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/raw_decrypt.pyArgszRawDecrypt.ArgsNst f&LM !!&*A4H v'DE  5  01   &&v.ctj|d}t||kDr%tjdj |||S)NT)binaryz 5  #  3 3s :  / / F 5  ''3.  3 3s :  / / 2 5  ((   ))j    ) )_ ! b 2w/!  ' ' ( * 1 1/ B  C ..  ##  3 3u$ 44T:N..0Hdd  ( ( *eG  ))$/ -- 3--#i==%j"*"<"<!&),%.,6 #=#g N #+"<"<!&)#=#g NA ;;  ' ' 5 < <""A   ;;  ' ' @ G G--q  ([[ )) J VD;;Q ?   sHH >  ? ? A   9 9  > >  ? ? A   2 2  > >  ? ? A    0D0D E  > >  B B D  Frcd}|j|}tj} |jj |}|j|r|j| |j?tj|j5 dddtj dytj"|j|jddy#t j $r}tj|Yd}~d}~wwxYw#1swYxYw#tj$$r}t'j(|d}~wwxYw)NzDecrypted file is emptyT)r overwrite)rLr<GetClientInstance8projects_locations_keyRings_cryptoKeys_cryptoKeyVersionsrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr+rXrTr FileWriterplaintext_filer PrintWriteToFileOrStdoutr9rr!)r#r*responserHclienterrorrCs rRunzRawDecrypt.RunsH++D1G  , , .F6PP[[ h ))$/ ))(3 +    #   d11 2 3 +,    !3!3DD   2 26..u5563 2 ;;+  ' ' **+sMC '+D!DD!2-D! D3D  DDD!!E4E  EN) __name__ __module__ __qualname____doc__ staticmethodrr'r+rLrXrgrrrr#s7(T//0aF6+rrN)rk __future__rrrapitools.base.pyrr]googlecloudsdk.api_lib.cloudkmsrr<googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr r:CommandrrmrrrwsH1&'>A(.180#2*[+[+r