w,dZddlmZddlmZddlmZddlZddlmZddl m Z ddl m Z ddl mZddl mZdd l mZdd l mZdd lmZdd lmZdd lmZdZGdde j0Zy)z)Encrypt a plaintext file using a raw key.)absolute_import)division)unicode_literalsN) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filesc>eZdZdZedZdZdZdZdZ dZ y) RawEncrypta( Encrypt a plaintext file using a raw key. Encrypts the given plaintext file using the given CryptoKey containing a raw key and writes the result to the named ciphertext file. The plaintext file must not be larger than 64KiB. For the AES-CBC algorithms, no server-side padding is being done, so the plaintext must be a multiple of the block size. The supported algorithms are: `AES-128-GCM`, `AES-256-GCM`, `AES-128-CBC`, `AES-256-CBC`, `AES-128-CTR`, `and AES-256-CTR`. `AES-GCM` provides authentication which means that it accepts additional authenticated data (AAD). So, the flag `--additional-authenticated-data-file` is only valid with `AES-128-GCM` and `AES-256-GCM` algorithms. The initialization vector (flag `--initialization-vector-file`) is only supported for `AES-CBC` and `AES-CTR` algorithms, and must be 16B in length. Therefore, both additional authenticated data and initialization vector can't be provided during encryption. If an additional authenticated data file is provided, its contents must also be provided during decryption. The file must not be larger than 64KiB. The flag `--version` indicates the version of the key to use for encryption. If `--plaintext-file` or `--additional-authenticated-data-file` or `--initialization-vector-file` is set to '-', that file is read from stdin. Similarly, if `--ciphertext-file` is set to '-', the ciphertext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES The following command reads and encrypts the file `path/to/input/plaintext`. The file will be encrypted using the `AES-GCM` CryptoKey `KEYNAME` from the KeyRing `KEYRING` in the `global` location using the additional authenticated data file `path/to/input/aad`. The resulting ciphertext will be written to `path/to/output/ciphertext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --plaintext-file=path/to/input/plaintext \ --additional-authenticated-data-file=path/to/input/aad \ --ciphertext-file=path/to/output/ciphertext The following command reads and encrypts the file `path/to/input/plaintext`. The file will be encrypted using the `AES-CBC` CryptoKey `KEYNAME` from the KeyRing `KEYRING` in the `global` location using the initialization vector stored at `path/to/input/aad`. The resulting ciphertext will be written to `path/to/output/ciphertext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --plaintext-file=path/to/input/plaintext \ --initialization-vector-file=path/to/input/iv \ --ciphertext-file=path/to/output/ciphertext c6tj|dtj|ddtj|dtj|dtj |dtj |tj|y)NzThe key to use for encryption.zto use for encryptionTz to encryptz to outputzfor encryption)r AddKeyResourceFlagsAddCryptoKeyVersionFlagAddPlaintextFileFlagAddCiphertextFileFlag AddIvFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/raw_encrypt.pyArgszRawEncrypt.Argsfss f&FG !!&*A4H v|4  4  01   &&v.ctj|d}t||kDr%tjdj |||S)NT)binaryz   c! ''3.  2 2c 9  / / N ''(;(;u'Mi C ..  ##  3 3u$  B &&   " "  + +#  RO #)) * , 3 3O D  44T:N..0H  ` `  ( ( * a C  ))$/y1--#i==%j&88!&)*%.,6 9c J '88!&)9c JE ;;  ' ' 4 ; ;!!1  [[ )) J VD;;Q ?   [[ )) B I I//    sH3G9I !J 9I /H;;IJ /JJ  K /KKc|j|jk7r=tjtj|j|j|js'tj tj |js'tj tj |js'tj tj tj|j|js'tj tjy)aVerifies integrity fields in RawEncryptResponse. Note: This methods assumes that self._PerformIntegrityVerification() is True and that all request CRC32C fields were pupolated. Args: req: messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsRawEncryptRequest() object resp: messages.RawEncryptResponse() object. Returns: Void. Raises: e2e_integrity.ServerSideIntegrityVerificationError if the server reports request integrity verification error. e2e_integrity.ClientSideIntegrityVerificationError if response integrity verification fails. N)r.r ResourceNameVerificationError#GetResourceNameMismatchErrorMessageverifiedPlaintextCrc32c$ClientSideIntegrityVerificationError'GetRequestToServerCorruptedErrorMessage)verifiedAdditionalAuthenticatedDataCrc32c"verifiedInitializationVectorCrc32cr Crc32cMatches ciphertextciphertextCrc32c*GetResponseFromServerCorruptedErrorMessage)r#rHresps r_VerifyResponseIntegrityFieldsz)RawEncrypt._VerifyResponseIntegrityFieldss* xx499  7 7  ; ;CHHdii P   ' '  > >  ? ? A   9 9  > >  ? ? A   2 2  > >  ? ? A    1F1F G  > >  B B D  Hrctj}|j|}d} |jj |}|j|r|j|| tj|j|jdd|jsS|j rFdt#t%j&ddz}t)j*||j dyyy#t j $r}tj|Yd}~d}~wwxYw#t(j,$r}t/j0|d}~wwxYw)NT)r overwritez./inialization_vector_)r\)r<GetClientInstancerL8projects_locations_keyRings_cryptoKeys_cryptoKeyVersionsrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr+rZr WriteToFileOrStdoutciphertext_filerVr5r0struuiduuid4r WriteBinaryFileContentsr9rr!)r#r*clientrHrYerror iv_file_namerCs rRunzRawEncrypt.Run s-  , , .F  ' ' -C D6  L L W W d ))$/ ))#t4+      , ,1J1J/#djjl2CBQ2GG  %%   % % 2K ,  2 26..u556& ;;+  ' ' **+s0C5(B D*5D'D""D'*E=EEN) __name__ __module__ __qualname____doc__ staticmethodrr'r+rLrZrlrrrr$s8?B//0Xt0d+rr)rp __future__rrrrfapitools.base.pyrr`googlecloudsdk.api_lib.cloudkmsrr<googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr r:Commandrrrrrr|sK0&' >A(.180#2*C+C+r