feat: add support for Raw PKCS#1 signing keys (#195)

- [ ] Regenerate this pull request now. PiperOrigin-RevId: 403966825 Source-Link: googleapis/googleapis@5b0219d Source-Link: googleapis/googleapis-gen@ea0000e Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZWEwMDAwZTcwOGU4NjBiNjViNTc0NzgzZDVlYTYxYWQzNDA5MTFiZSJ9
googleapis · Oct 18, 2021 · 29aaf20 · 29aaf20
1 parent f872c91
commit 29aaf20
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 4 deletions.
diff --git a/...ages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py b/...ages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py
@@ -2387,7 +2387,7 @@ async def asymmetric_sign(
                 on the ``request`` instance; if ``request`` is provided, this
                 should not be set.
             digest (:class:`google.cloud.kms_v1.types.Digest`):
-                Required. The digest of the data to sign. The digest
+                Optional. The digest of the data to sign. The digest
                 must be produced with the same digest algorithm as
                 specified by the key version's
                 [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py b/packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py
@@ -2475,7 +2475,7 @@ def asymmetric_sign(
                 on the ``request`` instance; if ``request`` is provided, this
                 should not be set.
             digest (google.cloud.kms_v1.types.Digest):
-                Required. The digest of the data to sign. The digest
+                Optional. The digest of the data to sign. The digest
                 must be produced with the same digest algorithm as
                 specified by the key version's
                 [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].

diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py b/packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py
@@ -408,6 +408,9 @@ class CryptoKeyVersionAlgorithm(proto.Enum):
         RSA_SIGN_PKCS1_3072_SHA256 = 6
         RSA_SIGN_PKCS1_4096_SHA256 = 7
         RSA_SIGN_PKCS1_4096_SHA512 = 16
+        RSA_SIGN_RAW_PKCS1_2048 = 28
+        RSA_SIGN_RAW_PKCS1_3072 = 29
+        RSA_SIGN_RAW_PKCS1_4096 = 30
         RSA_DECRYPT_OAEP_2048_SHA256 = 8
         RSA_DECRYPT_OAEP_3072_SHA256 = 9
         RSA_DECRYPT_OAEP_4096_SHA256 = 10

diff --git a/packages/google-cloud-kms/google/cloud/kms_v1/types/service.py b/packages/google-cloud-kms/google/cloud/kms_v1/types/service.py
@@ -869,7 +869,7 @@ class AsymmetricSignRequest(proto.Message):
             [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
             use for signing.
         digest (google.cloud.kms_v1.types.Digest):
-            Required. The digest of the data to sign. The digest must be
+            Optional. The digest of the data to sign. The digest must be
             produced with the same digest algorithm as specified by the
             key version's
             [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
@@ -894,13 +894,41 @@ class AsymmetricSignRequest(proto.Message):
             However, it is a non-negative integer, which will never
             exceed 2^32-1, and can be safely downconverted to uint32 in
             languages that support this type.
+        data (bytes):
+            Optional. This field will only be honored for RAW_PKCS1
+            keys. The data to sign. A digest is computed over the data
+            that will be signed, PKCS #1 padding is applied to the
+            digest directly and then encrypted.
+        data_crc32c (google.protobuf.wrappers_pb2.Int64Value):
+            Optional. An optional CRC32C checksum of the
+            [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
+            If specified,
+            [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+            will verify the integrity of the received
+            [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
+            using this checksum.
+            [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+            will report an error if the checksum verification fails. If
+            you receive a checksum error, your client should verify that
+            CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
+            is equal to
+            [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
+            and if so, perform a limited number of retries. A persistent
+            mismatch may indicate an issue in your computation of the
+            CRC32C checksum. Note: This field is defined as int64 for
+            reasons of compatibility across different languages.
+            However, it is a non-negative integer, which will never
+            exceed 2^32-1, and can be safely downconverted to uint32 in
+            languages that support this type.
     """
 
     name = proto.Field(proto.STRING, number=1,)
     digest = proto.Field(proto.MESSAGE, number=3, message="Digest",)
     digest_crc32c = proto.Field(
         proto.MESSAGE, number=4, message=wrappers_pb2.Int64Value,
     )
+    data = proto.Field(proto.BYTES, number=6,)
+    data_crc32c = proto.Field(proto.MESSAGE, number=7, message=wrappers_pb2.Int64Value,)
 
 
 class AsymmetricDecryptRequest(proto.Message):
@@ -1250,6 +1278,21 @@ class AsymmetricSignResponse(proto.Message):
             [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
             used for signing. Check this field to verify that the
             intended resource was used for signing.
+        verified_data_crc32c (bool):
+            Integrity verification field. A flag indicating whether
+            [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+            was received by
+            [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
+            and used for the integrity verification of the
+            [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A
+            false value of this field indicates either that
+            [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+            was left unset or that it was not delivered to
+            [KeyManagementService][google.cloud.kms.v1.KeyManagementService].
+            If you've set
+            [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
+            but this field is still false, discard the response and
+            perform a limited number of retries.
         protection_level (google.cloud.kms_v1.types.ProtectionLevel):
             The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
             of the
@@ -1263,6 +1306,7 @@ class AsymmetricSignResponse(proto.Message):
     )
     verified_digest_crc32c = proto.Field(proto.BOOL, number=3,)
     name = proto.Field(proto.STRING, number=4,)
+    verified_data_crc32c = proto.Field(proto.BOOL, number=5,)
     protection_level = proto.Field(
         proto.ENUM, number=6, enum=resources.ProtectionLevel,
     )

diff --git a/packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py b/packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py
@@ -40,7 +40,7 @@ class kmsCallTransformer(cst.CSTTransformer):
     CTRL_PARAMS: Tuple[str] = ('retry', 'timeout', 'metadata')
     METHOD_TO_PARAMS: Dict[str, Tuple[str]] = {
         'asymmetric_decrypt': ('name', 'ciphertext', 'ciphertext_crc32c', ),
-        'asymmetric_sign': ('name', 'digest', 'digest_crc32c', ),
+        'asymmetric_sign': ('name', 'digest', 'digest_crc32c', 'data', 'data_crc32c', ),
         'create_crypto_key': ('parent', 'crypto_key_id', 'crypto_key', 'skip_initial_version_creation', ),
         'create_crypto_key_version': ('parent', 'crypto_key_version', ),
         'create_import_job': ('parent', 'import_job_id', 'import_job', ),

diff --git a/packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py b/packages/google-cloud-kms/tests/unit/gapic/kms_v1/test_key_management_service.py
@@ -6111,6 +6111,7 @@ def test_asymmetric_sign(
             signature=b"signature_blob",
             verified_digest_crc32c=True,
             name="name_value",
+            verified_data_crc32c=True,
             protection_level=resources.ProtectionLevel.SOFTWARE,
         )
         response = client.asymmetric_sign(request)
@@ -6125,6 +6126,7 @@ def test_asymmetric_sign(
     assert response.signature == b"signature_blob"
     assert response.verified_digest_crc32c is True
     assert response.name == "name_value"
+    assert response.verified_data_crc32c is True
     assert response.protection_level == resources.ProtectionLevel.SOFTWARE
 
 
@@ -6167,6 +6169,7 @@ async def test_asymmetric_sign_async(
                 signature=b"signature_blob",
                 verified_digest_crc32c=True,
                 name="name_value",
+                verified_data_crc32c=True,
                 protection_level=resources.ProtectionLevel.SOFTWARE,
             )
         )
@@ -6182,6 +6185,7 @@ async def test_asymmetric_sign_async(
     assert response.signature == b"signature_blob"
     assert response.verified_digest_crc32c is True
     assert response.name == "name_value"
+    assert response.verified_data_crc32c is True
     assert response.protection_level == resources.ProtectionLevel.SOFTWARE