Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding compute engine private key generation sample. #279

Merged
merged 1 commit into from
Apr 25, 2016
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions compute/encryption/generate_wrapped_rsa_key.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
#!/usr/bin/env python

# Copyright 2016 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Example of authenticating using access tokens directly on Compute Engine.

For more information, see the README.md under /compute.
"""

# [START all]

import argparse
import base64
import os

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
import requests


GOOGLE_PUBLIC_CERT_URL = (
'https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem')


def get_google_public_cert_key():
r = requests.get(GOOGLE_PUBLIC_CERT_URL)
r.raise_for_status()

# Load the certificate.
certificate = x509.load_pem_x509_certificate(
r.text.encode('utf-8'), default_backend())

# Get the certicate's public key.
public_key = certificate.public_key()

return public_key


def wrap_rsa_key(public_key, private_key_bytes):
# Use the Google public key to encrypt the customer private key.
# This means that only the Google private key is capable of decrypting
# the customer private key.
wrapped_key = public_key.encrypt(
private_key_bytes,
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None))
encoded_wrapped_key = base64.b64encode(wrapped_key)
return encoded_wrapped_key


def main(key_file):
# Generate a new 256-bit private key if no key is specified.
if not key_file:
customer_key_bytes = os.urandom(32)
else:
with open(key_file, 'rb') as f:
customer_key_bytes = f.read()

google_public_key = get_google_public_cert_key()
wrapped_rsa_key = wrap_rsa_key(google_public_key, customer_key_bytes)

print('Base-64 encoded private key: {}'.format(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will print out:

Base-64 encoded private key: xxxxxxxxxx
Wrapped RSA key: xxxxxxxx

so it can not be used for producing the file which you can use with gcloud. Does it make sense to only print out the wrapped key so that you can use this script in your shell scripting?

Maybe I'm wrong, and this use case should be covered by gcloud sdk (gcloud should provide wrap-private-key subcommand, or something) though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sed can extract it if someone is hard-headed enough to use this for shell scripting but too adverse to actually modify the file. :P

base64.b64encode(customer_key_bytes).decode('utf-8')))
print('Wrapped RSA key: {}'.format(wrapped_rsa_key.decode('utf-8')))


if __name__ == '__main__':
parser = argparse.ArgumentParser(
description=__doc__,
formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument(
'--key_file', help='File containing your binary private key.')

args = parser.parse_args()

main(args.key_file)
# [END all]
18 changes: 18 additions & 0 deletions compute/encryption/generate_wrapped_rsa_key_test.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Copyright 2016, Google, Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import generate_wrapped_rsa_key


def test_main():
generate_wrapped_rsa_key.main()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good for initial test. How about to write an e2e test that performs one of the operations listed on:
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
and runs it on jenkins?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can file a bug for that, but that's a really large test. It'd have to create an instance with an encrypted disk and then run tests from there. Yikes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a tough test, but IMO only checking if one of the operations succeeds is a good first step. I will file an issue.

2 changes: 2 additions & 0 deletions compute/encryption/requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
cryptography==1.3.1
requests==2.9.1