diff --git a/compute/encryption/generate_wrapped_rsa_key.py b/compute/encryption/generate_wrapped_rsa_key.py new file mode 100644 index 0000000000000..832c90b679ad0 --- /dev/null +++ b/compute/encryption/generate_wrapped_rsa_key.py @@ -0,0 +1,80 @@ +#!/usr/bin/env python + +# Copyright 2016 Google Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Example of authenticating using access tokens directly on Compute Engine. + +For more information, see the README.md under /compute. +""" + +# [START all] + +import base64 +import os + +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import padding +import requests + + +GOOGLE_PUBLIC_CERT_URL = ( + 'https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem') + + +def get_google_public_cert_key(): + r = requests.get(GOOGLE_PUBLIC_CERT_URL) + r.raise_for_status() + + # Load the certificate. + certificate = x509.load_pem_x509_certificate( + r.text.encode('utf-8'), default_backend()) + + # Get the certicate's public key. + public_key = certificate.public_key() + + return public_key + + +def wrap_rsa_key(public_key, private_key_bytes): + # Use the Google public key to encrypt the customer private key. + # This means that only the Google private key is capable of decrypting + # the customer private key. + wrapped_key = public_key.encrypt( + private_key_bytes, + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None)) + encoded_wrapped_key = base64.b64encode(wrapped_key) + return encoded_wrapped_key + + +def main(): + # Generate a new 256-bit private key. + customer_key_bytes = os.urandom(32) + + google_public_key = get_google_public_cert_key() + wrapped_rsa_key = wrap_rsa_key(google_public_key, customer_key_bytes) + + print('Base-64 encoded private key: {}'.format( + base64.b64encode(customer_key_bytes).decode('utf-8'))) + print('Wrapped RSA key: {}'.format(wrapped_rsa_key.decode('utf-8'))) + + +if __name__ == '__main__': + main() +# [END all] diff --git a/compute/encryption/generate_wrapped_rsa_key_test.py b/compute/encryption/generate_wrapped_rsa_key_test.py new file mode 100644 index 0000000000000..0a4df73d1e5e1 --- /dev/null +++ b/compute/encryption/generate_wrapped_rsa_key_test.py @@ -0,0 +1,18 @@ +# Copyright 2016, Google, Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import generate_wrapped_rsa_key + + +def test_main(): + generate_wrapped_rsa_key.main() diff --git a/compute/encryption/requirements.txt b/compute/encryption/requirements.txt new file mode 100644 index 0000000000000..7c778bee74a33 --- /dev/null +++ b/compute/encryption/requirements.txt @@ -0,0 +1,2 @@ +cryptography==1.3.1 +requests==2.9.1