GoogleCloudPlatform · dandhlee · Nov 14, 2022 · Feb 7, 2017 · Feb 8, 2017 · Feb 9, 2017
@@ -69,3 +69,4 @@
 /trace/**/*                            @ymotongpoo @GoogleCloudPlatform/python-samples-reviewers
 /translate/**/*                        @nicain @GoogleCloudPlatform/python-samples-reviewers
 /workflows/**/*                        @GoogleCloudPlatform/python-samples-reviewers
+/kms/**/**                             @GoogleCloudPlatform/dee-infra @GoogleCloudPlatform/python-samples-reviewers
@@ -126,6 +126,11 @@ assign_issues_by:
   - 'api: monitoring'
   to: 
   - GoogleCloudPlatform/dee-observability
+- labels:
+  - 'api: kms'
+  - 'api: cloudkms'
+  to: 
+  - GoogleCloudPlatform/dee-infra
 
 assign_prs_by:
 - labels:

@@ -0,0 +1,120 @@
+Google Cloud Key Management Service Python Samples
+===============================================================================
+
+.. image:: https://gstatic.com/cloudssh/images/open-btn.png
+   :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/attestations/README.rst
+
+
+This directory contains samples for Google Cloud Key Management Service. The `Cloud Key Management Service`_ allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service.
+
+
+
+
+.. _Cloud Key Management Service: https://cloud.google.com/kms/docs/
+
+
+
+
+
+Setup
+-------------------------------------------------------------------------------
+
+
+Install Dependencies
+++++++++++++++++++++
+
+#. Clone python-kms and change directory to the sample directory you want to use.
+
+    .. code-block:: bash
+
+        $ git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
+
+#. Install `pip`_ and `virtualenv`_ if you do not already have them. You may want to refer to the `Python Development Environment Setup Guide`_ for Google Cloud Platform for instructions.
+
+   .. _Python Development Environment Setup Guide:
+       https://cloud.google.com/python/setup
+
+#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+.
+
+    .. code-block:: bash
+
+        $ virtualenv env
+        $ source env/bin/activate
+
+#. Install the dependencies needed to run the samples.
+
+    .. code-block:: bash
+
+        $ pip install -r requirements.txt
+
+.. _pip: https://pip.pypa.io/
+.. _virtualenv: https://virtualenv.pypa.io/
+
+Samples
+-------------------------------------------------------------------------------
+
+Verify attestations and certificate chains for keys generated by Cloud HSM
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+.. image:: https://gstatic.com/cloudssh/images/open-btn.png
+   :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/attestations/verify_attestation_chains.py,kms/attestations/README.rst
+
+
+
+
+To run this sample:
+
+.. code-block:: bash
+
+    $ python verify_attestation_chains.py
+
+    usage: verify_attestation_chains.py [-h] [--certificates CERTIFICATES]
+                                        [--attestation ATTESTATION]
+
+    This application verifies HSM attestations using certificate chains
+    obtained from Cloud HSM and the HSM manufacturer.
+
+    For more information, visit https://cloud.google.com/kms/docs/attest-key.
+
+    optional arguments:
+      -h, --help            show this help message and exit
+      --certificates CERTIFICATES
+                            The certificate chains filename.
+      --attestation ATTESTATION
+                            The attestation filename.
+
+
+
+Verify attestations for keys generated by Cloud HSM
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+.. image:: https://gstatic.com/cloudssh/images/open-btn.png
+   :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/attestations/verify_attestation.py,kms/attestations/README.rst
+
+
+
+
+To run this sample:
+
+.. code-block:: bash
+
+    $ python verify_attestation.py
+
+    usage: verify_attestation.py [-h] attestation_file bundle_file
+
+    This application verifies HSM attestations using certificate bundles obtained
+    from Cloud HSM. For more information, visit https://cloud.google.com/kms/docs
+    /attest-key.
+
+    positional arguments:
+      attestation_file  Name of attestation file.
+      bundle_file       Name of certificate bundle file.
+
+    optional arguments:
+      -h, --help        show this help message and exit
+
+
+
+
+
+.. _Google Cloud SDK: https://cloud.google.com/sdk/
@@ -0,0 +1,42 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be imported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/main/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": False,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT',
+    # If you need to use a specific version of pip,
+    # change pip_version_override to the string representation
+    # of the version number, for example, "20.2.4"
+    "pip_version_override": None,
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}
@@ -0,0 +1 @@
+pytest==7.2.0
@@ -0,0 +1,3 @@
+cryptography==38.0.2
+pem==21.2.0
+requests==2.28.1
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""This application verifies HSM attestations using certificate bundles
+obtained from Cloud HSM.
+
+For more information, visit https://cloud.google.com/kms/docs/attest-key.
+"""
+
+# [START kms_verify_attestations]
+import argparse
+import gzip
+
+from cryptography import exceptions
+from cryptography import x509
+from cryptography.hazmat import backends
+from cryptography.hazmat.primitives.asymmetric import padding
+import pem
+
+
+def verify(attestation_file, bundle_file):
+    """Verifies an attestation using a bundle of certificates.
+
+    Args:
+      attestation_file: The name of the attestation file.
+      bundle_file: The name of the bundle file containing the certificates
+        used to verify the attestation.
+
+    Returns:
+      True if at least one of the certificates in bundle_file can verify the
+      attestation data and its signature.
+    """
+    with gzip.open(attestation_file, 'rb') as f:
+        # An attestation file consists of a data portion and a 256 byte
+        # signature portion concatenated together.
+        attestation = f.read()
+        # Separate the components.
+        data = attestation[:-256]
+        signature = attestation[-256:]
+
+        # Verify the attestation with one of the certificates in the bundle
+        for cert in pem.parse_file(bundle_file):
+            cert_obj = x509.load_pem_x509_certificate(
+                str(cert).encode('utf-8'), backends.default_backend())
+            try:
+                # Check if the data was signed by the private key associated
+                # with the public key in the certificate. The data should have
+                # been signed with PKCS1v15 padding.
+                cert_obj.public_key().verify(
+                    signature, data, padding.PKCS1v15(),
+                    cert_obj.signature_hash_algorithm)
+                return True
+            except exceptions.InvalidSignature:
+                # Certificate bundles contain certificates that will not be
+                # able to verify the attestation, so the InvalidSignature
+                # errors can be ignored.
+                continue
+        return False
+# [END kms_verify_attestations]
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+            description=__doc__)
+    parser.add_argument('attestation_file', help="Name of attestation file.")
+    parser.add_argument('bundle_file', help="Name of certificate bundle file.")
+
+    args = parser.parse_args()
+
+    if verify(args.attestation_file, args.bundle_file):
+        print('Signature verified.')
+    else:
+        print('Signature verification failed.')