Skip to content
Permalink
Browse files
feat(samples): add local generation for crypto keys (#98)
  • Loading branch information
FrodoTheTrue committed Aug 3, 2021
1 parent 73effb4 commit 0668ffde892bec99a4cd574bbc257fcc2de6c1c7
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 59 deletions.
@@ -15,7 +15,6 @@
# limitations under the License.

# [START privateca_create_certificate]
from google.cloud import kms
import google.cloud.security.privateca_v1 as privateca_v1
from google.protobuf import duration_pb2

@@ -26,13 +25,10 @@ def create_certificate(
ca_pool_name: str,
ca_name: str,
certificate_name: str,
kms_location: str,
key_ring_id: str,
key_id: str,
key_version_id: str,
common_name: str,
domain_name: str,
certificate_lifetime: int,
public_key_bytes: bytes,
) -> None:
"""
Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
@@ -44,30 +40,21 @@ def create_certificate(
ca_pool_name: set a unique name for the CA pool.
ca_name: the name of the certificate authority which issues the certificate.
certificate_name: set a unique name for the certificate.
kms_location: Cloud KMS location.
key_ring_id: ID of the Cloud KMS key ring.
key_id: ID of the key to use.
key_version_id: verstion ID of the key to use.
common_name: a title for your certificate.
domain_name: fully qualified domain name for your certificate.
certificate_lifetime: the validity of the certificate in seconds.
public_key_bytes: public key used in signing the certificates.
"""

kmsClient = kms.KeyManagementServiceClient()
caServiceClient = privateca_v1.CertificateAuthorityServiceClient()

# To sign and issue a certificate, a public key is essential. Here, we are making use
# of Cloud KMS to retrieve an already created public key. For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
# Generating keys locally is also possible.
# The public key used to sign the certificate can be generated using any crypto library/framework.
# Also you can use Cloud KMS to retrieve an already created public key.
# For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.

key_version_name = kmsClient.crypto_key_version_path(
project_id, kms_location, key_ring_id, key_id, key_version_id
)
kms_public_key = kmsClient.get_public_key(name=key_version_name)

# Set the Public Key and its format as obtained from the Cloud KMS.
# Set the Public Key and its format.
public_key = privateca_v1.PublicKey(
key=str.encode(kms_public_key.pem),
key=public_key_bytes,
format_=privateca_v1.PublicKey.KeyFormat.PEM,
)

@@ -1,2 +1,3 @@
pytest==6.2.4
google-auth==1.34.0
google-auth==1.34.0
cryptography==3.4.7
@@ -17,8 +17,13 @@
import typing
import uuid

from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.primitives.asymmetric import rsa

from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.hazmat.primitives.serialization import PublicFormat

import google.auth
from google.cloud import kms

from create_certificate import create_certificate
from disable_certificate_authority import disable_certificate_authority
@@ -31,7 +36,6 @@
COMMON_NAME = "COMMON_NAME"
ORGANIZATION = "ORGANIZATION"
CERTIFICATE_LIFETIME = 1000000
KEY_VERSION = 1
DOMAIN_NAME = "domain.com"


@@ -42,62 +46,32 @@ def generate_name() -> str:
def test_create_and_revoke_certificate_authority(
certificate_authority, capsys: typing.Any
) -> None:
KEY_RING_ID = generate_name()
CRYPTO_KEY_ID = generate_name()
CERT_NAME = generate_name()

CA_POOL_NAME, CA_NAME = certificate_authority
enable_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME)

kms_client = kms.KeyManagementServiceClient()

kms_location_name = kms_client.common_location_path(PROJECT, LOCATION)

kms_client.create_key_ring(
request={
"parent": kms_location_name,
"key_ring_id": KEY_RING_ID,
"key_ring": {},
}
private_key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=backend
)

key_ring_path = kms_client.key_ring_path(PROJECT, LOCATION, KEY_RING_ID)

purpose = kms.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
algorithm = (
kms.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
)
key = {
"purpose": purpose,
"version_template": {
"algorithm": algorithm,
},
}

kms_client.create_crypto_key(
request={
"parent": key_ring_path,
"crypto_key_id": CRYPTO_KEY_ID,
"crypto_key": key,
}
public_key_bytes = private_key.public_key().public_bytes(
Encoding.PEM, PublicFormat.SubjectPublicKeyInfo
)

# Wait while crypto key is generating
time.sleep(30)
time.sleep(5)

create_certificate(
PROJECT,
LOCATION,
CA_POOL_NAME,
CA_NAME,
CERT_NAME,
LOCATION,
KEY_RING_ID,
CRYPTO_KEY_ID,
KEY_VERSION,
COMMON_NAME,
DOMAIN_NAME,
CERTIFICATE_LIFETIME,
public_key_bytes,
)

revoke_certificate(

0 comments on commit 0668ffd

Please sign in to comment.