此示例演示了如何使用 Google 公钥加密客户私钥,并确保只有 Google 才能解密。
代码示例
Python
试用此示例之前,请按照《Compute Engine 快速入门:使用客户端库》中的 Python 设置说明进行操作。如需了解详情,请参阅 Compute Engine Python API 参考文档。
如需向 Compute Engine 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import argparse
import base64
import os
from typing import Optional
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
import requests
# Location of the Google-published PEM certificate whose RSA public key is
# used to wrap the customer-supplied key; it is fetched over HTTPS at runtime.
GOOGLE_PUBLIC_CERT_URL = "https://cloud-certs.storage.googleapis.com/google-cloud-csek-ingress.pem"
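def get_google_public_cert_key() -> RSAPublicKey:
    """
    Downloads the Google public certificate.

    The certificate is fetched from GOOGLE_PUBLIC_CERT_URL over HTTPS and
    parsed as PEM; its public key is what wrap_rsa_key() encrypts with.

    Returns:
        RSAPublicKey object with the Google public certificate.

    Raises:
        requests.HTTPError: if the download does not return a success status.
        requests.Timeout: if the server does not respond within the timeout.
        TypeError: if the certificate does not carry an RSA public key.
    """
    # requests has no default timeout, so a stalled connection would hang
    # the caller indefinitely; bound it.
    r = requests.get(GOOGLE_PUBLIC_CERT_URL, timeout=30)
    r.raise_for_status()
    # Load the certificate.
    certificate = x509.load_pem_x509_certificate(r.content, default_backend())
    # Get the certificate's public key.
    public_key = certificate.public_key()
    # wrap_rsa_key() applies RSA-OAEP, so fail early with a clear message if
    # the served certificate ever carries a non-RSA key.
    if not isinstance(public_key, RSAPublicKey):
        raise TypeError(
            f"expected an RSA public key, got {type(public_key).__name__}"
        )
    return public_key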
def wrap_rsa_key(public_key: RSAPublicKey, private_key_bytes: bytes) -> bytes:
    """
    Use the Google public key to encrypt the customer private key.

    This means that only the Google private key is capable of decrypting
    the customer private key. The wrapping is RSA-OAEP with SHA-1 as both
    the OAEP hash and the MGF1 hash and no label.

    NOTE(review): the unwrapping side must use exactly these OAEP
    parameters, so do not change them here without confirming what the
    recipient expects.

    Args:
        public_key: The public key to use for encrypting.
        private_key_bytes: The private key to be encrypted.

    Returns:
        private_key_bytes encrypted using the public_key. Encoded using
        base64.
    """
    oaep = padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None,
    )
    ciphertext = public_key.encrypt(private_key_bytes, oaep)
    return base64.b64encode(ciphertext)
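def main(key_file: Optional[str]) -> None:
    """
    This script will encrypt a private key with Google public key.

    Args:
        key_file: path to a file containing your private key. If not
            provided, a new key will be generated (256 bit).

    Raises:
        ValueError: if the key read from key_file is not exactly 32 bytes.
        OSError: if key_file cannot be opened or read.
    """
    # Generate a new 256-bit private key if no key is specified.
    if not key_file:
        customer_key_bytes = os.urandom(32)
    else:
        with open(key_file, "rb") as f:
            customer_key_bytes = f.read()
        # Compute Engine customer-supplied keys are 256-bit, matching the
        # generated default; reject other sizes before the network round trip
        # so a truncated or text-encoded file fails here with a clear message.
        if len(customer_key_bytes) != 32:
            raise ValueError(
                f"{key_file}: expected a 32-byte (256-bit) key, "
                f"got {len(customer_key_bytes)} bytes"
            )
    google_public_key = get_google_public_cert_key()
    wrapped_rsa_key = wrap_rsa_key(google_public_key, customer_key_bytes)
    # The first line is the raw secret itself (only base64-encoded, not
    # protected); route stdout somewhere that is not a shared log.
    b64_key = base64.b64encode(customer_key_bytes).decode("utf-8")
    print(f"Base-64 encoded private key: {b64_key}")
    print(f"Wrapped RSA key: {wrapped_rsa_key.decode('utf-8')}")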
if __name__ == "__main__":
    # Command-line entry point: an optional --key_file, otherwise main()
    # generates a fresh key.
    arg_parser = argparse.ArgumentParser(
        description=__doc__,
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    arg_parser.add_argument(
        "--key_file", help="File containing your binary private key."
    )
    cli_args = arg_parser.parse_args()
    main(cli_args.key_file)
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。