このトピックでは、Cloud HSM で乱数生成ツールからランダムなバイトを取得する方法について説明します。
始める前に
- サービスがランダムバイトを生成するクラウドのロケーションで、cloudkms.locations.generateRandomBytes 権限を付与します。Cloud Key Management Service の権限については、権限とロールをご覧ください。
ランダムバイトを生成する
C#
このコードを実行するには、まず C# 開発環境を設定し、Cloud KMS C# SDK をインストールします。
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Kms.V1;
public class GenerateRandomBytesSample
{
    /// <summary>
    /// Requests <paramref name="numBytes"/> bytes of random data from the Cloud HSM
    /// random number generator in the given location.
    /// </summary>
    /// <param name="projectId">Google Cloud project ID.</param>
    /// <param name="locationId">Cloud KMS location whose HSM supplies the entropy.</param>
    /// <param name="numBytes">Number of random bytes requested.</param>
    /// <returns>The raw random bytes returned by the service.</returns>
    public byte[] GenerateRandomBytes(
        string projectId = "my-project", string locationId = "us-east1", int numBytes = 256)
    {
        var client = KeyManagementServiceClient.Create();
        var parent = new LocationName(projectId, locationId).ToString();

        // ProtectionLevel.Hsm pins the request to the HSM-backed RNG.
        var response = client.GenerateRandomBytes(parent, numBytes, ProtectionLevel.Hsm);

        // The payload is raw binary and may contain non-printable characters;
        // base64-encode it (response.Data.ToBase64()) only if you need to display it.
        return response.Data.ToByteArray();
    }
}
Go
このコードを実行するには、まず Go 開発環境を設定し、Cloud KMS Go SDK をインストールします。
import (
"context"
"encoding/base64"
"fmt"
"io"
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
)
// generateRandomBytes requests numBytes bytes of entropy from the Cloud HSM
// random number generator in location (a resource name such as
// "projects/my-project/locations/us-east1") and writes the result to w,
// base64-encoded. It returns an error if the client cannot be created or
// the request fails.
func generateRandomBytes(w io.Writer, location string, numBytes int32) error {
	ctx := context.Background()

	// The client owns background connections; release them when done.
	kmsClient, err := kms.NewKeyManagementClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create kms client: %w", err)
	}
	defer kmsClient.Close()

	// ProtectionLevel_HSM pins the request to the HSM-backed RNG.
	resp, err := kmsClient.GenerateRandomBytes(ctx, &kmspb.GenerateRandomBytesRequest{
		Location:        location,
		LengthBytes:     numBytes,
		ProtectionLevel: kmspb.ProtectionLevel_HSM,
	})
	if err != nil {
		return fmt.Errorf("failed to generate random bytes: %w", err)
	}

	// resp.Data is raw binary and may contain non-printable characters;
	// base64 makes it safe to print.
	fmt.Fprintf(w, "Random bytes: %s", base64.StdEncoding.EncodeToString(resp.Data))
	return nil
}
Java
このコードを実行するには、まず Java 開発環境を設定し、Cloud KMS Java SDK をインストールします。
import com.google.cloud.kms.v1.GenerateRandomBytesResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.LocationName;
import com.google.cloud.kms.v1.ProtectionLevel;
import java.io.IOException;
import java.util.Base64;
public class GenerateRandomBytes {

  /**
   * Runs the sample with placeholder values.
   *
   * @throws IOException if the KMS client cannot be created or closed
   */
  public void generateRandomBytes() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "us-east1";
    int numBytes = 256;
    generateRandomBytes(projectId, locationId, numBytes);
  }

  /**
   * Requests {@code numBytes} bytes of random data from the Cloud HSM random number
   * generator in the given location and prints them base64-encoded.
   *
   * @param projectId Google Cloud project ID
   * @param locationId Cloud KMS location (for example {@code us-east1})
   * @param numBytes number of random bytes to request
   * @throws IOException if the KMS client cannot be created or closed
   */
  public void generateRandomBytes(String projectId, String locationId, int numBytes)
      throws IOException {
    // try-with-resources closes the client, releasing its background threads and
    // channels. In real code create one client and reuse it across requests.
    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
      String parent = LocationName.of(projectId, locationId).toString();

      // ProtectionLevel.HSM pins the request to the HSM-backed RNG.
      GenerateRandomBytesResponse response =
          client.generateRandomBytes(parent, numBytes, ProtectionLevel.HSM);

      // The payload is raw binary and may contain non-printable characters;
      // base64 makes it safe to print. Printing is for demonstration only:
      // if the bytes will seed a key, keep them out of logs.
      byte[] raw = response.getData().toByteArray();
      System.out.printf("Random bytes: %s", Base64.getEncoder().encodeToString(raw));
    }
  }
}
Node.js
このコードを実行するには、まず Node.js 開発環境を設定し、Cloud KMS Node.js SDK をインストールします。
//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const numBytes = 256;

// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');

// Instantiates a client
const client = new KeyManagementServiceClient();

// Build the location name
const locationName = client.locationPath(projectId, locationId);

// Requests numBytes bytes from the HSM-backed random number generator in the
// location, logs them base64-encoded and resolves to the raw API response.
async function generateRandomBytes() {
  // protectionLevel 'HSM' pins the request to the HSM-backed RNG.
  const request = {
    location: locationName,
    lengthBytes: numBytes,
    protectionLevel: 'HSM',
  };
  const [response] = await client.generateRandomBytes(request);

  // The payload is raw binary; base64 makes it safe to print.
  const encoded = response.data.toString('base64');
  console.log(`Random bytes: ${encoded}`);
  return response;
}
return generateRandomBytes();
PHP
このコードを実行するには、まず Google Cloud での PHP の使用について学び、Cloud KMS PHP SDK をインストールします。
use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
use Google\Cloud\Kms\V1\GenerateRandomBytesRequest;
use Google\Cloud\Kms\V1\ProtectionLevel;
/**
 * Generate a random byte string using Cloud KMS.
 *
 * Requests $numBytes bytes from the HSM-backed random number generator in the
 * given location, prints them base64-encoded and returns the raw API response.
 *
 * @param string $projectId The Google Cloud project ID.
 * @param string $locationId The location ID (e.g. us-east1).
 * @param int $numBytes The number of bytes to generate.
 * @return object The API response; getData() holds the raw random bytes.
 */
function generate_random_bytes(
    string $projectId,
    string $locationId = 'us-east1',
    int $numBytes = 256
) {
    $client = new KeyManagementServiceClient();
    $parent = $client->locationName($projectId, $locationId);

    // ProtectionLevel::HSM pins the request to the HSM-backed RNG.
    $request = new GenerateRandomBytesRequest();
    $request->setLocation($parent);
    $request->setLengthBytes($numBytes);
    $request->setProtectionLevel(ProtectionLevel::HSM);
    $response = $client->generateRandomBytes($request);

    // The payload is raw binary and may contain non-printable characters;
    // base64 makes it safe to print.
    printf('Random bytes: %s' . PHP_EOL, base64_encode($response->getData()));
    return $response;
}
Python
このコードを実行するには、まず Python 開発環境を設定し、Cloud KMS Python SDK をインストールします。
# Import base64 for encoding the bytes for printing.
import base64
# Import the client library.
from google.cloud import kms
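def generate_random_bytes(
    project_id: str, location_id: str, num_bytes: int
) -> "kms.GenerateRandomBytesResponse":
    """
    Generate random bytes with entropy sourced from the Cloud HSM in the given location.

    Args:
        project_id (string): Google Cloud project ID (e.g. 'my-project').
        location_id (string): Cloud KMS location (e.g. 'us-east1').
        num_bytes (integer): number of bytes of random data.

    Returns:
        GenerateRandomBytesResponse: the API response; its ``data`` field holds the
        raw random bytes. (The function returns the whole response, not the bytes.)
    """
    client = kms.KeyManagementServiceClient()
    location_name = client.common_location_path(project_id, location_id)

    # ProtectionLevel.HSM pins the request to the HSM-backed RNG.
    random_bytes_response = client.generate_random_bytes(
        request={
            "location": location_name,
            "length_bytes": num_bytes,
            "protection_level": kms.ProtectionLevel.HSM,
        }
    )

    # The payload is raw binary; base64 makes it safe to print. Decode the
    # base64 bytes so the printed value is the text itself, not a b'...' repr.
    encoded_data = base64.b64encode(random_bytes_response.data).decode("ascii")
    print(f"Random bytes: {encoded_data}")
    return random_bytes_response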
Ruby
このコードを実行するには、まず Ruby 開発環境を設定し、Cloud KMS Ruby SDK をインストールします。
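# TODO(developer): uncomment these values before running the sample.
# project_id = "my-project"
# location_id = "us-east1"
# num_bytes = 256

# Require the libraries. Base64 is not loaded by default, so require it
# explicitly instead of relying on the KMS gem to pull it in.
require "base64"
require "google/cloud/kms"

# Create the client.
client = Google::Cloud::Kms.key_management_service

# Build the parent location name.
location_name = client.location_path project: project_id,
                                     location: location_id

# Call the API. :HSM pins the request to the HSM-backed random number generator.
response = client.generate_random_bytes location: location_name,
                                         length_bytes: num_bytes,
                                         protection_level: :HSM

# The data comes back as raw bytes, which may include non-printable
# characters. This base64-encodes the result so it can be printed below.
encoded_data = Base64.strict_encode64 response.data
puts "Random bytes: #{encoded_data}"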
既知の制限事項
GenerateRandomBytes API 呼び出しでは、1 回の呼び出しあたり最大 1,024 バイトのランダムデータを生成できます。それ以上のランダムバイトが必要な場合は、API 呼び出しを複数回実行します。GenerateRandomBytes API 呼び出しは、ソフトウェアまたは外部の保護レベルではサポートされません。