透過非對稱金鑰加密及解密資料

 using Google.Cloud.Kms.V1; using System; using System.Security.Cryptography; using System.Text;  public class EncryptAsymmetricSample {     public byte[] EncryptAsymmetric(       string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123",       string message = "Sample message")     {         // Create the client.         KeyManagementServiceClient client = KeyManagementServiceClient.Create();          // Build the key version name.         CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId);          // Get the public key.         PublicKey publicKey = client.GetPublicKey(keyVersionName);          // Split the key into blocks and base64-decode the PEM parts.         string[] blocks = publicKey.Pem.Split("-", StringSplitOptions.RemoveEmptyEntries);         byte[] pem = Convert.FromBase64String(blocks[1]);          // Create a new RSA key.         RSA rsa = RSA.Create();         rsa.ImportSubjectPublicKeyInfo(pem, out _);          // Convert the message into bytes. Cryptographic plaintexts and         // ciphertexts are always byte arrays.         byte[] plaintext = Encoding.UTF8.GetBytes(message);          // Encrypt the data.         byte[] ciphertext = rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);         return ciphertext;     } }

import ( 	"context" 	"crypto/rand" 	"crypto/rsa" 	"crypto/sha256" 	"crypto/x509" 	"encoding/pem" 	"fmt" 	"io"  	kms "cloud.google.com/go/kms/apiv1" 	"cloud.google.com/go/kms/apiv1/kmspb" )  // encryptAsymmetric encrypts data on your local machine using an // 'RSA_DECRYPT_OAEP_2048_SHA256' public key retrieved from Cloud KMS. func encryptAsymmetric(w io.Writer, name string, message string) error { 	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123" 	// message := "Sample message"  	// Create the client. 	ctx := context.Background() 	client, err := kms.NewKeyManagementClient(ctx) 	if err != nil { 		return fmt.Errorf("failed to create kms client: %w", err) 	} 	defer client.Close()  	// Retrieve the public key from Cloud KMS. This is the only operation that 	// involves Cloud KMS. The remaining operations take place on your local 	// machine. 	response, err := client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{ 		Name: name, 	}) 	if err != nil { 		return fmt.Errorf("failed to get public key: %w", err) 	}  	// Parse the public key. Note, this example assumes the public key is in the 	// RSA format. 	block, _ := pem.Decode([]byte(response.Pem)) 	publicKey, err := x509.ParsePKIXPublicKey(block.Bytes) 	if err != nil { 		return fmt.Errorf("failed to parse public key: %w", err) 	} 	rsaKey, ok := publicKey.(*rsa.PublicKey) 	if !ok { 		return fmt.Errorf("public key is not rsa") 	}  	// Convert the message into bytes. Cryptographic plaintexts and 	// ciphertexts are always byte arrays. 	plaintext := []byte(message)  	// Encrypt data using the RSA public key. 	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaKey, plaintext, nil) 	if err != nil { 		return fmt.Errorf("rsa.EncryptOAEP: %w", err) 	} 	fmt.Fprintf(w, "Encrypted ciphertext: %s", ciphertext) 	return nil } 

import com.google.cloud.kms.v1.CryptoKeyVersionName; import com.google.cloud.kms.v1.KeyManagementServiceClient; import com.google.cloud.kms.v1.PublicKey; import java.io.BufferedReader; import java.io.IOException; import java.io.StringReader; import java.nio.charset.StandardCharsets; import java.security.GeneralSecurityException; import java.security.KeyFactory; import java.security.spec.MGF1ParameterSpec; import java.security.spec.X509EncodedKeySpec; import java.util.Base64; import java.util.stream.Collectors; import javax.crypto.Cipher; import javax.crypto.spec.OAEPParameterSpec; import javax.crypto.spec.PSource;  public class EncryptAsymmetric {    public void encryptAsymmetric() throws IOException, GeneralSecurityException {     // TODO(developer): Replace these variables before running the sample.     String projectId = "your-project-id";     String locationId = "us-east1";     String keyRingId = "my-key-ring";     String keyId = "my-key";     String keyVersionId = "123";     String plaintext = "Plaintext to encrypt";     encryptAsymmetric(projectId, locationId, keyRingId, keyId, keyVersionId, plaintext);   }    // Encrypt data that was encrypted using the public key component of the given   // key version.   public void encryptAsymmetric(       String projectId,       String locationId,       String keyRingId,       String keyId,       String keyVersionId,       String plaintext)       throws IOException, GeneralSecurityException {     // Initialize client that will be used to send requests. This client only     // needs to be created once, and can be reused for multiple requests. After     // completing all of your requests, call the "close" method on the client to     // safely clean up any remaining background resources.     try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {       // Build the key version name from the project, location, key ring, key,       // and key version.       CryptoKeyVersionName keyVersionName =           CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);        // Get the public key.       PublicKey publicKey = client.getPublicKey(keyVersionName);        // Convert the public PEM key to a DER key (see helper below).       byte[] derKey = convertPemToDer(publicKey.getPem());       X509EncodedKeySpec keySpec = new X509EncodedKeySpec(derKey);       java.security.PublicKey rsaKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);        // Encrypt plaintext for the 'RSA_DECRYPT_OAEP_2048_SHA256' key.       // For other key algorithms:       // https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html       Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");       OAEPParameterSpec oaepParams =           new OAEPParameterSpec(               "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);       cipher.init(Cipher.ENCRYPT_MODE, rsaKey, oaepParams);       byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));       System.out.printf("Ciphertext: %s%n", ciphertext);     }   }    // Converts a base64-encoded PEM certificate like the one returned from Cloud   // KMS into a DER formatted certificate for use with the Java APIs.   private byte[] convertPemToDer(String pem) {     BufferedReader bufferedReader = new BufferedReader(new StringReader(pem));     String encoded =         bufferedReader             .lines()             .filter(line -> !line.startsWith("-----BEGIN") && !line.startsWith("-----END"))             .collect(Collectors.joining());     return Base64.getDecoder().decode(encoded);   } }

// // TODO(developer): Uncomment these variables before running the sample. // // const projectId = 'my-project'; // const locationId = 'us-east1'; // const keyRingId = 'my-key-ring'; // const keyId = 'my-key'; // const versionId = '123'; // const plaintextBuffer = Buffer.from('...');  // Imports the Cloud KMS library const {KeyManagementServiceClient} = require('@google-cloud/kms');  // Instantiates a client const client = new KeyManagementServiceClient();  // Build the key version name const versionName = client.cryptoKeyVersionPath(   projectId,   locationId,   keyRingId,   keyId,   versionId );  async function encryptAsymmetric() {   // Get public key from Cloud KMS   const [publicKey] = await client.getPublicKey({     name: versionName,   });    // Optional, but recommended: perform integrity verification on publicKey.   // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:   // https://cloud.google.com/kms/docs/data-integrity-guidelines   const crc32c = require('fast-crc32c');   if (publicKey.name !== versionName) {     throw new Error('GetPublicKey: request corrupted in-transit');   }   if (crc32c.calculate(publicKey.pem) !== Number(publicKey.pemCrc32c.value)) {     throw new Error('GetPublicKey: response corrupted in-transit');   }    // Import and setup crypto   const crypto = require('crypto');    // Encrypt plaintext locally using the public key. This example uses a key   // that was configured with sha256 hash with OAEP padding. Update these   // values to match the Cloud KMS key.   //   // NOTE: In Node < 12, this function does not properly consume the OAEP   // padding and thus produces invalid ciphertext. If you are using Node to do   // public key encryption, please use version 12+.   const ciphertextBuffer = crypto.publicEncrypt(     {       key: publicKey.pem,       oaepHash: 'sha256',       padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,     },     plaintextBuffer   );    console.log(`Ciphertext: ${ciphertextBuffer.toString('base64')}`);   return ciphertextBuffer; }  return encryptAsymmetric();

function encrypt_asymmetric(     string $projectId = 'my-project',     string $locationId = 'us-east1',     string $keyRingId = 'my-key-ring',     string $keyId = 'my-key',     string $versionId = '123',     string $plaintext = '...' ): void {     // PHP has limited support for asymmetric encryption operations.     // Specifically, openssl_public_encrypt() does not allow customizing     // algorithms or padding. Thus, it is not currently possible to use PHP     // core for asymmetric operations on RSA keys.     //     // Third party libraries like phpseclib may provide the required     // functionality. Google does not endorse this external library. }

 # Import base64 for printing the ciphertext. import base64  # Import cryptographic helpers from the cryptography package. from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import padding  # Import the client library. from google.cloud import kms   def encrypt_asymmetric(     project_id: str,     location_id: str,     key_ring_id: str,     key_id: str,     version_id: str,     plaintext: str, ) -> bytes:     """     Encrypt plaintext using the public key portion of an asymmetric key.      Args:         project_id (string): Google Cloud project ID (e.g. 'my-project').         location_id (string): Cloud KMS location (e.g. 'us-east1').         key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').         key_id (string): ID of the key to use (e.g. 'my-key').         version_id (string): ID of the key version to use (e.g. '1').         plaintext (string): message to encrypt      Returns:         bytes: Encrypted ciphertext.      """      # Convert the plaintext to bytes.     plaintext_bytes = plaintext.encode("utf-8")      # Create the client.     client = kms.KeyManagementServiceClient()      # Build the key version name.     key_version_name = client.crypto_key_version_path(         project_id, location_id, key_ring_id, key_id, version_id     )      # Get the public key.     public_key = client.get_public_key(request={"name": key_version_name})      # Extract and parse the public key as a PEM-encoded RSA key.     pem = public_key.pem.encode("utf-8")     rsa_key = serialization.load_pem_public_key(pem, default_backend())      # Construct the padding. Note that the padding differs based on key choice.     sha256 = hashes.SHA256()     mgf = padding.MGF1(algorithm=sha256)     pad = padding.OAEP(mgf=mgf, algorithm=sha256, label=None)      # Encrypt the data using the public key.     ciphertext = rsa_key.encrypt(plaintext_bytes, pad)     print(f"Ciphertext: {base64.b64encode(ciphertext)!r}")     return ciphertext  

# Ruby has limited support for asymmetric encryption operations. Specifically, # public_encrypt() does not allow customizing the MGF hash algorithm. Thus, it # is not currently possible to use Ruby core for asymmetric encryption # operations on RSA keys from Cloud KMS. # # Third party libraries may provide the required functionality. Google does # not endorse these external libraries.

 using Google.Cloud.Kms.V1; using Google.Protobuf; using System.Text;  public class DecryptAsymmetricSample {     public string DecryptAsymmetric(       string projectId = "my-project", string locationId = "us-east1", string keyRingId = "my-key-ring", string keyId = "my-key", string keyVersionId = "123",       byte[] ciphertext = null)     {         // Create the client.         KeyManagementServiceClient client = KeyManagementServiceClient.Create();          // Build the key version name.         CryptoKeyVersionName keyVersionName = new CryptoKeyVersionName(projectId, locationId, keyRingId, keyId, keyVersionId);          // Call the API.         AsymmetricDecryptResponse result = client.AsymmetricDecrypt(keyVersionName, ByteString.CopyFrom(ciphertext));          // Get the plaintext. Cryptographic plaintexts and ciphertexts are         // always byte arrays.         byte[] plaintext = result.Plaintext.ToByteArray();          // Return the result.         return Encoding.UTF8.GetString(plaintext);     } }

import ( 	"context" 	"fmt" 	"hash/crc32" 	"io"  	kms "cloud.google.com/go/kms/apiv1" 	"cloud.google.com/go/kms/apiv1/kmspb" 	"google.golang.org/protobuf/types/known/wrapperspb" )  // decryptAsymmetric will attempt to decrypt a given ciphertext with an // 'RSA_DECRYPT_OAEP_2048_SHA256' key from Cloud KMS. func decryptAsymmetric(w io.Writer, name string, ciphertext []byte) error { 	// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/123" 	// ciphertext := []byte("...")  // result of an asymmetric encryption call  	// Create the client. 	ctx := context.Background() 	client, err := kms.NewKeyManagementClient(ctx) 	if err != nil { 		return fmt.Errorf("failed to create kms client: %w", err) 	} 	defer client.Close()  	// Optional but recommended: Compute ciphertext's CRC32C. 	crc32c := func(data []byte) uint32 { 		t := crc32.MakeTable(crc32.Castagnoli) 		return crc32.Checksum(data, t) 	} 	ciphertextCRC32C := crc32c(ciphertext)  	// Build the request. 	req := &kmspb.AsymmetricDecryptRequest{ 		Name:             name, 		Ciphertext:       ciphertext, 		CiphertextCrc32C: wrapperspb.Int64(int64(ciphertextCRC32C)), 	}  	// Call the API. 	result, err := client.AsymmetricDecrypt(ctx, req) 	if err != nil { 		return fmt.Errorf("failed to decrypt ciphertext: %w", err) 	}  	// Optional, but recommended: perform integrity verification on result. 	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit: 	// https://cloud.google.com/kms/docs/data-integrity-guidelines 	if result.VerifiedCiphertextCrc32C == false { 		return fmt.Errorf("AsymmetricDecrypt: request corrupted in-transit") 	} 	if int64(crc32c(result.Plaintext)) != result.PlaintextCrc32C.Value { 		return fmt.Errorf("AsymmetricDecrypt: response corrupted in-transit") 	}  	fmt.Fprintf(w, "Decrypted plaintext: %s", result.Plaintext) 	return nil } 

import com.google.cloud.kms.v1.AsymmetricDecryptResponse; import com.google.cloud.kms.v1.CryptoKeyVersionName; import com.google.cloud.kms.v1.KeyManagementServiceClient; import com.google.protobuf.ByteString; import java.io.IOException;  public class DecryptAsymmetric {    public void decryptAsymmetric() throws IOException {     // TODO(developer): Replace these variables before running the sample.     String projectId = "your-project-id";     String locationId = "us-east1";     String keyRingId = "my-key-ring";     String keyId = "my-key";     String keyVersionId = "123";     byte[] ciphertext = null;     decryptAsymmetric(projectId, locationId, keyRingId, keyId, keyVersionId, ciphertext);   }    // Decrypt data that was encrypted using the public key component of the given   // key version.   public void decryptAsymmetric(       String projectId,       String locationId,       String keyRingId,       String keyId,       String keyVersionId,       byte[] ciphertext)       throws IOException {     // Initialize client that will be used to send requests. This client only     // needs to be created once, and can be reused for multiple requests. After     // completing all of your requests, call the "close" method on the client to     // safely clean up any remaining background resources.     try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {       // Build the key version name from the project, location, key ring, key,       // and key version.       CryptoKeyVersionName keyVersionName =           CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);        // Decrypt the ciphertext.       AsymmetricDecryptResponse response =           client.asymmetricDecrypt(keyVersionName, ByteString.copyFrom(ciphertext));       System.out.printf("Plaintext: %s%n", response.getPlaintext().toStringUtf8());     }   } }

// // TODO(developer): Uncomment these variables before running the sample. // // const projectId = 'my-project'; // const locationId = 'us-east1'; // const keyRingId = 'my-key-ring'; // const keyId = 'my-key'; // const versionId = '123'; // const ciphertext = Buffer.from('...');  // Imports the Cloud KMS library const {KeyManagementServiceClient} = require('@google-cloud/kms');  // Instantiates a client const client = new KeyManagementServiceClient();  // Build the key version name const versionName = client.cryptoKeyVersionPath(   projectId,   locationId,   keyRingId,   keyId,   versionId );  // Optional, but recommended: compute plaintext's CRC32C. const crc32c = require('fast-crc32c'); const ciphertextCrc32c = crc32c.calculate(ciphertext);  async function decryptAsymmetric() {   const [decryptResponse] = await client.asymmetricDecrypt({     name: versionName,     ciphertext: ciphertext,     ciphertextCrc32c: {       value: ciphertextCrc32c,     },   });    // Optional, but recommended: perform integrity verification on decryptResponse.   // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:   // https://cloud.google.com/kms/docs/data-integrity-guidelines   if (!decryptResponse.verifiedCiphertextCrc32c) {     throw new Error('AsymmetricDecrypt: request corrupted in-transit');   }   if (     crc32c.calculate(decryptResponse.plaintext) !==     Number(decryptResponse.plaintextCrc32c.value)   ) {     throw new Error('AsymmetricDecrypt: response corrupted in-transit');   }    // NOTE: The ciphertext must be properly formatted. In Node < 12, the   // crypto.publicEncrypt() function does not properly consume the OAEP   // padding and thus produces invalid ciphertext. If you are using Node to do   // public key encryption, please use version 12+.   const plaintext = decryptResponse.plaintext.toString('utf8');    console.log(`Plaintext: ${plaintext}`);   return plaintext; }  return decryptAsymmetric();

use Google\Cloud\Kms\V1\AsymmetricDecryptRequest; use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;  function decrypt_asymmetric(     string $projectId = 'my-project',     string $locationId = 'us-east1',     string $keyRingId = 'my-key-ring',     string $keyId = 'my-key',     string $versionId = '123',     string $ciphertext = '...' ) {     // Create the Cloud KMS client.     $client = new KeyManagementServiceClient();      // Build the key version name.     $keyVersionName = $client->cryptoKeyVersionName($projectId, $locationId, $keyRingId, $keyId, $versionId);      // Call the API.     $asymmetricDecryptRequest = (new AsymmetricDecryptRequest())         ->setName($keyVersionName)         ->setCiphertext($ciphertext);     $decryptResponse = $client->asymmetricDecrypt($asymmetricDecryptRequest);     printf('Plaintext: %s' . PHP_EOL, $decryptResponse->getPlaintext());      return $decryptResponse; }

from google.cloud import kms   def decrypt_asymmetric(     project_id: str,     location_id: str,     key_ring_id: str,     key_id: str,     version_id: str,     ciphertext: bytes, ) -> kms.DecryptResponse:     """     Decrypt the ciphertext using an asymmetric key.      Args:         project_id (string): Google Cloud project ID (e.g. 'my-project').         location_id (string): Cloud KMS location (e.g. 'us-east1').         key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').         key_id (string): ID of the key to use (e.g. 'my-key').         version_id (string): ID of the key version to use (e.g. '1').         ciphertext (bytes): Encrypted bytes to decrypt.      Returns:         DecryptResponse: Response including plaintext.      """      # Create the client.     client = kms.KeyManagementServiceClient()      # Build the key version name.     key_version_name = client.crypto_key_version_path(         project_id, location_id, key_ring_id, key_id, version_id     )      # Optional, but recommended: compute ciphertext's CRC32C.     # See crc32c() function defined below.     ciphertext_crc32c = crc32c(ciphertext)      # Call the API.     decrypt_response = client.asymmetric_decrypt(         request={             "name": key_version_name,             "ciphertext": ciphertext,             "ciphertext_crc32c": ciphertext_crc32c,         }     )      # Optional, but recommended: perform integrity verification on decrypt_response.     # For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:     # https://cloud.google.com/kms/docs/data-integrity-guidelines     if not decrypt_response.verified_ciphertext_crc32c:         raise Exception("The request sent to the server was corrupted in-transit.")     if not decrypt_response.plaintext_crc32c == crc32c(decrypt_response.plaintext):         raise Exception(             "The response received from the server was corrupted in-transit."         )     # End integrity verification      print(f"Plaintext: {decrypt_response.plaintext!r}")     return decrypt_response   def crc32c(data: bytes) -> int:     """     Calculates the CRC32C checksum of the provided data.     Args:         data: the bytes over which the checksum should be calculated.     Returns:         An int representing the CRC32C checksum of the provided bytes.     """     import crcmod  # type: ignore      crc32c_fun = crcmod.predefined.mkPredefinedCrcFun("crc-32c")     return crc32c_fun(data)  

# TODO(developer): uncomment these values before running the sample. # project_id  = "my-project" # location_id = "us-east1" # key_ring_id = "my-key-ring" # key_id      = "my-key" # version_id  = "123" # ciphertext  = "..."  # Require the library. require "google/cloud/kms"  # Create the client. client = Google::Cloud::Kms.key_management_service  # Build the key version name. key_version_name = client.crypto_key_version_path project:            project_id,                                                   location:           location_id,                                                   key_ring:           key_ring_id,                                                   crypto_key:         key_id,                                                   crypto_key_version: version_id  # Call the API. response = client.asymmetric_decrypt key_version_name, ciphertext puts "Plaintext: #{response.plaintext}"