&SrSSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r SSK Jr SSK J r SSK Jr SS K Jr SS KJr SS KJr SS KJr S r"SS\ R.5rg)z*Decrypt a ciphertext file using a raw key.)absolute_import)division)unicode_literals) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filescF\rSrSrSr\S5rSrSrSr Sr Sr S r g ) RawDecrypt#aNDecrypt a ciphertext file using a raw key. `{command}` decrypts the given ciphertext file using the given CryptoKey containing a raw key and writes the result to the named plaintext file. The ciphertext file must not be larger than 64KiB. The supported algorithms are: `AES-128-GCM`, `AES-256-GCM`, `AES-128-CBC`, `AES-256-CBC`, `AES-128-CTR`, `and AES-256-CTR`. `AES-GCM` provides authentication which means that it accepts additional authenticated data (AAD). So, the flag `--additional-authenticated-data-file` is only valid with `AES-128-GCM` and `AES-256-GCM` algorithms. If AAD is provided during encryption, it must be provided during decryption too. The file must not be larger than 64KiB. If `--plaintext-file` or `--additional-authenticated-data-file` or `--initialization-vector-file` is set to '-', that file is read from stdin. Similarly, if `--ciphertext-file` is set to '-', the ciphertext is written to stdout. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES The following command reads and decrypts the file `path/to/input/ciphertext`. The file will be decrypted using the CryptoKey `KEYNAME` containing a raw key, from the KeyRing `KEYRING` in the `global` location. It uses the additional authenticated data file `path/to/input/aad` (only valid with the `AES-GCM` algorithms) and the initialization vector file `path/to/input/iv`. The resulting plaintext will be written to `path/to/output/plaintext`. $ {command} \ --key=KEYNAME \ --keyring=KEYRING \ --location=global \ --ciphertext-file=path/to/input/ciphertext \ --additional-authenticated-data-file=path/to/input/aad \ --initialization-vector-file=path/to/input/iv \ --plaintext-file=path/to/output/plaintext cD[R"US5 [R"USS5 [R"US5 [R"US5 [R "US5 [R "U5 [R"U5 g)Nz$The (raw) key to use for decryption.zto use for decryptionTzto store the decrypted dataz to decryptzfor decryption)r AddKeyResourceFlagsAddCryptoKeyVersionFlagAddPlaintextFileFlagAddCiphertextFileFlag AddIvFileFlagAddAadFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/raw_decrypt.pyArgsRawDecrypt.ArgsNst f&LM !!&*A4H v'DE  5  01   &&v.c[R"USS9n[U5U:a%[R"SR X55eU$)NT)binaryz 5  #  3 3s :  / / F 5  ''3.  3 3s :  / / 2 5  ((   ))j    ) )_ ! b 2w/!  ' ' ( * 1 1/ B  C ..  ##  3 3u$ 44T:N..0Hdd  ( ( *eG  ))$// -- 3--#i==%j"*"<"<!&),%.,6 #=#g N #+"<"<!&)#=#g NA ;;  ' ' 5 < <""A   ;;  ' ' @ G G--q  ([[ )) J VD;;Q ?   sH'HI*1J6I'20I""I'*J3>0J..J36K? 0K::K?cUR(d)[R"[R"55eUR(d)[R"[R"55eUR (d)[R"[R"55e[ R"URUR5(d)[R"[R"55eg)z&Verifies integrity fields in response.N) verifiedCiphertextCrc32cr $ClientSideIntegrityVerificationError'GetRequestToServerCorruptedErrorMessage)verifiedAdditionalAuthenticatedDataCrc32c"verifiedInitializationVectorCrc32cr Crc32cMatches plaintextplaintextCrc32c*GetResponseFromServerCorruptedErrorMessage)r%resps r_VerifyResponseIntegrityFields)RawDecrypt._VerifyResponseIntegrityFieldss  ( (  > >  ? ? A   9 9  > >  ? ? A   2 2  > >  ? ? A    0D0D E E  > >  B B D  FrcSnURU5n[R"5nURR U5nURU5(aURU5 URcA[R"UR5 SSS5 [R "S5 g[R""URURSSS9 g![ R a n[R"U5 SnANSnAff=f!,(df  N=f![R$an[&R("U5eSnAff=f)NzDecrypted file is emptyT)r overwrite)rPr@GetClientInstance8projects_locations_keyRings_cryptoKeys_cryptoKeyVersionsrapitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr.r]rYr FileWriterplaintext_filer PrintWriteToFileOrStdoutr=rr#)r%r-responserLclienterrorrGs rRunRawDecrypt.RunsH++D1G  , , .F6PP[[ h ))$// ))(3 +    #   d11 2 3 +,    !3!3DD   2 26..u5563 2 ;;+  ' ' **+sMC'--D/DD/;+D/'D;DD D,(D//EEEN) __name__ __module__ __qualname____firstlineno____doc__ staticmethodrr)r.rPr]rm__static_attributes__rorrrr#s7(T//0aF6+rrN)rt __future__rrrapitools.base.pyrrcgooglecloudsdk.api_lib.cloudkmsrr@googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr r>CommandrrorrrsH1&'>A(.180#2*[+[+r