I have been trying to learn how to use Google Cloud Key Management System and have worked through the quickstart tutorials and the documentation. I created my key rings and their respective keys, tested them with the SDK on my laptop, and they work fine.
I then tried to work through the envelope encryption example shown at https://deliciousbrains.com/php-encryption-methods/ using the WAMP development environment on my laptop. I have set up a service account and the environment variable as described at https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-php.
However, when I try to run the code in the browser, I get the following message:
Fatal error: Uncaught Google_Service_Exception: { "error": { "code": 401, "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "errors": [ { "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "domain": "global", "reason": "unauthorized" } ], "status": "UNAUTHENTICATED" } } in C:\Bitnami\wampstack-7.2.11-0\apache2\htdocs\racingaway\vendor\google\apiclient\src\Google\Http\REST.php:118 Stack trace: #0 C:\Bitnami\wampstack-7.2.11-0\apache2\htdocs\racingaway\vendor\google\apiclient\src\Google\Http\REST.php(94): Google_Http_REST::decodeHttpResponse(Object(GuzzleHttp\Psr7\Response), Object(GuzzleHttp\Psr7\Request), 'Goo in C:\Bitnami\wampstack-7.2.11-0\apache2\htdocs\racingaway\vendor\google\apiclient\src\Google\Http\REST.php on line 118
I have tried following the link in the message above (https://developers.google.com/identity/sign-in/web/devconsole-project), which takes me to https://developers.google.com/identity/sign-in/web/sign-in#before_you_begin, which seems to be about setting up an OAuth client for end users. However, what I want to do is server-to-server authentication. I am now confused and would be grateful for some sensible advice on what I need to do to get my test application working.
The code I am using is as follows:
<?php
use Google_Service_CloudKMS as Kms;
use Google_Service_CloudKMS_DecryptRequest as DecryptRequest;
use Google_Service_CloudKMS_EncryptRequest as EncryptRequest;

/**
 * Envelope encryption: each payload is encrypted locally with a fresh
 * libsodium secretbox key (the data encryption key, DEK); that DEK is then
 * wrapped by Cloud KMS with the key named by getResourceName().
 */
class KeyManager
{
    private $kms;
    private $encryptRequest;
    private $decryptRequest;
    private $projectId;
    private $locationId;
    private $keyRingId;
    private $cryptoKeyId;

    public function __construct(Kms $kms, EncryptRequest $encryptRequest, DecryptRequest $decryptRequest, $projectId, $locationId, $keyRingId, $cryptoKeyId)
    {
        $this->kms = $kms;
        $this->encryptRequest = $encryptRequest;
        $this->decryptRequest = $decryptRequest;
        $this->projectId = $projectId;
        $this->locationId = $locationId;
        $this->keyRingId = $keyRingId;
        $this->cryptoKeyId = $cryptoKeyId;
    }

    public function encrypt($data)
    {
        // Fresh DEK and nonce per message; the DEK only leaves this process wrapped by KMS.
        $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ciphertext = sodium_crypto_secretbox($data, $nonce, $key);
        return [
            'data' => base64_encode($nonce . $ciphertext),
            'secret' => $this->encryptKey($key), // the KMS-wrapped DEK
        ];
    }

    public function decrypt($secret, $data)
    {
        $decoded = base64_decode($data);
        $key = $this->decryptSecret($secret);
        // '8bit' stops mb_substr from treating the binary blob as multibyte text.
        $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
        $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
        if ($plaintext === false) {
            // Authentication tag mismatch: wrong key or tampered ciphertext.
            throw new RuntimeException('Decryption failed: ciphertext could not be authenticated');
        }
        return $plaintext;
    }

    private function encryptKey($key)
    {
        // The KMS API carries plaintext and ciphertext as base64 strings.
        $this->encryptRequest->setPlaintext(base64_encode($key));
        $response = $this->kms->projects_locations_keyRings_cryptoKeys->encrypt(
            $this->getResourceName(),
            $this->encryptRequest
        );
        return $response['ciphertext'];
    }

    private function decryptSecret($secret)
    {
        $this->decryptRequest->setCiphertext($secret);
        $response = $this->kms->projects_locations_keyRings_cryptoKeys->decrypt(
            $this->getResourceName(),
            $this->decryptRequest
        );
        return base64_decode($response['plaintext']);
    }

    public function getResourceName()
    {
        return sprintf(
            'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s',
            $this->projectId,
            $this->locationId,
            $this->keyRingId,
            $this->cryptoKeyId
        );
    }
}
The class above is used by the following code:
<?php
require_once( "get_paths.php" );
require_once( GetIncludePath()."class.keymanager.php" );
use Google_Service_CloudKMS as Kms;
use Google_Service_CloudKMS_DecryptRequest as DecryptRequest;
use Google_Service_CloudKMS_EncryptRequest as EncryptRequest;

$client = new Google_Client();
// Path to the service-account JSON key; setAuthConfig() reads and parses the file.
// Fail loudly if the variable is not visible to this PHP process rather than
// passing false into setAuthConfig().
$credentialsPath = getenv('GOOGLE_APPLICATION_CREDENTIALS');
if ($credentialsPath === false || $credentialsPath === '') {
    throw new RuntimeException('GOOGLE_APPLICATION_CREDENTIALS is not set in the PHP process environment');
}
$client->setAuthConfig($credentialsPath);
$client->addScope('https://www.googleapis.com/auth/cloud-platform');

$keyManager = new KeyManager(
    new Kms($client),
    new EncryptRequest(),
    new DecryptRequest(),
    "snappy-thought-226213", // $projectId
    "europe-west2",          // $locationId
    "racingaway_key_ring",   // $keyRingId
    "racingaway_key_2"       // $cryptoKeyId
);
$encrypted = $keyManager->encrypt('This is a secret!');
var_dump($encrypted);
?>
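An added diagnostic script (not from the question or the linked tutorial) that checks each stage of the credential-loading path before any KMS call is made: whether this PHP process actually sees GOOGLE_APPLICATION_CREDENTIALS, whether the file is a readable service-account key, and whether Google_Client can exchange it for an OAuth 2 access token with the cloud-platform scope. It assumes the Composer autoloader is at vendor/autoload.php next to the script.

```php
<?php
// Added diagnostic, not part of the question. Assumes the Composer autoloader
// lives at vendor/autoload.php next to this file.
require_once __DIR__ . '/vendor/autoload.php';

// Stage 1: does this PHP process see the variable? getenv() returns false when
// the variable was only set for the logged-in user and not for the Apache service;
// a false value skips the "file does not exist" check that a wrong path would trigger.
$credPath = getenv('GOOGLE_APPLICATION_CREDENTIALS');
if ($credPath === false || $credPath === '') {
    exit("GOOGLE_APPLICATION_CREDENTIALS is not set in the PHP process environment.\n");
}
if (!is_readable($credPath)) {
    exit("Credential file is not readable by the web server: $credPath\n");
}

// Stage 2: is it a service-account key? Server-to-server auth needs type
// "service_account"; an OAuth client ID file (type "web" or "installed") will not do.
$json = json_decode(file_get_contents($credPath), true);
$type = is_array($json) ? ($json['type'] ?? 'missing') : 'invalid JSON';
if ($type !== 'service_account') {
    exit("Credential file is not a service_account key (type: $type).\n");
}
printf("Service account: %s\n", $json['client_email']);

// Stage 3: can the client mint the access token that the 401 UNAUTHENTICATED
// response says the KMS request was missing?
$client = new Google_Client();
$client->setAuthConfig($credPath);
$client->addScope('https://www.googleapis.com/auth/cloud-platform');
$token = $client->fetchAccessTokenWithAssertion();
if (empty($token['access_token'])) {
    exit("Token exchange failed: " . json_encode($token) . "\n");
}
printf("Access token obtained (expires in %d s); credential loading works.\n", $token['expires_in']);
```

Run it through the same Apache/PHP instance as the failing page rather than from the command line, since an environment variable set for the Windows user is not automatically inherited by a service process.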