KMS: Clean up base64 logic in the encrypt and decrypt functions. #1074
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
theacodes
approved these changes
Aug 16, 2017
busunkim96
pushed a commit
to googleapis/python-kms
that referenced
this pull request
Jun 4, 2020
…074)](GoogleCloudPlatform/python-docs-samples#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
rsamborski
pushed a commit
that referenced
this pull request
Nov 8, 2022
)](#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
8 tasks
rsamborski
pushed a commit
that referenced
this pull request
Nov 8, 2022
)](#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
rsamborski
pushed a commit
that referenced
this pull request
Nov 11, 2022
)](#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
rsamborski
pushed a commit
that referenced
this pull request
Nov 14, 2022
)](#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
dandhlee
pushed a commit
that referenced
this pull request
Nov 14, 2022
)](#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
parthea
pushed a commit
to googleapis/google-cloud-python
that referenced
this pull request
Oct 21, 2023
)](GoogleCloudPlatform/python-docs-samples#1074) The use of base64 is essentially an implementation detail of the Cloud KMS REST API: it is required only so that arbitrary binary data can be included in a JSON string, which only allows Unicode characters. Therefore, the "encrypt" sample function should decode the base64-encoded ciphertext before writing the file. Similarly, "decrypt" should not assume that an input file is base64-encoded, but should perform the base64-encoding itself before sending the encrypted data to KMS. This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands behave. See https://stackoverflow.com/q/45699472 for an example of user confusion caused by the mismatch.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The use of base64 is essentially an implementation detail of the Cloud KMS REST
API: it is required only so that arbitrary binary data can be included in a JSON
string, which only allows Unicode characters. Therefore, the "encrypt" sample
function should decode the base64-encoded ciphertext before writing the
file. Similarly, "decrypt" should not assume that an input file is
base64-encoded, but should perform the base64-encoding itself before sending the
encrypted data to KMS.
This aligns with how the "gcloud kms encrypt" and "gcloud kms decrypt" commands
behave. See https://stackoverflow.com/q/45699472 for an example of user
confusion caused by the mismatch.