in fakekms/asymmetric_rpcs.go [81:130]
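// AsymmetricDecrypt decrypts req.Ciphertext with the key material of the
// CryptoKeyVersion named by req.Name.
//
// The request is rejected before any private-key operation unless the version
// is ENABLED, its algorithm has purpose ASYMMETRIC_DECRYPT, the ciphertext is
// non-empty and no longer than maxCiphertextSize, and any client-supplied
// CRC32C matches the ciphertext. On success the response carries the
// plaintext, the plaintext's CRC32C, whether a ciphertext checksum was
// supplied (and therefore verified), and the version's protection level.
//
// Errors from name parsing and key lookup are returned unchanged; state and
// purpose violations use errFailedPrecondition; malformed ciphertext, a
// checksum mismatch and decryption failure use errInvalidArgument.
func (f *fakeKMS) AsymmetricDecrypt(ctx context.Context, req *kmspb.AsymmetricDecryptRequest) (*kmspb.AsymmetricDecryptResponse, error) {
	// NOTE(review): presumably rejects requests that populate fields other
	// than the three listed here; confirm against allowlist's definition.
	if err := allowlist("name", "ciphertext", "ciphertext_crc32c").check(req); err != nil {
		return nil, err
	}

	name, err := parseCryptoKeyVersionName(req.Name)
	if err != nil {
		return nil, err
	}
	ckv, err := f.cryptoKeyVersion(name)
	if err != nil {
		return nil, err
	}

	// Only ENABLED versions may perform private-key operations.
	if ckv.pb.State != kmspb.CryptoKeyVersion_ENABLED {
		return nil, errFailedPrecondition("key version %s is not enabled", name)
	}

	// The second result of algorithmDef is deliberately ignored here.
	// NOTE(review): this relies on an unknown algorithm yielding a definition
	// whose Purpose fails the check below; confirm against algorithmDef.
	def, _ := algorithmDef(ckv.pb.Algorithm)
	if def.Purpose != kmspb.CryptoKey_ASYMMETRIC_DECRYPT {
		return nil, errFailedPrecondition("keys with algorithm %s may not be used for asymmetric decryption",
			nameForValue(kmspb.CryptoKeyVersion_CryptoKeyVersionAlgorithm_name, int32(ckv.pb.Algorithm)))
	}

	// A zero-length, non-nil slice is just as empty as a nil one, so test the
	// length rather than comparing against nil.
	if len(req.Ciphertext) == 0 {
		return nil, errInvalidArgument("ciphertext is empty")
	}
	// Bound the input before it reaches the decrypter.
	if len(req.Ciphertext) > maxCiphertextSize {
		return nil, errInvalidArgument("len(ciphertext)=%d, want len(ciphertext)<=%d", len(req.Ciphertext), maxCiphertextSize)
	}

	// CRC32C detects accidental corruption in transit; it is not a MAC and
	// gives no protection against deliberate tampering. The checksum is
	// optional: when it is absent the request is accepted unverified.
	ciphertextChecksum := crc32c(req.Ciphertext)
	if req.CiphertextCrc32C != nil && ciphertextChecksum.Value != req.CiphertextCrc32C.Value {
		return nil, errInvalidArgument("invalid ciphertext checksum")
	}

	// Use the checked form of the type assertion so that key material that
	// cannot decrypt produces an RPC error instead of panicking the handler.
	decrypter, ok := ckv.keyMaterial.(crypto.Decrypter)
	if !ok {
		return nil, errFailedPrecondition("key material for version %s does not implement crypto.Decrypter", name)
	}
	pt, err := decrypter.Decrypt(rand.Reader, req.Ciphertext, def.Opts)
	if err != nil {
		// The underlying error text is passed back to the caller as-is.
		return nil, errInvalidArgument("decryption failed: %v", err)
	}

	return &kmspb.AsymmetricDecryptResponse{
		Plaintext:       pt,
		PlaintextCrc32C: crc32c(pt),
		// True only when the caller supplied a checksum, which was checked above.
		VerifiedCiphertextCrc32C: req.CiphertextCrc32C != nil,
		ProtectionLevel:          ckv.pb.ProtectionLevel,
	}, nil
}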