From 172b5062fafb5639fb9621f18c56bdb2478f16a2 Mon Sep 17 00:00:00 2001
From: Anthonios Partheniou
Date: Wed, 2 Jun 2021 05:30:52 -0400
Subject: [PATCH] chore: delete unused protos (#116)
---
google/cloud/kms_v1/proto/resources.proto | 605 ------------
google/cloud/kms_v1/proto/service.proto | 1100 ---------------------
2 files changed, 1705 deletions(-)
delete mode 100644 google/cloud/kms_v1/proto/resources.proto
delete mode 100644 google/cloud/kms_v1/proto/service.proto
diff --git a/google/cloud/kms_v1/proto/resources.proto b/google/cloud/kms_v1/proto/resources.proto
deleted file mode 100644
index 88e31bd9..00000000
--- a/google/cloud/kms_v1/proto/resources.proto
+++ /dev/null
@@ -1,605 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.kms.v1;
-
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/timestamp.proto";
-import "google/protobuf/wrappers.proto";
-import "google/api/annotations.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Kms.V1";
-option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
-option java_multiple_files = true;
-option java_outer_classname = "KmsResourcesProto";
-option java_package = "com.google.cloud.kms.v1";
-option php_namespace = "Google\\Cloud\\Kms\\V1";
-
-// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
-message KeyRing {
- option (google.api.resource) = {
- type: "cloudkms.googleapis.com/KeyRing"
- pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
- };
-
- // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format
- // `projects/*/locations/*/keyRings/*`.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
- google.protobuf.Timestamp create_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
-// operations.
-//
-// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion],
-// which represent the actual key material used in cryptographic operations.
-message CryptoKey {
- option (google.api.resource) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
- };
-
- // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a
- // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by
- // its purpose. For more information, see
- // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
- enum CryptoKeyPurpose {
- // Not specified.
- CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;
-
- // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
- // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
- // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- ENCRYPT_DECRYPT = 1;
-
- // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
- // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and
- // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- ASYMMETRIC_SIGN = 5;
-
- // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
- // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and
- // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- ASYMMETRIC_DECRYPT = 6;
- }
-
- // Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
- // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
- // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given
- // in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
- //
- // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via
- // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
- //
- // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] may have a
- // primary. For other keys, this field will be omitted.
- CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Immutable. The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
- CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];
-
- // Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
- google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:
- //
- // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
- // 2. Mark the new version as primary.
- //
- // Key rotations performed manually via
- // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and
- // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
- // do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
- //
- // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
- // automatic rotation. For other keys, this field must be omitted.
- google.protobuf.Timestamp next_rotation_time = 7;
-
- // Controls the rate of automatic rotation.
- oneof rotation_schedule {
- // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service
- // automatically rotates a key. Must be at least 24 hours and at most
- // 876,000 hours.
- //
- // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set.
- //
- // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
- // automatic rotation. For other keys, this field must be omitted.
- google.protobuf.Duration rotation_period = 8;
- }
-
- // A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances.
- // The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either
- // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
- // auto-rotation are controlled by this template.
- CryptoKeyVersionTemplate version_template = 11;
-
- // Labels with user-defined metadata. For more information, see
- // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
- map labels = 10;
-}
-
-// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating
-// a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with
-// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
-// automatically as a result of auto-rotation.
-message CryptoKeyVersionTemplate {
- // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on
- // this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
- ProtectionLevel protection_level = 1;
-
- // Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use
- // when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template.
- //
- // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
- // this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Contains an HSM-generated attestation about a key operation. For more
-// information, see [Verifying attestations]
-// (https://cloud.google.com/kms/docs/attest-key).
-message KeyOperationAttestation {
- // Attestation formats provided by the HSM.
- enum AttestationFormat {
- // Not specified.
- ATTESTATION_FORMAT_UNSPECIFIED = 0;
-
- // Cavium HSM attestation compressed with gzip. Note that this format is
- // defined by Cavium and subject to change at any time.
- CAVIUM_V1_COMPRESSED = 3;
-
- // Cavium HSM attestation V2 compressed with gzip. This is a new format
- // introduced in Cavium's version 3.2-08.
- CAVIUM_V2_COMPRESSED = 4;
- }
-
- // Output only. The format of the attestation data.
- AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The attestation data provided by the HSM when the key
- // operation was performed.
- bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
-// associated key material.
-//
-// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be
-// used for cryptographic operations.
-//
-// For security reasons, the raw cryptographic key material represented by a
-// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to
-// encrypt, decrypt, or sign data when an authorized user or application invokes
-// Cloud KMS.
-message CryptoKeyVersion {
- option (google.api.resource) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
- };
-
- // The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
- // parameters must be used for each cryptographic operation.
- //
- // The
- // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
- // algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- //
- // Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
- //
- // The fields in the name after "RSA_SIGN_" correspond to the following
- // parameters: padding algorithm, modulus bit length, and digest algorithm.
- //
- // For PSS, the salt length used is equal to the length of digest
- // algorithm. For example,
- // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
- // will use PSS with a salt length of 256 bits or 32 bytes.
- //
- // Algorithms beginning with "RSA_DECRYPT_" are usable with
- // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
- //
- // The fields in the name after "RSA_DECRYPT_" correspond to the following
- // parameters: padding algorithm, modulus bit length, and digest algorithm.
- //
- // Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
- //
- // The fields in the name after "EC_SIGN_" correspond to the following
- // parameters: elliptic curve, digest algorithm.
- //
- // For more information, see [Key purposes and algorithms]
- // (https://cloud.google.com/kms/docs/algorithms).
- enum CryptoKeyVersionAlgorithm {
- // Not specified.
- CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;
-
- // Creates symmetric encryption keys.
- GOOGLE_SYMMETRIC_ENCRYPTION = 1;
-
- // RSASSA-PSS 2048 bit key with a SHA256 digest.
- RSA_SIGN_PSS_2048_SHA256 = 2;
-
- // RSASSA-PSS 3072 bit key with a SHA256 digest.
- RSA_SIGN_PSS_3072_SHA256 = 3;
-
- // RSASSA-PSS 4096 bit key with a SHA256 digest.
- RSA_SIGN_PSS_4096_SHA256 = 4;
-
- // RSASSA-PSS 4096 bit key with a SHA512 digest.
- RSA_SIGN_PSS_4096_SHA512 = 15;
-
- // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- RSA_SIGN_PKCS1_2048_SHA256 = 5;
-
- // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- RSA_SIGN_PKCS1_3072_SHA256 = 6;
-
- // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- RSA_SIGN_PKCS1_4096_SHA256 = 7;
-
- // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- RSA_SIGN_PKCS1_4096_SHA512 = 16;
-
- // RSAES-OAEP 2048 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP_2048_SHA256 = 8;
-
- // RSAES-OAEP 3072 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP_3072_SHA256 = 9;
-
- // RSAES-OAEP 4096 bit key with a SHA256 digest.
- RSA_DECRYPT_OAEP_4096_SHA256 = 10;
-
- // RSAES-OAEP 4096 bit key with a SHA512 digest.
- RSA_DECRYPT_OAEP_4096_SHA512 = 17;
-
- // ECDSA on the NIST P-256 curve with a SHA256 digest.
- EC_SIGN_P256_SHA256 = 12;
-
- // ECDSA on the NIST P-384 curve with a SHA384 digest.
- EC_SIGN_P384_SHA384 = 13;
-
- // Algorithm representing symmetric encryption by an external key manager.
- EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
- }
-
- // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
- enum CryptoKeyVersionState {
- // Not specified.
- CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;
-
- // This version is still being generated. It may not be used, enabled,
- // disabled, or destroyed yet. Cloud KMS will automatically mark this
- // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
- PENDING_GENERATION = 5;
-
- // This version may be used for cryptographic operations.
- ENABLED = 1;
-
- // This version may not be used, but the key material is still available,
- // and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
- DISABLED = 2;
-
- // This version is destroyed, and the key material is no longer stored.
- // A version may not leave this state once entered.
- DESTROYED = 3;
-
- // This version is scheduled for destruction, and will be destroyed soon.
- // Call
- // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
- // to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
- DESTROY_SCHEDULED = 4;
-
- // This version is still being imported. It may not be used, enabled,
- // disabled, or destroyed yet. Cloud KMS will automatically mark this
- // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
- PENDING_IMPORT = 6;
-
- // This version was not imported successfully. It may not be used, enabled,
- // disabled, or destroyed. The submitted key material has been discarded.
- // Additional details can be found in
- // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
- IMPORT_FAILED = 7;
- }
-
- // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned
- // for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
- // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and
- // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
- enum CryptoKeyVersionView {
- // Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include
- // the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
- CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;
-
- // Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
- // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
- FULL = 1;
- }
-
- // Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
- // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- CryptoKeyVersionState state = 3;
-
- // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are
- // performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- ProtectionLevel protection_level = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this
- // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
- CryptoKeyVersionAlgorithm algorithm = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Statement that was generated and signed by the HSM at key
- // creation time. Use this statement to verify attributes of the key as stored
- // on the HSM, independently of Google. Only provided for key versions with
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
- KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
- google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
- // generated.
- google.protobuf.Timestamp generate_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled
- // for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
- // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
- google.protobuf.Timestamp destroy_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time this CryptoKeyVersion's key material was
- // destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
- // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
- google.protobuf.Timestamp destroy_event_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this
- // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was
- // imported.
- string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
- // was imported.
- google.protobuf.Timestamp import_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The root cause of an import failure. Only present if
- // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
- // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
- string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // ExternalProtectionLevelOptions stores a group of additional fields for
- // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
- // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
- ExternalProtectionLevelOptions external_protection_level_options = 17;
-}
-
-// The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
-// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-message PublicKey {
- option (google.api.resource) = {
- type: "cloudkms.googleapis.com/PublicKey"
- pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
- };
-
- // The public key, encoded in PEM format. For more information, see the
- // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
- // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
- // [Textual Encoding of Subject Public Key Info]
- // (https://tools.ietf.org/html/rfc7468#section-13).
- string pem = 1;
-
- // The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated
- // with this key.
- CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;
-
- // Integrity verification field. A CRC32C checksum of the returned
- // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed
- // by computing the CRC32C checksum of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and
- // comparing your results to this field. Discard the response in case of
- // non-matching checksum values, and perform a limited number of retries. A
- // persistent mismatch may indicate an issue in your computation of the CRC32C
- // checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value pem_crc32c = 3;
-
- // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
- // Provided here for verification.
- //
- // NOTE: This field is in Beta.
- string name = 4;
-}
-
-// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
-// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material,
-// generated outside of Cloud KMS.
-//
-// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key",
-// which is a public/private key pair. You use the wrapping key to encrypt (also
-// known as wrap) the pre-existing key material to protect it during the import
-// process. The nature of the wrapping key depends on the choice of
-// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation
-// is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to
-// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key]
-// can be fetched. The fetched public key can then be used to wrap your
-// pre-existing key material.
-//
-// Once the key material is wrapped, it can be imported into a new
-// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
-// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
-// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single
-// [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to
-// unwrap the key material. Only Cloud KMS has access to the private key.
-//
-// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS
-// will no longer be able to import or unwrap any key material that was wrapped
-// with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
-//
-// For more information, see
-// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
-message ImportJob {
- option (google.api.resource) = {
- type: "cloudkms.googleapis.com/ImportJob"
- pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
- };
-
- // The public key component of the wrapping key. For details of the type of
- // key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
- message WrappingPublicKey {
- // The public key, encoded in PEM format. For more information, see the [RFC
- // 7468](https://tools.ietf.org/html/rfc7468) sections for [General
- // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
- // [Textual Encoding of Subject Public Key Info]
- // (https://tools.ietf.org/html/rfc7468#section-13).
- string pem = 1;
- }
-
- // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this
- // [ImportJob][google.cloud.kms.v1.ImportJob].
- enum ImportMethod {
- // Not specified.
- IMPORT_METHOD_UNSPECIFIED = 0;
-
- // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
- // scheme defined in the PKCS #11 standard. In summary, this involves
- // wrapping the raw key with an ephemeral AES key, and wrapping the
- // ephemeral AES key with a 3072 bit RSA key. For more details, see
- // [RSA AES key wrap
- // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
- RSA_OAEP_3072_SHA1_AES_256 = 1;
-
- // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
- // scheme defined in the PKCS #11 standard. In summary, this involves
- // wrapping the raw key with an ephemeral AES key, and wrapping the
- // ephemeral AES key with a 4096 bit RSA key. For more details, see
- // [RSA AES key wrap
- // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
- RSA_OAEP_4096_SHA1_AES_256 = 2;
- }
-
- // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
- enum ImportJobState {
- // Not specified.
- IMPORT_JOB_STATE_UNSPECIFIED = 0;
-
- // The wrapping key for this job is still being generated. It may not be
- // used. Cloud KMS will automatically mark this job as
- // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated.
- PENDING_GENERATION = 1;
-
- // This job may be used in
- // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and
- // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
- // requests.
- ACTIVE = 2;
-
- // This job can no longer be used and may not leave this state once entered.
- EXPIRED = 3;
- }
-
- // Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format
- // `projects/*/locations/*/keyRings/*/importJobs/*`.
- string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Required. Immutable. The wrapping method to be used for incoming key material.
- ImportMethod import_method = 2 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.field_behavior) = IMMUTABLE
- ];
-
- // Required. Immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the
- // [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you
- // attempt to import into.
- ProtectionLevel protection_level = 9 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.field_behavior) = IMMUTABLE
- ];
-
- // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
- google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated.
- google.protobuf.Timestamp generate_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
- // expiration and can no longer be used to import key material.
- google.protobuf.Timestamp expire_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if
- // [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
- google.protobuf.Timestamp expire_event_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can
- // be used.
- ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. The public key with which to wrap key material prior to
- // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
- // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
- WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
-
- // Output only. Statement that was generated and signed by the key creator
- // (for example, an HSM) at key creation time. Use this statement to verify
- // attributes of the key as stored on the HSM, independently of Google.
- // Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection
- // level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
- KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
-}
-
-// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed.
-// For more information, see [Protection levels]
-// (https://cloud.google.com/kms/docs/algorithms#protection_levels).
-enum ProtectionLevel {
- // Not specified.
- PROTECTION_LEVEL_UNSPECIFIED = 0;
-
- // Crypto operations are performed in software.
- SOFTWARE = 1;
-
- // Crypto operations are performed in a Hardware Security Module.
- HSM = 2;
-
- // Crypto operations are performed by an external key manager.
- EXTERNAL = 3;
-}
-
-// ExternalProtectionLevelOptions stores a group of additional fields for
-// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
-// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
-message ExternalProtectionLevelOptions {
- // The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
- string external_key_uri = 1;
-}
diff --git a/google/cloud/kms_v1/proto/service.proto b/google/cloud/kms_v1/proto/service.proto
deleted file mode 100644
index 65d20771..00000000
--- a/google/cloud/kms_v1/proto/service.proto
+++ /dev/null
@@ -1,1100 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-package google.cloud.kms.v1;
-
-import "google/api/annotations.proto";
-import "google/api/client.proto";
-import "google/api/field_behavior.proto";
-import "google/api/resource.proto";
-import "google/cloud/kms/v1/resources.proto";
-import "google/protobuf/field_mask.proto";
-import "google/protobuf/wrappers.proto";
-
-option cc_enable_arenas = true;
-option csharp_namespace = "Google.Cloud.Kms.V1";
-option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
-option java_multiple_files = true;
-option java_outer_classname = "KmsProto";
-option java_package = "com.google.cloud.kms.v1";
-option php_namespace = "Google\\Cloud\\Kms\\V1";
-
-// Google Cloud Key Management Service
-//
-// Manages cryptographic keys and operations using those keys. Implements a REST
-// model with the following objects:
-//
-// * [KeyRing][google.cloud.kms.v1.KeyRing]
-// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
-// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
-// * [ImportJob][google.cloud.kms.v1.ImportJob]
-//
-// If you are using manual gRPC libraries, see
-// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
-service KeyManagementService {
- option (google.api.default_host) = "cloudkms.googleapis.com";
- option (google.api.oauth_scopes) =
- "https://www.googleapis.com/auth/cloud-platform,"
- "https://www.googleapis.com/auth/cloudkms";
-
- // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
- rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*}/keyRings"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
- rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest) returns (ListCryptoKeyVersionsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
- rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
- option (google.api.http) = {
- get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
- };
- option (google.api.method_signature) = "parent";
- }
-
- // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
- rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/keyRings/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as well as its
- // [primary][google.cloud.kms.v1.CryptoKey.primary] [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
- rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
- // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
- // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or
- // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
- rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
- rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
- option (google.api.http) = {
- get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
- rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*}/keyRings"
- body: "key_ring"
- };
- option (google.api.method_signature) = "parent,key_ring_id,key_ring";
- }
-
- // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
- //
- // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
- // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
- // are required.
- rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
- body: "crypto_key"
- };
- option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
- }
-
- // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
- //
- // The server will assign the next sequential id. If unset,
- // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
- // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
- rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
- body: "crypto_key_version"
- };
- option (google.api.method_signature) = "parent,crypto_key_version";
- }
-
- // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the
- // wrapped key material provided in the request.
- //
- // The version ID will be assigned the next sequential id within the
- // [CryptoKey][google.cloud.kms.v1.CryptoKey].
- rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
- body: "*"
- };
- }
-
- // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a [KeyRing][google.cloud.kms.v1.KeyRing].
- //
- // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is required.
- rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
- option (google.api.http) = {
- post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
- body: "import_job"
- };
- option (google.api.method_signature) = "parent,import_job_id,import_job";
- }
-
- // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
- rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
- option (google.api.http) = {
- patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
- body: "crypto_key"
- };
- option (google.api.method_signature) = "crypto_key,update_mask";
- }
-
- // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s metadata.
- //
- // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
- // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and
- // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] using this
- // method. See [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] and [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] to
- // move between other states.
- rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
- body: "crypto_key_version"
- };
- option (google.api.method_signature) = "crypto_key_version,update_mask";
- }
-
- // Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- // The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
- // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
- body: "*"
- };
- option (google.api.method_signature) = "name,plaintext";
- }
-
- // Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
- rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
- body: "*"
- };
- option (google.api.method_signature) = "name,ciphertext";
- }
-
- // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
- // ASYMMETRIC_SIGN, producing a signature that can be verified with the public
- // key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
- rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
- body: "*"
- };
- option (google.api.method_signature) = "name,digest";
- }
-
- // Decrypts data that was encrypted with a public key retrieved from
- // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
- // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
- rpc AsymmetricDecrypt(AsymmetricDecryptRequest) returns (AsymmetricDecryptResponse) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
- body: "*"
- };
- option (google.api.method_signature) = "name,ciphertext";
- }
-
- // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
- //
- // Returns an error if called on an asymmetric key.
- rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest) returns (CryptoKey) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
- body: "*"
- };
- option (google.api.method_signature) = "name,crypto_key_version_id";
- }
-
- // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
- //
- // Upon calling this method, [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
- // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
- // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be set to a time 24
- // hours in the future, at which point the [state][google.cloud.kms.v1.CryptoKeyVersion.state]
- // will be changed to
- // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], and the key
- // material will be irrevocably destroyed.
- //
- // Before the [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is reached,
- // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
- rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
- body: "*"
- };
- option (google.api.method_signature) = "name";
- }
-
- // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
- // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
- // state.
- //
- // Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state]
- // will be set to [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
- // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will be cleared.
- rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest) returns (CryptoKeyVersion) {
- option (google.api.http) = {
- post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
- body: "*"
- };
- option (google.api.method_signature) = "name";
- }
-}
-
-// Request message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
-message ListKeyRingsRequest {
- // Required. The resource name of the location associated with the
- // [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "locations.googleapis.com/Location"
- }
- ];
-
- // Optional. Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to include in the
- // response. Further [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
- // including the [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] in a subsequent
- // request. If unspecified, the server will pick an appropriate default.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Optional pagination token, returned earlier via
- // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Only include resources that match the filter in the response. For
- // more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string filter = 4 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Specify how the results should be sorted. If not specified, the
- // results will be sorted in the default order. For more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
-message ListCryptoKeysRequest {
- // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
- // `projects/*/locations/*/keyRings/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/KeyRing"
- }
- ];
-
- // Optional. Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the
- // response. Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by
- // including the [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] in a subsequent
- // request. If unspecified, the server will pick an appropriate default.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional.
Optional pagination token, returned earlier via
- // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // The fields of the primary version to include in the response.
- CryptoKeyVersion.CryptoKeyVersionView version_view = 4;
-
- // Optional. Only include resources that match the filter in the response. For
- // more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string filter = 5 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Specify how the results should be sorted. If not specified, the
- // results will be sorted in the default order. For more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-message ListCryptoKeyVersionsRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
- // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-
- // Optional. Optional limit on the number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to
- // include in the response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can
- // subsequently be obtained by including the
- // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] in a subsequent request.
- // If unspecified, the server will pick an appropriate default.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional.
Optional pagination token, returned earlier via
- // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // The fields to include in the response.
- CryptoKeyVersion.CryptoKeyVersionView view = 4;
-
- // Optional. Only include resources that match the filter in the response. For
- // more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string filter = 5 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Specify how the results should be sorted. If not specified, the
- // results will be sorted in the default order. For more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
-message ListImportJobsRequest {
- // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to list, in the format
- // `projects/*/locations/*/keyRings/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/KeyRing"
- }
- ];
-
- // Optional. Optional limit on the number of [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the
- // response. Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be obtained by
- // including the [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token] in a subsequent
- // request. If unspecified, the server will pick an appropriate default.
- int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional.
Optional pagination token, returned earlier via
- // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
- string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Only include resources that match the filter in the response. For
- // more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string filter = 4 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. Specify how the results should be sorted. If not specified, the
- // results will be sorted in the default order. For more information, see
- // [Sorting and filtering list
- // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
- string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Response message for [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
-message ListKeyRingsResponse {
- // The list of [KeyRings][google.cloud.kms.v1.KeyRing].
- repeated KeyRing key_rings = 1;
-
- // A token to retrieve next page of results. Pass this value in
- // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] to retrieve the next page of results.
- string next_page_token = 2;
-
- // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the query.
- int32 total_size = 3;
-}
-
-// Response message for [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
-message ListCryptoKeysResponse {
- // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- repeated CryptoKey crypto_keys = 1;
-
- // A token to retrieve next page of results. Pass this value in
- // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] to retrieve the next page of results.
- string next_page_token = 2;
-
- // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched the query.
- int32 total_size = 3;
-}
-
-// Response message for [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
-message ListCryptoKeyVersionsResponse {
- // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
- repeated CryptoKeyVersion crypto_key_versions = 1;
-
- // A token to retrieve next page of results. Pass this value in
- // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] to retrieve the next page of
- // results.
- string next_page_token = 2;
-
- // The total number of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
- // query.
- int32 total_size = 3;
-}
-
-// Response message for [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
-message ListImportJobsResponse {
- // The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
- repeated ImportJob import_jobs = 1;
-
- // A token to retrieve next page of results. Pass this value in
- // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token] to retrieve the next page of results.
- string next_page_token = 2;
-
- // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched the query.
- int32 total_size = 3;
-}
-
-// Request message for [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
-message GetKeyRingRequest {
- // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] to get.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/KeyRing"
- }
- ];
-}
-
-// Request message for [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
-message GetCryptoKeyRequest {
- // Required.
The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-}
-
-// Request message for [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
-message GetCryptoKeyVersionRequest {
- // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-}
-
-// Request message for [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
-message GetPublicKeyRequest {
- // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to
- // get.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-}
-
-// Request message for [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
-message GetImportJobRequest {
- // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] to get.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/ImportJob"
- }
- ];
-}
-
-// Request message for [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
-message CreateKeyRingRequest {
- // Required. The resource name of the location associated with the
- // [KeyRings][google.cloud.kms.v1.KeyRing], in the format `projects/*/locations/*`.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "locations.googleapis.com/Location"
- }
- ];
-
- // Required. It must be unique within a location and match the regular
- // expression `[a-zA-Z0-9_-]{1,63}`
- string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values.
- KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request message for [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
-message CreateCryptoKeyRequest {
- // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing associated with the
- // [CryptoKeys][google.cloud.kms.v1.CryptoKey].
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/KeyRing"
- }
- ];
-
- // Required. It must be unique within a KeyRing and match the regular
- // expression `[a-zA-Z0-9_-]{1,63}`
- string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values.
- CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];
-
- // If set to true, the request will create a [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
- // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must manually call
- // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
- // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
- // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
- bool skip_initial_version_creation = 5;
-}
-
-// Request message for [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
-message CreateCryptoKeyVersionRequest {
- // Required.
The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with
- // the [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-
- // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial field values.
- CryptoKeyVersion crypto_key_version = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
-message ImportCryptoKeyVersionRequest {
- // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
- // be imported into.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-
- // Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] of
- // the key being imported. This does not need to match the
- // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this
- // version imports into.
- CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to
- // wrap this key material.
- string import_job = 4 [(google.api.field_behavior) = REQUIRED];
-
- // Required. The incoming wrapped key material that is to be imported.
- oneof wrapped_key_material { - // Wrapped key material produced with - // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] - // or - // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]. - // - // This field contains the concatenation of two wrapped keys: - //
    - //
  1. An ephemeral AES-256 wrapping key wrapped with the - // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1, - // MGF1 with SHA-1, and an empty label. - //
  2. - //
  3. The key to be imported, wrapped with the ephemeral AES-256 key - // using AES-KWP (RFC 5649). - //
  4. - //
- // - // If importing symmetric key material, it is expected that the unwrapped - // key contains plain bytes. If importing asymmetric key material, it is - // expected that the unwrapped key is in PKCS#8-encoded DER format (the - // PrivateKeyInfo structure from RFC 5208). - // - // This format is the same as the format produced by PKCS#11 mechanism - // CKM_RSA_AES_KEY_WRAP. - bytes rsa_aes_wrapped_key = 5; - } -} - -// Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob]. -message CreateImportJobRequest { - // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the - // [ImportJobs][google.cloud.kms.v1.ImportJob]. - string parent = 1 [ - (google.api.field_behavior) = REQUIRED, - (google.api.resource_reference) = { - type: "cloudkms.googleapis.com/KeyRing" - } - ]; - - // Required. It must be unique within a KeyRing and match the regular - // expression `[a-zA-Z0-9_-]{1,63}` - string import_job_id = 2 [(google.api.field_behavior) = REQUIRED]; - - // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values. - ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED]; -} - -// Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey]. -message UpdateCryptoKeyRequest { - // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values. - CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED]; - - // Required. List of fields to be updated in this request. - google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED]; -} - -// Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]. -message UpdateCryptoKeyVersionRequest { - // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values. 
- CryptoKeyVersion crypto_key_version = 1 [(google.api.field_behavior) = REQUIRED];
-
- // Required. List of fields to be updated in this request.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
-message EncryptRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
- // to use for encryption.
- //
- // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its
- // [primary version][google.cloud.kms.v1.CryptoKey.primary].
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "*"
- }
- ];
-
- // Required. The data to encrypt. Must be no larger than 64KiB.
- //
- // The maximum size depends on the key version's
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
- // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger
- // than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
- // plaintext and additional_authenticated_data fields must be no larger than
- // 8KiB.
- bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Optional data that, if specified, must also be provided during decryption
- // through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
- //
- // The maximum size depends on the key version's
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
- // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than
- // 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
- // plaintext and additional_authenticated_data fields must be no larger than
- // 8KiB.
- bytes additional_authenticated_data = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. An optional CRC32C checksum of the [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]) is equal to
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c], and if so, perform a limited number of
- // retries. A persistent mismatch may indicate an issue in your computation of
- // the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 7 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. An optional CRC32C checksum of the
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. If specified,
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the received
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]) is equal to
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c], and if so, perform
- // a limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-message DecryptRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption.
- // The server will choose the appropriate version.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-
- // Required. The encrypted data originally returned in
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
- bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. Optional data that must match the data originally supplied in
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
- bytes additional_authenticated_data = 3 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. An optional CRC32C checksum of the [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]) is equal to
- // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c], and if so, perform a limited number
- // of retries. A persistent mismatch may indicate an issue in your computation
- // of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 5 [(google.api.field_behavior) = OPTIONAL];
-
- // Optional. An optional CRC32C checksum of the
- // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. If specified,
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the received
- // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]) is equal to
- // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c], and if so, perform
- // a limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
-message AsymmetricSignRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-
- // Required. The digest of the data to sign. The digest must be produced with
- // the same digest algorithm as specified by the key version's
- // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
- Digest digest = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. An optional CRC32C checksum of the [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]) is equal to
- // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c], and if so, perform a limited
- // number of retries. A persistent mismatch may indicate an issue in your
- // computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value digest_crc32c = 4 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-message AsymmetricDecryptRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
- // decryption.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-
- // Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public
- // key using OAEP.
- bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED];
-
- // Optional. An optional CRC32C checksum of the [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
- // If specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]) is equal to
- // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c], and if so, perform a
- // limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 4 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
-message DecryptResponse {
- // The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
- bytes plaintext = 1;
-
- // Integrity verification field. A CRC32C checksum of the returned
- // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. An integrity check of
- // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] can be performed by computing the CRC32C
- // checksum of [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] and comparing your results to
- // this field. Discard the response in case of non-matching checksum values,
- // and perform a limited number of retries. A persistent mismatch may indicate
- // an issue in your computation of the CRC32C checksum. Note: receiving this
- // response message indicates that [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
- // successfully decrypt the [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 2;
-}
-
-// Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
-message EncryptResponse {
- // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption. Check
- // this field to verify that the intended resource was used for encryption.
- string name = 1;
-
- // The encrypted data.
- bytes ciphertext = 2;
-
- // Integrity verification field. A CRC32C checksum of the returned
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. An integrity check of
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] can be performed by computing the CRC32C
- // checksum of [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] and comparing your results to
- // this field. Discard the response in case of non-matching checksum values,
- // and perform a limited number of retries. A persistent mismatch may indicate
- // an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 4;
-
- // Integrity verification field. A flag indicating whether
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of this field
- // indicates either that [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] was left unset or
- // that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've set
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] but this field is still false, discard
- // the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_plaintext_crc32c = 5;
-
- // Integrity verification field. A flag indicating whether
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A false value of this
- // field indicates either that
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] was left unset or
- // that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've set
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] but this field is
- // still false, discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_additional_authenticated_data_crc32c = 6;
-}
-
-// Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
-message AsymmetricSignResponse {
- // The created signature.
- bytes signature = 1;
-
- // Integrity verification field. A CRC32C checksum of the returned
- // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]. An integrity check of
- // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] can be performed by computing the
- // CRC32C checksum of [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] and comparing your
- // results to this field. Discard the response in case of non-matching
- // checksum values, and perform a limited number of retries. A persistent
- // mismatch may indicate an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value signature_crc32c = 2;
-
- // Integrity verification field. A flag indicating whether
- // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value of this field
- // indicates either that [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] was left
- // unset or that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
- // set [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] but this field is still false,
- // discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_digest_crc32c = 3;
-
- // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. Check
- // this field to verify that the intended resource was used for signing.
- //
- // NOTE: This field is in Beta.
- string name = 4;
-}
-
-// Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
-message AsymmetricDecryptResponse {
- // The decrypted data originally encrypted with the matching public key.
- bytes plaintext = 1;
-
- // Integrity verification field. A CRC32C checksum of the returned
- // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]. An integrity check of
- // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] can be performed by computing the
- // CRC32C checksum of [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] and comparing
- // your results to this field. Discard the response in case of non-matching
- // checksum values, and perform a limited number of retries. A persistent
- // mismatch may indicate an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 2;
-
- // Integrity verification field. A flag indicating whether
- // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A false value of this
- // field indicates either that [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
- // was left unset or that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If
- // you've set [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] but this field is
- // still false, discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_ciphertext_crc32c = 3;
-}
-
-// Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
-message UpdateCryptoKeyPrimaryVersionRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
-
- // Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
- string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
-}
-
-// Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
-message DestroyCryptoKeyVersionRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-}
-
-// Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
-message RestoreCryptoKeyVersionRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
-}
-
-// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
-message Digest {
- // Required. The message digest.
- oneof digest {
- // A message digest produced with the SHA-256 algorithm.
- bytes sha256 = 1;
-
- // A message digest produced with the SHA-384 algorithm.
- bytes sha384 = 2;
-
- // A message digest produced with the SHA-512 algorithm.
- bytes sha512 = 3;
- }
-}
-
-// Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
-message LocationMetadata {
- // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
- // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
- bool hsm_available = 1;
-
- // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
- // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in this location.
- bool ekm_available = 2;
-}