// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package google.cloud.kms.v1;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/kms/v1/resources.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb";
option java_multiple_files = true;
option java_outer_classname = "KmsProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";
// Google Cloud Key Management Service
//
// Manages cryptographic keys and operations using those keys. Implements a REST
// model with the following objects:
//
// * [KeyRing][google.cloud.kms.v1.KeyRing]
// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// * [ImportJob][google.cloud.kms.v1.ImportJob]
//
// If you are using manual gRPC libraries, see
// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
service KeyManagementService {
option (google.api.default_host) = "cloudkms.googleapis.com";
option (google.api.oauth_scopes) =
"https://www.googleapis.com/auth/cloud-platform,"
"https://www.googleapis.com/auth/cloudkms";
// Lists [KeyRings][google.cloud.kms.v1.KeyRing].
rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/locations/*}/keyRings"
};
option (google.api.method_signature) = "parent";
}
// Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
};
option (google.api.method_signature) = "parent";
}
// Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
returns (ListCryptoKeyVersionsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
};
option (google.api.method_signature) = "parent";
}
// Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
};
option (google.api.method_signature) = "parent";
}
// Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
option (google.api.http) = {
get: "/v1/{name=projects/*/locations/*/keyRings/*}"
};
option (google.api.method_signature) = "name";
}
// Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
// well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
option (google.api.http) = {
get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
};
option (google.api.method_signature) = "name";
}
// Returns metadata for a given
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
};
option (google.api.method_signature) = "name";
}
// Returns the public key for the given
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
// [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
// [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
// or
// [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
option (google.api.http) = {
get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
};
option (google.api.method_signature) = "name";
}
// Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
option (google.api.http) = {
get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
};
option (google.api.method_signature) = "name";
}
// Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
// Location.
rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/locations/*}/keyRings"
body: "key_ring"
};
option (google.api.method_signature) = "parent,key_ring_id,key_ring";
}
// Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
// [KeyRing][google.cloud.kms.v1.KeyRing].
//
// [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
// [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
// are required.
rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
body: "crypto_key"
};
option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
}
// Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
// [CryptoKey][google.cloud.kms.v1.CryptoKey].
//
// The server will assign the next sequential id. If unset,
// [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
// [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
body: "crypto_key_version"
};
option (google.api.method_signature) = "parent,crypto_key_version";
}
// Import wrapped key material into a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
//
// All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If
// a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is additionally
// specified in the request, key material will be reimported into that
// version. Otherwise, a new version will be created, and will be assigned the
// next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
body: "*"
};
}
// Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
// [KeyRing][google.cloud.kms.v1.KeyRing].
//
// [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
// required.
rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
option (google.api.http) = {
post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
body: "import_job"
};
option (google.api.method_signature) = "parent,import_job_id,import_job";
}
// Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
option (google.api.http) = {
patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
body: "crypto_key"
};
option (google.api.method_signature) = "crypto_key,update_mask";
}
// Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
// metadata.
//
// [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
// [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
// and
// [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
// using this method. See
// [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
// and
// [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
// to move between other states.
rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
body: "crypto_key_version"
};
option (google.api.method_signature) = "crypto_key_version,update_mask";
}
// Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
// will be used in
// [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
//
// Returns an error if called on a key whose purpose is not
// [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
returns (CryptoKey) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
body: "*"
};
option (google.api.method_signature) = "name,crypto_key_version_id";
}
// Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
// destruction.
//
// Upon calling this method,
// [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
// be set to
// [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
// and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
// be set to the time
// [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration]
// in the future. At that time, the
// [state][google.cloud.kms.v1.CryptoKeyVersion.state] will automatically
// change to
// [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
// and the key material will be irrevocably destroyed.
//
// Before the
// [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
// reached,
// [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
// may be called to reverse the process.
rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
body: "*"
};
option (google.api.method_signature) = "name";
}
// Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
// [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
// state.
//
// Upon restoration of the CryptoKeyVersion,
// [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
// [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
// and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
// be cleared.
rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
returns (CryptoKeyVersion) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
body: "*"
};
option (google.api.method_signature) = "name";
}
// Encrypts data, so that it can only be recovered by a call to
// [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
// [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
// [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
body: "*"
};
option (google.api.method_signature) = "name,plaintext";
}
// Decrypts data that was protected by
// [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
// [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
// [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
body: "*"
};
option (google.api.method_signature) = "name,ciphertext";
}
// Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
// ASYMMETRIC_SIGN, producing a signature that can be verified with the public
// key retrieved from
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
body: "*"
};
option (google.api.method_signature) = "name,digest";
}
// Decrypts data that was encrypted with a public key retrieved from
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
// corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
// ASYMMETRIC_DECRYPT.
rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
returns (AsymmetricDecryptResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
body: "*"
};
option (google.api.method_signature) = "name,ciphertext";
}
// Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
// producing a tag that can be verified by another source with the same key.
rpc MacSign(MacSignRequest) returns (MacSignResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macSign"
body: "*"
};
option (google.api.method_signature) = "name,data";
}
// Verifies MAC tag using a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
// [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns
// a response that indicates whether or not the verification was successful.
rpc MacVerify(MacVerifyRequest) returns (MacVerifyResponse) {
option (google.api.http) = {
post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macVerify"
body: "*"
};
option (google.api.method_signature) = "name,data,mac";
}
// Generate random bytes using the Cloud KMS randomness source in the provided
// location.
rpc GenerateRandomBytes(GenerateRandomBytesRequest)
returns (GenerateRandomBytesResponse) {
option (google.api.http) = {
post: "/v1/{location=projects/*/locations/*}:generateRandomBytes"
body: "*"
};
option (google.api.method_signature) =
"location,length_bytes,protection_level";
}
}
// Request message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsRequest {
// Required. The resource name of the location associated with the
// [KeyRings][google.cloud.kms.v1.KeyRing], in the format
// `projects/*/locations/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "locations.googleapis.com/Location"
}
];
// Optional. Optional limit on the number of
// [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
// [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
// including the
// [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
// in a subsequent request. If unspecified, the server will pick an
// appropriate default.
int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. Optional pagination token, returned earlier via
// [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
// Optional. Only include resources that match the filter in the response. For
// more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string filter = 4 [(google.api.field_behavior) = OPTIONAL];
// Optional. Specify how the results should be sorted. If not specified, the
// results will be sorted in the default order. For more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysRequest {
// Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
// to list, in the format `projects/*/locations/*/keyRings/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/KeyRing"
}
];
// Optional. Optional limit on the number of
// [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
// Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
// obtained by including the
// [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
// in a subsequent request. If unspecified, the server will pick an
// appropriate default.
int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. Optional pagination token, returned earlier via
// [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
// The fields of the primary version to include in the response.
CryptoKeyVersion.CryptoKeyVersionView version_view = 4;
// Optional. Only include resources that match the filter in the response. For
// more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string filter = 5 [(google.api.field_behavior) = OPTIONAL];
// Optional. Specify how the results should be sorted. If not specified, the
// results will be sorted in the default order. For more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsRequest {
// Required. The resource name of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
// `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
// Optional. Optional limit on the number of
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
// response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
// can subsequently be obtained by including the
// [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
// in a subsequent request. If unspecified, the server will pick an
// appropriate default.
int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. Optional pagination token, returned earlier via
// [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
// The fields to include in the response.
CryptoKeyVersion.CryptoKeyVersionView view = 4;
// Optional. Only include resources that match the filter in the response. For
// more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string filter = 5 [(google.api.field_behavior) = OPTIONAL];
// Optional. Specify how the results should be sorted. If not specified, the
// results will be sorted in the default order. For more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsRequest {
// Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
// to list, in the format `projects/*/locations/*/keyRings/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/KeyRing"
}
];
// Optional. Optional limit on the number of
// [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
// Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
// obtained by including the
// [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
// in a subsequent request. If unspecified, the server will pick an
// appropriate default.
int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
// Optional. Optional pagination token, returned earlier via
// [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
// Optional. Only include resources that match the filter in the response. For
// more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string filter = 4 [(google.api.field_behavior) = OPTIONAL];
// Optional. Specify how the results should be sorted. If not specified, the
// results will be sorted in the default order. For more information, see
// [Sorting and filtering list
// results](https://cloud.google.com/kms/docs/sorting-and-filtering).
string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}
// Response message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsResponse {
// The list of [KeyRings][google.cloud.kms.v1.KeyRing].
repeated KeyRing key_rings = 1;
// A token to retrieve next page of results. Pass this value in
// [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
// to retrieve the next page of results.
string next_page_token = 2;
// The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
// the query.
int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysResponse {
// The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
repeated CryptoKey crypto_keys = 1;
// A token to retrieve next page of results. Pass this value in
// [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
// to retrieve the next page of results.
string next_page_token = 2;
// The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
// matched the query.
int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsResponse {
// The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
repeated CryptoKeyVersion crypto_key_versions = 1;
// A token to retrieve next page of results. Pass this value in
// [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
// to retrieve the next page of results.
string next_page_token = 2;
// The total number of
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
// query.
int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsResponse {
// The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
repeated ImportJob import_jobs = 1;
// A token to retrieve next page of results. Pass this value in
// [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
// to retrieve the next page of results.
string next_page_token = 2;
// The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
// matched the query.
int32 total_size = 3;
}
// Request message for
// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
message GetKeyRingRequest {
// Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
// [KeyRing][google.cloud.kms.v1.KeyRing] to get.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/KeyRing"
}
];
}
// Request message for
// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
message GetCryptoKeyRequest {
// Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
}
// Request message for
// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
message GetCryptoKeyVersionRequest {
// Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
}
// Request message for
// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message GetPublicKeyRequest {
// Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
}
// Request message for
// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
message GetImportJobRequest {
// Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
// [ImportJob][google.cloud.kms.v1.ImportJob] to get.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/ImportJob"
}
];
}
// Request message for
// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
message CreateKeyRingRequest {
// Required. The resource name of the location associated with the
// [KeyRings][google.cloud.kms.v1.KeyRing], in the format
// `projects/*/locations/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "locations.googleapis.com/Location"
}
];
// Required. It must be unique within a location and match the regular
// expression `[a-zA-Z0-9_-]{1,63}`
string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];
// Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
// values.
KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
message CreateCryptoKeyRequest {
// Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
// associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/KeyRing"
}
];
// Required. It must be unique within a KeyRing and match the regular
// expression `[a-zA-Z0-9_-]{1,63}`
string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];
// Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
// values.
CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];
// If set to true, the request will create a
// [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
// manually call
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
// or
// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
// before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
bool skip_initial_version_creation = 5;
}
// Request message for
// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
message CreateCryptoKeyVersionRequest {
// Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
// Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
// initial field values.
CryptoKeyVersion crypto_key_version = 2
[(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
message ImportCryptoKeyVersionRequest {
// Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
//
// The create permission is only required on this key when creating a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
// Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
// an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
// target for an import operation. If this field is not present, a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
// supplied key material is created.
//
// If this field is present, the supplied key material is imported into
// the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
// import into an existing
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
// [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
// have been previously created via [ImportCryptoKeyVersion][], and be in
// [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
// or
// [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
// state. The key material and algorithm must match the previous
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
// key material.
string crypto_key_version = 6 [
(google.api.field_behavior) = OPTIONAL,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
// Required. The
// [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
// of the key being imported. This does not need to match the
// [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
[(google.api.field_behavior) = REQUIRED];
// Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
// [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
// material.
string import_job = 4 [(google.api.field_behavior) = REQUIRED];
// Optional. The wrapped key material to import.
//
// Before wrapping, key material must be formatted. If importing symmetric key
// material, the expected key material format is plain bytes. If importing
// asymmetric key material, the expected key material format is PKCS#8-encoded
// DER (the PrivateKeyInfo structure from RFC 5208).
//
// When wrapping with import methods
// ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
// or
// [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
// or
// [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
// or
// [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
//
// this field must contain the concatenation of:
//
// - An ephemeral AES-256 wrapping key wrapped with the
// [public_key][google.cloud.kms.v1.ImportJob.public_key] using
// RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
// label.
//
// - The formatted key to be imported, wrapped with the ephemeral AES-256
// key using AES-KWP (RFC 5649).
//
//
//
// This format is the same as the format produced by PKCS#11 mechanism
// CKM_RSA_AES_KEY_WRAP.
//
// When wrapping with import methods
// ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
// or
// [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
//
// this field must contain the formatted key to be imported, wrapped with the
// [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
// with SHA-256, MGF1 with SHA-256, and an empty label.
bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL];
// This field is legacy. Use the field
// [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]
// instead.
oneof wrapped_key_material {
// Optional. This field has the same meaning as
// [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
// Prefer to use that field in new work. Either that field or this field
// (but not both) must be specified.
bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL];
}
}
// Request message for
// [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
message CreateImportJobRequest {
// Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
// [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
// [ImportJobs][google.cloud.kms.v1.ImportJob].
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/KeyRing"
}
];
// Required. It must be unique within a KeyRing and match the regular
// expression `[a-zA-Z0-9_-]{1,63}`
string import_job_id = 2 [(google.api.field_behavior) = REQUIRED];
// Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
// values.
ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
message UpdateCryptoKeyRequest {
// Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED];
// Required. List of fields to be updated in this request.
google.protobuf.FieldMask update_mask = 2
[(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
message UpdateCryptoKeyVersionRequest {
// Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
// updated values.
CryptoKeyVersion crypto_key_version = 1
[(google.api.field_behavior) = REQUIRED];
// Required. List of fields to be updated in this request.
google.protobuf.FieldMask update_mask = 2
[(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
message UpdateCryptoKeyPrimaryVersionRequest {
// Required. The resource name of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
// Required. The id of the child
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
message DestroyCryptoKeyVersionRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
}
// Request message for
// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
message RestoreCryptoKeyVersionRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
}
// Request message for
// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
message EncryptRequest {
// Required. The resource name of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] or
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
// encryption.
//
// If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
// will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = { type: "*" }
];
// Required. The data to encrypt. Must be no larger than 64KiB.
//
// The maximum size depends on the key version's
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
// For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
// [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
// plaintext must be no larger than 64KiB. For
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
// the plaintext and additional_authenticated_data fields must be no larger
// than 8KiB.
bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED];
// Optional. Optional data that, if specified, must also be provided during
// decryption through
// [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
//
// The maximum size depends on the key version's
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
// For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
// [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
// AAD must be no larger than 64KiB. For
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
// the plaintext and additional_authenticated_data fields must be no larger
// than 8KiB.
bytes additional_authenticated_data = 3
[(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
// is equal to
// [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value plaintext_crc32c = 7
[(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
// is equal to
// [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value additional_authenticated_data_crc32c = 8
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
message DecryptRequest {
// Required. The resource name of the
// [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
// server will choose the appropriate version.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKey"
}
];
// Required. The encrypted data originally returned in
// [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED];
// Optional. Optional data that must match the data originally supplied in
// [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
bytes additional_authenticated_data = 3
[(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
// is equal to
// [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value ciphertext_crc32c = 5
[(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
// is equal to
// [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value additional_authenticated_data_crc32c = 6
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
message AsymmetricSignRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
// signing.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
// Optional. The digest of the data to sign. The digest must be produced with
// the same digest algorithm as specified by the key version's
// [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
//
// This field may not be supplied if
// [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
// is supplied.
Digest digest = 3 [(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
// is equal to
// [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value digest_crc32c = 4
[(google.api.field_behavior) = OPTIONAL];
// Optional. The data to sign.
// It can't be supplied if
// [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
// is supplied.
bytes data = 6 [(google.api.field_behavior) = OPTIONAL];
// Optional. An optional CRC32C checksum of the
// [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
// is equal to
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value data_crc32c = 7
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
message AsymmetricDecryptRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
// decryption.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
// Required. The data encrypted with the named
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
// OAEP.
bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED];
// Optional. An optional CRC32C checksum of the
// [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
// If specified,
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// verify the integrity of the received
// [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
// using this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
// is equal to
// [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value ciphertext_crc32c = 4
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
message MacSignRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
// signing.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
// Required. The data to sign. The MAC tag is computed over this data field
// based on the specific algorithm.
bytes data = 2 [(google.api.field_behavior) = REQUIRED];
// Optional. An optional CRC32C checksum of the
// [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
// specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
// will verify the integrity of the received
// [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
// checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
// will report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
// equal to
// [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value data_crc32c = 3
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
message MacVerifyRequest {
// Required. The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
// verification.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
type: "cloudkms.googleapis.com/CryptoKeyVersion"
}
];
// Required. The data used previously as a
// [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
// the MAC tag.
bytes data = 2 [(google.api.field_behavior) = REQUIRED];
// Optional. An optional CRC32C checksum of the
// [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
// specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
// will verify the integrity of the received
// [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
// this checksum.
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
// report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
// is equal to
// [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value data_crc32c = 3
[(google.api.field_behavior) = OPTIONAL];
// Required. The signature to verify.
bytes mac = 4 [(google.api.field_behavior) = REQUIRED];
// Optional. An optional CRC32C checksum of the
// [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
// specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
// will verify the integrity of the received
// [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
// checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
// will report an error if the checksum verification fails. If you receive a
// checksum error, your client should verify that
// CRC32C([MacVerifyRequest.tag][]) is equal to
// [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
// and if so, perform a limited number of retries. A persistent mismatch may
// indicate an issue in your computation of the CRC32C checksum. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value mac_crc32c = 5
[(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
message GenerateRandomBytesRequest {
// The project-specific location in which to generate random bytes.
// For example, "projects/my-project/locations/us-central1".
string location = 1;
// The length in bytes of the amount of randomness to retrieve. Minimum 8
// bytes, maximum 1024 bytes.
int32 length_bytes = 2;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
// generating the random data. Currently, only
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
// supported.
ProtectionLevel protection_level = 3;
}
// Response message for
// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
message EncryptResponse {
// The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
// encryption. Check this field to verify that the intended resource was used
// for encryption.
string name = 1;
// The encrypted data.
bytes ciphertext = 2;
// Integrity verification field. A CRC32C checksum of the returned
// [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
// An integrity check of
// [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
// can be performed by computing the CRC32C checksum of
// [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
// and comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: This field is defined as int64 for reasons of compatibility
// across different languages. However, it is a non-negative integer, which
// will never exceed 2^32-1, and can be safely downconverted to uint32 in
// languages that support this type.
google.protobuf.Int64Value ciphertext_crc32c = 4;
// Integrity verification field. A flag indicating whether
// [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
// this field indicates either that
// [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_plaintext_crc32c = 5;
// Integrity verification field. A flag indicating whether
// [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
// false value of this field indicates either that
// [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_additional_authenticated_data_crc32c = 6;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
// encryption.
ProtectionLevel protection_level = 7;
}
// Response message for
// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
message DecryptResponse {
// The decrypted data originally supplied in
// [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
bytes plaintext = 1;
// Integrity verification field. A CRC32C checksum of the returned
// [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
// An integrity check of
// [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
// can be performed by computing the CRC32C checksum of
// [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
// and comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: receiving this response message indicates that
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
// successfully decrypt the
// [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
// field is defined as int64 for reasons of compatibility across different
// languages. However, it is a non-negative integer, which will never exceed
// 2^32-1, and can be safely downconverted to uint32 in languages that support
// this type.
google.protobuf.Int64Value plaintext_crc32c = 2;
// Whether the Decryption was performed using the primary key version.
bool used_primary = 3;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
// decryption.
ProtectionLevel protection_level = 4;
}
// Response message for
// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
message AsymmetricSignResponse {
// The created signature.
bytes signature = 1;
// Integrity verification field. A CRC32C checksum of the returned
// [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
// An integrity check of
// [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
// can be performed by computing the CRC32C checksum of
// [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
// and comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: This field is defined as int64 for reasons of compatibility
// across different languages. However, it is a non-negative integer, which
// will never exceed 2^32-1, and can be safely downconverted to uint32 in
// languages that support this type.
google.protobuf.Int64Value signature_crc32c = 2;
// Integrity verification field. A flag indicating whether
// [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
// of this field indicates either that
// [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_digest_crc32c = 3;
// The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
// Check this field to verify that the intended resource was used for signing.
string name = 4;
// Integrity verification field. A flag indicating whether
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
// this field indicates either that
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_data_crc32c = 5;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
ProtectionLevel protection_level = 6;
}
// Response message for
// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
message AsymmetricDecryptResponse {
// The decrypted data originally encrypted with the matching public key.
bytes plaintext = 1;
// Integrity verification field. A CRC32C checksum of the returned
// [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
// An integrity check of
// [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
// can be performed by computing the CRC32C checksum of
// [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
// and comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: This field is defined as int64 for reasons of compatibility
// across different languages. However, it is a non-negative integer, which
// will never exceed 2^32-1, and can be safely downconverted to uint32 in
// languages that support this type.
google.protobuf.Int64Value plaintext_crc32c = 2;
// Integrity verification field. A flag indicating whether
// [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
// false value of this field indicates either that
// [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_ciphertext_crc32c = 3;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
// decryption.
ProtectionLevel protection_level = 4;
}
// Response message for
// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
message MacSignResponse {
// The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
// Check this field to verify that the intended resource was used for signing.
string name = 1;
// The created signature.
bytes mac = 2;
// Integrity verification field. A CRC32C checksum of the returned
// [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
// integrity check of
// [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
// performed by computing the CRC32C checksum of
// [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
// comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: This field is defined as int64 for reasons of compatibility
// across different languages. However, it is a non-negative integer, which
// will never exceed 2^32-1, and can be safely downconverted to uint32 in
// languages that support this type.
google.protobuf.Int64Value mac_crc32c = 3;
// Integrity verification field. A flag indicating whether
// [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
// field indicates either that
// [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_data_crc32c = 4;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
ProtectionLevel protection_level = 5;
}
// Response message for
// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
message MacVerifyResponse {
// The resource name of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
// verification. Check this field to verify that the intended resource was
// used for verification.
string name = 1;
// This field indicates whether or not the verification operation for
// [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
// [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
// successful.
bool success = 2;
// Integrity verification field. A flag indicating whether
// [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
// field indicates either that
// [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_data_crc32c = 3;
// Integrity verification field. A flag indicating whether
// [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
// was received by
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
// for the integrity verification of the
// [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
// field indicates either that
// [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
// was left unset or that it was not delivered to
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
// set
// [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
// but this field is still false, discard the response and perform a limited
// number of retries.
bool verified_mac_crc32c = 4;
// Integrity verification field. This value is used for the integrity
// verification of [MacVerifyResponse.success]. If the value of this field
// contradicts the value of [MacVerifyResponse.success], discard the response
// and perform a limited number of retries.
bool verified_success_integrity = 5;
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
// verification.
ProtectionLevel protection_level = 6;
}
// Response message for
// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
message GenerateRandomBytesResponse {
// The generated data.
bytes data = 1;
// Integrity verification field. A CRC32C checksum of the returned
// [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
// An integrity check of
// [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
// can be performed by computing the CRC32C checksum of
// [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
// and comparing your results to this field. Discard the response in case of
// non-matching checksum values, and perform a limited number of retries. A
// persistent mismatch may indicate an issue in your computation of the CRC32C
// checksum. Note: This field is defined as int64 for reasons of compatibility
// across different languages. However, it is a non-negative integer, which
// will never exceed 2^32-1, and can be safely downconverted to uint32 in
// languages that support this type.
google.protobuf.Int64Value data_crc32c = 3;
}
// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
message Digest {
// Required. The message digest.
oneof digest {
// A message digest produced with the SHA-256 algorithm.
bytes sha256 = 1;
// A message digest produced with the SHA-384 algorithm.
bytes sha384 = 2;
// A message digest produced with the SHA-512 algorithm.
bytes sha512 = 3;
}
}
// Cloud KMS metadata for the given
// [google.cloud.location.Location][google.cloud.location.Location].
message LocationMetadata {
// Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
// location.
bool hsm_available = 1;
// Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
// this location.
bool ekm_available = 2;
}