- // Copyright 2021 Google LLC
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- syntax = "proto3";
- package google.cloud.kms.v1;
- import "google/api/annotations.proto";
- import "google/api/client.proto";
- import "google/api/field_behavior.proto";
- import "google/api/resource.proto";
- import "google/cloud/kms/v1/resources.proto";
- import "google/protobuf/field_mask.proto";
- import "google/protobuf/wrappers.proto";
- option cc_enable_arenas = true;
- option csharp_namespace = "Google.Cloud.Kms.V1";
- option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
- option java_multiple_files = true;
- option java_outer_classname = "KmsProto";
- option java_package = "com.google.cloud.kms.v1";
- option php_namespace = "Google\\Cloud\\Kms\\V1";
// Google Cloud Key Management Service
//
// Manages cryptographic keys and the operations performed with those keys.
// The API follows a REST model built from these resources:
//
// * [KeyRing][google.cloud.kms.v1.KeyRing]
// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// * [ImportJob][google.cloud.kms.v1.ImportJob]
//
// When calling through manual gRPC libraries, see
// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
service KeyManagementService {
  option (google.api.default_host) = "cloudkms.googleapis.com";

  // OAuth scopes declared for clients of this service, as one comma-separated
  // list. `cloud-platform` is the broad Google Cloud scope; `cloudkms` is the
  // scope specific to this API.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/cloudkms";

  // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
  rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/keyRings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
      returns (ListCryptoKeyVersionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
  rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns the metadata of one [KeyRing][google.cloud.kms.v1.KeyRing].
  rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the metadata of one [CryptoKey][google.cloud.kms.v1.CryptoKey],
  // together with its [primary][google.cloud.kms.v1.CryptoKey.primary]
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the metadata of one
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the public key of the given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the metadata of one [ImportJob][google.cloud.kms.v1.ImportJob].
  rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new [KeyRing][google.cloud.kms.v1.KeyRing] in the given Project
  // and Location.
  rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/keyRings"
      body: "key_ring"
    };
    option (google.api.method_signature) = "parent,key_ring_id,key_ring";
  }

  // Creates a new [CryptoKey][google.cloud.kms.v1.CryptoKey] inside a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // Both [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
  // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
  // are required.
  rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
  }

  // Creates a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in
  // a [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // The server assigns the next sequential id. When
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is left unset it
  // becomes
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
  rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "parent,crypto_key_version";
  }

  // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // into an existing [CryptoKey][google.cloud.kms.v1.CryptoKey], using the
  // wrapped key material carried in the request.
  //
  // The version receives the next sequential id within the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
      body: "*"
    };
  }

  // Creates a new [ImportJob][google.cloud.kms.v1.ImportJob] inside a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
  // required.
  rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
      body: "import_job"
    };
    option (google.api.method_signature) = "parent,import_job_id,import_job";
  }

  // Updates a [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "crypto_key,update_mask";
  }

  // Updates the metadata of a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // This method can move [state][google.cloud.kms.v1.CryptoKeyVersion.state]
  // between
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] and
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED].
  // Transitions to or from any other state go through
  // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
  // and
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
  rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "crypto_key_version,update_mask";
  }

  // Encrypts data so that it can only be recovered by calling
  // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
  // The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // NOTE(review): the URL template ends in `cryptoKeys/**`, which matches
  // more than one path segment, whereas Decrypt uses `cryptoKeys/*`.
  // Presumably `name` may therefore address a specific CryptoKeyVersion as
  // well as a CryptoKey; confirm against EncryptRequest.name.
  rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,plaintext";
  }

  // Decrypts data that was protected by
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Signs data with a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // whose [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // ASYMMETRIC_SIGN. The resulting signature can be verified with the public
  // key obtained from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
  rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,digest";
  }

  // Decrypts data that was encrypted with a public key obtained from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey],
  // where that key belongs to a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] whose
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // ASYMMETRIC_DECRYPT.
  rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
      returns (AsymmetricDecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Changes which version of a [CryptoKey][google.cloud.kms.v1.CryptoKey]
  // will be used by
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  //
  // Fails with an error when the key's purpose is not
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
      returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
      body: "*"
    };
    option (google.api.method_signature) = "name,crypto_key_version_id";
  }

  // Schedules a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
  // destruction.
  //
  // The call sets
  // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] to
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // and sets [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
  // to a time 24 hours in the future. At that time the
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] changes to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
  // and the key material is irrevocably destroyed.
  //
  // Until [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time]
  // is reached, the process can be reversed with
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
  rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Restores a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
  // is in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state.
  //
  // After restoration, [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
  // (not ENABLED) and
  // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
  // cleared.
  rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }
}
// Request message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsRequest {
  // Required. Resource name of the location that holds the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Upper limit on the number of
  // [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response.
  // Further [KeyRings][google.cloud.kms.v1.KeyRing] can be obtained by sending
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
  // in a subsequent request. When unspecified, the server picks an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token returned earlier via
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Restricts the response to resources that match the filter. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Sort order of the results. When not specified, results come
  // back in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysRequest {
  // Required. Resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to
  // list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Upper limit on the number of
  // [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
  // Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can be obtained by
  // sending
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
  // in a subsequent request. When unspecified, the server picks an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token returned earlier via
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Which fields of the primary version to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView version_view = 4;

  // Optional. Restricts the response to resources that match the filter. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Sort order of the results. When not specified, results come
  // back in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsRequest {
  // Required. Resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey]
  // to list, in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. Upper limit on the number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in
  // the response. Further
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be obtained
  // by sending
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
  // in a subsequent request. When unspecified, the server picks an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token returned earlier via
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Which fields to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView view = 4;

  // Optional. Restricts the response to resources that match the filter. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Sort order of the results. When not specified, results come
  // back in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}
// Request message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsRequest {
  // Required. Resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] to
  // list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Upper limit on the number of
  // [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
  // Further [ImportJobs][google.cloud.kms.v1.ImportJob] can be obtained by
  // sending
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
  // in a subsequent request. When unspecified, the server picks an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token returned earlier via
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Restricts the response to resources that match the filter. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Sort order of the results. When not specified, results come
  // back in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}
// Response message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsResponse {
  // The [KeyRings][google.cloud.kms.v1.KeyRing] on this page.
  repeated KeyRing key_rings = 1;

  // Token for fetching the next page. Pass it in
  // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // Total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched the
  // query.
  int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysResponse {
  // The [CryptoKeys][google.cloud.kms.v1.CryptoKey] on this page.
  repeated CryptoKey crypto_keys = 1;

  // Token for fetching the next page. Pass it in
  // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // Total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that matched
  // the query.
  int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsResponse {
  // The [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] on this
  // page.
  repeated CryptoKeyVersion crypto_key_versions = 1;

  // Token for fetching the next page. Pass it in
  // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // Total number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
  // query.
  int32 total_size = 3;
}
// Response message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsResponse {
  // The [ImportJobs][google.cloud.kms.v1.ImportJob] on this page.
  repeated ImportJob import_jobs = 1;

  // Token for fetching the next page. Pass it in
  // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // Total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that matched
  // the query.
  int32 total_size = 3;
}
// Request message for
// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
message GetKeyRingRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];
}
// Request message for
// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
message GetCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];
}
// Request message for
// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
message GetCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}
// Request message for
// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message GetPublicKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] whose public key
  // is to be returned.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}
// Request message for
// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
message GetImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/ImportJob"
    }
  ];
}
// Request message for
// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
message CreateKeyRingRequest {
  // Required. Resource name of the location that holds the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. Identifier for the new KeyRing. It must be unique within a
  // location and match the regular expression `[a-zA-Z0-9_-]{1,63}`
  string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] carrying the initial
  // field values.
  KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
}
// Request message for
// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
message CreateCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
  // that the [CryptoKeys][google.cloud.kms.v1.CryptoKey] are associated with.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. Identifier for the new CryptoKey. It must be unique within a
  // KeyRing and match the regular expression `[a-zA-Z0-9_-]{1,63}`
  string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] carrying the
  // initial field values.
  CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];

  // When true, the [CryptoKey][google.cloud.kms.v1.CryptoKey] is created
  // without any [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  // The key cannot be used until you manually call
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or
  // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
  bool skip_initial_version_creation = 5;
}
// Request message for
// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
message CreateCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] that the
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] are associated
  // with.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // carrying the initial field values.
  CryptoKeyVersion crypto_key_version = 2
      [(google.api.field_behavior) = REQUIRED];
}
- // Request message for [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
- message ImportCryptoKeyVersionRequest {
- // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to
- // be imported into.
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
- // Required. The [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] of
- // the key being imported. This does not need to match the
- // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the [CryptoKey][google.cloud.kms.v1.CryptoKey] this
- // version imports into.
- CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 [(google.api.field_behavior) = REQUIRED];
- // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the [ImportJob][google.cloud.kms.v1.ImportJob] that was used to
- // wrap this key material.
- string import_job = 4 [(google.api.field_behavior) = REQUIRED];
- // Required. The incoming wrapped key material that is to be imported.
- oneof wrapped_key_material {
- // Wrapped key material produced with
- // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
- // or
- // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
- //
- // This field contains the concatenation of two wrapped keys:
- // <ol>
- // <li>An ephemeral AES-256 wrapping key wrapped with the
- // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP with SHA-1,
- // MGF1 with SHA-1, and an empty label.
- // </li>
- // <li>The key to be imported, wrapped with the ephemeral AES-256 key
- // using AES-KWP (RFC 5649).
- // </li>
- // </ol>
- //
- // If importing symmetric key material, it is expected that the unwrapped
- // key contains plain bytes. If importing asymmetric key material, it is
- // expected that the unwrapped key is in PKCS#8-encoded DER format (the
- // PrivateKeyInfo structure from RFC 5208).
- //
- // This format is the same as the format produced by PKCS#11 mechanism
- // CKM_RSA_AES_KEY_WRAP.
- bytes rsa_aes_wrapped_key = 5;
- }
- }
- // Request message for [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
- message CreateImportJobRequest {
- // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
- // [ImportJobs][google.cloud.kms.v1.ImportJob].
- string parent = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/KeyRing"
- }
- ];
- // Required. It must be unique within a KeyRing and match the regular
- // expression `[a-zA-Z0-9_-]{1,63}`
- string import_job_id = 2 [(google.api.field_behavior) = REQUIRED];
- // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field values.
- ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED];
- }
- // Request message for [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
- message UpdateCryptoKeyRequest {
- // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
- CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED];
- // Required. List of fields to be updated in this request.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
- }
- // Request message for [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
- message UpdateCryptoKeyVersionRequest {
- // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated values.
- CryptoKeyVersion crypto_key_version = 1 [(google.api.field_behavior) = REQUIRED];
- // Required. List of fields to be updated in this request.
- google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
- }
- // Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
- message EncryptRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] or [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
- // to use for encryption.
- //
- // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server will use its
- // [primary version][google.cloud.kms.v1.CryptoKey.primary].
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "*"
- }
- ];
- // Required. The data to encrypt. Must be no larger than 64KiB.
- //
- // The maximum size depends on the key version's
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
- // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the plaintext must be no larger
- // than 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
- // plaintext and additional_authenticated_data fields must be no larger than
- // 8KiB.
- bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED];
- // Optional. Optional data that, if specified, must also be provided during decryption
- // through [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
- //
- // The maximum size depends on the key version's
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. For
- // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD must be no larger than
- // 64KiB. For [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of the
- // plaintext and additional_authenticated_data fields must be no larger than
- // 8KiB.
- bytes additional_authenticated_data = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. An optional CRC32C checksum of the [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]) is equal to
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c], and if so, perform a limited number of
- // retries. A persistent mismatch may indicate an issue in your computation of
- // the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 7 [(google.api.field_behavior) = OPTIONAL];
- // Optional. An optional CRC32C checksum of the
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. If specified,
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the received
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]) is equal to
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c], and if so, perform
- // a limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 [(google.api.field_behavior) = OPTIONAL];
- }
- // Request message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- message DecryptRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption.
- // The server will choose the appropriate version.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
- // Required. The encrypted data originally returned in
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
- bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED];
- // Optional. Optional data that must match the data originally supplied in
- // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
- bytes additional_authenticated_data = 3 [(google.api.field_behavior) = OPTIONAL];
- // Optional. An optional CRC32C checksum of the [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]) is equal to
- // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c], and if so, perform a limited number
- // of retries. A persistent mismatch may indicate an issue in your computation
- // of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 5 [(google.api.field_behavior) = OPTIONAL];
- // Optional. An optional CRC32C checksum of the
- // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. If specified,
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the received
- // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]) is equal to
- // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c], and if so, perform
- // a limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 [(google.api.field_behavior) = OPTIONAL];
- }
- // Request message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
- message AsymmetricSignRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for signing.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
- // Required. The digest of the data to sign. The digest must be produced with
- // the same digest algorithm as specified by the key version's
- // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
- Digest digest = 3 [(google.api.field_behavior) = REQUIRED];
- // Optional. An optional CRC32C checksum of the [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. If
- // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]) is equal to
- // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c], and if so, perform a limited
- // number of retries. A persistent mismatch may indicate an issue in your
- // computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value digest_crc32c = 4 [(google.api.field_behavior) = OPTIONAL];
- }
- // Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
- message AsymmetricDecryptRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
- // decryption.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
- // Required. The data encrypted with the named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public
- // key using OAEP.
- bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED];
- // Optional. An optional CRC32C checksum of the [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
- // If specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
- // received [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext] using this checksum.
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
- // fails. If you receive a checksum error, your client should verify that
- // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]) is equal to
- // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c], and if so, perform a
- // limited number of retries. A persistent mismatch may indicate an issue in
- // your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 4 [(google.api.field_behavior) = OPTIONAL];
- }
- // Response message for [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
- message DecryptResponse {
- // The decrypted data originally supplied in [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
- bytes plaintext = 1;
- // Integrity verification field. A CRC32C checksum of the returned
- // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. An integrity check of
- // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] can be performed by computing the CRC32C
- // checksum of [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] and comparing your results to
- // this field. Discard the response in case of non-matching checksum values,
- // and perform a limited number of retries. A persistent mismatch may indicate
- // an issue in your computation of the CRC32C checksum. Note: receiving this
- // response message indicates that [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
- // successfully decrypt the [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 2;
- }
- // Response message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
- message EncryptResponse {
- // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in encryption. Check
- // this field to verify that the intended resource was used for encryption.
- string name = 1;
- // The encrypted data.
- bytes ciphertext = 2;
- // Integrity verification field. A CRC32C checksum of the returned
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. An integrity check of
- // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] can be performed by computing the CRC32C
- // checksum of [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] and comparing your results to
- // this field. Discard the response in case of non-matching checksum values,
- // and perform a limited number of retries. A persistent mismatch may indicate
- // an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value ciphertext_crc32c = 4;
- // Integrity verification field. A flag indicating whether
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of this field
- // indicates either that [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] was left unset or
- // that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've set
- // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] but this field is still false, discard
- // the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_plaintext_crc32c = 5;
- // Integrity verification field. A flag indicating whether
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A false value of this
- // field indicates either that
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] was left unset or
- // that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've set
- // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] but this field is
- // still false, discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_additional_authenticated_data_crc32c = 6;
- }
- // Response message for [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
- message AsymmetricSignResponse {
- // The created signature.
- bytes signature = 1;
- // Integrity verification field. A CRC32C checksum of the returned
- // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]. An integrity check of
- // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] can be performed by computing the
- // CRC32C checksum of [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] and comparing your
- // results to this field. Discard the response in case of non-matching
- // checksum values, and perform a limited number of retries. A persistent
- // mismatch may indicate an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value signature_crc32c = 2;
- // Integrity verification field. A flag indicating whether
- // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value of this field
- // indicates either that [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] was left
- // unset or that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
- // set [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] but this field is still false,
- // discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_digest_crc32c = 3;
- // The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. Check
- // this field to verify that the intended resource was used for signing.
- //
- // NOTE: This field is in Beta.
- string name = 4;
- }
- // Response message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
- message AsymmetricDecryptResponse {
- // The decrypted data originally encrypted with the matching public key.
- bytes plaintext = 1;
- // Integrity verification field. A CRC32C checksum of the returned
- // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]. An integrity check of
- // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] can be performed by computing the
- // CRC32C checksum of [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext] and comparing
- // your results to this field. Discard the response in case of non-matching
- // checksum values, and perform a limited number of retries. A persistent
- // mismatch may indicate an issue in your computation of the CRC32C checksum.
- // Note: This field is defined as int64 for reasons of compatibility across
- // different languages. However, it is a non-negative integer, which will
- // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
- // that support this type.
- //
- // NOTE: This field is in Beta.
- google.protobuf.Int64Value plaintext_crc32c = 2;
- // Integrity verification field. A flag indicating whether
- // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] was received by
- // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
- // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A false value of this
- // field indicates either that [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
- // was left unset or that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If
- // you've set [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] but this field is
- // still false, discard the response and perform a limited number of retries.
- //
- // NOTE: This field is in Beta.
- bool verified_ciphertext_crc32c = 3;
- }
- // Request message for [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
- message UpdateCryptoKeyPrimaryVersionRequest {
- // Required. The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKey"
- }
- ];
- // Required. The id of the child [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
- string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
- }
- // Request message for [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
- message DestroyCryptoKeyVersionRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
- }
- // Request message for [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
- message RestoreCryptoKeyVersionRequest {
- // Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
- string name = 1 [
- (google.api.field_behavior) = REQUIRED,
- (google.api.resource_reference) = {
- type: "cloudkms.googleapis.com/CryptoKeyVersion"
- }
- ];
- }
- // A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
- message Digest {
- // Required. The message digest.
- oneof digest {
- // A message digest produced with the SHA-256 algorithm.
- bytes sha256 = 1;
- // A message digest produced with the SHA-384 algorithm.
- bytes sha384 = 2;
- // A message digest produced with the SHA-512 algorithm.
- bytes sha512 = 3;
- }
- }
- // Cloud KMS metadata for the given [google.cloud.location.Location][google.cloud.location.Location].
- message LocationMetadata {
- // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
- // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this location.
- bool hsm_available = 1;
- // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
- // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
- // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in this location.
- bool ekm_available = 2;
- }
|