// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package google.cloud.kms.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";

// File-level options: per-language package, namespace and class names for
// code generated from this file.
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb";
option java_multiple_files = true;
option java_outer_classname = "KmsResourcesProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// A [KeyRing][google.cloud.kms.v1.KeyRing] is a top-level logical grouping of
// [CryptoKeys][google.cloud.kms.v1.CryptoKey].
message KeyRing {
  // Resource descriptor: the resource type string and the pattern that
  // KeyRing resource names follow.
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/KeyRing"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
  };

  // Output only. The resource name for the
  // [KeyRing][google.cloud.kms.v1.KeyRing] in the format
  // `projects/*/locations/*/keyRings/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing]
  // was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that
// can be used for cryptographic operations.
//
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more
// [versions][google.cloud.kms.v1.CryptoKeyVersion], which represent the actual
// key material used in cryptographic operations.
message CryptoKey {
  // Resource descriptor: the resource type string and the pattern that
  // CryptoKey resource names follow.
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
  };

  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose]
  // describes the cryptographic capabilities of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used
  // for the operations allowed by its purpose. For more information, see [Key
  // purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
  enum CryptoKeyPurpose {
    // Not specified.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
    ENCRYPT_DECRYPT = 1;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with
    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]
    // and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_SIGN = 5;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with
    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]
    // and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_DECRYPT = 6;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with [RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt]
    // and [RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt].
    // This purpose is meant to be used for interoperable symmetric
    // encryption and does not support automatic CryptoKey rotation.
    RAW_ENCRYPT_DECRYPT = 7;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used
    // with [MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
    MAC = 9;
  }

  // Output only. The resource name for this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A copy of the "primary"
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] is given in
  // [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
  //
  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be
  // updated via
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // may have a primary. For other keys, this field will be omitted.
  CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // NOTE(review): the purpose is immutable and a key can only be used for the
  // operations its purpose allows, so each distinct use (encryption, signing,
  // MAC, ...) needs its own CryptoKey.

  // Immutable. The immutable purpose of this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The time at which this
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
  google.protobuf.Timestamp create_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // NOTE(review): the two steps listed below are all that this comment
  // promises for an automatic rotation. Disabling or destroying earlier
  // versions is not described here and is presumably left to the caller;
  // confirm against the service documentation.

  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time],
  // the Key Management Service will automatically:
  //
  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  // 2. Mark the new version as primary.
  //
  // Key rotations performed manually via
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // and
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
  // do not affect
  // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
  // support automatic rotation. For other keys, this field must be omitted.
  google.protobuf.Timestamp next_rotation_time = 7;

  // Controls the rate of automatic rotation.
  oneof rotation_schedule {
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // will be advanced by this period when the service automatically rotates a
    // key. Must be at least 24 hours and at most 876,000 hours.
    //
    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is
    // set,
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time]
    // must also be set.
    //
    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]
    // support automatic rotation. For other keys, this field must be omitted.
    google.protobuf.Duration rotation_period = 8;
  }

  // A template describing settings for new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances. The
  // properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // instances created by either
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or auto-rotation are controlled by this template.
  CryptoKeyVersionTemplate version_template = 11;

  // NOTE(review): labels are a plain field of this resource and are returned
  // with it, so they are not a place for secrets or other sensitive values.

  // Labels with user-defined metadata. For more information, see
  // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
  map<string, string> labels = 10;

  // Immutable. Whether this key may contain imported versions only.
  bool import_only = 13 [(google.api.field_behavior) = IMMUTABLE];

  // NOTE(review): because this field is immutable, the delay between
  // DESTROY_SCHEDULED and DESTROYED is fixed for the lifetime of the key and
  // has to be chosen when the key is created.

  // Immutable. The period of time that versions of this key spend in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state before transitioning to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  // If not specified at creation time, the default duration is 24 hours.
  google.protobuf.Duration destroy_scheduled_duration = 14
      [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The resource name of the backend environment where the key
  // material for all [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // associated with this [CryptoKey][google.cloud.kms.v1.CryptoKey] resides and
  // where all related cryptographic operations are performed. Only applicable
  // if [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] have a
  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC], with the
  // resource name in the format `projects/*/locations/*/ekmConnections/*`.
  // Note, this list is non-exhaustive and may apply to additional
  // [ProtectionLevels][google.cloud.kms.v1.ProtectionLevel] in the future.
  string crypto_key_backend = 15 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.resource_reference) = { type: "*" }
  ];
}

// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate]
// specifies the properties to use when creating a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually
// with
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
// or automatically as a result of auto-rotation.
message CryptoKeyVersionTemplate {
  // NOTE(review): the comment below calls this field immutable, but the field
  // carries no IMMUTABLE field_behavior annotation in this definition.

  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating
  // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
  // template. Immutable. Defaults to
  // [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
  ProtectionLevel protection_level = 1;

  // NOTE(review): the field is annotated REQUIRED, yet the comment describes a
  // fallback for an omitted value on ENCRYPT_DECRYPT keys. Setting the
  // algorithm explicitly keeps the choice from depending on that fallback.

  // Required.
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // to use when creating a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this
  // template.
  //
  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
  // this field is omitted and
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3
      [(google.api.field_behavior) = REQUIRED];
}

// Contains an HSM-generated attestation about a key operation.
// For more information, see
// [Verifying attestations](https://cloud.google.com/kms/docs/attest-key).
message KeyOperationAttestation {
  // Attestation formats provided by the HSM.
  enum AttestationFormat {
    // Not specified.
    ATTESTATION_FORMAT_UNSPECIFIED = 0;

    // Cavium HSM attestation compressed with gzip. Note that this format is
    // defined by Cavium and subject to change at any time.
    //
    // See
    // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
    CAVIUM_V1_COMPRESSED = 3;

    // Cavium HSM attestation V2 compressed with gzip. This is a new format
    // introduced in Cavium's version 3.2-08.
    CAVIUM_V2_COMPRESSED = 4;
  }

  // NOTE(review): these chains are delivered in the same message as the
  // attestation they vouch for, so a verifier presumably still needs trust
  // anchors obtained independently of this response; confirm against the
  // verification guide linked on the enclosing message.

  // Certificate chains needed to verify the attestation.
  // Certificates in chains are PEM-encoded and are ordered based on
  // https://tools.ietf.org/html/rfc5246#section-7.4.2 (the sender's
  // certificate first, each following certificate certifying the one before
  // it).
  message CertificateChains {
    // Cavium certificate chain corresponding to the attestation.
    repeated string cavium_certs = 1;

    // Google card certificate chain corresponding to the attestation.
    repeated string google_card_certs = 2;

    // Google partition certificate chain corresponding to the attestation.
    repeated string google_partition_certs = 3;
  }

  // Output only. The format of the attestation data.
  AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The attestation data provided by the HSM when the key
  // operation was performed. Both formats defined above are gzip-compressed,
  // so the bytes presumably need decompressing before they can be parsed.
  bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The certificate chains needed to validate the attestation.
  CertificateChains cert_chains = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an
// individual cryptographic key, and the associated key material.
//
// An
// [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
// version can be used for cryptographic operations.
//
// For security reasons, the raw cryptographic key material represented by a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed
// or exported. It can only be used to encrypt, decrypt, or sign data when an
// authorized user or application invokes Cloud KMS.
291*d5c09012SAndroid Build Coastguard Workermessage CryptoKeyVersion { 292*d5c09012SAndroid Build Coastguard Worker option (google.api.resource) = { 293*d5c09012SAndroid Build Coastguard Worker type: "cloudkms.googleapis.com/CryptoKeyVersion" 294*d5c09012SAndroid Build Coastguard Worker pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}" 295*d5c09012SAndroid Build Coastguard Worker }; 296*d5c09012SAndroid Build Coastguard Worker 297*d5c09012SAndroid Build Coastguard Worker // The algorithm of the 298*d5c09012SAndroid Build Coastguard Worker // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what 299*d5c09012SAndroid Build Coastguard Worker // parameters must be used for each cryptographic operation. 300*d5c09012SAndroid Build Coastguard Worker // 301*d5c09012SAndroid Build Coastguard Worker // The 302*d5c09012SAndroid Build Coastguard Worker // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION] 303*d5c09012SAndroid Build Coastguard Worker // algorithm is usable with 304*d5c09012SAndroid Build Coastguard Worker // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 305*d5c09012SAndroid Build Coastguard Worker // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. 306*d5c09012SAndroid Build Coastguard Worker // 307*d5c09012SAndroid Build Coastguard Worker // Algorithms beginning with `RSA_SIGN_` are usable with 308*d5c09012SAndroid Build Coastguard Worker // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 309*d5c09012SAndroid Build Coastguard Worker // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. 
310*d5c09012SAndroid Build Coastguard Worker // 311*d5c09012SAndroid Build Coastguard Worker // The fields in the name after `RSA_SIGN_` correspond to the following 312*d5c09012SAndroid Build Coastguard Worker // parameters: padding algorithm, modulus bit length, and digest algorithm. 313*d5c09012SAndroid Build Coastguard Worker // 314*d5c09012SAndroid Build Coastguard Worker // For PSS, the salt length used is equal to the length of digest 315*d5c09012SAndroid Build Coastguard Worker // algorithm. For example, 316*d5c09012SAndroid Build Coastguard Worker // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256] 317*d5c09012SAndroid Build Coastguard Worker // will use PSS with a salt length of 256 bits or 32 bytes. 318*d5c09012SAndroid Build Coastguard Worker // 319*d5c09012SAndroid Build Coastguard Worker // Algorithms beginning with `RSA_DECRYPT_` are usable with 320*d5c09012SAndroid Build Coastguard Worker // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 321*d5c09012SAndroid Build Coastguard Worker // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. 322*d5c09012SAndroid Build Coastguard Worker // 323*d5c09012SAndroid Build Coastguard Worker // The fields in the name after `RSA_DECRYPT_` correspond to the following 324*d5c09012SAndroid Build Coastguard Worker // parameters: padding algorithm, modulus bit length, and digest algorithm. 325*d5c09012SAndroid Build Coastguard Worker // 326*d5c09012SAndroid Build Coastguard Worker // Algorithms beginning with `EC_SIGN_` are usable with 327*d5c09012SAndroid Build Coastguard Worker // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] 328*d5c09012SAndroid Build Coastguard Worker // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]. 
//
  // The fields in the name after `EC_SIGN_` correspond to the following
  // parameters: elliptic curve, digest algorithm.
  //
  // Algorithms beginning with `HMAC_` are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC].
  //
  // The suffix following `HMAC_` corresponds to the hash algorithm being used
  // (e.g. SHA256).
  //
  // For more information, see [Key purposes and algorithms]
  // (https://cloud.google.com/kms/docs/algorithms).
  enum CryptoKeyVersionAlgorithm {
    // Not specified.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;

    // Creates symmetric encryption keys.
    GOOGLE_SYMMETRIC_ENCRYPTION = 1;

    // AES-GCM (Galois Counter Mode) using 128-bit keys.
    AES_128_GCM = 41;

    // AES-GCM (Galois Counter Mode) using 256-bit keys.
    AES_256_GCM = 19;

    // AES-CBC (Cipher Block Chaining Mode) using 128-bit keys.
    // NOTE(review): CBC is not an authenticated mode; on its own it does not
    // detect modification of the ciphertext, unlike the AES-GCM values above.
    AES_128_CBC = 42;

    // AES-CBC (Cipher Block Chaining Mode) using 256-bit keys.
    // NOTE(review): unauthenticated mode; see the note on AES_128_CBC.
    AES_256_CBC = 43;

    // AES-CTR (Counter Mode) using 128-bit keys.
    // NOTE(review): CTR is not an authenticated mode; on its own it does not
    // detect modification of the ciphertext, unlike the AES-GCM values above.
    AES_128_CTR = 44;

    // AES-CTR (Counter Mode) using 256-bit keys.
    // NOTE(review): unauthenticated mode; see the note on AES_128_CTR.
    AES_256_CTR = 45;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS_2048_SHA256 = 2;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS_3072_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS_4096_SHA256 = 4;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS_4096_SHA512 = 15;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 16;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
    // NOTE(review): "without encoding" presumably means the service applies no
    // digest encoding before padding, leaving the choice and hashing of the
    // signed data to the caller -- confirm against the algorithms
    // documentation. Applies to all three RSA_SIGN_RAW_PKCS1_* values.
    RSA_SIGN_RAW_PKCS1_2048 = 28;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
    RSA_SIGN_RAW_PKCS1_3072 = 29;

    // RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
    RSA_SIGN_RAW_PKCS1_4096 = 30;

    // RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_2048_SHA256 = 8;

    // RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_3072_SHA256 = 9;

    // RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_4096_SHA256 = 10;

    // RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP_4096_SHA512 = 17;

    // RSAES-OAEP 2048 bit key with a SHA1 digest.
    // NOTE(review): SHA-1 is disallowed for new use by many cryptographic
    // policies; prefer the SHA256/SHA512 OAEP values unless a peer requires
    // SHA-1. Applies to all three RSA_DECRYPT_OAEP_*_SHA1 values.
    RSA_DECRYPT_OAEP_2048_SHA1 = 37;

    // RSAES-OAEP 3072 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP_3072_SHA1 = 38;

    // RSAES-OAEP 4096 bit key with a SHA1 digest.
    RSA_DECRYPT_OAEP_4096_SHA1 = 39;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_P256_SHA256 = 12;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    EC_SIGN_P384_SHA384 = 13;

    // ECDSA on the non-NIST secp256k1 curve. This curve is only supported for
    // HSM protection level.
    // Other hash functions can also be used:
    // https://cloud.google.com/kms/docs/create-validate-signatures#ecdsa_support_for_other_hash_algorithms
    // Per the `EC_SIGN_` naming convention documented on this enum, the
    // `SHA256` suffix names the digest algorithm.
    EC_SIGN_SECP256K1_SHA256 = 31;

    // HMAC-SHA256 signing with a 256 bit key.
    // NOTE(review): HMAC is a symmetric MAC, not a public-key signature: any
    // party able to verify a tag with this key can also produce one. Applies
    // to all HMAC_* values.
    HMAC_SHA256 = 32;

    // HMAC-SHA1 signing with a 160 bit key.
    // NOTE(review): SHA-1 based; many cryptographic policies disallow SHA-1
    // for new use, so prefer the SHA-2 based HMAC values where possible.
    HMAC_SHA1 = 33;

    // HMAC-SHA384 signing with a 384 bit key.
    HMAC_SHA384 = 34;

    // HMAC-SHA512 signing with a 512 bit key.
    HMAC_SHA512 = 35;

    // HMAC-SHA224 signing with a 224 bit key.
    HMAC_SHA224 = 36;

    // Algorithm representing symmetric encryption by an external key manager.
    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
  }

  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion],
  // indicating if it can be used.
  enum CryptoKeyVersionState {
    // Not specified.
    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;

    // This version is still being generated. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_GENERATION = 5;

    // This version may be used for cryptographic operations.
    ENABLED = 1;

    // This version may not be used, but the key material is still available,
    // and the version can be placed back into the
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // state.
    DISABLED = 2;

    // This version is destroyed, and the key material is no longer stored.
    // This version may only become
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // again if this version is
    // [reimport_eligible][google.cloud.kms.v1.CryptoKeyVersion.reimport_eligible]
    // and the original key material is reimported with a call to
    // [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
    // NOTE(review): because the key material is no longer stored, data
    // protected only by this version is presumably unrecoverable unless the
    // reimport path above applies -- confirm before destroying a version.
    DESTROYED = 3;

    // This version is scheduled for destruction, and will be destroyed soon.
    // Call
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // to put it back into the
    // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
    // state.
    DESTROY_SCHEDULED = 4;

    // This version is still being imported. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version
    // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
    // as soon as the version is ready.
    PENDING_IMPORT = 6;

    // This version was not imported successfully. It may not be used, enabled,
    // disabled, or destroyed. The submitted key material has been discarded.
    // Additional details can be found in
    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
    IMPORT_FAILED = 7;

    // This version was not generated successfully. It may not be used, enabled,
    // disabled, or destroyed. Additional details can be found in
    // [CryptoKeyVersion.generation_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.generation_failure_reason].
    GENERATION_FAILED = 8;

    // This version was destroyed, and it may not be used or enabled again.
    // Cloud KMS is waiting for the corresponding key material residing in an
    // external key manager to be destroyed.
    PENDING_EXTERNAL_DESTRUCTION = 9;

    // This version was destroyed, and it may not be used or enabled again.
    // However, Cloud KMS could not confirm that the corresponding key material
    // residing in an external key manager was destroyed. Additional details can
    // be found in
    // [CryptoKeyVersion.external_destruction_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.external_destruction_failure_reason].
    // NOTE(review): in this state the external key material should be treated
    // as possibly still present until its destruction has been verified in
    // the external key manager.
    EXTERNAL_DESTRUCTION_FAILED = 10;
  }

  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s.
  // Controls the level of detail returned for
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]
  // and
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  enum CryptoKeyVersionView {
    // Default view for each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not
    // include the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
    // Callers that want to check the HSM attestation from a list response
    // therefore need to request FULL.
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;

    // Provides all fields in each
    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
    FULL = 1;
  }

  // Output only. The resource name for this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The current state of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  CryptoKeyVersionState state = 3;

  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel]
  // describing how crypto operations are performed with this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  ProtectionLevel protection_level = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The
  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // supports.
  CryptoKeyVersionAlgorithm algorithm = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the HSM at key
  // creation time. Use this statement to verify attributes of the key as stored
  // on the HSM, independently of Google. Only provided for key versions with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  KeyOperationAttestation attestation = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
  google.protobuf.Timestamp create_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // generated.
  google.protobuf.Timestamp generate_time = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is
  // scheduled for destruction. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
  google.protobuf.Timestamp destroy_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this CryptoKeyVersion's key material was
  // destroyed. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  google.protobuf.Timestamp destroy_event_time = 6
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob]
  // used in the most recent import of this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if
  // the underlying key material was imported.
  string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // most recently imported.
  google.protobuf.Timestamp import_time = 15
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent import failure. Only present
  // if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
  string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent generation failure. Only
  // present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
  string generation_failure_reason = 19
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of the most recent external destruction
  // failure. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
  string external_destruction_failure_reason = 20
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // ExternalProtectionLevelOptions stores a group of additional fields for
  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
  // are specific to the
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level
  // and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
  // protection levels.
  ExternalProtectionLevelOptions external_protection_level_options = 17;

  // Output only. Whether or not this key version is eligible for reimport, by
  // being specified as a target in
  // [ImportCryptoKeyVersionRequest.crypto_key_version][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.crypto_key_version].
  bool reimport_eligible = 18 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The public keys for a given
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message PublicKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/PublicKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
  };

  // The public key, encoded in PEM format. For more information, see the
  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
  // [Textual Encoding of Subject Public Key Info]
  // (https://tools.ietf.org/html/rfc7468#section-13).
  string pem = 1;

  // The
  // [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // associated with this key.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed by
  // computing the CRC32C checksum of
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and comparing your
  // results to this field. Discard the response in case of non-matching
  // checksum values, and perform a limited number of retries. A persistent
  // mismatch may indicate an issue in your computation of the CRC32C checksum.
  // Note: This field is defined as int64 for reasons of compatibility across
  // different languages. However, it is a non-negative integer, which will
  // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
  // that support this type.
  //
  // NOTE(review): CRC32C is an unkeyed checksum carried in the same response
  // as the PEM; it detects accidental corruption, not deliberate tampering,
  // and does not authenticate the key.
  //
  // NOTE: This field is in Beta.
  google.protobuf.Int64Value pem_crc32c = 3;

  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  // Provided here for verification.
  //
  // NOTE(review): presumably meant to be compared with the name of the
  // CryptoKeyVersion the caller requested, so that a key returned for a
  // different version is rejected -- confirm against the API documentation.
  //
  // NOTE: This field is in Beta.
  string name = 4;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  ProtectionLevel protection_level = 5;
}

// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create
// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing
// key material, generated outside of Cloud KMS.
//
// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will
// generate a "wrapping key", which is a public/private key pair.
You use the 701*d5c09012SAndroid Build Coastguard Worker// wrapping key to encrypt (also known as wrap) the pre-existing key material to 702*d5c09012SAndroid Build Coastguard Worker// protect it during the import process. The nature of the wrapping key depends 703*d5c09012SAndroid Build Coastguard Worker// on the choice of 704*d5c09012SAndroid Build Coastguard Worker// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the 705*d5c09012SAndroid Build Coastguard Worker// wrapping key generation is complete, the 706*d5c09012SAndroid Build Coastguard Worker// [state][google.cloud.kms.v1.ImportJob.state] will be set to 707*d5c09012SAndroid Build Coastguard Worker// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the 708*d5c09012SAndroid Build Coastguard Worker// [public_key][google.cloud.kms.v1.ImportJob.public_key] can be fetched. The 709*d5c09012SAndroid Build Coastguard Worker// fetched public key can then be used to wrap your pre-existing key material. 710*d5c09012SAndroid Build Coastguard Worker// 711*d5c09012SAndroid Build Coastguard Worker// Once the key material is wrapped, it can be imported into a new 712*d5c09012SAndroid Build Coastguard Worker// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing 713*d5c09012SAndroid Build Coastguard Worker// [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling 714*d5c09012SAndroid Build Coastguard Worker// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]. 715*d5c09012SAndroid Build Coastguard Worker// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be 716*d5c09012SAndroid Build Coastguard Worker// imported with a single [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS 717*d5c09012SAndroid Build Coastguard Worker// uses the private key portion of the wrapping key to unwrap the key material. 718*d5c09012SAndroid Build Coastguard Worker// Only Cloud KMS has access to the private key. 
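//
// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is
// created. Once expired, Cloud KMS will no longer be able to import or unwrap
// any key material that was wrapped with the
// [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
//
// For more information, see
// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
message ImportJob {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/ImportJob"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
  };

  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the
  // key wrapping method chosen for this
  // [ImportJob][google.cloud.kms.v1.ImportJob].
  //
  // Values 1-4 are two-step (RSA plus ephemeral AES) schemes and values 5-6
  // wrap directly with RSA. Within each group the values differ in RSA key
  // size and, going by their names, in the hash used for OAEP.
  enum ImportMethod {
    // Not specified.
    IMPORT_METHOD_UNSPECIFIED = 0;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 3072 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    //
    // Going by the value name, the RSA step is OAEP with SHA-1 and the
    // ephemeral AES key is 256 bits. Where policy or compliance requirements
    // exclude SHA-1, use RSA_OAEP_3072_SHA256_AES_256 instead.
    RSA_OAEP_3072_SHA1_AES_256 = 1;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 4096 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    //
    // Going by the value name, the RSA step is OAEP with SHA-1 and the
    // ephemeral AES key is 256 bits. Where policy or compliance requirements
    // exclude SHA-1, use RSA_OAEP_4096_SHA256_AES_256 instead.
    RSA_OAEP_4096_SHA1_AES_256 = 2;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 3072 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    //
    // Going by the value name, the RSA step is OAEP with SHA-256 and the
    // ephemeral AES key is 256 bits.
    RSA_OAEP_3072_SHA256_AES_256 = 3;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 4096 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    //
    // Going by the value name, the RSA step is OAEP with SHA-256 and the
    // ephemeral AES key is 256 bits.
    RSA_OAEP_4096_SHA256_AES_256 = 4;

    // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
    // key material to be imported is wrapped directly with the RSA key. Due
    // to technical limitations of RSA wrapping, this method cannot be used to
    // wrap RSA keys for import.
    //
    // The limitation is presumably the RSAES-OAEP message-size bound: the
    // plaintext must be shorter than the RSA modulus, so only small key
    // material fits. Use one of the *_AES_256 methods for larger keys.
    RSA_OAEP_3072_SHA256 = 5;

    // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
    // key material to be imported is wrapped directly with the RSA key. Due
    // to technical limitations of RSA wrapping, this method cannot be used to
    // wrap RSA keys for import.
    //
    // The limitation is presumably the RSAES-OAEP message-size bound: the
    // plaintext must be shorter than the RSA modulus, so only small key
    // material fits. Use one of the *_AES_256 methods for larger keys.
    RSA_OAEP_4096_SHA256 = 6;
  }

  // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if
  // it can be used.
  enum ImportJobState {
    // Not specified.
    IMPORT_JOB_STATE_UNSPECIFIED = 0;

    // The wrapping key for this job is still being generated. It may not be
    // used. Cloud KMS will automatically mark this job as
    // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as
    // the wrapping key is generated.
    PENDING_GENERATION = 1;

    // This job may be used in
    // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey]
    // and
    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
    // requests.
    //
    // NOTE(review): the ImportJob description says wrapped key material is
    // imported by calling
    // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion];
    // confirm which RPCs this comment should name.
    ACTIVE = 2;

    // This job can no longer be used and may not leave this state once entered.
    EXPIRED = 3;
  }

  // The public key component of the wrapping key. For details of the type of
  // key this public key corresponds to, see the
  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
  message WrappingPublicKey {
    // The public key, encoded in PEM format. For more information, see the [RFC
    // 7468](https://tools.ietf.org/html/rfc7468) sections for [General
    // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
    // [Textual Encoding of Subject Public Key
    // Info](https://tools.ietf.org/html/rfc7468#section-13).
    string pem = 1;
  }

  // Output only. The resource name for this
  // [ImportJob][google.cloud.kms.v1.ImportJob] in the format
  // `projects/*/locations/*/keyRings/*/importJobs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The wrapping method to be used for incoming key
  // material.
  ImportMethod import_method = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The protection level of the
  // [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // of the [version_template][google.cloud.kms.v1.CryptoKey.version_template]
  // on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you attempt to import
  // into.
  ProtectionLevel protection_level = 9 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The time at which this
  // [ImportJob][google.cloud.kms.v1.ImportJob] was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key
  // material was generated.
  google.protobuf.Timestamp generate_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this
  // [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for expiration and
  // can no longer be used to import key material.
  google.protobuf.Timestamp expire_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]
  // expired. Only present if [state][google.cloud.kms.v1.ImportJob.state] is
  // [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
  google.protobuf.Timestamp expire_event_time = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
  ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The public key with which to wrap key material prior to
  // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
  // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
  //
  // Check [expire_time][google.cloud.kms.v1.ImportJob.expire_time] before
  // wrapping: once the job has expired, material wrapped with this key can no
  // longer be imported or unwrapped.
  WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the key creator
  // (for example, an HSM) at key creation time. Use this statement to verify
  // attributes of the key as stored on the HSM, independently of Google.
  // Only present if the chosen
  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a
  // protection level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // NOTE(review): ImportMethod values carry no protection level in this file;
  // this presumably refers to
  // [protection_level][google.cloud.kms.v1.ImportJob.protection_level] being
  // HSM, and "the key" to this job's wrapping key. Confirm.
  KeyOperationAttestation attestation = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// ExternalProtectionLevelOptions stores a group of additional fields for
// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
// are specific to the [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL]
// and [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC]
// protection levels.
message ExternalProtectionLevelOptions {
  // The URI for an external resource that this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
  string external_key_uri = 1;

  // The path to the external key material on the EKM when using
  // [EkmConnection][google.cloud.kms.v1.EkmConnection] e.g., "v0/my/key". Set
  // this field instead of external_key_uri when using an
  // [EkmConnection][google.cloud.kms.v1.EkmConnection].
  string ekm_connection_key_path = 2;
}

// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how
// cryptographic operations are performed. For more information, see
// [Protection
// levels](https://cloud.google.com/kms/docs/algorithms#protection_levels).
enum ProtectionLevel {
  // Not specified.
  PROTECTION_LEVEL_UNSPECIFIED = 0;

  // Crypto operations are performed in software.
  SOFTWARE = 1;

  // Crypto operations are performed in a Hardware Security Module.
  HSM = 2;

  // Crypto operations are performed by an external key manager.
  EXTERNAL = 3;

  // Crypto operations are performed in an EKM-over-VPC backend.
  EXTERNAL_VPC = 4;
}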