1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.kms.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/cloud/kms/v1/resources.proto"; 24import "google/protobuf/field_mask.proto"; 25import "google/protobuf/wrappers.proto"; 26 27option cc_enable_arenas = true; 28option csharp_namespace = "Google.Cloud.Kms.V1"; 29option go_package = "cloud.google.com/go/kms/apiv1/kmspb;kmspb"; 30option java_multiple_files = true; 31option java_outer_classname = "KmsProto"; 32option java_package = "com.google.cloud.kms.v1"; 33option php_namespace = "Google\\Cloud\\Kms\\V1"; 34 35// Google Cloud Key Management Service 36// 37// Manages cryptographic keys and operations using those keys. Implements a REST 38// model with the following objects: 39// 40// * [KeyRing][google.cloud.kms.v1.KeyRing] 41// * [CryptoKey][google.cloud.kms.v1.CryptoKey] 42// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] 43// * [ImportJob][google.cloud.kms.v1.ImportJob] 44// 45// If you are using manual gRPC libraries, see 46// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc). 
service KeyManagementService {
  // Host name that generated clients use for this service by default.
  option (google.api.default_host) = "cloudkms.googleapis.com";

  // OAuth scopes declared for this service. The two adjacent string literals
  // are concatenated into a single comma-separated list: the general
  // `cloud-platform` scope and the KMS-specific `cloudkms` scope.
  // NOTE(review): `cloud-platform` is not specific to KMS; a client that only
  // needs this API can presumably request `cloudkms` alone -- confirm against
  // the service's authentication documentation.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/cloudkms";

  // How to read the annotations on the RPCs below: `google.api.http` maps the
  // RPC to an HTTP verb and URL template, where `{field=pattern}` binds the
  // named request field from the URL path and `body` names the request field
  // carried in the HTTP body (`*` means every field not bound by the path).
  // `google.api.method_signature` lists the request fields that generated
  // client libraries expose as a flattened convenience overload.

  // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
  rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/keyRings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
      returns (ListCryptoKeyVersionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
  rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
  rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
  // well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the public key for the given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
  // or
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
    // The public key is addressed as a `publicKey` sub-path of one specific
    // CryptoKeyVersion, not of the CryptoKey.
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
  rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
  // Location.
  rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
    // Only `key_ring` travels in the HTTP body; `parent` comes from the path.
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/keyRings"
      body: "key_ring"
    };
    option (google.api.method_signature) = "parent,key_ring_id,key_ring";
  }

  // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
  // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
  // are required.
  rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
  }

  // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // The server will assign the next sequential id. If unset,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
  rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "parent,crypto_key_version";
  }

  // Import wrapped key material into a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If
  // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is additionally
  // specified in the request, key material will be reimported into that
  // version. Otherwise, a new version will be created, and will be assigned the
  // next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    // Custom verb `:import` on the cryptoKeyVersions collection. Unlike the
    // other create-style RPCs in this service, no
    // `google.api.method_signature` is declared here.
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
      body: "*"
    };
  }

  // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
  // required.
  rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
      body: "import_job"
    };
    option (google.api.method_signature) = "parent,import_job_id,import_job";
  }

  // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
    // The target resource is identified by the nested `crypto_key.name` field,
    // which is bound from the URL path.
    option (google.api.http) = {
      patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "crypto_key,update_mask";
  }

  // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
  // metadata.
  //
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
  // and
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
  // using this method. See
  // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
  // and
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // to move between other states.
  rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    // The target resource is identified by the nested
    // `crypto_key_version.name` field, which is bound from the URL path.
    option (google.api.http) = {
      patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "crypto_key_version,update_mask";
  }

  // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
  // will be used in
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  //
  // Returns an error if called on a key whose purpose is not
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
      returns (CryptoKey) {
    // Exposed as a POST with the custom verb `:updatePrimaryVersion` on the
    // CryptoKey, separate from the PATCH-based UpdateCryptoKey above.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
      body: "*"
    };
    option (google.api.method_signature) = "name,crypto_key_version_id";
  }

  // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
  // destruction.
  //
  // Upon calling this method,
  // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
  // be set to
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be set to the time
  // [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration]
  // in the future. At that time, the
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will automatically
  // change to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
  // and the key material will be irrevocably destroyed.
  //
  // Before the
  // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
  // reached,
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // may be called to reverse the process.
  rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    // NOTE(review): per the description above, the interval before
    // destroy_time is the only point at which the operation can be undone, so
    // operators will want permission for this method granted narrowly and its
    // invocations monitored.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state.
  //
  // Upon restoration of the CryptoKeyVersion,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be cleared.
  rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    // A restored version comes back DISABLED (see above), so it has to be
    // re-enabled through UpdateCryptoKeyVersion before it is ENABLED again.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Encrypts data, so that it can only be recovered by a call to
  // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
    // The template ends in `cryptoKeys/**` rather than `cryptoKeys/*` (as
    // Decrypt uses), so `name` may continue below the CryptoKey segment.
    // Presumably this is how a caller names a specific CryptoKeyVersion to
    // encrypt with -- confirm against EncryptRequest.name, which is outside
    // this view.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,plaintext";
  }

  // Decrypts data that was protected by
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
    // `name` is bound to the CryptoKey itself; the template has no
    // cryptoKeyVersions segment.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Encrypts data using portable cryptographic primitives. Most users should
  // choose [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
  // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt] rather than
  // their raw counterparts. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
  rpc RawEncrypt(RawEncryptRequest) returns (RawEncryptResponse) {
    // Addressed to one specific CryptoKeyVersion (unlike Encrypt). No
    // `google.api.method_signature` is declared for the raw methods.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:rawEncrypt"
      body: "*"
    };
  }

  // Decrypts data that was originally encrypted using a raw cryptographic
  // mechanism. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // must be
  // [RAW_ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.RAW_ENCRYPT_DECRYPT].
  rpc RawDecrypt(RawDecryptRequest) returns (RawDecryptResponse) {
    // Addressed to one specific CryptoKeyVersion (unlike Decrypt). No
    // `google.api.method_signature` is declared for the raw methods.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:rawDecrypt"
      body: "*"
    };
  }

  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_SIGN, producing a signature that can be verified with the public
  // key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
  rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
    // The flattened signature takes `digest`, not the raw message.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,digest";
  }

  // Decrypts data that was encrypted with a public key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
  // corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_DECRYPT.
  rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
      returns (AsymmetricDecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
  // producing a tag that can be verified by another source with the same key.
  rpc MacSign(MacSignRequest) returns (MacSignResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,data";
  }

  // Verifies a MAC tag using a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns
  // a response that indicates whether or not the verification was successful.
  rpc MacVerify(MacVerifyRequest) returns (MacVerifyResponse) {
    // The verification outcome is reported in the response message (see
    // above), so callers must inspect MacVerifyResponse rather than treat a
    // successful RPC as a successful verification.
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macVerify"
      body: "*"
    };
    option (google.api.method_signature) = "name,data,mac";
  }

  // Generate random bytes using the Cloud KMS randomness source in the provided
  // location.
  rpc GenerateRandomBytes(GenerateRandomBytesRequest)
      returns (GenerateRandomBytesResponse) {
    // Scoped to a location, not to any key resource.
    option (google.api.http) = {
      post: "/v1/{location=projects/*/locations/*}:generateRandomBytes"
      body: "*"
    };
    option (google.api.method_signature) =
        "location,length_bytes,protection_level";
  }
}

// Request message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of
  // [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
  // [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
  // including the
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Limit on the number of
  // [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
  // Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
  // obtained by including the
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // NOTE(review): `version_view` is the only field in this message without a
  // `google.api.field_behavior` annotation.

  // The fields of the primary version to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView version_view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. Limit on the number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
  // response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // can subsequently be obtained by including the
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // NOTE(review): `view` is the only field in this message without a
  // `google.api.field_behavior` annotation.

  // The fields to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Limit on the number of
  // [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
  // Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
  // obtained by including the
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsResponse {
  // The list of [KeyRings][google.cloud.kms.v1.KeyRing].
  repeated KeyRing key_rings = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
  // the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysResponse {
  // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  repeated CryptoKey crypto_keys = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
  // matched the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsResponse {
  // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  repeated CryptoKeyVersion crypto_key_versions = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
  // query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsResponse {
  // The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
  repeated ImportJob import_jobs = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
  // matched the query.
  int32 total_size = 3;
}

// Request message for
// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
message GetKeyRingRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
message GetCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
message GetCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message GetPublicKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
message GetImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/ImportJob"
    }
  ];
}

// Request message for
// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
message CreateKeyRingRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`.
  string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
  // values.
  KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
message CreateCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
  // associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. It must be unique within a KeyRing and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`.
  string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
  // values.
  CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];

  // NOTE(review): this message uses field numbers 1, 2, 3 and 5. Number 4 is
  // unused and no `reserved` statement for it is visible here -- confirm
  // whether it belonged to a removed field that should be reserved. The field
  // below also carries no `google.api.field_behavior` annotation.

  // If set to true, the request will create a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
  // manually call
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or
  // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
  // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  bool skip_initial_version_creation = 5;
}

// Request message for
// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
message CreateCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // initial field values.
  CryptoKeyVersion crypto_key_version = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
message ImportCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
  //
  // The create permission is only required on this key when creating a new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
  // an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
  // target for an import operation. If this field is not present, a new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
  // supplied key material is created.
  //
  // If this field is present, the supplied key material is imported into
  // the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
  // import into an existing
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
  // [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
  // have been previously created via [ImportCryptoKeyVersion][], and be in
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
  // or
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
  // state.
The key material and algorithm must match the previous 801 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the 802 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained 803 // key material. 804 string crypto_key_version = 6 [ 805 (google.api.field_behavior) = OPTIONAL, 806 (google.api.resource_reference) = { 807 type: "cloudkms.googleapis.com/CryptoKeyVersion" 808 } 809 ]; 810 811 // Required. The 812 // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] 813 // of the key being imported. This does not need to match the 814 // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the 815 // [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into. 816 CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2 817 [(google.api.field_behavior) = REQUIRED]; 818 819 // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the 820 // [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key 821 // material. 822 string import_job = 4 [(google.api.field_behavior) = REQUIRED]; 823 824 // Optional. The wrapped key material to import. 825 // 826 // Before wrapping, key material must be formatted. If importing symmetric key 827 // material, the expected key material format is plain bytes. If importing 828 // asymmetric key material, the expected key material format is PKCS#8-encoded 829 // DER (the PrivateKeyInfo structure from RFC 5208). 
830 // 831 // When wrapping with import methods 832 // ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256] 833 // or 834 // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256] 835 // or 836 // [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256] 837 // or 838 // [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]), 839 // 840 // this field must contain the concatenation of: 841 // <ol> 842 // <li>An ephemeral AES-256 wrapping key wrapped with the 843 // [public_key][google.cloud.kms.v1.ImportJob.public_key] using 844 // RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty 845 // label. 846 // </li> 847 // <li>The formatted key to be imported, wrapped with the ephemeral AES-256 848 // key using AES-KWP (RFC 5649). 849 // </li> 850 // </ol> 851 // 852 // This format is the same as the format produced by PKCS#11 mechanism 853 // CKM_RSA_AES_KEY_WRAP. 854 // 855 // When wrapping with import methods 856 // ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256] 857 // or 858 // [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]), 859 // 860 // this field must contain the formatted key to be imported, wrapped with the 861 // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP 862 // with SHA-256, MGF1 with SHA-256, and an empty label. 863 bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL]; 864 865 // This field is legacy. Use the field 866 // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key] 867 // instead. 868 oneof wrapped_key_material { 869 // Optional. This field has the same meaning as 870 // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]. 871 // Prefer to use that field in new work. 
Either that field or this field 872 // (but not both) must be specified. 873 bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL]; 874 } 875} 876 877// Request message for 878// [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob]. 879message CreateImportJobRequest { 880 // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the 881 // [KeyRing][google.cloud.kms.v1.KeyRing] associated with the 882 // [ImportJobs][google.cloud.kms.v1.ImportJob]. 883 string parent = 1 [ 884 (google.api.field_behavior) = REQUIRED, 885 (google.api.resource_reference) = { 886 type: "cloudkms.googleapis.com/KeyRing" 887 } 888 ]; 889 890 // Required. It must be unique within a KeyRing and match the regular 891 // expression `[a-zA-Z0-9_-]{1,63}` 892 string import_job_id = 2 [(google.api.field_behavior) = REQUIRED]; 893 894 // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field 895 // values. 896 ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED]; 897} 898 899// Request message for 900// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey]. 901message UpdateCryptoKeyRequest { 902 // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values. 903 CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED]; 904 905 // Required. List of fields to be updated in this request. 906 google.protobuf.FieldMask update_mask = 2 907 [(google.api.field_behavior) = REQUIRED]; 908} 909 910// Request message for 911// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]. 912message UpdateCryptoKeyVersionRequest { 913 // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with 914 // updated values. 915 CryptoKeyVersion crypto_key_version = 1 916 [(google.api.field_behavior) = REQUIRED]; 917 918 // Required. List of fields to be updated in this request. 
919 google.protobuf.FieldMask update_mask = 2 920 [(google.api.field_behavior) = REQUIRED]; 921} 922 923// Request message for 924// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. 925message UpdateCryptoKeyPrimaryVersionRequest { 926 // Required. The resource name of the 927 // [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. 928 string name = 1 [ 929 (google.api.field_behavior) = REQUIRED, 930 (google.api.resource_reference) = { 931 type: "cloudkms.googleapis.com/CryptoKey" 932 } 933 ]; 934 935 // Required. The id of the child 936 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary. 937 string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED]; 938} 939 940// Request message for 941// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. 942message DestroyCryptoKeyVersionRequest { 943 // Required. The resource name of the 944 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. 945 string name = 1 [ 946 (google.api.field_behavior) = REQUIRED, 947 (google.api.resource_reference) = { 948 type: "cloudkms.googleapis.com/CryptoKeyVersion" 949 } 950 ]; 951} 952 953// Request message for 954// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. 955message RestoreCryptoKeyVersionRequest { 956 // Required. The resource name of the 957 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. 958 string name = 1 [ 959 (google.api.field_behavior) = REQUIRED, 960 (google.api.resource_reference) = { 961 type: "cloudkms.googleapis.com/CryptoKeyVersion" 962 } 963 ]; 964} 965 966// Request message for 967// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. 968message EncryptRequest { 969 // Required. 
The resource name of the 970 // [CryptoKey][google.cloud.kms.v1.CryptoKey] or 971 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 972 // encryption. 973 // 974 // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server 975 // will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. 976 string name = 1 [ 977 (google.api.field_behavior) = REQUIRED, 978 (google.api.resource_reference) = { type: "*" } 979 ]; 980 981 // Required. The data to encrypt. Must be no larger than 64KiB. 982 // 983 // The maximum size depends on the key version's 984 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 985 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE], 986 // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and 987 // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the 988 // plaintext must be no larger than 64KiB. For 989 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 990 // the plaintext and additional_authenticated_data fields must be no larger 991 // than 8KiB. 992 bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED]; 993 994 // Optional. Optional data that, if specified, must also be provided during 995 // decryption through 996 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. 997 // 998 // The maximum size depends on the key version's 999 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 1000 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE], 1001 // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and 1002 // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the 1003 // AAD must be no larger than 64KiB. 
For 1004 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 1005 // the plaintext and additional_authenticated_data fields must be no larger 1006 // than 8KiB. 1007 bytes additional_authenticated_data = 3 1008 [(google.api.field_behavior) = OPTIONAL]; 1009 1010 // Optional. An optional CRC32C checksum of the 1011 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. 1012 // If specified, 1013 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1014 // verify the integrity of the received 1015 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext] 1016 // using this checksum. 1017 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1018 // report an error if the checksum verification fails. If you receive a 1019 // checksum error, your client should verify that 1020 // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]) 1021 // is equal to 1022 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c], 1023 // and if so, perform a limited number of retries. A persistent mismatch may 1024 // indicate an issue in your computation of the CRC32C checksum. Note: This 1025 // field is defined as int64 for reasons of compatibility across different 1026 // languages. However, it is a non-negative integer, which will never exceed 1027 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1028 // this type. 1029 google.protobuf.Int64Value plaintext_crc32c = 7 1030 [(google.api.field_behavior) = OPTIONAL]; 1031 1032 // Optional. An optional CRC32C checksum of the 1033 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. 
1034 // If specified, 1035 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1036 // verify the integrity of the received 1037 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data] 1038 // using this checksum. 1039 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1040 // report an error if the checksum verification fails. If you receive a 1041 // checksum error, your client should verify that 1042 // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]) 1043 // is equal to 1044 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c], 1045 // and if so, perform a limited number of retries. A persistent mismatch may 1046 // indicate an issue in your computation of the CRC32C checksum. Note: This 1047 // field is defined as int64 for reasons of compatibility across different 1048 // languages. However, it is a non-negative integer, which will never exceed 1049 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1050 // this type. 1051 google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 1052 [(google.api.field_behavior) = OPTIONAL]; 1053} 1054 1055// Request message for 1056// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. 1057message DecryptRequest { 1058 // Required. The resource name of the 1059 // [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The 1060 // server will choose the appropriate version. 1061 string name = 1 [ 1062 (google.api.field_behavior) = REQUIRED, 1063 (google.api.resource_reference) = { 1064 type: "cloudkms.googleapis.com/CryptoKey" 1065 } 1066 ]; 1067 1068 // Required. The encrypted data originally returned in 1069 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. 
1070 bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED]; 1071 1072 // Optional. Optional data that must match the data originally supplied in 1073 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. 1074 bytes additional_authenticated_data = 3 1075 [(google.api.field_behavior) = OPTIONAL]; 1076 1077 // Optional. An optional CRC32C checksum of the 1078 // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. 1079 // If specified, 1080 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1081 // verify the integrity of the received 1082 // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext] 1083 // using this checksum. 1084 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1085 // report an error if the checksum verification fails. If you receive a 1086 // checksum error, your client should verify that 1087 // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]) 1088 // is equal to 1089 // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c], 1090 // and if so, perform a limited number of retries. A persistent mismatch may 1091 // indicate an issue in your computation of the CRC32C checksum. Note: This 1092 // field is defined as int64 for reasons of compatibility across different 1093 // languages. However, it is a non-negative integer, which will never exceed 1094 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1095 // this type. 1096 google.protobuf.Int64Value ciphertext_crc32c = 5 1097 [(google.api.field_behavior) = OPTIONAL]; 1098 1099 // Optional. An optional CRC32C checksum of the 1100 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. 
1101 // If specified, 1102 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1103 // verify the integrity of the received 1104 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data] 1105 // using this checksum. 1106 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1107 // report an error if the checksum verification fails. If you receive a 1108 // checksum error, your client should verify that 1109 // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]) 1110 // is equal to 1111 // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c], 1112 // and if so, perform a limited number of retries. A persistent mismatch may 1113 // indicate an issue in your computation of the CRC32C checksum. Note: This 1114 // field is defined as int64 for reasons of compatibility across different 1115 // languages. However, it is a non-negative integer, which will never exceed 1116 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1117 // this type. 1118 google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 1119 [(google.api.field_behavior) = OPTIONAL]; 1120} 1121 1122// Request message for 1123// [KeyManagementService.RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt]. 1124message RawEncryptRequest { 1125 // Required. The resource name of the 1126 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1127 // encryption. 1128 string name = 1 [(google.api.field_behavior) = REQUIRED]; 1129 1130 // Required. The data to encrypt. Must be no larger than 64KiB. 1131 // 1132 // The maximum size depends on the key version's 1133 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 
1134 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the 1135 // plaintext must be no larger than 64KiB. For 1136 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 1137 // the plaintext and additional_authenticated_data fields must be no larger 1138 // than 8KiB. 1139 bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED]; 1140 1141 // Optional. Optional data that, if specified, must also be provided during 1142 // decryption through 1143 // [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data]. 1144 // 1145 // This field may only be used in conjunction with an 1146 // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm] that accepts 1147 // additional authenticated data (for example, AES-GCM). 1148 // 1149 // The maximum size depends on the key version's 1150 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 1151 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the 1152 // plaintext must be no larger than 64KiB. For 1153 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 1154 // the plaintext and additional_authenticated_data fields must be no larger 1155 // than 8KiB. 1156 bytes additional_authenticated_data = 3 1157 [(google.api.field_behavior) = OPTIONAL]; 1158 1159 // Optional. An optional CRC32C checksum of the 1160 // [RawEncryptRequest.plaintext][google.cloud.kms.v1.RawEncryptRequest.plaintext]. 1161 // If specified, 1162 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1163 // verify the integrity of the received plaintext using this checksum. 1164 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1165 // report an error if the checksum verification fails. 
If you receive a 1166 // checksum error, your client should verify that CRC32C(plaintext) is equal 1167 // to plaintext_crc32c, and if so, perform a limited number of retries. A 1168 // persistent mismatch may indicate an issue in your computation of the CRC32C 1169 // checksum. Note: This field is defined as int64 for reasons of compatibility 1170 // across different languages. However, it is a non-negative integer, which 1171 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1172 // languages that support this type. 1173 google.protobuf.Int64Value plaintext_crc32c = 4 1174 [(google.api.field_behavior) = OPTIONAL]; 1175 1176 // Optional. An optional CRC32C checksum of the 1177 // [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data]. 1178 // If specified, 1179 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1180 // verify the integrity of the received additional_authenticated_data using 1181 // this checksum. 1182 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1183 // report an error if the checksum verification fails. If you receive a 1184 // checksum error, your client should verify that 1185 // CRC32C(additional_authenticated_data) is equal to 1186 // additional_authenticated_data_crc32c, and if so, perform 1187 // a limited number of retries. A persistent mismatch may indicate an issue in 1188 // your computation of the CRC32C checksum. 1189 // Note: This field is defined as int64 for reasons of compatibility across 1190 // different languages. However, it is a non-negative integer, which will 1191 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 1192 // that support this type. 1193 google.protobuf.Int64Value additional_authenticated_data_crc32c = 5 1194 [(google.api.field_behavior) = OPTIONAL]; 1195 1196 // Optional. 
A customer-supplied initialization vector that will be used for 1197 // encryption. If it is not provided for AES-CBC and AES-CTR, one will be 1198 // generated. It will be returned in 1199 // [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector]. 1200 bytes initialization_vector = 6 [(google.api.field_behavior) = OPTIONAL]; 1201 1202 // Optional. An optional CRC32C checksum of the 1203 // [RawEncryptRequest.initialization_vector][google.cloud.kms.v1.RawEncryptRequest.initialization_vector]. 1204 // If specified, 1205 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1206 // verify the integrity of the received initialization_vector using this 1207 // checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1208 // will report an error if the checksum verification fails. If you receive a 1209 // checksum error, your client should verify that 1210 // CRC32C(initialization_vector) is equal to 1211 // initialization_vector_crc32c, and if so, perform 1212 // a limited number of retries. A persistent mismatch may indicate an issue in 1213 // your computation of the CRC32C checksum. 1214 // Note: This field is defined as int64 for reasons of compatibility across 1215 // different languages. However, it is a non-negative integer, which will 1216 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 1217 // that support this type. 1218 google.protobuf.Int64Value initialization_vector_crc32c = 7 1219 [(google.api.field_behavior) = OPTIONAL]; 1220} 1221 1222// Request message for 1223// [KeyManagementService.RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt]. 1224message RawDecryptRequest { 1225 // Required. The resource name of the 1226 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1227 // decryption. 1228 string name = 1 [(google.api.field_behavior) = REQUIRED]; 1229 1230 // Required. 
The encrypted data originally returned in 1231 // [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext]. 1232 bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED]; 1233 1234 // Optional. Optional data that must match the data originally supplied in 1235 // [RawEncryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data]. 1236 bytes additional_authenticated_data = 3 1237 [(google.api.field_behavior) = OPTIONAL]; 1238 1239 // Required. The initialization vector (IV) used during encryption, which must 1240 // match the data originally provided in 1241 // [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector]. 1242 bytes initialization_vector = 4 [(google.api.field_behavior) = REQUIRED]; 1243 1244 // The length of the authentication tag that is appended to the end of 1245 // the ciphertext. If unspecified (0), the default value for the key's 1246 // algorithm will be used (for AES-GCM, the default value is 16). 1247 int32 tag_length = 5; 1248 1249 // Optional. An optional CRC32C checksum of the 1250 // [RawDecryptRequest.ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext]. 1251 // If specified, 1252 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1253 // verify the integrity of the received ciphertext using this checksum. 1254 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1255 // report an error if the checksum verification fails. If you receive a 1256 // checksum error, your client should verify that CRC32C(ciphertext) is equal 1257 // to ciphertext_crc32c, and if so, perform a limited number of retries. A 1258 // persistent mismatch may indicate an issue in your computation of the CRC32C 1259 // checksum. Note: This field is defined as int64 for reasons of compatibility 1260 // across different languages. 
However, it is a non-negative integer, which 1261 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1262 // languages that support this type. 1263 google.protobuf.Int64Value ciphertext_crc32c = 6 1264 [(google.api.field_behavior) = OPTIONAL]; 1265 1266 // Optional. An optional CRC32C checksum of the 1267 // [RawDecryptRequest.additional_authenticated_data][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data]. 1268 // If specified, 1269 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1270 // verify the integrity of the received additional_authenticated_data using 1271 // this checksum. 1272 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1273 // report an error if the checksum verification fails. If you receive a 1274 // checksum error, your client should verify that 1275 // CRC32C(additional_authenticated_data) is equal to 1276 // additional_authenticated_data_crc32c, and if so, perform 1277 // a limited number of retries. A persistent mismatch may indicate an issue in 1278 // your computation of the CRC32C checksum. 1279 // Note: This field is defined as int64 for reasons of compatibility across 1280 // different languages. However, it is a non-negative integer, which will 1281 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 1282 // that support this type. 1283 google.protobuf.Int64Value additional_authenticated_data_crc32c = 7 1284 [(google.api.field_behavior) = OPTIONAL]; 1285 1286 // Optional. An optional CRC32C checksum of the 1287 // [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector]. 1288 // If specified, 1289 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1290 // verify the integrity of the received initialization_vector using this 1291 // checksum. 
[KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1292 // will report an error if the checksum verification fails. If you receive a 1293 // checksum error, your client should verify that 1294 // CRC32C(initialization_vector) is equal to initialization_vector_crc32c, and 1295 // if so, perform a limited number of retries. A persistent mismatch may 1296 // indicate an issue in your computation of the CRC32C checksum. 1297 // Note: This field is defined as int64 for reasons of compatibility across 1298 // different languages. However, it is a non-negative integer, which will 1299 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 1300 // that support this type. 1301 google.protobuf.Int64Value initialization_vector_crc32c = 8 1302 [(google.api.field_behavior) = OPTIONAL]; 1303} 1304 1305// Request message for 1306// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. 1307message AsymmetricSignRequest { 1308 // Required. The resource name of the 1309 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1310 // signing. 1311 string name = 1 [ 1312 (google.api.field_behavior) = REQUIRED, 1313 (google.api.resource_reference) = { 1314 type: "cloudkms.googleapis.com/CryptoKeyVersion" 1315 } 1316 ]; 1317 1318 // Optional. The digest of the data to sign. The digest must be produced with 1319 // the same digest algorithm as specified by the key version's 1320 // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. 1321 // 1322 // This field may not be supplied if 1323 // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data] 1324 // is supplied. 1325 Digest digest = 3 [(google.api.field_behavior) = OPTIONAL]; 1326 1327 // Optional. An optional CRC32C checksum of the 1328 // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. 
1329 // If specified, 1330 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1331 // verify the integrity of the received 1332 // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] 1333 // using this checksum. 1334 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1335 // report an error if the checksum verification fails. If you receive a 1336 // checksum error, your client should verify that 1337 // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]) 1338 // is equal to 1339 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c], 1340 // and if so, perform a limited number of retries. A persistent mismatch may 1341 // indicate an issue in your computation of the CRC32C checksum. Note: This 1342 // field is defined as int64 for reasons of compatibility across different 1343 // languages. However, it is a non-negative integer, which will never exceed 1344 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1345 // this type. 1346 google.protobuf.Int64Value digest_crc32c = 4 1347 [(google.api.field_behavior) = OPTIONAL]; 1348 1349 // Optional. The data to sign. 1350 // It can't be supplied if 1351 // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] 1352 // is supplied. 1353 bytes data = 6 [(google.api.field_behavior) = OPTIONAL]; 1354 1355 // Optional. An optional CRC32C checksum of the 1356 // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]. 1357 // If specified, 1358 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1359 // verify the integrity of the received 1360 // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data] 1361 // using this checksum. 
1362 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1363 // report an error if the checksum verification fails. If you receive a 1364 // checksum error, your client should verify that 1365 // CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]) 1366 // is equal to 1367 // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c], 1368 // and if so, perform a limited number of retries. A persistent mismatch may 1369 // indicate an issue in your computation of the CRC32C checksum. Note: This 1370 // field is defined as int64 for reasons of compatibility across different 1371 // languages. However, it is a non-negative integer, which will never exceed 1372 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1373 // this type. 1374 google.protobuf.Int64Value data_crc32c = 7 1375 [(google.api.field_behavior) = OPTIONAL]; 1376} 1377 1378// Request message for 1379// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. 1380message AsymmetricDecryptRequest { 1381 // Required. The resource name of the 1382 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1383 // decryption. 1384 string name = 1 [ 1385 (google.api.field_behavior) = REQUIRED, 1386 (google.api.resource_reference) = { 1387 type: "cloudkms.googleapis.com/CryptoKeyVersion" 1388 } 1389 ]; 1390 1391 // Required. The data encrypted with the named 1392 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using 1393 // OAEP. 1394 bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED]; 1395 1396 // Optional. An optional CRC32C checksum of the 1397 // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. 
1398 // If specified, 1399 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1400 // verify the integrity of the received 1401 // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext] 1402 // using this checksum. 1403 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1404 // report an error if the checksum verification fails. If you receive a 1405 // checksum error, your client should verify that 1406 // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]) 1407 // is equal to 1408 // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c], 1409 // and if so, perform a limited number of retries. A persistent mismatch may 1410 // indicate an issue in your computation of the CRC32C checksum. Note: This 1411 // field is defined as int64 for reasons of compatibility across different 1412 // languages. However, it is a non-negative integer, which will never exceed 1413 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1414 // this type. 1415 google.protobuf.Int64Value ciphertext_crc32c = 4 1416 [(google.api.field_behavior) = OPTIONAL]; 1417} 1418 1419// Request message for 1420// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. 1421message MacSignRequest { 1422 // Required. The resource name of the 1423 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1424 // signing. 1425 string name = 1 [ 1426 (google.api.field_behavior) = REQUIRED, 1427 (google.api.resource_reference) = { 1428 type: "cloudkms.googleapis.com/CryptoKeyVersion" 1429 } 1430 ]; 1431 1432 // Required. The data to sign. The MAC tag is computed over this data field 1433 // based on the specific algorithm. 1434 bytes data = 2 [(google.api.field_behavior) = REQUIRED]; 1435 1436 // Optional. 
An optional CRC32C checksum of the 1437 // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If 1438 // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1439 // will verify the integrity of the received 1440 // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this 1441 // checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1442 // will report an error if the checksum verification fails. If you receive a 1443 // checksum error, your client should verify that 1444 // CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is 1445 // equal to 1446 // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c], 1447 // and if so, perform a limited number of retries. A persistent mismatch may 1448 // indicate an issue in your computation of the CRC32C checksum. Note: This 1449 // field is defined as int64 for reasons of compatibility across different 1450 // languages. However, it is a non-negative integer, which will never exceed 1451 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1452 // this type. 1453 google.protobuf.Int64Value data_crc32c = 3 1454 [(google.api.field_behavior) = OPTIONAL]; 1455} 1456 1457// Request message for 1458// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. 1459message MacVerifyRequest { 1460 // Required. The resource name of the 1461 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1462 // verification. 1463 string name = 1 [ 1464 (google.api.field_behavior) = REQUIRED, 1465 (google.api.resource_reference) = { 1466 type: "cloudkms.googleapis.com/CryptoKeyVersion" 1467 } 1468 ]; 1469 1470 // Required. The data used previously as a 1471 // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate 1472 // the MAC tag. 1473 bytes data = 2 [(google.api.field_behavior) = REQUIRED]; 1474 1475 // Optional. 
An optional CRC32C checksum of the 1476 // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If 1477 // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1478 // will verify the integrity of the received 1479 // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using 1480 // this checksum. 1481 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1482 // report an error if the checksum verification fails. If you receive a 1483 // checksum error, your client should verify that 1484 // CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]) 1485 // is equal to 1486 // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c], 1487 // and if so, perform a limited number of retries. A persistent mismatch may 1488 // indicate an issue in your computation of the CRC32C checksum. Note: This 1489 // field is defined as int64 for reasons of compatibility across different 1490 // languages. However, it is a non-negative integer, which will never exceed 1491 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1492 // this type. 1493 google.protobuf.Int64Value data_crc32c = 3 1494 [(google.api.field_behavior) = OPTIONAL]; 1495 1496 // Required. The signature to verify. 1497 bytes mac = 4 [(google.api.field_behavior) = REQUIRED]; 1498 1499 // Optional. An optional CRC32C checksum of the 1500 // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If 1501 // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1502 // will verify the integrity of the received 1503 // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this 1504 // checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService] 1505 // will report an error if the checksum verification fails. 
If you receive a 1506 // checksum error, your client should verify that 1507 // CRC32C([MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]) is equal to 1508 // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c], 1509 // and if so, perform a limited number of retries. A persistent mismatch may 1510 // indicate an issue in your computation of the CRC32C checksum. Note: This 1511 // field is defined as int64 for reasons of compatibility across different 1512 // languages. However, it is a non-negative integer, which will never exceed 1513 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1514 // this type. 1515 google.protobuf.Int64Value mac_crc32c = 5 1516 [(google.api.field_behavior) = OPTIONAL]; 1517} 1518 1519// Request message for 1520// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. 1521message GenerateRandomBytesRequest { 1522 // The project-specific location in which to generate random bytes. 1523 // For example, "projects/my-project/locations/us-central1". 1524 string location = 1; 1525 1526 // The length in bytes of the amount of randomness to retrieve. Minimum 8 1527 // bytes, maximum 1024 bytes. 1528 int32 length_bytes = 2; 1529 1530 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when 1531 // generating the random data. Currently, only 1532 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is 1533 // supported. 1534 ProtectionLevel protection_level = 3; 1535} 1536 1537// Response message for 1538// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. 1539message EncryptResponse { 1540 // The resource name of the 1541 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1542 // encryption. Check this field to verify that the intended resource was used 1543 // for encryption. 1544 string name = 1; 1545 1546 // The encrypted data.
1547 bytes ciphertext = 2; 1548 1549 // Integrity verification field. A CRC32C checksum of the returned 1550 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. 1551 // An integrity check of 1552 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] 1553 // can be performed by computing the CRC32C checksum of 1554 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] 1555 // and comparing your results to this field. Discard the response in case of 1556 // non-matching checksum values, and perform a limited number of retries. A 1557 // persistent mismatch may indicate an issue in your computation of the CRC32C 1558 // checksum. Note: This field is defined as int64 for reasons of compatibility 1559 // across different languages. However, it is a non-negative integer, which 1560 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1561 // languages that support this type. 1562 google.protobuf.Int64Value ciphertext_crc32c = 4; 1563 1564 // Integrity verification field. A flag indicating whether 1565 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1566 // was received by 1567 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1568 // for the integrity verification of the 1569 // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of 1570 // this field indicates either that 1571 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1572 // was left unset or that it was not delivered to 1573 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1574 // set 1575 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1576 // but this field is still false, discard the response and perform a limited 1577 // number of retries. 
1578 bool verified_plaintext_crc32c = 5; 1579 1580 // Integrity verification field. A flag indicating whether 1581 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1582 // was received by 1583 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1584 // for the integrity verification of the 1585 // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A 1586 // false value of this field indicates either that 1587 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1588 // was left unset or that it was not delivered to 1589 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1590 // set 1591 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1592 // but this field is still false, discard the response and perform a limited 1593 // number of retries. 1594 bool verified_additional_authenticated_data_crc32c = 6; 1595 1596 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the 1597 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1598 // encryption. 1599 ProtectionLevel protection_level = 7; 1600} 1601 1602// Response message for 1603// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. 1604message DecryptResponse { 1605 // The decrypted data originally supplied in 1606 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. 1607 bytes plaintext = 1; 1608 1609 // Integrity verification field. A CRC32C checksum of the returned 1610 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. 
1611 // An integrity check of 1612 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] 1613 // can be performed by computing the CRC32C checksum of 1614 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] 1615 // and comparing your results to this field. Discard the response in case of 1616 // non-matching checksum values, and perform a limited number of retries. A 1617 // persistent mismatch may indicate an issue in your computation of the CRC32C 1618 // checksum. Note: receiving this response message indicates that 1619 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to 1620 // successfully decrypt the 1621 // [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This 1622 // field is defined as int64 for reasons of compatibility across different 1623 // languages. However, it is a non-negative integer, which will never exceed 1624 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1625 // this type. 1626 google.protobuf.Int64Value plaintext_crc32c = 2; 1627 1628 // Whether the Decryption was performed using the primary key version. 1629 bool used_primary = 3; 1630 1631 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the 1632 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1633 // decryption. 1634 ProtectionLevel protection_level = 4; 1635} 1636 1637// Response message for 1638// [KeyManagementService.RawEncrypt][google.cloud.kms.v1.KeyManagementService.RawEncrypt]. 1639message RawEncryptResponse { 1640 // The encrypted data. In the case of AES-GCM, the authentication tag 1641 // is the [tag_length][google.cloud.kms.v1.RawEncryptResponse.tag_length] 1642 // bytes at the end of this field. 1643 bytes ciphertext = 1; 1644 1645 // The initialization vector (IV) generated by the service during 1646 // encryption. 
This value must be stored and provided in 1647 // [RawDecryptRequest.initialization_vector][google.cloud.kms.v1.RawDecryptRequest.initialization_vector] 1648 // at decryption time. 1649 bytes initialization_vector = 2; 1650 1651 // The length, in bytes, of the authentication tag that is appended to 1652 // the end of the ciphertext. 1653 int32 tag_length = 3; 1654 1655 // Integrity verification field. A CRC32C checksum of the returned 1656 // [RawEncryptResponse.ciphertext][google.cloud.kms.v1.RawEncryptResponse.ciphertext]. 1657 // An integrity check of ciphertext can be performed by computing the CRC32C 1658 // checksum of ciphertext and comparing your results to this field. Discard 1659 // the response in case of non-matching checksum values, and perform a limited 1660 // number of retries. A persistent mismatch may indicate an issue in your 1661 // computation of the CRC32C checksum. CRC32C is a non-cryptographic checksum: it detects accidental corruption, not deliberate modification. Note: This field is defined as int64 1662 // for reasons of compatibility across different languages. However, it is a 1663 // non-negative integer, which will never exceed 2^32-1, and can be safely 1664 // downconverted to uint32 in languages that support this type. 1665 google.protobuf.Int64Value ciphertext_crc32c = 4; 1666 1667 // Integrity verification field. A CRC32C checksum of the returned 1668 // [RawEncryptResponse.initialization_vector][google.cloud.kms.v1.RawEncryptResponse.initialization_vector]. 1669 // An integrity check of initialization_vector can be performed by computing 1670 // the CRC32C checksum of initialization_vector and comparing your results to 1671 // this field. Discard the response in case of non-matching checksum values, 1672 // and perform a limited number of retries. A persistent mismatch may indicate 1673 // an issue in your computation of the CRC32C checksum. Note: This field is 1674 // defined as int64 for reasons of compatibility across different languages.
1675 // However, it is a non-negative integer, which will never exceed 2^32-1, and 1676 // can be safely downconverted to uint32 in languages that support this type. 1677 google.protobuf.Int64Value initialization_vector_crc32c = 5; 1678 1679 // Integrity verification field. A flag indicating whether 1680 // [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c] 1681 // was received by 1682 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1683 // for the integrity verification of the plaintext. A false value of this 1684 // field indicates either that 1685 // [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c] 1686 // was left unset or that it was not delivered to 1687 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1688 // set 1689 // [RawEncryptRequest.plaintext_crc32c][google.cloud.kms.v1.RawEncryptRequest.plaintext_crc32c] 1690 // but this field is still false, discard the response and perform a limited 1691 // number of retries. 1692 bool verified_plaintext_crc32c = 6; 1693 1694 // Integrity verification field. A flag indicating whether 1695 // [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c] 1696 // was received by 1697 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1698 // for the integrity verification of additional_authenticated_data. A false 1699 // value of this field indicates either that 1700 // [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c] 1701 // was left unset or that it was not delivered to 1702 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService].
If you've 1703 // set 1704 // [RawEncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawEncryptRequest.additional_authenticated_data_crc32c] 1705 // but this field is still false, discard the response and perform a limited 1706 // number of retries. 1707 bool verified_additional_authenticated_data_crc32c = 7; 1708 1709 // Integrity verification field. A flag indicating whether 1710 // [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c] 1711 // was received by 1712 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1713 // for the integrity verification of initialization_vector. A false value of 1714 // this field indicates either that 1715 // [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c] 1716 // was left unset or that it was not delivered to 1717 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1718 // set 1719 // [RawEncryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawEncryptRequest.initialization_vector_crc32c] 1720 // but this field is still false, discard the response and perform a limited 1721 // number of retries. 1722 bool verified_initialization_vector_crc32c = 10; 1723 1724 // The resource name of the 1725 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1726 // encryption. Check this field to verify that the intended resource was used 1727 // for encryption. 1728 string name = 8; 1729 1730 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the 1731 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1732 // encryption. 1733 ProtectionLevel protection_level = 9; 1734} 1735 1736// Response message for 1737// [KeyManagementService.RawDecrypt][google.cloud.kms.v1.KeyManagementService.RawDecrypt]. 1738message RawDecryptResponse { 1739 // The decrypted data. 
1740 bytes plaintext = 1; 1741 1742 // Integrity verification field. A CRC32C checksum of the returned 1743 // [RawDecryptResponse.plaintext][google.cloud.kms.v1.RawDecryptResponse.plaintext]. 1744 // An integrity check of plaintext can be performed by computing the CRC32C 1745 // checksum of plaintext and comparing your results to this field. Discard the 1746 // response in case of non-matching checksum values, and perform a limited 1747 // number of retries. A persistent mismatch may indicate an issue in your 1748 // computation of the CRC32C checksum. Note: receiving this response message 1749 // indicates that 1750 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to 1751 // successfully decrypt the 1752 // [ciphertext][google.cloud.kms.v1.RawDecryptRequest.ciphertext]. 1753 // Note: This field is defined as int64 for reasons of compatibility across 1754 // different languages. However, it is a non-negative integer, which will 1755 // never exceed 2^32-1, and can be safely downconverted to uint32 in languages 1756 // that support this type. 1757 google.protobuf.Int64Value plaintext_crc32c = 2; 1758 1759 // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the 1760 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1761 // decryption. 1762 ProtectionLevel protection_level = 3; 1763 1764 // Integrity verification field. A flag indicating whether 1765 // [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c] 1766 // was received by 1767 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1768 // for the integrity verification of the ciphertext. A false value of this 1769 // field indicates either that 1770 // [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c] 1771 // was left unset or that it was not delivered to 1772 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. 
If you've 1773 // set 1774 // [RawDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.RawDecryptRequest.ciphertext_crc32c] 1775 // but this field is still false, discard the response and perform a limited 1776 // number of retries. 1777 bool verified_ciphertext_crc32c = 4; 1778 1779 // Integrity verification field. A flag indicating whether 1780 // [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c] 1781 // was received by 1782 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1783 // for the integrity verification of additional_authenticated_data. A false 1784 // value of this field indicates either that 1785 // [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c] 1786 // was left unset or that it was not delivered to 1787 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1788 // set 1789 // [RawDecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.RawDecryptRequest.additional_authenticated_data_crc32c] 1790 // but this field is still false, discard the response and perform a limited 1791 // number of retries. 1792 bool verified_additional_authenticated_data_crc32c = 5; 1793 1794 // Integrity verification field. A flag indicating whether 1795 // [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c] 1796 // was received by 1797 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1798 // for the integrity verification of initialization_vector.
A false value of 1799 // this field indicates either that 1800 // [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c] 1801 // was left unset or that it was not delivered to 1802 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1803 // set 1804 // [RawDecryptRequest.initialization_vector_crc32c][google.cloud.kms.v1.RawDecryptRequest.initialization_vector_crc32c] 1805 // but this field is still false, discard the response and perform a limited 1806 // number of retries. 1807 bool verified_initialization_vector_crc32c = 6; 1808} 1809 1810// Response message for 1811// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. 1812message AsymmetricSignResponse { 1813 // The created signature. 1814 bytes signature = 1; 1815 1816 // Integrity verification field. A CRC32C checksum of the returned 1817 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]. 1818 // An integrity check of 1819 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] 1820 // can be performed by computing the CRC32C checksum of 1821 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] 1822 // and comparing your results to this field. Discard the response in case of 1823 // non-matching checksum values, and perform a limited number of retries. A 1824 // persistent mismatch may indicate an issue in your computation of the CRC32C 1825 // checksum. Note: This field is defined as int64 for reasons of compatibility 1826 // across different languages. However, it is a non-negative integer, which 1827 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1828 // languages that support this type. 1829 google.protobuf.Int64Value signature_crc32c = 2; 1830 1831 // Integrity verification field. 
A flag indicating whether 1832 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1833 // was received by 1834 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1835 // for the integrity verification of the 1836 // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value 1837 // of this field indicates either that 1838 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1839 // was left unset or that it was not delivered to 1840 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1841 // set 1842 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1843 // but this field is still false, discard the response and perform a limited 1844 // number of retries. 1845 bool verified_digest_crc32c = 3; 1846 1847 // The resource name of the 1848 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. 1849 // Check this field to verify that the intended resource was used for signing. 1850 string name = 4; 1851 1852 // Integrity verification field. A flag indicating whether 1853 // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] 1854 // was received by 1855 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1856 // for the integrity verification of the 1857 // [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of 1858 // this field indicates either that 1859 // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] 1860 // was left unset or that it was not delivered to 1861 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. 
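// If you've
  // set
  // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_data_crc32c = 5;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  ProtectionLevel protection_level = 6;
}

// Response message for
// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
message AsymmetricDecryptResponse {
  // The decrypted data originally encrypted with the matching public key.
  // Handle this value as sensitive: keep it out of logs and error messages.
  bytes plaintext = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
  // An integrity check of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // can be performed by computing the CRC32C checksum of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  //
  // CRC32C is an error-detecting checksum, not a cryptographic MAC: a match
  // shows the bytes were not corrupted on the way to the caller, and does not
  // protect against deliberate modification.
  google.protobuf.Int64Value plaintext_crc32c = 2;

  // Integrity verification field. A flag indicating whether
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
  // false value of this field indicates either that
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  //
  // false is also the proto3 default for a bool that is absent from the
  // response, so this flag carries information only for callers that
  // populated the request checksum.
  bool verified_ciphertext_crc32c = 3;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
  // decryption.
  ProtectionLevel protection_level = 4;
}

// Response message for
// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
message MacSignResponse {
  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  // Check this field to verify that the intended resource was used for signing.
  string name = 1;

  // The created signature.
  bytes mac = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
  // integrity check of
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
  // performed by computing the CRC32C checksum of
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
  // comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  //
  // CRC32C is an error-detecting checksum, not a cryptographic MAC: a match
  // shows the bytes were not corrupted on the way to the caller, and does not
  // protect against deliberate modification.
  google.protobuf.Int64Value mac_crc32c = 3;

  // Integrity verification field. A flag indicating whether
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
  // field indicates either that
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  //
  // false is also the proto3 default for a bool that is absent from the
  // response, so this flag carries information only for callers that
  // populated the request checksum.
  bool verified_data_crc32c = 4;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  ProtectionLevel protection_level = 5;
}

// Response message for
// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
message MacVerifyResponse {
  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
  // verification. Check this field to verify that the intended resource was
  // used for verification.
  string name = 1;

  // This field indicates whether or not the verification operation for
  // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
  // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
  // successful.
  //
  // false is also the proto3 default for a bool that is absent from the
  // response, so callers should fail closed: accept the MAC only when this
  // field is true and
  // [verified_success_integrity][google.cloud.kms.v1.MacVerifyResponse.verified_success_integrity]
  // does not contradict it.
  bool success = 2;

  // Integrity verification field. A flag indicating whether
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
  // field indicates either that
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_data_crc32c = 3;

  // Integrity verification field. A flag indicating whether
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [mac][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
  // field indicates either that
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_mac_crc32c = 4;

  // Integrity verification field. This value is used for the integrity
  // verification of
  // [MacVerifyResponse.success][google.cloud.kms.v1.MacVerifyResponse.success].
  // If the value of this field contradicts the value of
  // [MacVerifyResponse.success][google.cloud.kms.v1.MacVerifyResponse.success],
  // discard the response and perform a limited number of retries.
  bool verified_success_integrity = 5;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
  // verification.
  ProtectionLevel protection_level = 6;
}

// Response message for
// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
message GenerateRandomBytesResponse {
  // The generated data. If the bytes are used as key material or another
  // secret, keep them out of logs and error messages.
  bytes data = 1;

  // NOTE(review): field number 2 is not assigned in this message. If it was
  // ever used, it should be listed in a `reserved` statement so it cannot be
  // reused with a different meaning; confirm against the schema history.

  // Integrity verification field. A CRC32C checksum of the returned
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
  // An integrity check of
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
  // can be performed by computing the CRC32C checksum of
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  //
  // CRC32C is an error-detecting checksum, not a cryptographic MAC: a match
  // shows the bytes were not corrupted on the way to the caller, and does not
  // protect against deliberate modification.
  google.protobuf.Int64Value data_crc32c = 3;
}

// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
// Exactly one member of the oneof is set; setting one clears the others.
message Digest {
  // Required. The message digest.
  // NOTE(review): the member chosen presumably has to match the digest
  // algorithm of the key version that consumes it; confirm against the
  // request message that carries this Digest.
  oneof digest {
    // A message digest produced with the SHA-256 algorithm (32 bytes).
    bytes sha256 = 1;

    // A message digest produced with the SHA-384 algorithm (48 bytes).
    bytes sha384 = 2;

    // A message digest produced with the SHA-512 algorithm (64 bytes).
    bytes sha512 = 3;
  }
}

// Cloud KMS metadata for the given
// [google.cloud.location.Location][google.cloud.location.Location].
message LocationMetadata {
  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
  // location.
  bool hsm_available = 1;

  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
  // this location.
  bool ekm_available = 2;
}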