// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.kms.v1;

// NOTE(review): the last import below lives under test/integration/, which
// suggests this file is a test-fixture copy of the KMS service definition
// rather than the canonical published one - confirm before relying on it as
// the API contract.
import "google/api/annotations.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";
import "test/integration/apis/kms/v1/resources.proto";

// Per-language code generation settings; none of these affect the wire format.
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
option java_multiple_files = true;
option java_outer_classname = "KmsProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// Google Cloud Key Management Service
//
// Manages cryptographic keys and operations using those keys. Implements a REST
// model with the following objects:
//
// * [KeyRing][google.cloud.kms.v1.KeyRing]
// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// * [ImportJob][google.cloud.kms.v1.ImportJob]
//
// If you are using manual gRPC libraries, see
// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
service KeyManagementService {
  option (google.api.default_host) = "cloudkms.googleapis.com";

  // OAuth scopes declared for clients of this service.
  // NOTE(review): cloud-platform is the broad Google Cloud scope and cloudkms
  // is specific to this API; callers that only use KMS can presumably request
  // just the narrower one - confirm against the service documentation.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/cloudkms";

  // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
  rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/keyRings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
      returns (ListCryptoKeyVersionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
  rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
  rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
  // well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the public key for the given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
  // or
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
  rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
  // Location.
  rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/keyRings"
      body: "key_ring"
    };
    option (google.api.method_signature) = "parent,key_ring_id,key_ring";
  }

  // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
  // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
  // are required.
  rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
  }

  // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // The server will assign the next sequential id. If unset,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
  rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "parent,crypto_key_version";
  }

  // Imports a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] into
  // an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] using the wrapped
  // key material provided in the request.
  //
  // The version ID will be assigned the next sequential id within the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
      body: "*"
    };
  }

  // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
  // required.
  rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
      body: "import_job"
    };
    option (google.api.method_signature) = "parent,import_job_id,import_job";
  }

  // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "crypto_key,update_mask";
  }

  // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
  // metadata.
  //
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
  // and
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
  // using this method. See
  // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
  // and
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // to move between other states.
  rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "crypto_key_version,update_mask";
  }

  // Encrypts data, so that it can only be recovered by a call to
  // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // The `cryptoKeys/**` path template below is what lets `name` identify
  // either a CryptoKey or one of its CryptoKeyVersions; Decrypt binds
  // `cryptoKeys/*` and so addresses the CryptoKey only.
  rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,plaintext";
  }

  // Decrypts data that was protected by
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_SIGN, producing a signature that can be verified with the public
  // key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
  //
  // The flattened signature takes a `digest`, so the caller hashes the message
  // locally. NOTE(review): presumably the digest algorithm has to match the
  // key version's algorithm - confirm against AsymmetricSignRequest, which is
  // not visible here.
  rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,digest";
  }

  // Decrypts data that was encrypted with a public key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
  // corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_DECRYPT.
  rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
      returns (AsymmetricDecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
  // will be used in
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  //
  // Returns an error if called on an asymmetric key.
  rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
      returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
      body: "*"
    };
    option (google.api.method_signature) = "name,crypto_key_version_id";
  }

  // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
  // destruction.
  //
  // Upon calling this method,
  // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
  // be set to
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be set to a time 24 hours in the future, at which point the
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
  // and the key material will be irrevocably destroyed.
  //
  // Before the
  // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
  // reached,
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // may be called to reverse the process.
  //
  // NOTE(review): the 24-hour window is the only recovery period described
  // here, and data encrypted under the version is unrecoverable afterwards.
  // Access to this RPC is worth restricting, and calls to it worth alerting on.
  rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state.
  //
  // Upon restoration of the CryptoKeyVersion,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be cleared.
  //
  // Because the restored version is DISABLED rather than ENABLED, putting it
  // back into service takes a further
  // [UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]
  // call.
  rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // NOTE(review): the `{resource=**}` template on GetIamPolicy matches any
  // resource path, unlike the explicit `projects/*/locations/*/...` patterns
  // on every other RPC in this service. That fits the test-only remark in its
  // doc comment; a production binding would normally enumerate the resource
  // patterns that may carry a policy, so do not copy this one as-is.

  // Gets the access control policy for a resource. ADDED ONLY FOR MIXIN TESTS.
  // Returns an empty policy if the resource exists and does not have a policy
  // set.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=**}:getIamPolicy"
      body: "*"
    };
  }
}

// Request message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Limit on the number of
  // [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
  // [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
  // including the
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Limit on the number of
  // [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
  // Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
  // obtained by including the
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // The fields of the primary version to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView version_view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. Limit on the number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
  // response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // can subsequently be obtained by including the
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // The fields to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Limit on the number of
  // [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
  // Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
  // obtained by including the
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsResponse {
  // The list of [KeyRings][google.cloud.kms.v1.KeyRing].
  repeated KeyRing key_rings = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
  // the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysResponse {
  // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  repeated CryptoKey crypto_keys = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
  // matched the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsResponse {
  // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  repeated CryptoKeyVersion crypto_key_versions = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
  // query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsResponse {
  // The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
  repeated ImportJob import_jobs = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
  // matched the query.
  int32 total_size = 3;
}

// Request message for
// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
message GetKeyRingRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
message GetCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
message GetCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message GetPublicKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
message GetImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/ImportJob"
    }
  ];
}

// Request message for
// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
message CreateKeyRingRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // NOTE(review): the id pattern below is documented only; nothing in this
  // schema enforces it, so presumably the server validates it - callers
  // building ids from external input should check the pattern themselves.

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
  // values.
  KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
message CreateCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
  // associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. It must be unique within a KeyRing and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
  // values.
  CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];

  // NOTE(review): field number 4 is unused in this message and not declared
  // `reserved`. If it once belonged to a removed field, reserving it would
  // prevent accidental reuse - confirm against the schema history.

  // If set to true, the request will create a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
  // manually call
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or
  // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
  // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  bool skip_initial_version_creation = 5;
}

// Request message for
// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
message CreateCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // initial field values.
  CryptoKeyVersion crypto_key_version = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
message ImportCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. The
  // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // of the key being imported. This does not need to match the
  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
      [(google.api.field_behavior) = REQUIRED];

  // NOTE(review): field number 3 is unused in this message and not declared
  // `reserved` - confirm against the schema history whether it should be.
  // Unlike the other resource-name fields in this file, import_job carries no
  // google.api.resource_reference annotation.

  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
  // material.
  string import_job = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. The incoming wrapped key material that is to be imported.
  oneof wrapped_key_material {
    // NOTE(review): both import methods named below use SHA-1 as the
    // RSAES-OAEP hash and MGF1 hash. Crypto policies that disallow SHA-1
    // outright will flag this wrapping step; check whether
    // ImportJob.ImportMethod (not defined in the visible part of this file)
    // offers a SHA-256 variant before standardising on these.

    // Wrapped key material produced with
    // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
    // or
    // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
    //
    // This field contains the concatenation of two wrapped keys:
    // <ol>
    //   <li>An ephemeral AES-256 wrapping key wrapped with the
    //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
    //       RSAES-OAEP with SHA-1, MGF1 with SHA-1, and an empty label.
    //   </li>
    //   <li>The key to be imported, wrapped with the ephemeral AES-256 key
    //       using AES-KWP (RFC 5649).
    //   </li>
    // </ol>
    //
    // If importing symmetric key material, it is expected that the unwrapped
    // key contains plain bytes. If importing asymmetric key material, it is
    // expected that the unwrapped key is in PKCS#8-encoded DER format (the
    // PrivateKeyInfo structure from RFC 5208).
    //
    // This format is the same as the format produced by PKCS#11 mechanism
    // CKM_RSA_AES_KEY_WRAP.
    bytes rsa_aes_wrapped_key = 5;
  }
}

// Request message for
// [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
message CreateImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
  // [ImportJobs][google.cloud.kms.v1.ImportJob].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. It must be unique within a KeyRing and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string import_job_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
  // values.
  ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
message UpdateCryptoKeyRequest {
  // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
  CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. List of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
message UpdateCryptoKeyVersionRequest {
  // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // updated values.
  CryptoKeyVersion crypto_key_version = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. List of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
message EncryptRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] or
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // encryption.
824 // 825 // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server 826 // will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. 827 string name = 1 [ 828 (google.api.field_behavior) = REQUIRED, 829 (google.api.resource_reference) = { type: "*" } 830 ]; 831 832 // Required. The data to encrypt. Must be no larger than 64KiB. 833 // 834 // The maximum size depends on the key version's 835 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 836 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the 837 // plaintext must be no larger than 64KiB. For 838 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 839 // the plaintext and additional_authenticated_data fields must be no larger 840 // than 8KiB. 841 bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED]; 842 843 // Optional. Optional data that, if specified, must also be provided during 844 // decryption through 845 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. 846 // 847 // The maximum size depends on the key version's 848 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. 849 // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD 850 // must be no larger than 64KiB. For 851 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of 852 // the plaintext and additional_authenticated_data fields must be no larger 853 // than 8KiB. 854 bytes additional_authenticated_data = 3 855 [(google.api.field_behavior) = OPTIONAL]; 856 857 // Optional. An optional CRC32C checksum of the 858 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. 
859 // If specified, 860 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 861 // verify the integrity of the received 862 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext] 863 // using this checksum. 864 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 865 // report an error if the checksum verification fails. If you receive a 866 // checksum error, your client should verify that 867 // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]) 868 // is equal to 869 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c], 870 // and if so, perform a limited number of retries. A persistent mismatch may 871 // indicate an issue in your computation of the CRC32C checksum. Note: This 872 // field is defined as int64 for reasons of compatibility across different 873 // languages. However, it is a non-negative integer, which will never exceed 874 // 2^32-1, and can be safely downconverted to uint32 in languages that support 875 // this type. 876 // 877 // NOTE: This field is in Beta. 878 google.protobuf.Int64Value plaintext_crc32c = 7 879 [(google.api.field_behavior) = OPTIONAL]; 880 881 // Optional. An optional CRC32C checksum of the 882 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. 883 // If specified, 884 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 885 // verify the integrity of the received 886 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data] 887 // using this checksum. 888 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 889 // report an error if the checksum verification fails. 
If you receive a 890 // checksum error, your client should verify that 891 // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]) 892 // is equal to 893 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c], 894 // and if so, perform a limited number of retries. A persistent mismatch may 895 // indicate an issue in your computation of the CRC32C checksum. Note: This 896 // field is defined as int64 for reasons of compatibility across different 897 // languages. However, it is a non-negative integer, which will never exceed 898 // 2^32-1, and can be safely downconverted to uint32 in languages that support 899 // this type. 900 // 901 // NOTE: This field is in Beta. 902 google.protobuf.Int64Value additional_authenticated_data_crc32c = 8 903 [(google.api.field_behavior) = OPTIONAL]; 904} 905 906// Request message for 907// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. 908message DecryptRequest { 909 // Required. The resource name of the 910 // [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The 911 // server will choose the appropriate version. 912 string name = 1 [ 913 (google.api.field_behavior) = REQUIRED, 914 (google.api.resource_reference) = { 915 type: "cloudkms.googleapis.com/CryptoKey" 916 } 917 ]; 918 919 // Required. The encrypted data originally returned in 920 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. 921 bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED]; 922 923 // Optional. Optional data that must match the data originally supplied in 924 // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. 925 bytes additional_authenticated_data = 3 926 [(google.api.field_behavior) = OPTIONAL]; 927 928 // Optional. 
An optional CRC32C checksum of the 929 // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. 930 // If specified, 931 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 932 // verify the integrity of the received 933 // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext] 934 // using this checksum. 935 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 936 // report an error if the checksum verification fails. If you receive a 937 // checksum error, your client should verify that 938 // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]) 939 // is equal to 940 // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c], 941 // and if so, perform a limited number of retries. A persistent mismatch may 942 // indicate an issue in your computation of the CRC32C checksum. Note: This 943 // field is defined as int64 for reasons of compatibility across different 944 // languages. However, it is a non-negative integer, which will never exceed 945 // 2^32-1, and can be safely downconverted to uint32 in languages that support 946 // this type. 947 // 948 // NOTE: This field is in Beta. 949 google.protobuf.Int64Value ciphertext_crc32c = 5 950 [(google.api.field_behavior) = OPTIONAL]; 951 952 // Optional. An optional CRC32C checksum of the 953 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. 954 // If specified, 955 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 956 // verify the integrity of the received 957 // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data] 958 // using this checksum. 959 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 960 // report an error if the checksum verification fails. 
If you receive a 961 // checksum error, your client should verify that 962 // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]) 963 // is equal to 964 // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c], 965 // and if so, perform a limited number of retries. A persistent mismatch may 966 // indicate an issue in your computation of the CRC32C checksum. Note: This 967 // field is defined as int64 for reasons of compatibility across different 968 // languages. However, it is a non-negative integer, which will never exceed 969 // 2^32-1, and can be safely downconverted to uint32 in languages that support 970 // this type. 971 // 972 // NOTE: This field is in Beta. 973 google.protobuf.Int64Value additional_authenticated_data_crc32c = 6 974 [(google.api.field_behavior) = OPTIONAL]; 975} 976 977// Request message for 978// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. 979message AsymmetricSignRequest { 980 // Required. The resource name of the 981 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 982 // signing. 983 string name = 1 [ 984 (google.api.field_behavior) = REQUIRED, 985 (google.api.resource_reference) = { 986 type: "cloudkms.googleapis.com/CryptoKeyVersion" 987 } 988 ]; 989 990 // Required. The digest of the data to sign. The digest must be produced with 991 // the same digest algorithm as specified by the key version's 992 // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. 993 Digest digest = 3 [(google.api.field_behavior) = REQUIRED]; 994 995 // Optional. An optional CRC32C checksum of the 996 // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. 
997 // If specified, 998 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 999 // verify the integrity of the received 1000 // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest] 1001 // using this checksum. 1002 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1003 // report an error if the checksum verification fails. If you receive a 1004 // checksum error, your client should verify that 1005 // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]) 1006 // is equal to 1007 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c], 1008 // and if so, perform a limited number of retries. A persistent mismatch may 1009 // indicate an issue in your computation of the CRC32C checksum. Note: This 1010 // field is defined as int64 for reasons of compatibility across different 1011 // languages. However, it is a non-negative integer, which will never exceed 1012 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1013 // this type. 1014 // 1015 // NOTE: This field is in Beta. 1016 google.protobuf.Int64Value digest_crc32c = 4 1017 [(google.api.field_behavior) = OPTIONAL]; 1018} 1019 1020// Request message for 1021// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. 1022message AsymmetricDecryptRequest { 1023 // Required. The resource name of the 1024 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for 1025 // decryption. 1026 string name = 1 [ 1027 (google.api.field_behavior) = REQUIRED, 1028 (google.api.resource_reference) = { 1029 type: "cloudkms.googleapis.com/CryptoKeyVersion" 1030 } 1031 ]; 1032 1033 // Required. The data encrypted with the named 1034 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using 1035 // OAEP. 
1036 bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED]; 1037 1038 // Optional. An optional CRC32C checksum of the 1039 // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. 1040 // If specified, 1041 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1042 // verify the integrity of the received 1043 // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext] 1044 // using this checksum. 1045 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will 1046 // report an error if the checksum verification fails. If you receive a 1047 // checksum error, your client should verify that 1048 // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]) 1049 // is equal to 1050 // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c], 1051 // and if so, perform a limited number of retries. A persistent mismatch may 1052 // indicate an issue in your computation of the CRC32C checksum. Note: This 1053 // field is defined as int64 for reasons of compatibility across different 1054 // languages. However, it is a non-negative integer, which will never exceed 1055 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1056 // this type. 1057 // 1058 // NOTE: This field is in Beta. 1059 google.protobuf.Int64Value ciphertext_crc32c = 4 1060 [(google.api.field_behavior) = OPTIONAL]; 1061} 1062 1063// Response message for 1064// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. 1065message DecryptResponse { 1066 // The decrypted data originally supplied in 1067 // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. 1068 bytes plaintext = 1; 1069 1070 // Integrity verification field. 
A CRC32C checksum of the returned 1071 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. 1072 // An integrity check of 1073 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] 1074 // can be performed by computing the CRC32C checksum of 1075 // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] 1076 // and comparing your results to this field. Discard the response in case of 1077 // non-matching checksum values, and perform a limited number of retries. A 1078 // persistent mismatch may indicate an issue in your computation of the CRC32C 1079 // checksum. Note: receiving this response message indicates that 1080 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to 1081 // successfully decrypt the 1082 // [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This 1083 // field is defined as int64 for reasons of compatibility across different 1084 // languages. However, it is a non-negative integer, which will never exceed 1085 // 2^32-1, and can be safely downconverted to uint32 in languages that support 1086 // this type. 1087 // 1088 // NOTE: This field is in Beta. 1089 google.protobuf.Int64Value plaintext_crc32c = 2; 1090} 1091 1092// Response message for 1093// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. 1094message EncryptResponse { 1095 // The resource name of the 1096 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in 1097 // encryption. Check this field to verify that the intended resource was used 1098 // for encryption. 1099 string name = 1; 1100 1101 // The encrypted data. 1102 bytes ciphertext = 2; 1103 1104 // Integrity verification field. A CRC32C checksum of the returned 1105 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. 
1106 // An integrity check of 1107 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] 1108 // can be performed by computing the CRC32C checksum of 1109 // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext] 1110 // and comparing your results to this field. Discard the response in case of 1111 // non-matching checksum values, and perform a limited number of retries. A 1112 // persistent mismatch may indicate an issue in your computation of the CRC32C 1113 // checksum. Note: This field is defined as int64 for reasons of compatibility 1114 // across different languages. However, it is a non-negative integer, which 1115 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1116 // languages that support this type. 1117 // 1118 // NOTE: This field is in Beta. 1119 google.protobuf.Int64Value ciphertext_crc32c = 4; 1120 1121 // Integrity verification field. A flag indicating whether 1122 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1123 // was received by 1124 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1125 // for the integrity verification of the 1126 // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of 1127 // this field indicates either that 1128 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1129 // was left unset or that it was not delivered to 1130 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1131 // set 1132 // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] 1133 // but this field is still false, discard the response and perform a limited 1134 // number of retries. 1135 // 1136 // NOTE: This field is in Beta. 1137 bool verified_plaintext_crc32c = 5; 1138 1139 // Integrity verification field. 
A flag indicating whether 1140 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1141 // was received by 1142 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1143 // for the integrity verification of the 1144 // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A 1145 // false value of this field indicates either that 1146 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1147 // was left unset or that it was not delivered to 1148 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1149 // set 1150 // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] 1151 // but this field is still false, discard the response and perform a limited 1152 // number of retries. 1153 // 1154 // NOTE: This field is in Beta. 1155 bool verified_additional_authenticated_data_crc32c = 6; 1156} 1157 1158// Response message for 1159// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. 1160message AsymmetricSignResponse { 1161 // The created signature. 1162 bytes signature = 1; 1163 1164 // Integrity verification field. A CRC32C checksum of the returned 1165 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]. 1166 // An integrity check of 1167 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] 1168 // can be performed by computing the CRC32C checksum of 1169 // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature] 1170 // and comparing your results to this field. Discard the response in case of 1171 // non-matching checksum values, and perform a limited number of retries. 
A 1172 // persistent mismatch may indicate an issue in your computation of the CRC32C 1173 // checksum. Note: This field is defined as int64 for reasons of compatibility 1174 // across different languages. However, it is a non-negative integer, which 1175 // will never exceed 2^32-1, and can be safely downconverted to uint32 in 1176 // languages that support this type. 1177 // 1178 // NOTE: This field is in Beta. 1179 google.protobuf.Int64Value signature_crc32c = 2; 1180 1181 // Integrity verification field. A flag indicating whether 1182 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1183 // was received by 1184 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used 1185 // for the integrity verification of the 1186 // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value 1187 // of this field indicates either that 1188 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1189 // was left unset or that it was not delivered to 1190 // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've 1191 // set 1192 // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] 1193 // but this field is still false, discard the response and perform a limited 1194 // number of retries. 1195 // 1196 // NOTE: This field is in Beta. 1197 bool verified_digest_crc32c = 3; 1198 1199 // The resource name of the 1200 // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. 1201 // Check this field to verify that the intended resource was used for signing. 1202 // 1203 // NOTE: This field is in Beta. 1204 string name = 4; 1205} 1206 1207// Response message for 1208// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. 
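message AsymmetricDecryptResponse {
  // The decrypted data originally encrypted with the matching public key.
  bytes plaintext = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
  // An integrity check of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // can be performed by computing the CRC32C checksum of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  //
  // CRC32C is unkeyed: this value detects accidental corruption in transit
  // only and is not a cryptographic integrity or authenticity check.
  //
  // NOTE: This field is in Beta.
  google.protobuf.Int64Value plaintext_crc32c = 2;

  // Integrity verification field. A flag indicating whether
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
  // false value of this field indicates either that
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  //
  // NOTE: This field is in Beta.
  bool verified_ciphertext_crc32c = 3;
}

// Request message for
// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
message UpdateCryptoKeyPrimaryVersionRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. The id of the child
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
  string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
message DestroyCryptoKeyVersionRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
message RestoreCryptoKeyVersionRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
// Exactly one member of the oneof carries the digest bytes; the member name
// states which hash algorithm produced them.
message Digest {
  // Required. The message digest.
  oneof digest {
    // A message digest produced with the SHA-256 algorithm (32 bytes).
    bytes sha256 = 1;

    // A message digest produced with the SHA-384 algorithm (48 bytes).
    bytes sha384 = 2;

    // A message digest produced with the SHA-512 algorithm (64 bytes).
    bytes sha512 = 3;
  }
}

// Cloud KMS metadata for the given
// [google.cloud.location.Location][google.cloud.location.Location].
message LocationMetadata {
  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
  // location.
  bool hsm_available = 1;

  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
  // this location.
  bool ekm_available = 2;
}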