diff options
Diffstat (limited to 'google/cloud/kms/v1/service.proto')
-rw-r--r-- | google/cloud/kms/v1/service.proto | 656 |
1 files changed, 656 insertions, 0 deletions
diff --git a/google/cloud/kms/v1/service.proto b/google/cloud/kms/v1/service.proto new file mode 100644 index 000000000..81e22c25f --- /dev/null +++ b/google/cloud/kms/v1/service.proto @@ -0,0 +1,656 @@ +// Copyright 2018 Google LLC. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +syntax = "proto3"; + +package google.cloud.kms.v1; + +import "google/api/annotations.proto"; +import "google/cloud/kms/v1/resources.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +option cc_enable_arenas = true; +option csharp_namespace = "Google.Cloud.Kms.V1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms"; +option java_multiple_files = true; +option java_outer_classname = "KmsProto"; +option java_package = "com.google.cloud.kms.v1"; +option php_namespace = "Google\\Cloud\\Kms\\V1"; + +// Google Cloud Key Management Service +// +// Manages cryptographic keys and operations using those keys. Implements a REST +// model with the following objects: +// +// * [KeyRing][google.cloud.kms.v1.KeyRing] +// * [CryptoKey][google.cloud.kms.v1.CryptoKey] +// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] +// +// If you are using manual gRPC libraries, see +// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc). +service KeyManagementService { + // Lists [KeyRings][google.cloud.kms.v1.KeyRing]. + rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*}/keyRings" + }; + } + + // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys" + }; + } + + // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest) + returns (ListCryptoKeyVersionsResponse) { + option (google.api.http) = { + get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions" + }; + } + + // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing]. + rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*}" + }; + } + + // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as + // well as its [primary][google.cloud.kms.v1.CryptoKey.primary] + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}" + }; + } + + // Returns metadata for a given + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. + rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}" + }; + } + + // Returns the public key for the given + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] + // or + // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT]. + rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) { + option (google.api.http) = { + get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey" + }; + } + + // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and + // Location. + rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*}/keyRings" + body: "key_ring" + }; + } + + // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a + // [KeyRing][google.cloud.kms.v1.KeyRing]. + // + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and + // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm] + // are required. + rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys" + body: "crypto_key" + }; + } + + // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a + // [CryptoKey][google.cloud.kms.v1.CryptoKey]. + // + // The server will assign the next sequential id. If unset, + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to + // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]. + rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions" + body: "crypto_key_version" + }; + } + + // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey]. + rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) { + option (google.api.http) = { + patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}" + body: "crypto_key" + }; + } + + // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s + // metadata. + // + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between + // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + // and + // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] + // using this method. See + // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion] + // and + // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + // to move between other states. + rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}" + body: "crypto_key_version" + }; + } + + // Encrypts data, so that it can only be recovered by a call to + // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + rpc Encrypt(EncryptRequest) returns (EncryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt" + body: "*" + }; + } + + // Decrypts data that was protected by + // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The + // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be + // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + rpc Decrypt(DecryptRequest) returns (DecryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt" + body: "*" + }; + } + + // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // ASYMMETRIC_SIGN, producing a signature that can be verified with the public + // key retrieved from + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. + rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign" + body: "*" + }; + } + + // Decrypts data that was encrypted with a public key retrieved from + // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] + // corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + // ASYMMETRIC_DECRYPT. + rpc AsymmetricDecrypt(AsymmetricDecryptRequest) + returns (AsymmetricDecryptResponse) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt" + body: "*" + }; + } + + // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that + // will be used in + // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + // + // Returns an error if called on an asymmetric key. + rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest) + returns (CryptoKey) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion" + body: "*" + }; + } + + // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + // destruction. + // + // Upon calling this method, + // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will + // be set to + // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will + // be set to a time 24 hours in the future, at which point the + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be changed to + // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + // and the key material will be irrevocably destroyed. + // + // Before the + // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is + // reached, + // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + // may be called to reverse the process. + rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy" + body: "*" + }; + } + + // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + // state. + // + // Upon restoration of the CryptoKeyVersion, + // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to + // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will + // be cleared. + rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest) + returns (CryptoKeyVersion) { + option (google.api.http) = { + post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore" + body: "*" + }; + } +} + +// Request message for +// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings]. +message ListKeyRingsRequest { + // Required. The resource name of the location associated with the + // [KeyRings][google.cloud.kms.v1.KeyRing], in the format + // `projects/*/locations/*`. + string parent = 1; + + // Optional limit on the number of [KeyRings][google.cloud.kms.v1.KeyRing] to + // include in the response. Further [KeyRings][google.cloud.kms.v1.KeyRing] + // can subsequently be obtained by including the + // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2; + + // Optional pagination token, returned earlier via + // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]. + string page_token = 3; +} + +// Request message for +// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. +message ListCryptoKeysRequest { + // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing] + // to list, in the format `projects/*/locations/*/keyRings/*`. + string parent = 1; + + // Optional limit on the number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] + // to include in the response. Further + // [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be obtained by + // including the + // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2; + + // Optional pagination token, returned earlier via + // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]. + string page_token = 3; + + // The fields of the primary version to include in the response. + CryptoKeyVersion.CryptoKeyVersionView version_view = 4; +} + +// Request message for +// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]. +message ListCryptoKeyVersionsRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format + // `projects/*/locations/*/keyRings/*/cryptoKeys/*`. + string parent = 1; + + // Optional limit on the number of + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the + // response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] + // can subsequently be obtained by including the + // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token] + // in a subsequent request. If unspecified, the server will pick an + // appropriate default. + int32 page_size = 2; + + // Optional pagination token, returned earlier via + // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]. + string page_token = 3; + + // The fields to include in the response. + CryptoKeyVersion.CryptoKeyVersionView view = 4; +} + +// Response message for +// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings]. +message ListKeyRingsResponse { + // The list of [KeyRings][google.cloud.kms.v1.KeyRing]. + repeated KeyRing key_rings = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched + // the query. + int32 total_size = 3; +} + +// Response message for +// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys]. +message ListCryptoKeysResponse { + // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + repeated CryptoKey crypto_keys = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that + // matched the query. + int32 total_size = 3; +} + +// Response message for +// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions]. +message ListCryptoKeyVersionsResponse { + // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + repeated CryptoKeyVersion crypto_key_versions = 1; + + // A token to retrieve next page of results. Pass this value in + // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token] + // to retrieve the next page of results. + string next_page_token = 2; + + // The total number of + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the + // query. + int32 total_size = 3; +} + +// Request message for +// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing]. +message GetKeyRingRequest { + // The [name][google.cloud.kms.v1.KeyRing.name] of the + // [KeyRing][google.cloud.kms.v1.KeyRing] to get. + string name = 1; +} + +// Request message for +// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey]. +message GetCryptoKeyRequest { + // The [name][google.cloud.kms.v1.CryptoKey.name] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get. + string name = 1; +} + +// Request message for +// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion]. +message GetCryptoKeyVersionRequest { + // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get. + string name = 1; +} + +// Request message for +// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]. +message GetPublicKeyRequest { + // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get. + string name = 1; +} + +// Request message for +// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing]. +message CreateKeyRingRequest { + // Required. The resource name of the location associated with the + // [KeyRings][google.cloud.kms.v1.KeyRing], in the format + // `projects/*/locations/*`. + string parent = 1; + + // Required. It must be unique within a location and match the regular + // expression `[a-zA-Z0-9_-]{1,63}` + string key_ring_id = 2; + + // A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field values. + KeyRing key_ring = 3; +} + +// Request message for +// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey]. +message CreateCryptoKeyRequest { + // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing + // associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey]. + string parent = 1; + + // Required. It must be unique within a KeyRing and match the regular + // expression `[a-zA-Z0-9_-]{1,63}` + string crypto_key_id = 2; + + // A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field values. + CryptoKey crypto_key = 3; +} + +// Request message for +// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]. +message CreateCryptoKeyVersionRequest { + // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the + // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. + string parent = 1; + + // A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with initial + // field values. + CryptoKeyVersion crypto_key_version = 2; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey]. +message UpdateCryptoKeyRequest { + // [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values. + CryptoKey crypto_key = 1; + + // Required list of fields to be updated in this request. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion]. +message UpdateCryptoKeyVersionRequest { + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with updated + // values. + CryptoKeyVersion crypto_key_version = 1; + + // Required list of fields to be updated in this request. + google.protobuf.FieldMask update_mask = 2; +} + +// Request message for +// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. +message EncryptRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] or + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // encryption. + // + // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server + // will use its [primary version][google.cloud.kms.v1.CryptoKey.primary]. + string name = 1; + + // Required. The data to encrypt. Must be no larger than 64KiB. + // + // The maximum size depends on the key version's + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. + // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the + // plaintext must be no larger than 64KiB. For + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of + // the plaintext and additional_authenticated_data fields must be no larger + // than 8KiB. + bytes plaintext = 2; + + // Optional data that, if specified, must also be provided during decryption + // through + // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. + // + // The maximum size depends on the key version's + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. + // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD + // must be no larger than 64KiB. For + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of + // the plaintext and additional_authenticated_data fields must be no larger + // than 8KiB. + bytes additional_authenticated_data = 3; +} + +// Request message for +// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. +message DecryptRequest { + // Required. The resource name of the + // [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The + // server will choose the appropriate version. + string name = 1; + + // Required. The encrypted data originally returned in + // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]. + bytes ciphertext = 2; + + // Optional data that must match the data originally supplied in + // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. + bytes additional_authenticated_data = 3; +} + +// Request message for +// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. +message AsymmetricSignRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // signing. + string name = 1; + + // Required. The digest of the data to sign. The digest must be produced with + // the same digest algorithm as specified by the key version's + // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm]. + Digest digest = 3; +} + +// Request message for +// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. +message AsymmetricDecryptRequest { + // Required. The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for + // decryption. + string name = 1; + + // Required. The data encrypted with the named + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using + // OAEP. + bytes ciphertext = 3; +} + +// Response message for +// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. +message DecryptResponse { + // The decrypted data originally supplied in + // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. + bytes plaintext = 1; +} + +// Response message for +// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. +message EncryptResponse { + // The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in + // encryption. + string name = 1; + + // The encrypted data. + bytes ciphertext = 2; +} + +// Response message for +// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign]. +message AsymmetricSignResponse { + // The created signature. + bytes signature = 1; +} + +// Response message for +// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt]. +message AsymmetricDecryptResponse { + // The decrypted data originally encrypted with the matching public key. + bytes plaintext = 1; +} + +// Request message for +// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. +message UpdateCryptoKeyPrimaryVersionRequest { + // The resource name of the [CryptoKey][google.cloud.kms.v1.CryptoKey] to + // update. + string name = 1; + + // The id of the child + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary. + string crypto_key_version_id = 2; +} + +// Request message for +// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. +message DestroyCryptoKeyVersionRequest { + // The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy. + string name = 1; +} + +// Request message for +// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. +message RestoreCryptoKeyVersionRequest { + // The resource name of the + // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore. + string name = 1; +} + +// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest. +message Digest { + // Required. The message digest. + oneof digest { + // A message digest produced with the SHA-256 algorithm. + bytes sha256 = 1; + + // A message digest produced with the SHA-384 algorithm. + bytes sha384 = 2; + + // A message digest produced with the SHA-512 algorithm. + bytes sha512 = 3; + } +} + +// Cloud KMS metadata for the given +// [google.cloud.location.Location][google.cloud.location.Location]. +message LocationMetadata { + // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with + // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] + // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this + // location. + bool hsm_available = 1; +} |