diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto
index de8669dbf3d..c179d4a6c35 100644
--- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto
+++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -85,7 +85,8 @@ service EkmService {
}
}
-// Request message for [KeyManagementService.ListEkmConnections][].
+// Request message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
message ListEkmConnectionsRequest {
// Required. The resource name of the location associated with the
// [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
@@ -123,7 +124,8 @@ message ListEkmConnectionsRequest {
string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}
-// Response message for [KeyManagementService.ListEkmConnections][].
+// Response message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
message ListEkmConnectionsResponse {
// The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
repeated EkmConnection ekm_connections = 1;
@@ -138,7 +140,8 @@ message ListEkmConnectionsResponse {
int32 total_size = 3;
}
-// Request message for [KeyManagementService.GetEkmConnection][].
+// Request message for
+// [EkmService.GetEkmConnection][google.cloud.kms.v1.EkmService.GetEkmConnection].
message GetEkmConnectionRequest {
// Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
// [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
@@ -150,7 +153,8 @@ message GetEkmConnectionRequest {
];
}
-// Request message for [KeyManagementService.CreateEkmConnection][].
+// Request message for
+// [EkmService.CreateEkmConnection][google.cloud.kms.v1.EkmService.CreateEkmConnection].
message CreateEkmConnectionRequest {
// Required. The resource name of the location associated with the
// [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
@@ -171,7 +175,8 @@ message CreateEkmConnectionRequest {
EkmConnection ekm_connection = 3 [(google.api.field_behavior) = REQUIRED];
}
-// Request message for [KeyManagementService.UpdateEkmConnection][].
+// Request message for
+// [EkmService.UpdateEkmConnection][google.cloud.kms.v1.EkmService.UpdateEkmConnection].
message UpdateEkmConnectionRequest {
// Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
// values.
@@ -263,7 +268,8 @@ message EkmConnection {
string hostname = 3 [(google.api.field_behavior) = REQUIRED];
// Required. A list of leaf server certificates used to authenticate HTTPS
- // connections to the EKM replica.
+ // connections to the EKM replica. Currently, a maximum of 10
+ // [Certificate][google.cloud.kms.v1.Certificate] is supported.
repeated Certificate server_certificates = 4
[(google.api.field_behavior) = REQUIRED];
}
@@ -286,8 +292,7 @@ message EkmConnection {
// supported.
repeated ServiceResolver service_resolvers = 3;
- // This checksum is computed by the server based on the value of other fields,
- // and may be sent on update requests to ensure the client has an up-to-date
- // value before proceeding.
- string etag = 5;
+ // Optional. Etag of the currently stored
+ // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ string etag = 5 [(google.api.field_behavior) = OPTIONAL];
}
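Review bot: The rewritten comment on `etag = 5` drops the only explanation of what the field is for. The removed text said the value is computed by the server and may be sent on update requests to confirm the client holds an up-to-date value. For a resource that carries EKM hostnames and server certificates, that concurrency guard is worth keeping visible so that callers use it when rotating certificates. I would keep the new first sentence and append `// Computed by the server; may be sent on update requests to ensure the client has an up-to-date value before proceeding.` The `EkmConnection` message body starts outside the hunk.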
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
index 5029f3e0348..fa89122c8a0 100644
--- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
+++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -235,6 +235,9 @@ message KeyOperationAttestation {
// Cavium HSM attestation compressed with gzip. Note that this format is
// defined by Cavium and subject to change at any time.
+ //
+ // See
+ // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
CAVIUM_V1_COMPRESSED = 3;
// Cavium HSM attestation V2 compressed with gzip. This is a new format
@@ -403,6 +406,18 @@ message CryptoKeyVersion {
// HMAC-SHA256 signing with a 256 bit key.
HMAC_SHA256 = 32;
+ // HMAC-SHA1 signing with a 160 bit key.
+ HMAC_SHA1 = 33;
+
+ // HMAC-SHA384 signing with a 384 bit key.
+ HMAC_SHA384 = 34;
+
+ // HMAC-SHA512 signing with a 512 bit key.
+ HMAC_SHA512 = 35;
+
+ // HMAC-SHA224 signing with a 224 bit key.
+ HMAC_SHA224 = 36;
+
// Algorithm representing symmetric encryption by an external key manager.
EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
}
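Review bot: The comment on `HMAC_SHA1 = 33` gives no guidance on when a SHA-1 based MAC is an appropriate choice, even though it sits beside SHA-256, SHA-384 and SHA-512 variants. HMAC-SHA1 is not broken by the known SHA-1 collision attacks, but many compliance baselines restrict SHA-1 and new keys would normally use SHA-256 or larger. If the value exists for interoperability with existing systems (the hunk does not say), state that, e.g. `// HMAC-SHA1 signing with a 160 bit key. Provided for interoperability; prefer HMAC_SHA256 or stronger for new keys.` The enum body starts outside the hunk.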
@@ -676,6 +691,34 @@ message ImportJob {
// [RSA AES key wrap
// mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
RSA_OAEP_4096_SHA1_AES_256 = 2;
+
+ // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ // scheme defined in the PKCS #11 standard. In summary, this involves
+ // wrapping the raw key with an ephemeral AES key, and wrapping the
+ // ephemeral AES key with a 3072 bit RSA key. For more details, see
+ // [RSA AES key wrap
+ // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_3072_SHA256_AES_256 = 3;
+
+ // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ // scheme defined in the PKCS #11 standard. In summary, this involves
+ // wrapping the raw key with an ephemeral AES key, and wrapping the
+ // ephemeral AES key with a 4096 bit RSA key. For more details, see
+ // [RSA AES key wrap
+ // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_4096_SHA256_AES_256 = 4;
+
+ // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
+ // key material to be imported is wrapped directly with the RSA key. Due
+ // to technical limitations of RSA wrapping, this method cannot be used to
+ // wrap RSA keys for import.
+ RSA_OAEP_3072_SHA256 = 5;
+
+ // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
+ // key material to be imported is wrapped directly with the RSA key. Due
+ // to technical limitations of RSA wrapping, this method cannot be used to
+ // wrap RSA keys for import.
+ RSA_OAEP_4096_SHA256 = 6;
}
// The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if
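Review bot: The comments on `RSA_OAEP_3072_SHA256_AES_256 = 3` and `RSA_OAEP_4096_SHA256_AES_256 = 4` are word-for-word copies of the SHA-1 variants, so the hash is conveyed only by the identifier. Someone implementing the wrapping needs the OAEP hash stated, presumably `// ephemeral AES key with a 3072 bit RSA key using RSAES-OAEP with SHA-256.` and the 4096 bit equivalent. For `RSA_OAEP_3072_SHA256` and `RSA_OAEP_4096_SHA256`, "technical limitations of RSA wrapping" is vague. The underlying reason is that an RSAES-OAEP message must be shorter than the RSA modulus, which could be said directly: `// An RSAES-OAEP message must be shorter than the RSA modulus, so this method cannot be used to wrap RSA keys for import.` The `ImportMethod` enum starts outside the hunk.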
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
index 565678da32c..938f1e2550e 100644
--- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
+++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -797,33 +797,56 @@ message ImportCryptoKeyVersionRequest {
// material.
string import_job = 4 [(google.api.field_behavior) = REQUIRED];
- // Required. The incoming wrapped key material that is to be imported.
+ // Optional. The wrapped key material to import.
+ //
+ // Before wrapping, key material must be formatted. If importing symmetric key
+ // material, the expected key material format is plain bytes. If importing
+ // asymmetric key material, the expected key material format is PKCS#8-encoded
+ // DER (the PrivateKeyInfo structure from RFC 5208).
+ //
+ // When wrapping with import methods
+ // ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+ // or
+ // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+ // or
+ // [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+ // or
+ // [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+ //
+ // this field must contain the concatenation of:
+ //
+ // - An ephemeral AES-256 wrapping key wrapped with the
+ // [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+ // RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+ // label.
+ //
+ // - The formatted key to be imported, wrapped with the ephemeral AES-256
+ // key using AES-KWP (RFC 5649).
+ //
+ //
+ //
+ // This format is the same as the format produced by PKCS#11 mechanism
+ // CKM_RSA_AES_KEY_WRAP.
+ //
+ // When wrapping with import methods
+ // ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+ // or
+ // [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+ //
+ // this field must contain the formatted key to be imported, wrapped with the
+ // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+ // with SHA-256, MGF1 with SHA-256, and an empty label.
+ bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL];
+
+ // This field is legacy. Use the field
+ // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]
+ // instead.
oneof wrapped_key_material {
- // Wrapped key material produced with
- // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
- // or
- // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
- //
- // This field contains the concatenation of two wrapped keys:
- //
- // - An ephemeral AES-256 wrapping key wrapped with the
- // [public_key][google.cloud.kms.v1.ImportJob.public_key] using
- // RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
- // empty label.
- //
- // - The key to be imported, wrapped with the ephemeral AES-256 key
- // using AES-KWP (RFC 5649).
- //
- //
- //
- // If importing symmetric key material, it is expected that the unwrapped
- // key contains plain bytes. If importing asymmetric key material, it is
- // expected that the unwrapped key is in PKCS#8-encoded DER format (the
- // PrivateKeyInfo structure from RFC 5208).
- //
- // This format is the same as the format produced by PKCS#11 mechanism
- // CKM_RSA_AES_KEY_WRAP.
- bytes rsa_aes_wrapped_key = 5;
+ // Optional. This field has the same meaning as
+ // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+ // Prefer to use that field in new work. Either that field or this field
+ // (but not both) must be specified.
+ bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL];
}
}
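Review bot: The rule that exactly one of `wrapped_key` and `rsa_aes_wrapped_key` must be set is stated only on the legacy field, and the schema no longer expresses it because `wrapped_key = 8` sits outside the `wrapped_key_material` oneof; a request carrying both or neither still parses cleanly, so the check presumably lives on the server. Repeat the rule on the new field, e.g. `// Either this field or rsa_aes_wrapped_key (but not both) must be specified.` The bullet `RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256` also leaves open which hash goes with which import method and whether OAEP and MGF1 must use the same one; assuming the hash follows the method name, `RSAES-OAEP and MGF1 with the hash named by the import method (SHA-1 or SHA-256), and an empty label` would remove the guesswork for anyone implementing the wrapping. The message body starts outside the hunk.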
@@ -935,7 +958,9 @@ message EncryptRequest {
//
// The maximum size depends on the key version's
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
- // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+ // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+ // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+ // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
// plaintext must be no larger than 64KiB. For
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
// the plaintext and additional_authenticated_data fields must be no larger
@@ -948,8 +973,10 @@ message EncryptRequest {
//
// The maximum size depends on the key version's
// [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
- // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD
- // must be no larger than 64KiB. For
+ // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+ // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+ // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+ // AAD must be no larger than 64KiB. For
// [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
// the plaintext and additional_authenticated_data fields must be no larger
// than 8KiB.
diff --git a/packages/google-cloud-kms/protos/protos.d.ts b/packages/google-cloud-kms/protos/protos.d.ts
index 6b1a2b361e7..ae793a2ee75 100644
--- a/packages/google-cloud-kms/protos/protos.d.ts
+++ b/packages/google-cloud-kms/protos/protos.d.ts
@@ -1860,6 +1860,10 @@ export namespace google {
EC_SIGN_P384_SHA384 = 13,
EC_SIGN_SECP256K1_SHA256 = 31,
HMAC_SHA256 = 32,
+ HMAC_SHA1 = 33,
+ HMAC_SHA384 = 34,
+ HMAC_SHA512 = 35,
+ HMAC_SHA224 = 36,
EXTERNAL_SYMMETRIC_ENCRYPTION = 18
}
@@ -2160,7 +2164,11 @@ export namespace google {
enum ImportMethod {
IMPORT_METHOD_UNSPECIFIED = 0,
RSA_OAEP_3072_SHA1_AES_256 = 1,
- RSA_OAEP_4096_SHA1_AES_256 = 2
+ RSA_OAEP_4096_SHA1_AES_256 = 2,
+ RSA_OAEP_3072_SHA256_AES_256 = 3,
+ RSA_OAEP_4096_SHA256_AES_256 = 4,
+ RSA_OAEP_3072_SHA256 = 5,
+ RSA_OAEP_4096_SHA256 = 6
}
/** ImportJobState enum. */
@@ -4710,6 +4718,9 @@ export namespace google {
/** ImportCryptoKeyVersionRequest importJob */
importJob?: (string|null);
+ /** ImportCryptoKeyVersionRequest wrappedKey */
+ wrappedKey?: (Uint8Array|string|null);
+
/** ImportCryptoKeyVersionRequest rsaAesWrappedKey */
rsaAesWrappedKey?: (Uint8Array|string|null);
}
@@ -4735,6 +4746,9 @@ export namespace google {
/** ImportCryptoKeyVersionRequest importJob. */
public importJob: string;
+ /** ImportCryptoKeyVersionRequest wrappedKey. */
+ public wrappedKey: (Uint8Array|string);
+
/** ImportCryptoKeyVersionRequest rsaAesWrappedKey. */
public rsaAesWrappedKey?: (Uint8Array|string|null);
diff --git a/packages/google-cloud-kms/protos/protos.js b/packages/google-cloud-kms/protos/protos.js
index 0bf83f9066c..a2fc64162af 100644
--- a/packages/google-cloud-kms/protos/protos.js
+++ b/packages/google-cloud-kms/protos/protos.js
@@ -3506,6 +3506,10 @@
case 13:
case 31:
case 32:
+ case 33:
+ case 34:
+ case 35:
+ case 36:
case 18:
break;
}
@@ -3655,6 +3659,22 @@
case 32:
message.algorithm = 32;
break;
+ case "HMAC_SHA1":
+ case 33:
+ message.algorithm = 33;
+ break;
+ case "HMAC_SHA384":
+ case 34:
+ message.algorithm = 34;
+ break;
+ case "HMAC_SHA512":
+ case 35:
+ message.algorithm = 35;
+ break;
+ case "HMAC_SHA224":
+ case 36:
+ message.algorithm = 36;
+ break;
case "EXTERNAL_SYMMETRIC_ENCRYPTION":
case 18:
message.algorithm = 18;
@@ -4700,6 +4720,10 @@
case 13:
case 31:
case 32:
+ case 33:
+ case 34:
+ case 35:
+ case 36:
case 18:
break;
}
@@ -4935,6 +4959,22 @@
case 32:
message.algorithm = 32;
break;
+ case "HMAC_SHA1":
+ case 33:
+ message.algorithm = 33;
+ break;
+ case "HMAC_SHA384":
+ case 34:
+ message.algorithm = 34;
+ break;
+ case "HMAC_SHA512":
+ case 35:
+ message.algorithm = 35;
+ break;
+ case "HMAC_SHA224":
+ case 36:
+ message.algorithm = 36;
+ break;
case "EXTERNAL_SYMMETRIC_ENCRYPTION":
case 18:
message.algorithm = 18;
@@ -5098,6 +5138,10 @@
* @property {number} EC_SIGN_P384_SHA384=13 EC_SIGN_P384_SHA384 value
* @property {number} EC_SIGN_SECP256K1_SHA256=31 EC_SIGN_SECP256K1_SHA256 value
* @property {number} HMAC_SHA256=32 HMAC_SHA256 value
+ * @property {number} HMAC_SHA1=33 HMAC_SHA1 value
+ * @property {number} HMAC_SHA384=34 HMAC_SHA384 value
+ * @property {number} HMAC_SHA512=35 HMAC_SHA512 value
+ * @property {number} HMAC_SHA224=36 HMAC_SHA224 value
* @property {number} EXTERNAL_SYMMETRIC_ENCRYPTION=18 EXTERNAL_SYMMETRIC_ENCRYPTION value
*/
CryptoKeyVersion.CryptoKeyVersionAlgorithm = (function() {
@@ -5126,6 +5170,10 @@
values[valuesById[13] = "EC_SIGN_P384_SHA384"] = 13;
values[valuesById[31] = "EC_SIGN_SECP256K1_SHA256"] = 31;
values[valuesById[32] = "HMAC_SHA256"] = 32;
+ values[valuesById[33] = "HMAC_SHA1"] = 33;
+ values[valuesById[34] = "HMAC_SHA384"] = 34;
+ values[valuesById[35] = "HMAC_SHA512"] = 35;
+ values[valuesById[36] = "HMAC_SHA224"] = 36;
values[valuesById[18] = "EXTERNAL_SYMMETRIC_ENCRYPTION"] = 18;
return values;
})();
@@ -5395,6 +5443,10 @@
case 13:
case 31:
case 32:
+ case 33:
+ case 34:
+ case 35:
+ case 36:
case 18:
break;
}
@@ -5537,6 +5589,22 @@
case 32:
message.algorithm = 32;
break;
+ case "HMAC_SHA1":
+ case 33:
+ message.algorithm = 33;
+ break;
+ case "HMAC_SHA384":
+ case 34:
+ message.algorithm = 34;
+ break;
+ case "HMAC_SHA512":
+ case 35:
+ message.algorithm = 35;
+ break;
+ case "HMAC_SHA224":
+ case 36:
+ message.algorithm = 36;
+ break;
case "EXTERNAL_SYMMETRIC_ENCRYPTION":
case 18:
message.algorithm = 18;
@@ -5918,6 +5986,10 @@
case 0:
case 1:
case 2:
+ case 3:
+ case 4:
+ case 5:
+ case 6:
break;
}
if (message.protectionLevel != null && message.hasOwnProperty("protectionLevel"))
@@ -6007,6 +6079,22 @@
case 2:
message.importMethod = 2;
break;
+ case "RSA_OAEP_3072_SHA256_AES_256":
+ case 3:
+ message.importMethod = 3;
+ break;
+ case "RSA_OAEP_4096_SHA256_AES_256":
+ case 4:
+ message.importMethod = 4;
+ break;
+ case "RSA_OAEP_3072_SHA256":
+ case 5:
+ message.importMethod = 5;
+ break;
+ case "RSA_OAEP_4096_SHA256":
+ case 6:
+ message.importMethod = 6;
+ break;
}
switch (object.protectionLevel) {
default:
@@ -6174,12 +6262,20 @@
* @property {number} IMPORT_METHOD_UNSPECIFIED=0 IMPORT_METHOD_UNSPECIFIED value
* @property {number} RSA_OAEP_3072_SHA1_AES_256=1 RSA_OAEP_3072_SHA1_AES_256 value
* @property {number} RSA_OAEP_4096_SHA1_AES_256=2 RSA_OAEP_4096_SHA1_AES_256 value
+ * @property {number} RSA_OAEP_3072_SHA256_AES_256=3 RSA_OAEP_3072_SHA256_AES_256 value
+ * @property {number} RSA_OAEP_4096_SHA256_AES_256=4 RSA_OAEP_4096_SHA256_AES_256 value
+ * @property {number} RSA_OAEP_3072_SHA256=5 RSA_OAEP_3072_SHA256 value
+ * @property {number} RSA_OAEP_4096_SHA256=6 RSA_OAEP_4096_SHA256 value
*/
ImportJob.ImportMethod = (function() {
var valuesById = {}, values = Object.create(valuesById);
values[valuesById[0] = "IMPORT_METHOD_UNSPECIFIED"] = 0;
values[valuesById[1] = "RSA_OAEP_3072_SHA1_AES_256"] = 1;
values[valuesById[2] = "RSA_OAEP_4096_SHA1_AES_256"] = 2;
+ values[valuesById[3] = "RSA_OAEP_3072_SHA256_AES_256"] = 3;
+ values[valuesById[4] = "RSA_OAEP_4096_SHA256_AES_256"] = 4;
+ values[valuesById[5] = "RSA_OAEP_3072_SHA256"] = 5;
+ values[valuesById[6] = "RSA_OAEP_4096_SHA256"] = 6;
return values;
})();
@@ -11693,6 +11789,7 @@
* @property {string|null} [cryptoKeyVersion] ImportCryptoKeyVersionRequest cryptoKeyVersion
* @property {google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm|null} [algorithm] ImportCryptoKeyVersionRequest algorithm
* @property {string|null} [importJob] ImportCryptoKeyVersionRequest importJob
+ * @property {Uint8Array|null} [wrappedKey] ImportCryptoKeyVersionRequest wrappedKey
* @property {Uint8Array|null} [rsaAesWrappedKey] ImportCryptoKeyVersionRequest rsaAesWrappedKey
*/
@@ -11743,6 +11840,14 @@
*/
ImportCryptoKeyVersionRequest.prototype.importJob = "";
+ /**
+ * ImportCryptoKeyVersionRequest wrappedKey.
+ * @member {Uint8Array} wrappedKey
+ * @memberof google.cloud.kms.v1.ImportCryptoKeyVersionRequest
+ * @instance
+ */
+ ImportCryptoKeyVersionRequest.prototype.wrappedKey = $util.newBuffer([]);
+
/**
* ImportCryptoKeyVersionRequest rsaAesWrappedKey.
* @member {Uint8Array|null|undefined} rsaAesWrappedKey
@@ -11799,6 +11904,8 @@
writer.uint32(/* id 5, wireType 2 =*/42).bytes(message.rsaAesWrappedKey);
if (message.cryptoKeyVersion != null && Object.hasOwnProperty.call(message, "cryptoKeyVersion"))
writer.uint32(/* id 6, wireType 2 =*/50).string(message.cryptoKeyVersion);
+ if (message.wrappedKey != null && Object.hasOwnProperty.call(message, "wrappedKey"))
+ writer.uint32(/* id 8, wireType 2 =*/66).bytes(message.wrappedKey);
return writer;
};
@@ -11849,6 +11956,10 @@
message.importJob = reader.string();
break;
}
+ case 8: {
+ message.wrappedKey = reader.bytes();
+ break;
+ }
case 5: {
message.rsaAesWrappedKey = reader.bytes();
break;
@@ -11923,12 +12034,19 @@
case 13:
case 31:
case 32:
+ case 33:
+ case 34:
+ case 35:
+ case 36:
case 18:
break;
}
if (message.importJob != null && message.hasOwnProperty("importJob"))
if (!$util.isString(message.importJob))
return "importJob: string expected";
+ if (message.wrappedKey != null && message.hasOwnProperty("wrappedKey"))
+ if (!(message.wrappedKey && typeof message.wrappedKey.length === "number" || $util.isString(message.wrappedKey)))
+ return "wrappedKey: buffer expected";
if (message.rsaAesWrappedKey != null && message.hasOwnProperty("rsaAesWrappedKey")) {
properties.wrappedKeyMaterial = 1;
if (!(message.rsaAesWrappedKey && typeof message.rsaAesWrappedKey.length === "number" || $util.isString(message.rsaAesWrappedKey)))
@@ -12056,6 +12174,22 @@
case 32:
message.algorithm = 32;
break;
+ case "HMAC_SHA1":
+ case 33:
+ message.algorithm = 33;
+ break;
+ case "HMAC_SHA384":
+ case 34:
+ message.algorithm = 34;
+ break;
+ case "HMAC_SHA512":
+ case 35:
+ message.algorithm = 35;
+ break;
+ case "HMAC_SHA224":
+ case 36:
+ message.algorithm = 36;
+ break;
case "EXTERNAL_SYMMETRIC_ENCRYPTION":
case 18:
message.algorithm = 18;
@@ -12063,6 +12197,11 @@
}
if (object.importJob != null)
message.importJob = String(object.importJob);
+ if (object.wrappedKey != null)
+ if (typeof object.wrappedKey === "string")
+ $util.base64.decode(object.wrappedKey, message.wrappedKey = $util.newBuffer($util.base64.length(object.wrappedKey)), 0);
+ else if (object.wrappedKey.length >= 0)
+ message.wrappedKey = object.wrappedKey;
if (object.rsaAesWrappedKey != null)
if (typeof object.rsaAesWrappedKey === "string")
$util.base64.decode(object.rsaAesWrappedKey, message.rsaAesWrappedKey = $util.newBuffer($util.base64.length(object.rsaAesWrappedKey)), 0);
@@ -12089,6 +12228,13 @@
object.algorithm = options.enums === String ? "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED" : 0;
object.importJob = "";
object.cryptoKeyVersion = "";
+ if (options.bytes === String)
+ object.wrappedKey = "";
+ else {
+ object.wrappedKey = [];
+ if (options.bytes !== Array)
+ object.wrappedKey = $util.newBuffer(object.wrappedKey);
+ }
}
if (message.parent != null && message.hasOwnProperty("parent"))
object.parent = message.parent;
@@ -12103,6 +12249,8 @@
}
if (message.cryptoKeyVersion != null && message.hasOwnProperty("cryptoKeyVersion"))
object.cryptoKeyVersion = message.cryptoKeyVersion;
+ if (message.wrappedKey != null && message.hasOwnProperty("wrappedKey"))
+ object.wrappedKey = options.bytes === String ? $util.base64.encode(message.wrappedKey, 0, message.wrappedKey.length) : options.bytes === Array ? Array.prototype.slice.call(message.wrappedKey) : message.wrappedKey;
return object;
};
diff --git a/packages/google-cloud-kms/protos/protos.json b/packages/google-cloud-kms/protos/protos.json
index f9ebdff52ea..b532f93ffe5 100644
--- a/packages/google-cloud-kms/protos/protos.json
+++ b/packages/google-cloud-kms/protos/protos.json
@@ -311,7 +311,10 @@
},
"etag": {
"type": "string",
- "id": 5
+ "id": 5,
+ "options": {
+ "(google.api.field_behavior)": "OPTIONAL"
+ }
}
},
"nested": {
@@ -660,6 +663,10 @@
"EC_SIGN_P384_SHA384": 13,
"EC_SIGN_SECP256K1_SHA256": 31,
"HMAC_SHA256": 32,
+ "HMAC_SHA1": 33,
+ "HMAC_SHA384": 34,
+ "HMAC_SHA512": 35,
+ "HMAC_SHA224": 36,
"EXTERNAL_SYMMETRIC_ENCRYPTION": 18
}
},
@@ -793,7 +800,11 @@
"values": {
"IMPORT_METHOD_UNSPECIFIED": 0,
"RSA_OAEP_3072_SHA1_AES_256": 1,
- "RSA_OAEP_4096_SHA1_AES_256": 2
+ "RSA_OAEP_4096_SHA1_AES_256": 2,
+ "RSA_OAEP_3072_SHA256_AES_256": 3,
+ "RSA_OAEP_4096_SHA256_AES_256": 4,
+ "RSA_OAEP_3072_SHA256": 5,
+ "RSA_OAEP_4096_SHA256": 6
}
},
"ImportJobState": {
@@ -1751,9 +1762,19 @@
"(google.api.field_behavior)": "REQUIRED"
}
},
+ "wrappedKey": {
+ "type": "bytes",
+ "id": 8,
+ "options": {
+ "(google.api.field_behavior)": "OPTIONAL"
+ }
+ },
"rsaAesWrappedKey": {
"type": "bytes",
- "id": 5
+ "id": 5,
+ "options": {
+ "(google.api.field_behavior)": "OPTIONAL"
+ }
}
}
},
diff --git a/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js b/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js
index b3a69376f2b..d2ef7f91727 100644
--- a/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js
+++ b/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js
@@ -41,7 +41,9 @@ function main(name, plaintext) {
* Required. The data to encrypt. Must be no larger than 64KiB.
* The maximum size depends on the key version's
* protection_level google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level.
- * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE keys, the
+ * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE,
+ * EXTERNAL google.cloud.kms.v1.ProtectionLevel.EXTERNAL, and
+ * EXTERNAL_VPC google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC keys, the
* plaintext must be no larger than 64KiB. For
* HSM google.cloud.kms.v1.ProtectionLevel.HSM keys, the combined length of
* the plaintext and additional_authenticated_data fields must be no larger
@@ -54,8 +56,10 @@ function main(name, plaintext) {
* DecryptRequest.additional_authenticated_data google.cloud.kms.v1.DecryptRequest.additional_authenticated_data.
* The maximum size depends on the key version's
* protection_level google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level.
- * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE keys, the AAD
- * must be no larger than 64KiB. For
+ * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE,
+ * EXTERNAL google.cloud.kms.v1.ProtectionLevel.EXTERNAL, and
+ * EXTERNAL_VPC google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC keys the
+ * AAD must be no larger than 64KiB. For
* HSM google.cloud.kms.v1.ProtectionLevel.HSM keys, the combined length of
* the plaintext and additional_authenticated_data fields must be no larger
* than 8KiB.
diff --git a/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js b/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js
index 9aa2b37b0b8..cf94f199960 100644
--- a/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js
+++ b/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js
@@ -72,27 +72,46 @@ function main(parent, algorithm, importJob) {
*/
// const importJob = 'abc123'
/**
- * Wrapped key material produced with
- * RSA_OAEP_3072_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
+ * Optional. The wrapped key material to import.
+ * Before wrapping, key material must be formatted. If importing symmetric key
+ * material, the expected key material format is plain bytes. If importing
+ * asymmetric key material, the expected key material format is PKCS#8-encoded
+ * DER (the PrivateKeyInfo structure from RFC 5208).
+ * When wrapping with import methods
+ * (RSA_OAEP_3072_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256
* or
- * RSA_OAEP_4096_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256.
- * This field contains the concatenation of two wrapped keys:
+ * RSA_OAEP_4096_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256
+ * or
+ * RSA_OAEP_3072_SHA256_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256
+ * or
+ * RSA_OAEP_4096_SHA256_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256),
+ * this field must contain the concatenation of:
*
* - An ephemeral AES-256 wrapping key wrapped with the
* public_key google.cloud.kms.v1.ImportJob.public_key using
- * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
- * empty label.
+ * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+ * label.
*
- * - The key to be imported, wrapped with the ephemeral AES-256 key
- * using AES-KWP (RFC 5649).
+ *
- The formatted key to be imported, wrapped with the ephemeral AES-256
+ * key using AES-KWP (RFC 5649).
*
*
- * If importing symmetric key material, it is expected that the unwrapped
- * key contains plain bytes. If importing asymmetric key material, it is
- * expected that the unwrapped key is in PKCS#8-encoded DER format (the
- * PrivateKeyInfo structure from RFC 5208).
* This format is the same as the format produced by PKCS#11 mechanism
* CKM_RSA_AES_KEY_WRAP.
+ * When wrapping with import methods
+ * (RSA_OAEP_3072_SHA256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256
+ * or
+ * RSA_OAEP_4096_SHA256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256),
+ * this field must contain the formatted key to be imported, wrapped with the
+ * public_key google.cloud.kms.v1.ImportJob.public_key using RSAES-OAEP
+ * with SHA-256, MGF1 with SHA-256, and an empty label.
+ */
+ // const wrappedKey = 'Buffer.from('string')'
+ /**
+ * Optional. This field has the same meaning as
+ * wrapped_key google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key.
+ * Prefer to use that field in new work. Either that field or this field
+ * (but not both) must be specified.
*/
// const rsaAesWrappedKey = 'Buffer.from('string')'
diff --git a/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json b/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json
index f243bc07aa5..e09dfdc8809 100644
--- a/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json
+++ b/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json
@@ -786,7 +786,7 @@
"segments": [
{
"start": 25,
- "end": 118,
+ "end": 137,
"type": "FULL"
}
],
@@ -811,6 +811,10 @@
"name": "import_job",
"type": "TYPE_STRING"
},
+ {
+ "name": "wrapped_key",
+ "type": "TYPE_BYTES"
+ },
{
"name": "rsa_aes_wrapped_key",
"type": "TYPE_BYTES"
@@ -1102,7 +1106,7 @@
"segments": [
{
"start": 25,
- "end": 127,
+ "end": 131,
"type": "FULL"
}
],
diff --git a/packages/google-cloud-kms/src/v1/key_management_service_client.ts b/packages/google-cloud-kms/src/v1/key_management_service_client.ts
index 6ef11fde1a0..e67b0362b26 100644
--- a/packages/google-cloud-kms/src/v1/key_management_service_client.ts
+++ b/packages/google-cloud-kms/src/v1/key_management_service_client.ts
@@ -1189,31 +1189,51 @@ export class KeyManagementServiceClient {
* Required. The {@link google.cloud.kms.v1.ImportJob.name|name} of the
* {@link google.cloud.kms.v1.ImportJob|ImportJob} that was used to wrap this key
* material.
- * @param {Buffer} request.rsaAesWrappedKey
- * Wrapped key material produced with
- * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256|RSA_OAEP_3072_SHA1_AES_256}
+ * @param {Buffer} [request.wrappedKey]
+ * Optional. The wrapped key material to import.
+ *
+ * Before wrapping, key material must be formatted. If importing symmetric key
+ * material, the expected key material format is plain bytes. If importing
+ * asymmetric key material, the expected key material format is PKCS#8-encoded
+ * DER (the PrivateKeyInfo structure from RFC 5208).
+ *
+ * When wrapping with import methods
+ * ({@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256|RSA_OAEP_3072_SHA1_AES_256}
+ * or
+ * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256|RSA_OAEP_4096_SHA1_AES_256}
+ * or
+ * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256|RSA_OAEP_3072_SHA256_AES_256}
* or
- * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256|RSA_OAEP_4096_SHA1_AES_256}.
+ * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256|RSA_OAEP_4096_SHA256_AES_256}),
*
- * This field contains the concatenation of two wrapped keys:
+ * this field must contain the concatenation of:
*
* - An ephemeral AES-256 wrapping key wrapped with the
* {@link google.cloud.kms.v1.ImportJob.public_key|public_key} using
- * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
- * empty label.
+ * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+ * label.
*
- * - The key to be imported, wrapped with the ephemeral AES-256 key
- * using AES-KWP (RFC 5649).
+ *
- The formatted key to be imported, wrapped with the ephemeral AES-256
+ * key using AES-KWP (RFC 5649).
*
*
*
- * If importing symmetric key material, it is expected that the unwrapped
- * key contains plain bytes. If importing asymmetric key material, it is
- * expected that the unwrapped key is in PKCS#8-encoded DER format (the
- * PrivateKeyInfo structure from RFC 5208).
- *
* This format is the same as the format produced by PKCS#11 mechanism
* CKM_RSA_AES_KEY_WRAP.
+ *
+ * When wrapping with import methods
+ * ({@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256|RSA_OAEP_3072_SHA256}
+ * or
+ * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256|RSA_OAEP_4096_SHA256}),
+ *
+ * this field must contain the formatted key to be imported, wrapped with the
+ * {@link google.cloud.kms.v1.ImportJob.public_key|public_key} using RSAES-OAEP
+ * with SHA-256, MGF1 with SHA-256, and an empty label.
+ * @param {Buffer} [request.rsaAesWrappedKey]
+ * Optional. This field has the same meaning as
+ * {@link google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key|wrapped_key}.
+ * Prefer to use that field in new work. Either that field or this field
+ * (but not both) must be specified.
* @param {object} [options]
* Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details.
* @returns {Promise} - The promise which resolves to an array.
@@ -1942,7 +1962,9 @@ export class KeyManagementServiceClient {
*
* The maximum size depends on the key version's
* {@link google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level|protection_level}.
- * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE} keys, the
+ * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE},
+ * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL|EXTERNAL}, and
+ * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC|EXTERNAL_VPC} keys, the
* plaintext must be no larger than 64KiB. For
* {@link google.cloud.kms.v1.ProtectionLevel.HSM|HSM} keys, the combined length of
* the plaintext and additional_authenticated_data fields must be no larger
@@ -1954,8 +1976,10 @@ export class KeyManagementServiceClient {
*
* The maximum size depends on the key version's
* {@link google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level|protection_level}.
- * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE} keys, the AAD
- * must be no larger than 64KiB. For
+ * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE},
+ * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL|EXTERNAL}, and
+ * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC|EXTERNAL_VPC} keys the
+ * AAD must be no larger than 64KiB. For
* {@link google.cloud.kms.v1.ProtectionLevel.HSM|HSM} keys, the combined length of
* the plaintext and additional_authenticated_data fields must be no larger
* than 8KiB.