google-cloud-kms-v1 0.1.0

Files changed (32)
  1. checksums.yaml +7 -0
  2. data/.yardopts +12 -0
  3. data/AUTHENTICATION.md +169 -0
  4. data/LICENSE.md +203 -0
  5. data/README.md +71 -0
  6. data/lib/google-cloud-kms-v1.rb +21 -0
  7. data/lib/google/cloud/kms/v1.rb +36 -0
  8. data/lib/google/cloud/kms/v1/iam_policy.rb +72 -0
  9. data/lib/google/cloud/kms/v1/iam_policy/client.rb +557 -0
  10. data/lib/google/cloud/kms/v1/iam_policy/credentials.rb +52 -0
  11. data/lib/google/cloud/kms/v1/key_management_service.rb +60 -0
  12. data/lib/google/cloud/kms/v1/key_management_service/client.rb +2393 -0
  13. data/lib/google/cloud/kms/v1/key_management_service/credentials.rb +52 -0
  14. data/lib/google/cloud/kms/v1/key_management_service/paths.rb +134 -0
  15. data/lib/google/cloud/kms/v1/resources_pb.rb +162 -0
  16. data/lib/google/cloud/kms/v1/service_pb.rb +210 -0
  17. data/lib/google/cloud/kms/v1/service_services_pb.rb +150 -0
  18. data/lib/google/cloud/kms/v1/version.rb +28 -0
  19. data/lib/google/iam/v1/iam_policy_services_pb.rb +81 -0
  20. data/proto_docs/README.md +4 -0
  21. data/proto_docs/google/api/field_behavior.rb +59 -0
  22. data/proto_docs/google/api/resource.rb +247 -0
  23. data/proto_docs/google/cloud/kms/v1/resources.rb +580 -0
  24. data/proto_docs/google/cloud/kms/v1/service.rb +594 -0
  25. data/proto_docs/google/iam/v1/iam_policy.rb +80 -0
  26. data/proto_docs/google/iam/v1/options.rb +40 -0
  27. data/proto_docs/google/iam/v1/policy.rb +248 -0
  28. data/proto_docs/google/protobuf/duration.rb +98 -0
  29. data/proto_docs/google/protobuf/field_mask.rb +229 -0
  30. data/proto_docs/google/protobuf/timestamp.rb +120 -0
  31. data/proto_docs/google/type/expr.rb +52 -0
  32. metadata +205 -0
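--- a/data/proto_docs/google/cloud/kms/v1/resources.rb
+++ b/data/proto_docs/google/cloud/kms/v1/resources.rb
@@ -0,0 +1,580 @@
+ # frozen_string_literal: true
+
+ # Copyright 2020 Google LLC
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # https://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+ module Google
+ module Cloud
+ module Kms
+ module V1
+ # A {Google::Cloud::Kms::V1::KeyRing KeyRing} is a toplevel logical grouping of {Google::Cloud::Kms::V1::CryptoKey CryptoKeys}.
+ # @!attribute [r] name
+ # @return [String]
+ # Output only. The resource name for the {Google::Cloud::Kms::V1::KeyRing KeyRing} in the format
+ # `projects/*/locations/*/keyRings/*`.
+ # @!attribute [r] create_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::KeyRing KeyRing} was created.
+ class KeyRing
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} represents a logical key that can be used for cryptographic
+ # operations.
+ #
+ # A {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is made up of one or more {Google::Cloud::Kms::V1::CryptoKeyVersion versions}, which
+ # represent the actual key material used in cryptographic operations.
+ # @!attribute [r] name
+ # @return [String]
+ # Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+ # @!attribute [r] primary
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersion]
+ # Output only. A copy of the "primary" {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that will be used
+ # by {Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} when this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} is given
+ # in {Google::Cloud::Kms::V1::EncryptRequest#name EncryptRequest.name}.
+ #
+ # The {Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}.
+ #
+ # Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} may have a
+ # primary. For other keys, this field will be omitted.
+ # @!attribute [rw] purpose
+ # @return [Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
+ # Immutable. The immutable purpose of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
+ # @!attribute [r] create_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
+ # @!attribute [rw] next_rotation_time
+ # @return [Google::Protobuf::Timestamp]
+ # At {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}, the Key Management Service will automatically:
+ #
+ # 1. Create a new version of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
+ # 2. Mark the new version as primary.
+ #
+ # Key rotations performed manually via
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#update_crypto_key_primary_version UpdateCryptoKeyPrimaryVersion}
+ # do not affect {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
+ #
+ # Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+ # automatic rotation. For other keys, this field must be omitted.
+ # @!attribute [rw] rotation_period
+ # @return [Google::Protobuf::Duration]
+ # {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
+ # automatically rotates a key. Must be at least 24 hours and at most
+ # 876,000 hours.
+ #
+ # If {Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
+ #
+ # Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+ # automatic rotation. For other keys, this field must be omitted.
+ # @!attribute [rw] version_template
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
+ # A template describing settings for new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
+ # The properties of new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
+ # auto-rotation are controlled by this template.
+ # @!attribute [rw] labels
+ # @return [Google::Protobuf::Map{String => String}]
+ # Labels with user-defined metadata. For more information, see
+ # [Labeling Keys](/kms/docs/labeling-keys).
+ class CryptoKey
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+
+ # @!attribute [rw] key
+ # @return [String]
+ # @!attribute [rw] value
+ # @return [String]
+ class LabelsEntry
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
+ # {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
+ # its purpose. For more information, see
+ # [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
+ module CryptoKeyPurpose
+ # Not specified.
+ CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
+
+ # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#encrypt Encrypt} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#decrypt Decrypt}.
+ ENCRYPT_DECRYPT = 1
+
+ # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_sign AsymmetricSign} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
+ ASYMMETRIC_SIGN = 5
+
+ # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#asymmetric_decrypt AsymmetricDecrypt} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
+ ASYMMETRIC_DECRYPT = 6
+ end
+ end
+
+ # A {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
+ # a new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion} or
+ # automatically as a result of auto-rotation.
+ # @!attribute [rw] protection_level
+ # @return [Google::Cloud::Kms::V1::ProtectionLevel]
+ # {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
+ # this template. Immutable. Defaults to {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
+ # @!attribute [rw] algorithm
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+ # Required. {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
+ # when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
+ #
+ # For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+ # this field is omitted and {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose} is
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
+ class CryptoKeyVersionTemplate
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # Contains an HSM-generated attestation about a key operation. For more
+ # information, see [Verifying attestations]
+ # (https://cloud.google.com/kms/docs/attest-key).
+ # @!attribute [r] format
+ # @return [Google::Cloud::Kms::V1::KeyOperationAttestation::AttestationFormat]
+ # Output only. The format of the attestation data.
+ # @!attribute [r] content
+ # @return [String]
+ # Output only. The attestation data provided by the HSM when the key
+ # operation was performed.
+ class KeyOperationAttestation
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+
+ # Attestation formats provided by the HSM.
+ module AttestationFormat
+ # Not specified.
+ ATTESTATION_FORMAT_UNSPECIFIED = 0
+
+ # Cavium HSM attestation compressed with gzip. Note that this format is
+ # defined by Cavium and subject to change at any time.
+ CAVIUM_V1_COMPRESSED = 3
+
+ # Cavium HSM attestation V2 compressed with gzip. This is a new format
+ # introduced in Cavium's version 3.2-08.
+ CAVIUM_V2_COMPRESSED = 4
+ end
+ end
+
+ # A {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
+ # associated key material.
+ #
+ # An {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
+ # used for cryptographic operations.
+ #
+ # For security reasons, the raw cryptographic key material represented by a
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
+ # encrypt, decrypt, or sign data when an authorized user or application invokes
+ # Cloud KMS.
+ # @!attribute [r] name
+ # @return [String]
+ # Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
+ # `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+ # @!attribute [rw] state
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
+ # The current state of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+ # @!attribute [r] protection_level
+ # @return [Google::Cloud::Kms::V1::ProtectionLevel]
+ # Output only. The {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
+ # performed with this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+ # @!attribute [r] algorithm
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+ # Output only. The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
+ # @!attribute [r] attestation
+ # @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
+ # Output only. Statement that was generated and signed by the HSM at key
+ # creation time. Use this statement to verify attributes of the key as stored
+ # on the HSM, independently of Google. Only provided for key versions with
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+ # @!attribute [r] create_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
+ # @!attribute [r] generate_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
+ # generated.
+ # @!attribute [r] destroy_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
+ # for destruction. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}.
+ # @!attribute [r] destroy_event_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time this CryptoKeyVersion's key material was
+ # destroyed. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
+ # @!attribute [r] import_job
+ # @return [String]
+ # Output only. The name of the {Google::Cloud::Kms::V1::ImportJob ImportJob} used to import this
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Only present if the underlying key material was
+ # imported.
+ # @!attribute [r] import_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material
+ # was imported.
+ # @!attribute [r] import_failure_reason
+ # @return [String]
+ # Output only. The root cause of an import failure. Only present if
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::IMPORT_FAILED IMPORT_FAILED}.
+ # @!attribute [rw] external_protection_level_options
+ # @return [Google::Cloud::Kms::V1::ExternalProtectionLevelOptions]
+ # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
+ # {Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
+ class CryptoKeyVersion
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+
+ # The algorithm of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
+ # parameters must be used for each cryptographic operation.
+ #
+ # The
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
+ # algorithm is usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
+ #
+ # Algorithms beginning with "RSA_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
+ #
+ # The fields in the name after "RSA_SIGN_" correspond to the following
+ # parameters: padding algorithm, modulus bit length, and digest algorithm.
+ #
+ # For PSS, the salt length used is equal to the length of digest
+ # algorithm. For example,
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::RSA_SIGN_PSS_2048_SHA256 RSA_SIGN_PSS_2048_SHA256}
+ # will use PSS with a salt length of 256 bits or 32 bytes.
+ #
+ # Algorithms beginning with "RSA_DECRYPT_" are usable with
+ # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_DECRYPT ASYMMETRIC_DECRYPT}.
+ #
+ # The fields in the name after "RSA_DECRYPT_" correspond to the following
+ # parameters: padding algorithm, modulus bit length, and digest algorithm.
+ #
+ # Algorithms beginning with "EC_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey.purpose}
+ # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
+ #
+ # The fields in the name after "EC_SIGN_" correspond to the following
+ # parameters: elliptic curve, digest algorithm.
+ #
+ # For more information, see [Key purposes and algorithms]
+ # (https://cloud.google.com/kms/docs/algorithms).
+ module CryptoKeyVersionAlgorithm
+ # Not specified.
+ CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
+
+ # Creates symmetric encryption keys.
+ GOOGLE_SYMMETRIC_ENCRYPTION = 1
+
+ # RSASSA-PSS 2048 bit key with a SHA256 digest.
+ RSA_SIGN_PSS_2048_SHA256 = 2
+
+ # RSASSA-PSS 3072 bit key with a SHA256 digest.
+ RSA_SIGN_PSS_3072_SHA256 = 3
+
+ # RSASSA-PSS 4096 bit key with a SHA256 digest.
+ RSA_SIGN_PSS_4096_SHA256 = 4
+
+ # RSASSA-PSS 4096 bit key with a SHA512 digest.
+ RSA_SIGN_PSS_4096_SHA512 = 15
+
+ # RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
+ RSA_SIGN_PKCS1_2048_SHA256 = 5
+
+ # RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
+ RSA_SIGN_PKCS1_3072_SHA256 = 6
+
+ # RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
+ RSA_SIGN_PKCS1_4096_SHA256 = 7
+
+ # RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
+ RSA_SIGN_PKCS1_4096_SHA512 = 16
+
+ # RSAES-OAEP 2048 bit key with a SHA256 digest.
+ RSA_DECRYPT_OAEP_2048_SHA256 = 8
+
+ # RSAES-OAEP 3072 bit key with a SHA256 digest.
+ RSA_DECRYPT_OAEP_3072_SHA256 = 9
+
+ # RSAES-OAEP 4096 bit key with a SHA256 digest.
+ RSA_DECRYPT_OAEP_4096_SHA256 = 10
+
+ # RSAES-OAEP 4096 bit key with a SHA512 digest.
+ RSA_DECRYPT_OAEP_4096_SHA512 = 17
+
+ # ECDSA on the NIST P-256 curve with a SHA256 digest.
+ EC_SIGN_P256_SHA256 = 12
+
+ # ECDSA on the NIST P-384 curve with a SHA384 digest.
+ EC_SIGN_P384_SHA384 = 13
+
+ # Algorithm representing symmetric encryption by an external key manager.
+ EXTERNAL_SYMMETRIC_ENCRYPTION = 18
+ end
+
+ # The state of a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
+ module CryptoKeyVersionState
+ # Not specified.
+ CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
+
+ # This version is still being generated. It may not be used, enabled,
+ # disabled, or destroyed yet. Cloud KMS will automatically mark this
+ # version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+ PENDING_GENERATION = 5
+
+ # This version may be used for cryptographic operations.
+ ENABLED = 1
+
+ # This version may not be used, but the key material is still available,
+ # and the version can be placed back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} state.
+ DISABLED = 2
+
+ # This version is destroyed, and the key material is no longer stored.
+ # A version may not leave this state once entered.
+ DESTROYED = 3
+
+ # This version is scheduled for destruction, and will be destroyed soon.
+ # Call
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#restore_crypto_key_version RestoreCryptoKeyVersion}
+ # to put it back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
+ DESTROY_SCHEDULED = 4
+
+ # This version is still being imported. It may not be used, enabled,
+ # disabled, or destroyed yet. Cloud KMS will automatically mark this
+ # version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+ PENDING_IMPORT = 6
+
+ # This version was not imported successfully. It may not be used, enabled,
+ # disabled, or destroyed. The submitted key material has been discarded.
+ # Additional details can be found in
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion#import_failure_reason CryptoKeyVersion.import_failure_reason}.
+ IMPORT_FAILED = 7
+ end
+
+ # A view for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
+ # for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_key_versions KeyManagementService.ListCryptoKeyVersions} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#list_crypto_keys KeyManagementService.ListCryptoKeys}.
+ module CryptoKeyVersionView
+ # Default view for each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
+ # the {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
+ CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
+
+ # Provides all fields in each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
+ FULL = 1
+ end
+ end
+
+ # The public key for a given {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#get_public_key GetPublicKey}.
+ # @!attribute [rw] pem
+ # @return [String]
+ # The public key, encoded in PEM format. For more information, see the
+ # [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+ # [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+ # [Textual Encoding of Subject Public Key Info]
+ # (https://tools.ietf.org/html/rfc7468#section-13).
+ # @!attribute [rw] algorithm
+ # @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+ # The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
+ # with this key.
+ class PublicKey
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # An {Google::Cloud::Kms::V1::ImportJob ImportJob} can be used to create {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} and
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} using pre-existing key material,
+ # generated outside of Cloud KMS.
+ #
+ # When an {Google::Cloud::Kms::V1::ImportJob ImportJob} is created, Cloud KMS will generate a "wrapping key",
+ # which is a public/private key pair. You use the wrapping key to encrypt (also
+ # known as wrap) the pre-existing key material to protect it during the import
+ # process. The nature of the wrapping key depends on the choice of
+ # {Google::Cloud::Kms::V1::ImportJob#import_method import_method}. When the wrapping key generation
+ # is complete, the {Google::Cloud::Kms::V1::ImportJob#state state} will be set to
+ # {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} and the {Google::Cloud::Kms::V1::ImportJob#public_key public_key}
+ # can be fetched. The fetched public key can then be used to wrap your
+ # pre-existing key material.
+ #
+ # Once the key material is wrapped, it can be imported into a new
+ # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in an existing {Google::Cloud::Kms::V1::CryptoKey CryptoKey} by calling
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#import_crypto_key_version ImportCryptoKeyVersion}.
+ # Multiple {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} can be imported with a single
+ # {Google::Cloud::Kms::V1::ImportJob ImportJob}. Cloud KMS uses the private key portion of the wrapping key to
+ # unwrap the key material. Only Cloud KMS has access to the private key.
+ #
+ # An {Google::Cloud::Kms::V1::ImportJob ImportJob} expires 3 days after it is created. Once expired, Cloud KMS
+ # will no longer be able to import or unwrap any key material that was wrapped
+ # with the {Google::Cloud::Kms::V1::ImportJob ImportJob}'s public key.
+ #
+ # For more information, see
+ # [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
+ # @!attribute [r] name
+ # @return [String]
+ # Output only. The resource name for this {Google::Cloud::Kms::V1::ImportJob ImportJob} in the format
+ # `projects/*/locations/*/keyRings/*/importJobs/*`.
+ # @!attribute [rw] import_method
+ # @return [Google::Cloud::Kms::V1::ImportJob::ImportMethod]
+ # Required. Immutable. The wrapping method to be used for incoming key material.
+ # @!attribute [rw] protection_level
+ # @return [Google::Cloud::Kms::V1::ProtectionLevel]
+ # Required. Immutable. The protection level of the {Google::Cloud::Kms::V1::ImportJob ImportJob}. This must match the
+ # {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level} of the
+ # {Google::Cloud::Kms::V1::CryptoKey#version_template version_template} on the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} you
+ # attempt to import into.
+ # @!attribute [r] create_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} was created.
+ # @!attribute [r] generate_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob}'s key material was generated.
+ # @!attribute [r] expire_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time at which this {Google::Cloud::Kms::V1::ImportJob ImportJob} is scheduled for
+ # expiration and can no longer be used to import key material.
+ # @!attribute [r] expire_event_time
+ # @return [Google::Protobuf::Timestamp]
+ # Output only. The time this {Google::Cloud::Kms::V1::ImportJob ImportJob} expired. Only present if
+ # {Google::Cloud::Kms::V1::ImportJob#state state} is {Google::Cloud::Kms::V1::ImportJob::ImportJobState::EXPIRED EXPIRED}.
+ # @!attribute [r] state
+ # @return [Google::Cloud::Kms::V1::ImportJob::ImportJobState]
+ # Output only. The current state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can
+ # be used.
+ # @!attribute [r] public_key
+ # @return [Google::Cloud::Kms::V1::ImportJob::WrappingPublicKey]
+ # Output only. The public key with which to wrap key material prior to
+ # import. Only returned if {Google::Cloud::Kms::V1::ImportJob#state state} is
+ # {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE}.
+ # @!attribute [r] attestation
+ # @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
+ # Output only. Statement that was generated and signed by the key creator
+ # (for example, an HSM) at key creation time. Use this statement to verify
+ # attributes of the key as stored on the HSM, independently of Google.
+ # Only present if the chosen {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} is one with a protection
+ # level of {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
+ class ImportJob
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+
+ # The public key component of the wrapping key. For details of the type of
+ # key this public key corresponds to, see the {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod}.
+ # @!attribute [rw] pem
+ # @return [String]
+ # The public key, encoded in PEM format. For more information, see the [RFC
+ # 7468](https://tools.ietf.org/html/rfc7468) sections for [General
+ # Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+ # [Textual Encoding of Subject Public Key Info]
+ # (https://tools.ietf.org/html/rfc7468#section-13).
+ class WrappingPublicKey
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # {Google::Cloud::Kms::V1::ImportJob::ImportMethod ImportMethod} describes the key wrapping method chosen for this
+ # {Google::Cloud::Kms::V1::ImportJob ImportJob}.
+ module ImportMethod
+ # Not specified.
+ IMPORT_METHOD_UNSPECIFIED = 0
+
+ # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ # scheme defined in the PKCS #11 standard. In summary, this involves
+ # wrapping the raw key with an ephemeral AES key, and wrapping the
+ # ephemeral AES key with a 3072 bit RSA key. For more details, see
+ # [RSA AES key wrap
+ # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_3072_SHA1_AES_256 = 1
+
+ # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ # scheme defined in the PKCS #11 standard. In summary, this involves
+ # wrapping the raw key with an ephemeral AES key, and wrapping the
+ # ephemeral AES key with a 4096 bit RSA key. For more details, see
+ # [RSA AES key wrap
+ # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_4096_SHA1_AES_256 = 2
+ end
+
+ # The state of the {Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if it can be used.
+ module ImportJobState
+ # Not specified.
+ IMPORT_JOB_STATE_UNSPECIFIED = 0
+
+ # The wrapping key for this job is still being generated. It may not be
+ # used. Cloud KMS will automatically mark this job as
+ # {Google::Cloud::Kms::V1::ImportJob::ImportJobState::ACTIVE ACTIVE} as soon as the wrapping key is generated.
+ PENDING_GENERATION = 1
+
+ # This job may be used in
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key CreateCryptoKey} and
+ # {Google::Cloud::Kms::V1::KeyManagementService::Client#create_crypto_key_version CreateCryptoKeyVersion}
+ # requests.
+ ACTIVE = 2
+
+ # This job can no longer be used and may not leave this state once entered.
+ EXPIRED = 3
+ end
+ end
+
+ # ExternalProtectionLevelOptions stores a group of additional fields for
+ # configuring a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} that are specific to the
+ # {Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL} protection level.
+ # @!attribute [rw] external_key_uri
+ # @return [String]
+ # The URI for an external resource that this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents.
+ class ExternalProtectionLevelOptions
+ include Google::Protobuf::MessageExts
+ extend Google::Protobuf::MessageExts::ClassMethods
+ end
+
+ # {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
+ # For more information, see [Protection levels]
+ # (https://cloud.google.com/kms/docs/algorithms#protection_levels).
+ module ProtectionLevel
+ # Not specified.
+ PROTECTION_LEVEL_UNSPECIFIED = 0
+
+ # Crypto operations are performed in software.
+ SOFTWARE = 1
+
+ # Crypto operations are performed in a Hardware Security Module.
+ HSM = 2
+
+ # Crypto operations are performed by an external key manager.
+ EXTERNAL = 3
+ end
+ end
+ end
+ end
+ end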