google-cloud-kms-v1 0.15.0 → 0.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 546f9054cef92ac65e6f3dfbbb4b143216271890a78c5b444c7e817bc0b65f75
-  data.tar.gz: bffdcb4e068aec1bb96999fcb513d309be1db9f8da0ba631e107a656c0c05315
+  metadata.gz: 88ccb6ea1616c6e3d3e167aaf3d0e81795d897a8f07922ceb7fccfe0be5c1baa
+  data.tar.gz: 2d635e795aef36e90ff5fa04ab772fc982e6ec30d3855a8741d358edbee26809
 SHA512:
-  metadata.gz: ddc11f68a8c8ca566b1d74af941f034f16c7911967bf0cd41c1fc5175386f4a0f70ea1e24827a7b01a094074e86ce472f2934cdfc423f591f6ed6000eb5bb670
-  data.tar.gz: f6ff0ad09cf0fa9a4007f5d10a904dee8c0373560facc48da2cd92e40a458e77f38f0bb6f22aaa149c92cb2c3021e48151d2da768d09854e413964fef5747cac
+  metadata.gz: ffcdda5aafc0cc3bef3e4b1dba6fea52819d282bf6af6a3d085802e2c447f5116c053d80fbc8978ee2540ed178ae5d9efbbf5316adf06f79ccfa641a30044e05
+  data.tar.gz: c16e58ed43dae8dbdafed46b687864cf1241dbc50ddec764406928cb9e702a30362d2862a63c6419f955f869bc28a8362fa1a1f51770acb79a6a075270927034

data/README.md

@@ -46,7 +46,7 @@ for general usage information.
 ## Enabling Logging
 
 To enable logging for this library, set the logger for the underlying [gRPC](https://github.com/grpc/grpc/tree/master/src/ruby) library.
-The logger that you set may be a Ruby stdlib [`Logger`](https://ruby-doc.org/stdlib/libdoc/logger/rdoc/Logger.html) as shown below,
+The logger that you set may be a Ruby stdlib [`Logger`](https://ruby-doc.org/current/stdlibs/logger/Logger.html) as shown below,
 or a [`Google::Cloud::Logging::Logger`](https://googleapis.dev/ruby/google-cloud-logging/latest)
 that will write logs to [Cloud Logging](https://cloud.google.com/logging/). See [grpc/logconfig.rb](https://github.com/grpc/grpc/blob/master/src/ruby/lib/grpc/logconfig.rb)
 and the gRPC [spec_helper.rb](https://github.com/grpc/grpc/blob/master/src/ruby/spec/spec_helper.rb) for additional information.

data/lib/google/cloud/kms/v1/key_management_service/client.rb

@@ -1522,7 +1522,7 @@ module Google
             #   @param options [::Gapic::CallOptions, ::Hash]
             #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
             #
-            # @overload import_crypto_key_version(parent: nil, crypto_key_version: nil, algorithm: nil, import_job: nil, rsa_aes_wrapped_key: nil)
+            # @overload import_crypto_key_version(parent: nil, crypto_key_version: nil, algorithm: nil, import_job: nil, wrapped_key: nil, rsa_aes_wrapped_key: nil)
             #   Pass arguments to `import_crypto_key_version` via keyword arguments. Note that at
             #   least one keyword argument is required. To specify no parameters, or to keep all
             #   the default parameter values, pass an empty Hash as a request object (see above).
@@ -1564,32 +1564,52 @@ module Google
             #     Required. The {::Google::Cloud::Kms::V1::ImportJob#name name} of the
             #     {::Google::Cloud::Kms::V1::ImportJob ImportJob} that was used to wrap this key
             #     material.
-            #   @param rsa_aes_wrapped_key [::String]
-            #     Wrapped key material produced with
-            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA1_AES_256 RSA_OAEP_3072_SHA1_AES_256}
+            #   @param wrapped_key [::String]
+            #     Optional. The wrapped key material to import.
+            #
+            #     Before wrapping, key material must be formatted. If importing symmetric key
+            #     material, the expected key material format is plain bytes. If importing
+            #     asymmetric key material, the expected key material format is PKCS#8-encoded
+            #     DER (the PrivateKeyInfo structure from RFC 5208).
+            #
+            #     When wrapping with import methods
+            #     ({::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA1_AES_256 RSA_OAEP_3072_SHA1_AES_256}
+            #     or
+            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA1_AES_256 RSA_OAEP_4096_SHA1_AES_256}
+            #     or
+            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA256_AES_256 RSA_OAEP_3072_SHA256_AES_256}
             #     or
-            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA1_AES_256 RSA_OAEP_4096_SHA1_AES_256}.
+            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA256_AES_256 RSA_OAEP_4096_SHA256_AES_256}),
             #
-            #     This field contains the concatenation of two wrapped keys:
+            #     this field must contain the concatenation of:
             #     <ol>
             #       <li>An ephemeral AES-256 wrapping key wrapped with the
             #           {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} using
-            #           RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
-            #           empty label.
+            #           RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+            #           label.
             #       </li>
-            #       <li>The key to be imported, wrapped with the ephemeral AES-256 key
-            #           using AES-KWP (RFC 5649).
+            #       <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+            #           key using AES-KWP (RFC 5649).
             #       </li>
             #     </ol>
             #
-            #     If importing symmetric key material, it is expected that the unwrapped
-            #     key contains plain bytes. If importing asymmetric key material, it is
-            #     expected that the unwrapped key is in PKCS#8-encoded DER format (the
-            #     PrivateKeyInfo structure from RFC 5208).
-            #
             #     This format is the same as the format produced by PKCS#11 mechanism
             #     CKM_RSA_AES_KEY_WRAP.
             #
+            #     When wrapping with import methods
+            #     ({::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA256 RSA_OAEP_3072_SHA256}
+            #     or
+            #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA256 RSA_OAEP_4096_SHA256}),
+            #
+            #     this field must contain the formatted key to be imported, wrapped with the
+            #     {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} using RSAES-OAEP
+            #     with SHA-256, MGF1 with SHA-256, and an empty label.
+            #   @param rsa_aes_wrapped_key [::String]
+            #     Optional. This field has the same meaning as
+            #     {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#wrapped_key wrapped_key}.
+            #     Prefer to use that field in new work. Either that field or this field
+            #     (but not both) must be specified.
+            #
             # @yield [response, operation] Access the result along with the RPC operation
             # @yieldparam response [::Google::Cloud::Kms::V1::CryptoKeyVersion]
             # @yieldparam operation [::GRPC::ActiveCall::Operation]
@@ -2265,7 +2285,9 @@ module Google
             #
             #     The maximum size depends on the key version's
             #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}.
-            #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the
+            #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE},
+            #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}, and
+            #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} keys, the
             #     plaintext must be no larger than 64KiB. For
             #     {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of
             #     the plaintext and additional_authenticated_data fields must be no larger
@@ -2277,8 +2299,10 @@ module Google
             #
             #     The maximum size depends on the key version's
             #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}.
-            #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the AAD
-            #     must be no larger than 64KiB. For
+            #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE},
+            #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}, and
+            #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} keys the
+            #     AAD must be no larger than 64KiB. For
             #     {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of
             #     the plaintext and additional_authenticated_data fields must be no larger
             #     than 8KiB.

data/lib/google/cloud/kms/v1/resources_pb.rb

@@ -143,6 +143,10 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       value :IMPORT_METHOD_UNSPECIFIED, 0
       value :RSA_OAEP_3072_SHA1_AES_256, 1
       value :RSA_OAEP_4096_SHA1_AES_256, 2
+      value :RSA_OAEP_3072_SHA256_AES_256, 3
+      value :RSA_OAEP_4096_SHA256_AES_256, 4
+      value :RSA_OAEP_3072_SHA256, 5
+      value :RSA_OAEP_4096_SHA256, 6
     end
     add_enum "google.cloud.kms.v1.ImportJob.ImportJobState" do
       value :IMPORT_JOB_STATE_UNSPECIFIED, 0

data/lib/google/cloud/kms/v1/service_pb.rb

@@ -98,6 +98,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :crypto_key_version, :string, 6
       optional :algorithm, :enum, 2, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
       optional :import_job, :string, 4
+      optional :wrapped_key, :bytes, 8
       oneof :wrapped_key_material do
         optional :rsa_aes_wrapped_key, :bytes, 5
       end

data/lib/google/cloud/kms/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module Kms
       module V1
-        VERSION = "0.15.0"
+        VERSION = "0.16.0"
       end
     end
   end

data/proto_docs/google/cloud/kms/v1/ekm_service.rb

@@ -21,7 +21,8 @@ module Google
   module Cloud
     module Kms
       module V1
-        # Request message for [KeyManagementService.ListEkmConnections][].
+        # Request message for
+        # {::Google::Cloud::Kms::V1::EkmService::Client#list_ekm_connections EkmService.ListEkmConnections}.
         # @!attribute [rw] parent
         #   @return [::String]
         #     Required. The resource name of the location associated with the
@@ -57,7 +58,8 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Response message for [KeyManagementService.ListEkmConnections][].
+        # Response message for
+        # {::Google::Cloud::Kms::V1::EkmService::Client#list_ekm_connections EkmService.ListEkmConnections}.
         # @!attribute [rw] ekm_connections
         #   @return [::Array<::Google::Cloud::Kms::V1::EkmConnection>]
         #     The list of {::Google::Cloud::Kms::V1::EkmConnection EkmConnections}.
@@ -75,7 +77,8 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for [KeyManagementService.GetEkmConnection][].
+        # Request message for
+        # {::Google::Cloud::Kms::V1::EkmService::Client#get_ekm_connection EkmService.GetEkmConnection}.
         # @!attribute [rw] name
         #   @return [::String]
         #     Required. The {::Google::Cloud::Kms::V1::EkmConnection#name name} of the
@@ -85,7 +88,8 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for [KeyManagementService.CreateEkmConnection][].
+        # Request message for
+        # {::Google::Cloud::Kms::V1::EkmService::Client#create_ekm_connection EkmService.CreateEkmConnection}.
         # @!attribute [rw] parent
         #   @return [::String]
         #     Required. The resource name of the location associated with the
@@ -104,7 +108,8 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # Request message for [KeyManagementService.UpdateEkmConnection][].
+        # Request message for
+        # {::Google::Cloud::Kms::V1::EkmService::Client#update_ekm_connection EkmService.UpdateEkmConnection}.
         # @!attribute [rw] ekm_connection
         #   @return [::Google::Cloud::Kms::V1::EkmConnection]
         #     Required. {::Google::Cloud::Kms::V1::EkmConnection EkmConnection} with updated
@@ -185,9 +190,8 @@ module Google
         #     supported.
         # @!attribute [rw] etag
         #   @return [::String]
-        #     This checksum is computed by the server based on the value of other fields,
-        #     and may be sent on update requests to ensure the client has an up-to-date
-        #     value before proceeding.
+        #     Optional. Etag of the currently stored
+        #     {::Google::Cloud::Kms::V1::EkmConnection EkmConnection}.
         class EkmConnection
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -214,7 +218,8 @@ module Google
           # @!attribute [rw] server_certificates
           #   @return [::Array<::Google::Cloud::Kms::V1::Certificate>]
           #     Required. A list of leaf server certificates used to authenticate HTTPS
-          #     connections to the EKM replica.
+          #     connections to the EKM replica. Currently, a maximum of 10
+          #     {::Google::Cloud::Kms::V1::Certificate Certificate} is supported.
           class ServiceResolver
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/kms/v1/resources.rb

@@ -254,6 +254,9 @@ module Google
 
             # Cavium HSM attestation compressed with gzip. Note that this format is
             # defined by Cavium and subject to change at any time.
+            #
+            # See
+            # https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
             CAVIUM_V1_COMPRESSED = 3
 
             # Cavium HSM attestation V2 compressed with gzip. This is a new format
@@ -736,6 +739,34 @@ module Google
             # [RSA AES key wrap
             # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
             RSA_OAEP_4096_SHA1_AES_256 = 2
+
+            # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+            # scheme defined in the PKCS #11 standard. In summary, this involves
+            # wrapping the raw key with an ephemeral AES key, and wrapping the
+            # ephemeral AES key with a 3072 bit RSA key. For more details, see
+            # [RSA AES key wrap
+            # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+            RSA_OAEP_3072_SHA256_AES_256 = 3
+
+            # This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+            # scheme defined in the PKCS #11 standard. In summary, this involves
+            # wrapping the raw key with an ephemeral AES key, and wrapping the
+            # ephemeral AES key with a 4096 bit RSA key. For more details, see
+            # [RSA AES key wrap
+            # mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+            RSA_OAEP_4096_SHA256_AES_256 = 4
+
+            # This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
+            # key material to be imported is wrapped directly with the RSA key. Due
+            # to technical limitations of RSA wrapping, this method cannot be used to
+            # wrap RSA keys for import.
+            RSA_OAEP_3072_SHA256 = 5
+
+            # This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
+            # key material to be imported is wrapped directly with the RSA key. Due
+            # to technical limitations of RSA wrapping, this method cannot be used to
+            # wrap RSA keys for import.
+            RSA_OAEP_4096_SHA256 = 6
           end
 
           # The state of the {::Google::Cloud::Kms::V1::ImportJob ImportJob}, indicating if

data/proto_docs/google/cloud/kms/v1/service.rb

@@ -413,32 +413,53 @@ module Google
         #     Required. The {::Google::Cloud::Kms::V1::ImportJob#name name} of the
         #     {::Google::Cloud::Kms::V1::ImportJob ImportJob} that was used to wrap this key
         #     material.
-        # @!attribute [rw] rsa_aes_wrapped_key
+        # @!attribute [rw] wrapped_key
         #   @return [::String]
-        #     Wrapped key material produced with
-        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA1_AES_256 RSA_OAEP_3072_SHA1_AES_256}
+        #     Optional. The wrapped key material to import.
+        #
+        #     Before wrapping, key material must be formatted. If importing symmetric key
+        #     material, the expected key material format is plain bytes. If importing
+        #     asymmetric key material, the expected key material format is PKCS#8-encoded
+        #     DER (the PrivateKeyInfo structure from RFC 5208).
+        #
+        #     When wrapping with import methods
+        #     ({::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA1_AES_256 RSA_OAEP_3072_SHA1_AES_256}
         #     or
-        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA1_AES_256 RSA_OAEP_4096_SHA1_AES_256}.
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA1_AES_256 RSA_OAEP_4096_SHA1_AES_256}
+        #     or
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA256_AES_256 RSA_OAEP_3072_SHA256_AES_256}
+        #     or
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA256_AES_256 RSA_OAEP_4096_SHA256_AES_256}),
         #
-        #     This field contains the concatenation of two wrapped keys:
+        #     this field must contain the concatenation of:
         #     <ol>
         #       <li>An ephemeral AES-256 wrapping key wrapped with the
         #           {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} using
-        #           RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
-        #           empty label.
+        #           RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+        #           label.
         #       </li>
-        #       <li>The key to be imported, wrapped with the ephemeral AES-256 key
-        #           using AES-KWP (RFC 5649).
+        #       <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+        #           key using AES-KWP (RFC 5649).
         #       </li>
         #     </ol>
         #
-        #     If importing symmetric key material, it is expected that the unwrapped
-        #     key contains plain bytes. If importing asymmetric key material, it is
-        #     expected that the unwrapped key is in PKCS#8-encoded DER format (the
-        #     PrivateKeyInfo structure from RFC 5208).
-        #
         #     This format is the same as the format produced by PKCS#11 mechanism
         #     CKM_RSA_AES_KEY_WRAP.
+        #
+        #     When wrapping with import methods
+        #     ({::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_3072_SHA256 RSA_OAEP_3072_SHA256}
+        #     or
+        #     {::Google::Cloud::Kms::V1::ImportJob::ImportMethod::RSA_OAEP_4096_SHA256 RSA_OAEP_4096_SHA256}),
+        #
+        #     this field must contain the formatted key to be imported, wrapped with the
+        #     {::Google::Cloud::Kms::V1::ImportJob#public_key public_key} using RSAES-OAEP
+        #     with SHA-256, MGF1 with SHA-256, and an empty label.
+        # @!attribute [rw] rsa_aes_wrapped_key
+        #   @return [::String]
+        #     Optional. This field has the same meaning as
+        #     {::Google::Cloud::Kms::V1::ImportCryptoKeyVersionRequest#wrapped_key wrapped_key}.
+        #     Prefer to use that field in new work. Either that field or this field
+        #     (but not both) must be specified.
         class ImportCryptoKeyVersionRequest
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -545,7 +566,9 @@ module Google
         #
         #     The maximum size depends on the key version's
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}.
-        #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the
+        #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE},
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}, and
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} keys, the
         #     plaintext must be no larger than 64KiB. For
         #     {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of
         #     the plaintext and additional_authenticated_data fields must be no larger
@@ -558,8 +581,10 @@ module Google
         #
         #     The maximum size depends on the key version's
         #     {::Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}.
-        #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the AAD
-        #     must be no larger than 64KiB. For
+        #     For {::Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE},
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL EXTERNAL}, and
+        #     {::Google::Cloud::Kms::V1::ProtectionLevel::EXTERNAL_VPC EXTERNAL_VPC} keys the
+        #     AAD must be no larger than 64KiB. For
         #     {::Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of
         #     the plaintext and additional_authenticated_data fields must be no larger
         #     than 8KiB.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-kms-v1
 version: !ruby/object:Gem::Version
-  version: 0.15.0
+  version: 0.16.0
 platform: ruby
 authors:
 - Google LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-11-16 00:00:00.000000000 Z
+date: 2022-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gapic-common