google-cloud-kms 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd3abb269ec04fc114467064d0c5eb206a471a379b7be28a084c5d39da9abb86
-  data.tar.gz: 770f440cb19a642e11d3238fcf50c2bc6be99e4684b817c158cbfe9447ce647b
+  metadata.gz: 443cec7ba32064b6cfc2b3715a78f0563932d642d9ddc224fbce3821a532ea87
+  data.tar.gz: e727cb3923b6cf46da6b7c93cd5dd7e8cd983942567e8d15202174d9948a6a1e
 SHA512:
-  metadata.gz: f5b8d2864052c66b6e6c9d529ddc2d537e2880b315d920080662412b75b947cbffcd2fde915cdd4b8c5836bcb7fbf0010f585044de8931b80d3f49d64ee06820
-  data.tar.gz: 1b9c2c96d27cb7c6d35b0fc8dd553e0cf19a2f54d40f18fb4e2024e4899ddf6bd87d1907711bdc1480afa9ce7e51c05abb8119a47c6b1ba196e2058523df8f05
+  metadata.gz: 437b87442fb5b3c80bb4ec2b03da2d2c1392290276abe9c726c545053e38a010fd099a91f024f6e57edb683b87ee3d503a15a6cebdc2d97ec640a69df1030865
+  data.tar.gz: 78f133c40894e362eaa47771480fed870f3fe7b6518272d25dee959ac65bbae8a0e7e9084c2c9b189d5bfc589fdccffe2507da28892a131da44e3366c0aca9f7

data/.yardopts

@@ -1,5 +1,5 @@
 --no-private
---title=Google Cloud Key Management Service (KMS) API
+--title=Cloud Key Management Service (KMS) API
 --exclude _pb\.rb$
 --markup markdown
 --markup-provider redcarpet

data/README.md

@@ -1,8 +1,8 @@
-# Ruby Client for Google Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
+# Ruby Client for Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
 
-[Google Cloud Key Management Service (KMS) API][Product Documentation]:
-Manages encryption for your cloud services the same way you do on-premises.
-You can generate, use, rotate, and destroy AES256 encryption keys.
+[Cloud Key Management Service (KMS) API][Product Documentation]:
+Manages keys and performs cryptographic operations in a central cloud
+service, for direct use by other cloud resources and applications.
 - [Client Library Documentation][]
 - [Product Documentation][]
 
@@ -12,7 +12,7 @@ steps:
 
 1. [Select or create a Cloud Platform project.](https://console.cloud.google.com/project)
 2. [Enable billing for your project.](https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project)
-3. [Enable the Google Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
+3. [Enable the Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
 4. [Setup Authentication.](https://googlecloudplatform.github.io/google-cloud-ruby/#/docs/google-cloud/master/guides/authentication)
 
 ### Installation
@@ -21,9 +21,9 @@ $ gem install google-cloud-kms
 ```
 
 ### Next Steps
-- Read the [Client Library Documentation][] for Google Cloud Key Management Service (KMS) API
+- Read the [Client Library Documentation][] for Cloud Key Management Service (KMS) API
   to see other available methods on the client.
-- Read the [Google Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
+- Read the [Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
   to learn more about the product and see How-to Guides.
 - View this [repository's main README](https://github.com/GoogleCloudPlatform/google-cloud-ruby/blob/master/README.md)
   to see the full list of Cloud APIs that we cover.

data/lib/google/cloud/kms.rb

@@ -21,11 +21,11 @@ module Google
     # rubocop:disable LineLength
 
     ##
-    # # Ruby Client for Google Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
+    # # Ruby Client for Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
     #
-    # [Google Cloud Key Management Service (KMS) API][Product Documentation]:
-    # Manages encryption for your cloud services the same way you do on-premises.
-    # You can generate, use, rotate, and destroy AES256 encryption keys.
+    # [Cloud Key Management Service (KMS) API][Product Documentation]:
+    # Manages keys and performs cryptographic operations in a central cloud
+    # service, for direct use by other cloud resources and applications.
     # - [Product Documentation][]
     #
     # ## Quick Start
@@ -34,7 +34,7 @@ module Google
     #
     # 1. [Select or create a Cloud Platform project.](https://console.cloud.google.com/project)
     # 2. [Enable billing for your project.](https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project)
-    # 3. [Enable the Google Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
+    # 3. [Enable the Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
     # 4. [Setup Authentication.](https://googlecloudplatform.github.io/google-cloud-ruby/#/docs/google-cloud/master/guides/authentication)
     #
     # ### Installation
@@ -43,7 +43,7 @@ module Google
     # ```
     #
     # ### Next Steps
-    # - Read the [Google Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
+    # - Read the [Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
     #   to learn more about the product and see How-to Guides.
     # - View this [repository's main README](https://github.com/GoogleCloudPlatform/google-cloud-ruby/blob/master/README.md)
     #   to see the full list of Cloud APIs that we cover.
@@ -97,6 +97,9 @@ module Google
       # * {Google::Cloud::Kms::V1::CryptoKey CryptoKey}
       # * {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
       #
+      # If you are using manual gRPC libraries, see
+      # [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
+      #
       # @param version [Symbol, String]
       #   The major version of the service to be used. By default :v1
       #   is used.

data/lib/google/cloud/kms/v1.rb

@@ -14,6 +14,7 @@
 
 
 require "google/cloud/kms/v1/key_management_service_client"
+require "google/cloud/kms/v1/service_pb"
 
 module Google
   module Cloud
@@ -21,11 +22,11 @@ module Google
       # rubocop:disable LineLength
 
       ##
-      # # Ruby Client for Google Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
+      # # Ruby Client for Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
       #
-      # [Google Cloud Key Management Service (KMS) API][Product Documentation]:
-      # Manages encryption for your cloud services the same way you do on-premises.
-      # You can generate, use, rotate, and destroy AES256 encryption keys.
+      # [Cloud Key Management Service (KMS) API][Product Documentation]:
+      # Manages keys and performs cryptographic operations in a central cloud
+      # service, for direct use by other cloud resources and applications.
       # - [Product Documentation][]
       #
       # ## Quick Start
@@ -34,7 +35,7 @@ module Google
       #
       # 1. [Select or create a Cloud Platform project.](https://console.cloud.google.com/project)
       # 2. [Enable billing for your project.](https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project)
-      # 3. [Enable the Google Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
+      # 3. [Enable the Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
       # 4. [Setup Authentication.](https://googlecloudplatform.github.io/google-cloud-ruby/#/docs/google-cloud/master/guides/authentication)
       #
       # ### Installation
@@ -43,7 +44,7 @@ module Google
       # ```
       #
       # ### Next Steps
-      # - Read the [Google Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
+      # - Read the [Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
       #   to learn more about the product and see How-to Guides.
       # - View this [repository's main README](https://github.com/GoogleCloudPlatform/google-cloud-ruby/blob/master/README.md)
       #   to see the full list of Cloud APIs that we cover.
@@ -89,6 +90,9 @@ module Google
         # * {Google::Cloud::Kms::V1::CryptoKey CryptoKey}
         # * {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
         #
+        # If you are using manual gRPC libraries, see
+        # [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
+        #
         # @param credentials [Google::Auth::Credentials, String, Hash, GRPC::Core::Channel, GRPC::Core::ChannelCredentials, Proc]
         #   Provides the means for authenticating requests made by the client. This parameter can
         #   be many types.

data/lib/google/cloud/kms/v1/doc/google/cloud/kms/v1/resources.rb

@@ -44,10 +44,13 @@ module Google
         #
         #     The {Google::Cloud::Kms::V1::CryptoKey CryptoKey}'s primary version can be updated via
         #     {Google::Cloud::Kms::V1::KeyManagementService::UpdateCryptoKeyPrimaryVersion UpdateCryptoKeyPrimaryVersion}.
+        #
+        #     All keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} have a
+        #     primary. For other keys, this field will be omitted.
         # @!attribute [rw] purpose
         #   @return [Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose]
-        #     The immutable purpose of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. Currently, the only acceptable
-        #     purpose is {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
+        #     The immutable purpose of this {Google::Cloud::Kms::V1::CryptoKey CryptoKey}.
         # @!attribute [rw] create_time
         #   @return [Google::Protobuf::Timestamp]
         #     Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKey CryptoKey} was created.
@@ -62,20 +65,34 @@ module Google
         #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} and
         #     {Google::Cloud::Kms::V1::KeyManagementService::UpdateCryptoKeyPrimaryVersion UpdateCryptoKeyPrimaryVersion}
         #     do not affect {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time}.
+        #
+        #     Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+        #     automatic rotation. For other keys, this field must be omitted.
         # @!attribute [rw] rotation_period
         #   @return [Google::Protobuf::Duration]
         #     {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} will be advanced by this period when the service
         #     automatically rotates a key. Must be at least one day.
         #
         #     If {Google::Cloud::Kms::V1::CryptoKey#rotation_period rotation_period} is set, {Google::Cloud::Kms::V1::CryptoKey#next_rotation_time next_rotation_time} must also be set.
+        #
+        #     Keys with {Google::Cloud::Kms::V1::CryptoKey#purpose purpose}
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT} support
+        #     automatic rotation. For other keys, this field must be omitted.
+        # @!attribute [rw] version_template
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersionTemplate]
+        #     A template describing settings for new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances.
+        #     The properties of new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} instances created by either
+        #     {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} or
+        #     auto-rotation are controlled by this template.
         # @!attribute [rw] labels
         #   @return [Hash{String => String}]
         #     Labels with user-defined metadata. For more information, see
         #     [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
         class CryptoKey
-          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the capabilities of a {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. Two
-          # keys with the same purpose may use different underlying algorithms, but
-          # must support the same set of operations.
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose CryptoKeyPurpose} describes the cryptographic capabilities of a
+          # {Google::Cloud::Kms::V1::CryptoKey CryptoKey}. A given key can only be used for the operations allowed by
+          # its purpose.
           module CryptoKeyPurpose
             # Not specified.
             CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0
@@ -84,20 +101,66 @@ module Google
             # {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} and
             # {Google::Cloud::Kms::V1::KeyManagementService::Decrypt Decrypt}.
             ENCRYPT_DECRYPT = 1
+
+            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricSign AsymmetricSign} and
+            # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
+            ASYMMETRIC_SIGN = 5
+
+            # {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with this purpose may be used with
+            # {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricDecrypt AsymmetricDecrypt} and
+            # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
+            ASYMMETRIC_DECRYPT = 6
+          end
+        end
+
+        # A {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate CryptoKeyVersionTemplate} specifies the properties to use when creating
+        # a new {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, either manually with
+        # {Google::Cloud::Kms::V1::KeyManagementService::CreateCryptoKeyVersion CreateCryptoKeyVersion} or
+        # automatically as a result of auto-rotation.
+        # @!attribute [rw] protection_level
+        #   @return [Google::Cloud::Kms::V1::ProtectionLevel]
+        #     {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} to use when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on
+        #     this template. Immutable. Defaults to {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE}.
+        # @!attribute [rw] algorithm
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+        #     Required. {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} to use
+        #     when creating a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} based on this template.
+        #
+        #     For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
+        #     this field is omitted and {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} is
+        #     {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
+        class CryptoKeyVersionTemplate; end
+
+        # Contains an HSM-generated attestation about a key operation.
+        # @!attribute [rw] format
+        #   @return [Google::Cloud::Kms::V1::KeyOperationAttestation::AttestationFormat]
+        #     Output only. The format of the attestation data.
+        # @!attribute [rw] content
+        #   @return [String]
+        #     Output only. The attestation data provided by the HSM when the key
+        #     operation was performed.
+        class KeyOperationAttestation
+          # Attestion formats provided by the HSM.
+          module AttestationFormat
+            ATTESTATION_FORMAT_UNSPECIFIED = 0
+
+            # Cavium HSM attestation compressed with gzip. Note that this format is
+            # defined by Cavium and subject to change at any time.
+            CAVIUM_V1_COMPRESSED = 3
           end
         end
 
         # A {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} represents an individual cryptographic key, and the
         # associated key material.
         #
-        # It can be used for cryptographic operations either directly, or via its
-        # parent {Google::Cloud::Kms::V1::CryptoKey CryptoKey}, in which case the server will choose the appropriate
-        # version for the operation.
+        # An {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} version can be
+        # used for cryptographic operations.
         #
         # For security reasons, the raw cryptographic key material represented by a
         # {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} can never be viewed or exported. It can only be used to
-        # encrypt or decrypt data when an authorized user or application invokes Cloud
-        # KMS.
+        # encrypt, decrypt, or sign data when an authorized user or application invokes
+        # Cloud KMS.
         # @!attribute [rw] name
         #   @return [String]
         #     Output only. The resource name for this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the format
@@ -105,9 +168,27 @@ module Google
         # @!attribute [rw] state
         #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState]
         #     The current state of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        # @!attribute [rw] protection_level
+        #   @return [Google::Cloud::Kms::V1::ProtectionLevel]
+        #     Output only. The {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} describing how crypto operations are
+        #     performed with this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}.
+        # @!attribute [rw] algorithm
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+        #     Output only. The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm CryptoKeyVersionAlgorithm} that this
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} supports.
+        # @!attribute [rw] attestation
+        #   @return [Google::Cloud::Kms::V1::KeyOperationAttestation]
+        #     Output only. Statement that was generated and signed by the HSM at key
+        #     creation time. Use this statement to verify attributes of the key as stored
+        #     on the HSM, independently of Google. Only provided for key versions with
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#protection_level protection_level} {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM}.
         # @!attribute [rw] create_time
         #   @return [Google::Protobuf::Timestamp]
         #     Output only. The time at which this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} was created.
+        # @!attribute [rw] generate_time
+        #   @return [Google::Protobuf::Timestamp]
+        #     Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material was
+        #     generated.
         # @!attribute [rw] destroy_time
         #   @return [Google::Protobuf::Timestamp]
         #     Output only. The time this {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s key material is scheduled
@@ -119,13 +200,89 @@ module Google
         #     destroyed. Only present if {Google::Cloud::Kms::V1::CryptoKeyVersion#state state} is
         #     {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROYED DESTROYED}.
         class CryptoKeyVersion
+          # The algorithm of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating what
+          # parameters must be used for each cryptographic operation.
+          #
+          # The
+          # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::GOOGLE_SYMMETRIC_ENCRYPTION GOOGLE_SYMMETRIC_ENCRYPTION}
+          # algorithm is usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
+          #
+          # Algorithms beginning with "RSA_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
+          #
+          # The fields in the name after "RSA_SIGN_" correspond to the following
+          # parameters: padding algorithm, modulus bit length, and digest algorithm.
+          #
+          # For PSS, the salt length used is equal to the length of digest
+          # algorithm. For example,
+          # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm::RSA_SIGN_PSS_2048_SHA256 RSA_SIGN_PSS_2048_SHA256}
+          # will use PSS with a salt length of 256 bits or 32 bytes.
+          #
+          # Algorithms beginning with "RSA_DECRYPT_" are usable with
+          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_DECRYPT ASYMMETRIC_DECRYPT}.
+          #
+          # The fields in the name after "RSA_DECRYPT_" correspond to the following
+          # parameters: padding algorithm, modulus bit length, and digest algorithm.
+          #
+          # Algorithms beginning with "EC_SIGN_" are usable with {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ASYMMETRIC_SIGN ASYMMETRIC_SIGN}.
+          #
+          # The fields in the name after "EC_SIGN_" correspond to the following
+          # parameters: elliptic curve, digest algorithm.
+          module CryptoKeyVersionAlgorithm
+            # Not specified.
+            CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
+
+            # Creates symmetric encryption keys.
+            GOOGLE_SYMMETRIC_ENCRYPTION = 1
+
+            # RSASSA-PSS 2048 bit key with a SHA256 digest.
+            RSA_SIGN_PSS_2048_SHA256 = 2
+
+            # RSASSA-PSS 3072 bit key with a SHA256 digest.
+            RSA_SIGN_PSS_3072_SHA256 = 3
+
+            # RSASSA-PSS 4096 bit key with a SHA256 digest.
+            RSA_SIGN_PSS_4096_SHA256 = 4
+
+            # RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
+            RSA_SIGN_PKCS1_2048_SHA256 = 5
+
+            # RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
+            RSA_SIGN_PKCS1_3072_SHA256 = 6
+
+            # RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
+            RSA_SIGN_PKCS1_4096_SHA256 = 7
+
+            # RSAES-OAEP 2048 bit key with a SHA256 digest.
+            RSA_DECRYPT_OAEP_2048_SHA256 = 8
+
+            # RSAES-OAEP 3072 bit key with a SHA256 digest.
+            RSA_DECRYPT_OAEP_3072_SHA256 = 9
+
+            # RSAES-OAEP 4096 bit key with a SHA256 digest.
+            RSA_DECRYPT_OAEP_4096_SHA256 = 10
+
+            # ECDSA on the NIST P-256 curve with a SHA256 digest.
+            EC_SIGN_P256_SHA256 = 12
+
+            # ECDSA on the NIST P-384 curve with a SHA384 digest.
+            EC_SIGN_P384_SHA384 = 13
+          end
+
           # The state of a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, indicating if it can be used.
           module CryptoKeyVersionState
             # Not specified.
             CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0
 
-            # This version may be used in {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt} and
-            # {Google::Cloud::Kms::V1::KeyManagementService::Decrypt Decrypt} requests.
+            # This version is still being generated. It may not be used, enabled,
+            # disabled, or destroyed yet. Cloud KMS will automatically mark this
+            # version {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::ENABLED ENABLED} as soon as the version is ready.
+            PENDING_GENERATION = 5
+
+            # This version may be used for cryptographic operations.
             ENABLED = 1
 
             # This version may not be used, but the key material is still available,
@@ -142,6 +299,47 @@ module Google
             # to put it back into the {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DISABLED DISABLED} state.
             DESTROY_SCHEDULED = 4
           end
+
+          # A view for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}s. Controls the level of detail returned
+          # for {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersions} in
+          # {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeyVersions KeyManagementService::ListCryptoKeyVersions} and
+          # {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeys KeyManagementService::ListCryptoKeys}.
+          module CryptoKeyVersionView
+            # Default view for each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Does not include
+            # the {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation} field.
+            CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0
+
+            # Provides all fields in each {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}, including the
+            # {Google::Cloud::Kms::V1::CryptoKeyVersion#attestation attestation}.
+            FULL = 1
+          end
+        end
+
+        # The public key for a given {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}. Obtained via
+        # {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey GetPublicKey}.
+        # @!attribute [rw] pem
+        #   @return [String]
+        #     The public key, encoded in PEM format. For more information, see the
+        #     [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
+        #     [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
+        #     [Textual Encoding of Subject Public Key Info]
+        #     (https://tools.ietf.org/html/rfc7468#section-13).
+        # @!attribute [rw] algorithm
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm]
+        #     The {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionAlgorithm Algorithm} associated
+        #     with this key.
+        class PublicKey; end
+
+        # {Google::Cloud::Kms::V1::ProtectionLevel ProtectionLevel} specifies how cryptographic operations are performed.
+        module ProtectionLevel
+          # Not specified.
+          PROTECTION_LEVEL_UNSPECIFIED = 0
+
+          # Crypto operations are performed in software.
+          SOFTWARE = 1
+
+          # Crypto operations are performed in a Hardware Security Module.
+          HSM = 2
         end
       end
     end

data/lib/google/cloud/kms/v1/doc/google/cloud/kms/v1/service.rb

@@ -49,6 +49,9 @@ module Google
         #   @return [String]
         #     Optional pagination token, returned earlier via
         #     {Google::Cloud::Kms::V1::ListCryptoKeysResponse#next_page_token ListCryptoKeysResponse#next_page_token}.
+        # @!attribute [rw] version_view
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionView]
+        #     The fields of the primary version to include in the response.
         class ListCryptoKeysRequest; end
 
         # Request message for {Google::Cloud::Kms::V1::KeyManagementService::ListCryptoKeyVersions KeyManagementService::ListCryptoKeyVersions}.
@@ -67,6 +70,9 @@ module Google
         #   @return [String]
         #     Optional pagination token, returned earlier via
         #     {Google::Cloud::Kms::V1::ListCryptoKeyVersionsResponse#next_page_token ListCryptoKeyVersionsResponse#next_page_token}.
+        # @!attribute [rw] view
+        #   @return [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionView]
+        #     The fields to include in the response.
         class ListCryptoKeyVersionsRequest; end
 
         # Response message for {Google::Cloud::Kms::V1::KeyManagementService::ListKeyRings KeyManagementService::ListKeyRings}.
@@ -128,6 +134,13 @@ module Google
         #     The {Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to get.
         class GetCryptoKeyVersionRequest; end
 
+        # Request message for {Google::Cloud::Kms::V1::KeyManagementService::GetPublicKey KeyManagementService::GetPublicKey}.
+        # @!attribute [rw] name
+        #   @return [String]
+        #     The {Google::Cloud::Kms::V1::CryptoKeyVersion#name name} of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} public key to
+        #     get.
+        class GetPublicKeyRequest; end
+
         # Request message for {Google::Cloud::Kms::V1::KeyManagementService::CreateKeyRing KeyManagementService::CreateKeyRing}.
         # @!attribute [rw] parent
         #   @return [String]
@@ -195,11 +208,24 @@ module Google
         # @!attribute [rw] plaintext
         #   @return [String]
         #     Required. The data to encrypt. Must be no larger than 64KiB.
+        #
+        #     The maximum size depends on the key version's
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}. For
+        #     {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the plaintext must be no larger
+        #     than 64KiB. For {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of the
+        #     plaintext and additional_authenticated_data fields must be no larger than
+        #     8KiB.
         # @!attribute [rw] additional_authenticated_data
         #   @return [String]
         #     Optional data that, if specified, must also be provided during decryption
-        #     through {Google::Cloud::Kms::V1::DecryptRequest#additional_authenticated_data DecryptRequest#additional_authenticated_data}.  Must be no
-        #     larger than 64KiB.
+        #     through {Google::Cloud::Kms::V1::DecryptRequest#additional_authenticated_data DecryptRequest#additional_authenticated_data}.
+        #
+        #     The maximum size depends on the key version's
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}. For
+        #     {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the AAD must be no larger than
+        #     64KiB. For {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of the
+        #     plaintext and additional_authenticated_data fields must be no larger than
+        #     8KiB.
         class EncryptRequest; end
 
         # Request message for {Google::Cloud::Kms::V1::KeyManagementService::Decrypt KeyManagementService::Decrypt}.
@@ -217,6 +243,28 @@ module Google
         #     {Google::Cloud::Kms::V1::EncryptRequest#additional_authenticated_data EncryptRequest#additional_authenticated_data}.
         class DecryptRequest; end
 
+        # Request message for {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricSign KeyManagementService::AsymmetricSign}.
+        # @!attribute [rw] name
+        #   @return [String]
+        #     Required. The resource name of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use for signing.
+        # @!attribute [rw] digest
+        #   @return [Google::Cloud::Kms::V1::Digest]
+        #     Required. The digest of the data to sign. The digest must be produced with
+        #     the same digest algorithm as specified by the key version's
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersion#algorithm algorithm}.
+        class AsymmetricSignRequest; end
+
+        # Request message for {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricDecrypt KeyManagementService::AsymmetricDecrypt}.
+        # @!attribute [rw] name
+        #   @return [String]
+        #     Required. The resource name of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to use for
+        #     decryption.
+        # @!attribute [rw] ciphertext
+        #   @return [String]
+        #     Required. The data encrypted with the named {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}'s public
+        #     key using OAEP.
+        class AsymmetricDecryptRequest; end
+
         # Response message for {Google::Cloud::Kms::V1::KeyManagementService::Decrypt KeyManagementService::Decrypt}.
         # @!attribute [rw] plaintext
         #   @return [String]
@@ -232,6 +280,18 @@ module Google
         #     The encrypted data.
         class EncryptResponse; end
 
+        # Response message for {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricSign KeyManagementService::AsymmetricSign}.
+        # @!attribute [rw] signature
+        #   @return [String]
+        #     The created signature.
+        class AsymmetricSignResponse; end
+
+        # Response message for {Google::Cloud::Kms::V1::KeyManagementService::AsymmetricDecrypt KeyManagementService::AsymmetricDecrypt}.
+        # @!attribute [rw] plaintext
+        #   @return [String]
+        #     The decrypted data originally encrypted with the matching public key.
+        class AsymmetricDecryptResponse; end
+
         # Request message for {Google::Cloud::Kms::V1::KeyManagementService::UpdateCryptoKeyPrimaryVersion KeyManagementService::UpdateCryptoKeyPrimaryVersion}.
         # @!attribute [rw] name
         #   @return [String]
@@ -252,6 +312,26 @@ module Google
         #   @return [String]
         #     The resource name of the {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} to restore.
         class RestoreCryptoKeyVersionRequest; end
+
+        # A {Google::Cloud::Kms::V1::Digest Digest} holds a cryptographic message digest.
+        # @!attribute [rw] sha256
+        #   @return [String]
+        #     A message digest produced with the SHA-256 algorithm.
+        # @!attribute [rw] sha384
+        #   @return [String]
+        #     A message digest produced with the SHA-384 algorithm.
+        # @!attribute [rw] sha512
+        #   @return [String]
+        #     A message digest produced with the SHA-512 algorithm.
+        class Digest; end
+
+        # Cloud KMS metadata for the given {Google::Cloud::Location::Location}.
+        # @!attribute [rw] hsm_available
+        #   @return [true, false]
+        #     Indicates whether {Google::Cloud::Kms::V1::CryptoKey CryptoKeys} with
+        #     {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}
+        #     {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} can be created in this location.
+        class LocationMetadata; end
       end
     end
   end

data/lib/google/cloud/kms/v1/key_management_service_client.rb

@@ -42,6 +42,9 @@ module Google
         # * {Google::Cloud::Kms::V1::CryptoKey CryptoKey}
         # * {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
         #
+        # If you are using manual gRPC libraries, see
+        # [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
+        #
         # @!attribute [r] key_management_service_stub
         #   @return [Google::Cloud::Kms::V1::KeyManagementService::Stub]
         # @!attribute [r] iam_policy_stub
@@ -522,6 +525,8 @@ module Google
           #   parameter does not affect the return value. If page streaming is
           #   performed per-page, this determines the maximum number of
           #   resources in a page.
+          # @param version_view [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionView]
+          #   The fields of the primary version to include in the response.
           # @param options [Google::Gax::CallOptions]
           #   Overrides the default settings for this call, e.g, timeout,
           #   retries, etc.
@@ -556,11 +561,13 @@ module Google
           def list_crypto_keys \
               parent,
               page_size: nil,
+              version_view: nil,
               options: nil,
               &block
             req = {
               parent: parent,
-              page_size: page_size
+              page_size: page_size,
+              version_view: version_view
             }.delete_if { |_, v| v.nil? }
             req = Google::Gax::to_proto(req, Google::Cloud::Kms::V1::ListCryptoKeysRequest)
             @list_crypto_keys.call(req, options, &block)
@@ -577,6 +584,8 @@ module Google
           #   parameter does not affect the return value. If page streaming is
           #   performed per-page, this determines the maximum number of
           #   resources in a page.
+          # @param view [Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionView]
+          #   The fields to include in the response.
           # @param options [Google::Gax::CallOptions]
           #   Overrides the default settings for this call, e.g, timeout,
           #   retries, etc.
@@ -611,11 +620,13 @@ module Google
           def list_crypto_key_versions \
               parent,
               page_size: nil,
+              view: nil,
               options: nil,
               &block
             req = {
               parent: parent,
-              page_size: page_size
+              page_size: page_size,
+              view: view
             }.delete_if { |_, v| v.nil? }
             req = Google::Gax::to_proto(req, Google::Cloud::Kms::V1::ListCryptoKeyVersionsRequest)
             @list_crypto_key_versions.call(req, options, &block)
@@ -762,7 +773,9 @@ module Google
 
           # Create a new {Google::Cloud::Kms::V1::CryptoKey CryptoKey} within a {Google::Cloud::Kms::V1::KeyRing KeyRing}.
           #
-          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} is required.
+          # {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} and
+          # {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#algorithm CryptoKey#version_template#algorithm}
+          # are required.
           #
           # @param parent [String]
           #   Required. The {Google::Cloud::Kms::V1::KeyRing#name name} of the KeyRing associated with the
@@ -952,6 +965,8 @@ module Google
           end
 
           # Encrypts data, so that it can only be recovered by a call to {Google::Cloud::Kms::V1::KeyManagementService::Decrypt Decrypt}.
+          # The {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose} must be
+          # {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
           #
           # @param name [String]
           #   Required. The resource name of the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} or {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion}
@@ -961,10 +976,23 @@ module Google
           #   {Google::Cloud::Kms::V1::CryptoKey#primary primary version}.
           # @param plaintext [String]
           #   Required. The data to encrypt. Must be no larger than 64KiB.
+          #
+          #   The maximum size depends on the key version's
+          #   {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}. For
+          #   {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the plaintext must be no larger
+          #   than 64KiB. For {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of the
+          #   plaintext and additional_authenticated_data fields must be no larger than
+          #   8KiB.
           # @param additional_authenticated_data [String]
           #   Optional data that, if specified, must also be provided during decryption
-          #   through {Google::Cloud::Kms::V1::DecryptRequest#additional_authenticated_data DecryptRequest#additional_authenticated_data}.  Must be no
-          #   larger than 64KiB.
+          #   through {Google::Cloud::Kms::V1::DecryptRequest#additional_authenticated_data DecryptRequest#additional_authenticated_data}.
+          #
+          #   The maximum size depends on the key version's
+          #   {Google::Cloud::Kms::V1::CryptoKeyVersionTemplate#protection_level protection_level}. For
+          #   {Google::Cloud::Kms::V1::ProtectionLevel::SOFTWARE SOFTWARE} keys, the AAD must be no larger than
+          #   64KiB. For {Google::Cloud::Kms::V1::ProtectionLevel::HSM HSM} keys, the combined length of the
+          #   plaintext and additional_authenticated_data fields must be no larger than
+          #   8KiB.
           # @param options [Google::Gax::CallOptions]
           #   Overrides the default settings for this call, e.g, timeout,
           #   retries, etc.
@@ -998,7 +1026,8 @@ module Google
             @encrypt.call(req, options, &block)
           end
 
-          # Decrypts data that was protected by {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt}.
+          # Decrypts data that was protected by {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt}. The {Google::Cloud::Kms::V1::CryptoKey#purpose CryptoKey#purpose}
+          # must be {Google::Cloud::Kms::V1::CryptoKey::CryptoKeyPurpose::ENCRYPT_DECRYPT ENCRYPT_DECRYPT}.
           #
           # @param name [String]
           #   Required. The resource name of the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} to use for decryption.
@@ -1042,7 +1071,9 @@ module Google
             @decrypt.call(req, options, &block)
           end
 
-          # Update the version of a {Google::Cloud::Kms::V1::CryptoKey CryptoKey} that will be used in {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt}
+          # Update the version of a {Google::Cloud::Kms::V1::CryptoKey CryptoKey} that will be used in {Google::Cloud::Kms::V1::KeyManagementService::Encrypt Encrypt}.
+          #
+          # Returns an error if called on an asymmetric key.
           #
           # @param name [String]
           #   The resource name of the {Google::Cloud::Kms::V1::CryptoKey CryptoKey} to update.
@@ -1121,7 +1152,7 @@ module Google
           end
 
           # Restore a {Google::Cloud::Kms::V1::CryptoKeyVersion CryptoKeyVersion} in the
-          # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED},
+          # {Google::Cloud::Kms::V1::CryptoKeyVersion::CryptoKeyVersionState::DESTROY_SCHEDULED DESTROY_SCHEDULED}
           # state.
           #
           # Upon restoration of the CryptoKeyVersion, {Google::Cloud::Kms::V1::CryptoKeyVersion#state state}

data/lib/google/cloud/kms/v1/resources_pb.rb

@@ -18,6 +18,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     optional :purpose, :enum, 3, "google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose"
     optional :create_time, :message, 5, "google.protobuf.Timestamp"
     optional :next_rotation_time, :message, 7, "google.protobuf.Timestamp"
+    optional :version_template, :message, 11, "google.cloud.kms.v1.CryptoKeyVersionTemplate"
     map :labels, :string, :string, 10
     oneof :rotation_schedule do
       optional :rotation_period, :message, 8, "google.protobuf.Duration"
@@ -26,21 +27,68 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
   add_enum "google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose" do
     value :CRYPTO_KEY_PURPOSE_UNSPECIFIED, 0
     value :ENCRYPT_DECRYPT, 1
+    value :ASYMMETRIC_SIGN, 5
+    value :ASYMMETRIC_DECRYPT, 6
+  end
+  add_message "google.cloud.kms.v1.CryptoKeyVersionTemplate" do
+    optional :protection_level, :enum, 1, "google.cloud.kms.v1.ProtectionLevel"
+    optional :algorithm, :enum, 3, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
+  end
+  add_message "google.cloud.kms.v1.KeyOperationAttestation" do
+    optional :format, :enum, 4, "google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat"
+    optional :content, :bytes, 5
+  end
+  add_enum "google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat" do
+    value :ATTESTATION_FORMAT_UNSPECIFIED, 0
+    value :CAVIUM_V1_COMPRESSED, 3
   end
   add_message "google.cloud.kms.v1.CryptoKeyVersion" do
     optional :name, :string, 1
     optional :state, :enum, 3, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState"
+    optional :protection_level, :enum, 7, "google.cloud.kms.v1.ProtectionLevel"
+    optional :algorithm, :enum, 10, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
+    optional :attestation, :message, 8, "google.cloud.kms.v1.KeyOperationAttestation"
     optional :create_time, :message, 4, "google.protobuf.Timestamp"
+    optional :generate_time, :message, 11, "google.protobuf.Timestamp"
     optional :destroy_time, :message, 5, "google.protobuf.Timestamp"
     optional :destroy_event_time, :message, 6, "google.protobuf.Timestamp"
   end
+  add_enum "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm" do
+    value :CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED, 0
+    value :GOOGLE_SYMMETRIC_ENCRYPTION, 1
+    value :RSA_SIGN_PSS_2048_SHA256, 2
+    value :RSA_SIGN_PSS_3072_SHA256, 3
+    value :RSA_SIGN_PSS_4096_SHA256, 4
+    value :RSA_SIGN_PKCS1_2048_SHA256, 5
+    value :RSA_SIGN_PKCS1_3072_SHA256, 6
+    value :RSA_SIGN_PKCS1_4096_SHA256, 7
+    value :RSA_DECRYPT_OAEP_2048_SHA256, 8
+    value :RSA_DECRYPT_OAEP_3072_SHA256, 9
+    value :RSA_DECRYPT_OAEP_4096_SHA256, 10
+    value :EC_SIGN_P256_SHA256, 12
+    value :EC_SIGN_P384_SHA384, 13
+  end
   add_enum "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState" do
     value :CRYPTO_KEY_VERSION_STATE_UNSPECIFIED, 0
+    value :PENDING_GENERATION, 5
     value :ENABLED, 1
     value :DISABLED, 2
     value :DESTROYED, 3
     value :DESTROY_SCHEDULED, 4
   end
+  add_enum "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView" do
+    value :CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED, 0
+    value :FULL, 1
+  end
+  add_message "google.cloud.kms.v1.PublicKey" do
+    optional :pem, :string, 1
+    optional :algorithm, :enum, 2, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm"
+  end
+  add_enum "google.cloud.kms.v1.ProtectionLevel" do
+    value :PROTECTION_LEVEL_UNSPECIFIED, 0
+    value :SOFTWARE, 1
+    value :HSM, 2
+  end
 end
 
 module Google
@@ -50,8 +98,15 @@ module Google
         KeyRing = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.KeyRing").msgclass
         CryptoKey = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKey").msgclass
         CryptoKey::CryptoKeyPurpose = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose").enummodule
+        CryptoKeyVersionTemplate = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKeyVersionTemplate").msgclass
+        KeyOperationAttestation = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.KeyOperationAttestation").msgclass
+        KeyOperationAttestation::AttestationFormat = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.KeyOperationAttestation.AttestationFormat").enummodule
         CryptoKeyVersion = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKeyVersion").msgclass
+        CryptoKeyVersion::CryptoKeyVersionAlgorithm = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm").enummodule
         CryptoKeyVersion::CryptoKeyVersionState = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState").enummodule
+        CryptoKeyVersion::CryptoKeyVersionView = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView").enummodule
+        PublicKey = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.PublicKey").msgclass
+        ProtectionLevel = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.ProtectionLevel").enummodule
       end
     end
   end

data/lib/google/cloud/kms/v1/service_pb.rb

@@ -19,11 +19,13 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     optional :parent, :string, 1
     optional :page_size, :int32, 2
     optional :page_token, :string, 3
+    optional :version_view, :enum, 4, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView"
   end
   add_message "google.cloud.kms.v1.ListCryptoKeyVersionsRequest" do
     optional :parent, :string, 1
     optional :page_size, :int32, 2
     optional :page_token, :string, 3
+    optional :view, :enum, 4, "google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionView"
   end
   add_message "google.cloud.kms.v1.ListKeyRingsResponse" do
     repeated :key_rings, :message, 1, "google.cloud.kms.v1.KeyRing"
@@ -49,6 +51,9 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
   add_message "google.cloud.kms.v1.GetCryptoKeyVersionRequest" do
     optional :name, :string, 1
   end
+  add_message "google.cloud.kms.v1.GetPublicKeyRequest" do
+    optional :name, :string, 1
+  end
   add_message "google.cloud.kms.v1.CreateKeyRingRequest" do
     optional :parent, :string, 1
     optional :key_ring_id, :string, 2
@@ -81,6 +86,14 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     optional :ciphertext, :bytes, 2
     optional :additional_authenticated_data, :bytes, 3
   end
+  add_message "google.cloud.kms.v1.AsymmetricSignRequest" do
+    optional :name, :string, 1
+    optional :digest, :message, 3, "google.cloud.kms.v1.Digest"
+  end
+  add_message "google.cloud.kms.v1.AsymmetricDecryptRequest" do
+    optional :name, :string, 1
+    optional :ciphertext, :bytes, 3
+  end
   add_message "google.cloud.kms.v1.DecryptResponse" do
     optional :plaintext, :bytes, 1
   end
@@ -88,6 +101,12 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     optional :name, :string, 1
     optional :ciphertext, :bytes, 2
   end
+  add_message "google.cloud.kms.v1.AsymmetricSignResponse" do
+    optional :signature, :bytes, 1
+  end
+  add_message "google.cloud.kms.v1.AsymmetricDecryptResponse" do
+    optional :plaintext, :bytes, 1
+  end
   add_message "google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest" do
     optional :name, :string, 1
     optional :crypto_key_version_id, :string, 2
@@ -98,6 +117,16 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
   add_message "google.cloud.kms.v1.RestoreCryptoKeyVersionRequest" do
     optional :name, :string, 1
   end
+  add_message "google.cloud.kms.v1.Digest" do
+    oneof :digest do
+      optional :sha256, :bytes, 1
+      optional :sha384, :bytes, 2
+      optional :sha512, :bytes, 3
+    end
+  end
+  add_message "google.cloud.kms.v1.LocationMetadata" do
+    optional :hsm_available, :bool, 1
+  end
 end
 
 module Google
@@ -113,6 +142,7 @@ module Google
         GetKeyRingRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GetKeyRingRequest").msgclass
         GetCryptoKeyRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GetCryptoKeyRequest").msgclass
         GetCryptoKeyVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GetCryptoKeyVersionRequest").msgclass
+        GetPublicKeyRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.GetPublicKeyRequest").msgclass
         CreateKeyRingRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CreateKeyRingRequest").msgclass
         CreateCryptoKeyRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CreateCryptoKeyRequest").msgclass
         CreateCryptoKeyVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.CreateCryptoKeyVersionRequest").msgclass
@@ -120,11 +150,17 @@ module Google
         UpdateCryptoKeyVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyVersionRequest").msgclass
         EncryptRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.EncryptRequest").msgclass
         DecryptRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DecryptRequest").msgclass
+        AsymmetricSignRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricSignRequest").msgclass
+        AsymmetricDecryptRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricDecryptRequest").msgclass
         DecryptResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DecryptResponse").msgclass
         EncryptResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.EncryptResponse").msgclass
+        AsymmetricSignResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricSignResponse").msgclass
+        AsymmetricDecryptResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.AsymmetricDecryptResponse").msgclass
         UpdateCryptoKeyPrimaryVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.UpdateCryptoKeyPrimaryVersionRequest").msgclass
         DestroyCryptoKeyVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.DestroyCryptoKeyVersionRequest").msgclass
         RestoreCryptoKeyVersionRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.RestoreCryptoKeyVersionRequest").msgclass
+        Digest = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.Digest").msgclass
+        LocationMetadata = Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.kms.v1.LocationMetadata").msgclass
       end
     end
   end

data/lib/google/cloud/kms/v1/service_services_pb.rb

@@ -1,7 +1,7 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # Source: google/cloud/kms/v1/service.proto for package 'google.cloud.kms.v1'
 # Original file comments:
-# Copyright 2017 Google Inc.
+# Copyright 2018 Google LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+#
 
 
 require 'grpc'
@@ -33,6 +34,9 @@ module Google
           # * [KeyRing][google.cloud.kms.v1.KeyRing]
           # * [CryptoKey][google.cloud.kms.v1.CryptoKey]
           # * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+          #
+          # If you are using manual gRPC libraries, see
+          # [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
           class Service
 
             include GRPC::GenericService
@@ -54,11 +58,18 @@ module Google
             rpc :GetCryptoKey, GetCryptoKeyRequest, CryptoKey
             # Returns metadata for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
             rpc :GetCryptoKeyVersion, GetCryptoKeyVersionRequest, CryptoKeyVersion
+            # Returns the public key for the given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
+            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+            # [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN] or
+            # [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
+            rpc :GetPublicKey, GetPublicKeyRequest, PublicKey
             # Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and Location.
             rpc :CreateKeyRing, CreateKeyRingRequest, KeyRing
             # Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a [KeyRing][google.cloud.kms.v1.KeyRing].
             #
-            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is required.
+            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
+            # [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
+            # are required.
             rpc :CreateCryptoKey, CreateCryptoKeyRequest, CryptoKey
             # Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a [CryptoKey][google.cloud.kms.v1.CryptoKey].
             #
@@ -77,10 +88,23 @@ module Google
             # move between other states.
             rpc :UpdateCryptoKeyVersion, UpdateCryptoKeyVersionRequest, CryptoKeyVersion
             # Encrypts data, so that it can only be recovered by a call to [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
+            # The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
+            # [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
             rpc :Encrypt, EncryptRequest, EncryptResponse
-            # Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+            # Decrypts data that was protected by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # must be [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
             rpc :Decrypt, DecryptRequest, DecryptResponse
-            # Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]
+            # Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+            # ASYMMETRIC_SIGN, producing a signature that can be verified with the public
+            # key retrieved from [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
+            rpc :AsymmetricSign, AsymmetricSignRequest, AsymmetricSignResponse
+            # Decrypts data that was encrypted with a public key retrieved from
+            # [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey] corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
+            # [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] ASYMMETRIC_DECRYPT.
+            rpc :AsymmetricDecrypt, AsymmetricDecryptRequest, AsymmetricDecryptResponse
+            # Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
+            #
+            # Returns an error if called on an asymmetric key.
             rpc :UpdateCryptoKeyPrimaryVersion, UpdateCryptoKeyPrimaryVersionRequest, CryptoKey
             # Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for destruction.
             #
@@ -96,7 +120,7 @@ module Google
             # [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] may be called to reverse the process.
             rpc :DestroyCryptoKeyVersion, DestroyCryptoKeyVersionRequest, CryptoKeyVersion
             # Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
-            # [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
+            # [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
             # state.
             #
             # Upon restoration of the CryptoKeyVersion, [state][google.cloud.kms.v1.CryptoKeyVersion.state]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-kms
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Google LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-10 00:00:00.000000000 Z
+date: 2018-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-gax
@@ -108,8 +108,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-description: google-cloud-kms is the official library for Google Cloud Key Management
-  Service (KMS) API.
+description: google-cloud-kms is the official library for Cloud Key Management Service
+  (KMS) API.
 email: googleapis-packages@google.com
 executables: []
 extensions: []
@@ -128,7 +128,6 @@ files:
 - lib/google/cloud/kms/v1/doc/google/protobuf/duration.rb
 - lib/google/cloud/kms/v1/doc/google/protobuf/field_mask.rb
 - lib/google/cloud/kms/v1/doc/google/protobuf/timestamp.rb
-- lib/google/cloud/kms/v1/doc/overview.rb
 - lib/google/cloud/kms/v1/key_management_service_client.rb
 - lib/google/cloud/kms/v1/key_management_service_client_config.json
 - lib/google/cloud/kms/v1/resources_pb.rb
@@ -157,5 +156,5 @@ rubyforge_project:
 rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
-summary: API Client library for Google Cloud Key Management Service (KMS) API
+summary: API Client library for Cloud Key Management Service (KMS) API
 test_files: []

data/lib/google/cloud/kms/v1/doc/overview.rb

@@ -1,81 +0,0 @@
-# Copyright 2018 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-module Google
-  module Cloud
-    # rubocop:disable LineLength
-
-    ##
-    # # Ruby Client for Google Cloud Key Management Service (KMS) API ([Alpha](https://github.com/GoogleCloudPlatform/google-cloud-ruby#versioning))
-    #
-    # [Google Cloud Key Management Service (KMS) API][Product Documentation]:
-    # Manages encryption for your cloud services the same way you do on-premises.
-    # You can generate, use, rotate, and destroy AES256 encryption keys.
-    # - [Product Documentation][]
-    #
-    # ## Quick Start
-    # In order to use this library, you first need to go through the following
-    # steps:
-    #
-    # 1. [Select or create a Cloud Platform project.](https://console.cloud.google.com/project)
-    # 2. [Enable billing for your project.](https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_project)
-    # 3. [Enable the Google Cloud Key Management Service (KMS) API.](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
-    # 4. [Setup Authentication.](https://googlecloudplatform.github.io/google-cloud-ruby/#/docs/google-cloud/master/guides/authentication)
-    #
-    # ### Installation
-    # ```
-    # $ gem install google-cloud-kms
-    # ```
-    #
-    # ### Next Steps
-    # - Read the [Google Cloud Key Management Service (KMS) API Product documentation][Product Documentation]
-    #   to learn more about the product and see How-to Guides.
-    # - View this [repository's main README](https://github.com/GoogleCloudPlatform/google-cloud-ruby/blob/master/README.md)
-    #   to see the full list of Cloud APIs that we cover.
-    #
-    # [Product Documentation]: https://cloud.google.com/kms
-    #
-    # ## Enabling Logging
-    #
-    # To enable logging for this library, set the logger for the underlying [gRPC](https://github.com/grpc/grpc/tree/master/src/ruby) library.
-    # The logger that you set may be a Ruby stdlib [`Logger`](https://ruby-doc.org/stdlib-2.5.0/libdoc/logger/rdoc/Logger.html) as shown below,
-    # or a [`Google::Cloud::Logging::Logger`](https://googlecloudplatform.github.io/google-cloud-ruby/#/docs/google-cloud-logging/latest/google/cloud/logging/logger)
-    # that will write logs to [Stackdriver Logging](https://cloud.google.com/logging/). See [grpc/logconfig.rb](https://github.com/grpc/grpc/blob/master/src/ruby/lib/grpc/logconfig.rb)
-    # and the gRPC [spec_helper.rb](https://github.com/grpc/grpc/blob/master/src/ruby/spec/spec_helper.rb) for additional information.
-    #
-    # Configuring a Ruby stdlib logger:
-    #
-    # ```ruby
-    # require "logger"
-    #
-    # module MyLogger
-    #   LOGGER = Logger.new $stderr, level: Logger::WARN
-    #   def logger
-    #     LOGGER
-    #   end
-    # end
-    #
-    # # Define a gRPC module-level logger method before grpc/logconfig.rb loads.
-    # module GRPC
-    #   extend MyLogger
-    # end
-    # ```
-    #
-    module Kms
-      module V1
-      end
-    end
-  end
-end