From 2bdc13c92d6818a3a7eb51209a4dbff321855bc6 Mon Sep 17 00:00:00 2001 From: "gcf-owl-bot[bot]" <78513119+gcf-owl-bot[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 20:41:55 -0800 Subject: [PATCH] feat: add SHA-2 import methods (#3678) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add SHA-2 import methods PiperOrigin-RevId: 490250391 Source-Link: https://github.com/googleapis/googleapis/commit/4713c109a984e88155c7b0f6ba47739a05234d69 Source-Link: https://github.com/googleapis/googleapis-gen/commit/23c40fd800946befcc760f472e998db6b3b65d64 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiMjNjNDBmZDgwMDk0NmJlZmNjNzYwZjQ3MmU5OThkYjZiM2I2NWQ2NCJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot Co-authored-by: sofisl <55454395+sofisl@users.noreply.github.com> --- .../google/cloud/kms/v1/ekm_service.proto | 27 ++-- .../google/cloud/kms/v1/resources.proto | 45 +++++- .../protos/google/cloud/kms/v1/service.proto | 87 ++++++---- packages/google-cloud-kms/protos/protos.d.ts | 16 +- packages/google-cloud-kms/protos/protos.js | 148 ++++++++++++++++++ packages/google-cloud-kms/protos/protos.json | 27 +++- .../v1/key_management_service.encrypt.js | 10 +- ...ement_service.import_crypto_key_version.js | 43 +++-- .../snippet_metadata.google.cloud.kms.v1.json | 8 +- .../src/v1/key_management_service_client.ts | 58 +++++-- 10 files changed, 389 insertions(+), 80 deletions(-) diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto index de8669dbf3d..c179d4a6c35 100644 --- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto +++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/ekm_service.proto 
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -85,7 +85,8 @@ service EkmService {
 }
 }
-// Request message for [KeyManagementService.ListEkmConnections][].
+// Request message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
 message ListEkmConnectionsRequest {
 // Required. The resource name of the location associated with the
 // [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
@@ -123,7 +124,8 @@ message ListEkmConnectionsRequest {
 string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
 }
-// Response message for [KeyManagementService.ListEkmConnections][].
+// Response message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
 message ListEkmConnectionsResponse {
 // The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
 repeated EkmConnection ekm_connections = 1;
@@ -138,7 +140,8 @@ message ListEkmConnectionsResponse {
 int32 total_size = 3;
 }
-// Request message for [KeyManagementService.GetEkmConnection][].
+// Request message for
+// [EkmService.GetEkmConnection][google.cloud.kms.v1.EkmService.GetEkmConnection].
 message GetEkmConnectionRequest {
 // Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
 // [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
@@ -150,7 +153,8 @@ message GetEkmConnectionRequest {
 ];
 }
-// Request message for [KeyManagementService.CreateEkmConnection][].
+// Request message for
+// [EkmService.CreateEkmConnection][google.cloud.kms.v1.EkmService.CreateEkmConnection].
 message CreateEkmConnectionRequest {
 // Required. The resource name of the location associated with the
 // [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
@@ -171,7 +175,8 @@ message CreateEkmConnectionRequest {
 EkmConnection ekm_connection = 3 [(google.api.field_behavior) = REQUIRED];
 }
-// Request message for [KeyManagementService.UpdateEkmConnection][].
+// Request message for
+// [EkmService.UpdateEkmConnection][google.cloud.kms.v1.EkmService.UpdateEkmConnection].
 message UpdateEkmConnectionRequest {
 // Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
 // values.
@@ -263,7 +268,8 @@ message EkmConnection {
 string hostname = 3 [(google.api.field_behavior) = REQUIRED];
 // Required. A list of leaf server certificates used to authenticate HTTPS
- // connections to the EKM replica.
+ // connections to the EKM replica. Currently, a maximum of 10
+ // [Certificate][google.cloud.kms.v1.Certificate] is supported.
 repeated Certificate server_certificates = 4 [(google.api.field_behavior) = REQUIRED];
 }
@@ -286,8 +292,7 @@ message EkmConnection {
 // supported.
 repeated ServiceResolver service_resolvers = 3;
- // This checksum is computed by the server based on the value of other fields,
- // and may be sent on update requests to ensure the client has an up-to-date
- // value before proceeding.
- string etag = 5;
+ // Optional. Etag of the currently stored
+ // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+ string etag = 5 [(google.api.field_behavior) = OPTIONAL];
 }
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
index 5029f3e0348..fa89122c8a0 100644
--- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
+++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
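Review bot: The rewritten comment on `string etag = 5` drops the only statement of what the etag is for: the removed text said it is server-computed and may be sent on update requests so the client is known to hold the current value, while the new text only says it is the etag of the stored resource. Without that cue, callers of UpdateEkmConnection have no hint that omitting it allows a lost-update race on `server_certificates` and `service_resolvers`, which are the trust anchors for the EKM connection. Suggest keeping the precondition sentence, e.g. `// Optional. Etag of the currently stored EkmConnection. May be sent on update requests to ensure the client has an up-to-date value before proceeding.` (assuming the server still honours it as the old comment described). In the `server_certificates` hunk, `a maximum of 10 Certificate is supported` should read `a maximum of 10 Certificates are supported`.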
@@ -235,6 +235,9 @@ message KeyOperationAttestation {
 // Cavium HSM attestation compressed with gzip. Note that this format is
 // defined by Cavium and subject to change at any time.
+ //
+ // See
+ // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
 CAVIUM_V1_COMPRESSED = 3;
 // Cavium HSM attestation V2 compressed with gzip. This is a new format
@@ -403,6 +406,18 @@ message CryptoKeyVersion {
 // HMAC-SHA256 signing with a 256 bit key.
 HMAC_SHA256 = 32;
+ // HMAC-SHA1 signing with a 160 bit key.
+ HMAC_SHA1 = 33;
+
+ // HMAC-SHA384 signing with a 384 bit key.
+ HMAC_SHA384 = 34;
+
+ // HMAC-SHA512 signing with a 512 bit key.
+ HMAC_SHA512 = 35;
+
+ // HMAC-SHA224 signing with a 224 bit key.
+ HMAC_SHA224 = 36;
+
 // Algorithm representing symmetric encryption by an external key manager.
 EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
 }
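Review bot: `HMAC_SHA1 = 33` is added with the same one-line comment as the SHA-2 variants and nothing marks it as a compatibility option, so a reader choosing from this enum gets no steer away from it. HMAC-SHA1 is not broken by the SHA-1 collision results (HMAC does not depend on collision resistance), but SHA-1 is deprecated in most compliance baselines and the CryptoKeyVersionAlgorithm list is exactly where that policy decision gets made. Suggest `// HMAC-SHA1 signing with a 160 bit key. Provided for compatibility with existing systems; prefer HMAC_SHA256 or stronger for new keys.` The CAVIUM_V1_COMPRESSED link is a plain http(s) URL to a vendor page whose format is already described as "subject to change at any time"; a note that the attestation format, not this URL, is the contract would keep the comment honest if the page moves.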
@@ -676,6 +691,34 @@ message ImportJob {
 // [RSA AES key wrap
 // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
 RSA_OAEP_4096_SHA1_AES_256 = 2;
+
+ // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ // scheme defined in the PKCS #11 standard. In summary, this involves
+ // wrapping the raw key with an ephemeral AES key, and wrapping the
+ // ephemeral AES key with a 3072 bit RSA key. For more details, see
+ // [RSA AES key wrap
+ // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_3072_SHA256_AES_256 = 3;
+
+ // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+ // scheme defined in the PKCS #11 standard. In summary, this involves
+ // wrapping the raw key with an ephemeral AES key, and wrapping the
+ // ephemeral AES key with a 4096 bit RSA key. For more details, see
+ // [RSA AES key wrap
+ // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+ RSA_OAEP_4096_SHA256_AES_256 = 4;
+
+ // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
+ // key material to be imported is wrapped directly with the RSA key. Due
+ // to technical limitations of RSA wrapping, this method cannot be used to
+ // wrap RSA keys for import.
+ RSA_OAEP_3072_SHA256 = 5;
+
+ // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
+ // key material to be imported is wrapped directly with the RSA key. Due
+ // to technical limitations of RSA wrapping, this method cannot be used to
+ // wrap RSA keys for import.
+ RSA_OAEP_4096_SHA256 = 6;
 }
 // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
index 565678da32c..938f1e2550e 100644
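Review bot: The comments on `RSA_OAEP_3072_SHA256_AES_256 = 3` and `RSA_OAEP_4096_SHA256_AES_256 = 4` are verbatim copies of the SHA-1 variants' text and never state the one thing that differs, the OAEP/MGF1 hash, which is exactly the parameter a caller has to set on their HSM or OpenSSL wrap call and will get wrong if they copy an existing SHA-1 recipe. Suggest appending to each: `The ephemeral AES key is wrapped using RSAES-OAEP with SHA-256, MGF1 with SHA-256, and an empty label.` For `RSA_OAEP_3072_SHA256 = 5` and `RSA_OAEP_4096_SHA256 = 6`, "technical limitations of RSA wrapping" should be given as the actual size bound so a client can choose a method before generating wrapping material: RSAES-OAEP (RFC 8017) with SHA-256 can encrypt at most k - 2*hLen - 2 bytes, i.e. 318 bytes under a 3072-bit key and 446 bytes under a 4096-bit key, which is why a PKCS#8 RSA private key does not fit; confirm the service does not impose a tighter limit before documenting the exact numbers.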
--- a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
+++ b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -797,33 +797,56 @@ message ImportCryptoKeyVersionRequest {
 // material.
 string import_job = 4 [(google.api.field_behavior) = REQUIRED];
- // Required. The incoming wrapped key material that is to be imported.
+ // Optional. The wrapped key material to import.
+ //
+ // Before wrapping, key material must be formatted. If importing symmetric key
+ // material, the expected key material format is plain bytes. If importing
+ // asymmetric key material, the expected key material format is PKCS#8-encoded
+ // DER (the PrivateKeyInfo structure from RFC 5208).
+ //
+ // When wrapping with import methods
+ // ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+ // or
+ // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+ // or
+ // [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+ // or
+ // [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+ //
+ // this field must contain the concatenation of:
+ //
    + //
  1. An ephemeral AES-256 wrapping key wrapped with the + // [public_key][google.cloud.kms.v1.ImportJob.public_key] using + // RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty + // label. + //
  2. + //
  3. The formatted key to be imported, wrapped with the ephemeral AES-256 + // key using AES-KWP (RFC 5649). + //
  4. + //
+ //
+ // This format is the same as the format produced by PKCS#11 mechanism
+ // CKM_RSA_AES_KEY_WRAP.
+ //
+ // When wrapping with import methods
+ // ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+ // or
+ // [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+ //
+ // this field must contain the formatted key to be imported, wrapped with the
+ // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+ // with SHA-256, MGF1 with SHA-256, and an empty label.
+ bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL];
+
+ // This field is legacy. Use the field
+ // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]
+ // instead.
 oneof wrapped_key_material {
- // Wrapped key material produced with
- // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
- // or
- // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
- //
- // This field contains the concatenation of two wrapped keys:
- //
    - //
  1. An ephemeral AES-256 wrapping key wrapped with the - // [public_key][google.cloud.kms.v1.ImportJob.public_key] using - // RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an - // empty label. - //
  2. - //
  3. The key to be imported, wrapped with the ephemeral AES-256 key - // using AES-KWP (RFC 5649). - //
  4. - //
- //
- // If importing symmetric key material, it is expected that the unwrapped
- // key contains plain bytes. If importing asymmetric key material, it is
- // expected that the unwrapped key is in PKCS#8-encoded DER format (the
- // PrivateKeyInfo structure from RFC 5208).
- //
- // This format is the same as the format produced by PKCS#11 mechanism
- // CKM_RSA_AES_KEY_WRAP.
- bytes rsa_aes_wrapped_key = 5;
+ // Optional. This field has the same meaning as
+ // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+ // Prefer to use that field in new work. Either that field or this field
+ // (but not both) must be specified.
+ bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 }
@@ -935,7 +958,9 @@ message EncryptRequest {
 //
 // The maximum size depends on the key version's
 // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
- // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+ // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+ // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+ // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
 // plaintext must be no larger than 64KiB. For
 // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
 // the plaintext and additional_authenticated_data fields must be no larger
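Review bot: The new `bytes wrapped_key = 8` is declared outside `oneof wrapped_key_material`, so the schema can no longer express that exactly one of `wrapped_key` and `rsa_aes_wrapped_key` is set, and with `rsa_aes_wrapped_key` going from REQUIRED to OPTIONAL a request carrying neither (or both) now passes generated client validation — the protos.js verify added in this patch only type-checks the buffer. The "either that field or this field (but not both) must be specified" rule is stated only on the legacy field; a caller reading `wrapped_key` in isolation never sees it, so add the same sentence to the `wrapped_key` comment, e.g. `// Exactly one of this field and rsa_aes_wrapped_key must be set.` (server rejection of both/neither is inferred from the legacy comment and should be confirmed). Step 1 of the concatenation (the list lines above, which survive the hunk in garbled form) still reads `RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256` for four methods without saying which hash belongs to which; suggest `using RSAES-OAEP and MGF1 with the hash named in the import method (SHA-1 for the *_SHA1_* methods, SHA-256 for the *_SHA256_* methods) and an empty label.`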
@@ -948,8 +973,10 @@ message EncryptRequest { // // The maximum size depends on the key version's // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]. - // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD - // must be no larger than 64KiB. For + // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE], + // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and + // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the + // AAD must be no larger than 64KiB. For // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of // the plaintext and additional_authenticated_data fields must be no larger // than 8KiB. diff --git a/packages/google-cloud-kms/protos/protos.d.ts b/packages/google-cloud-kms/protos/protos.d.ts index 6b1a2b361e7..ae793a2ee75 100644 --- a/packages/google-cloud-kms/protos/protos.d.ts +++ b/packages/google-cloud-kms/protos/protos.d.ts @@ -1860,6 +1860,10 @@ export namespace google { EC_SIGN_P384_SHA384 = 13, EC_SIGN_SECP256K1_SHA256 = 31, HMAC_SHA256 = 32, + HMAC_SHA1 = 33, + HMAC_SHA384 = 34, + HMAC_SHA512 = 35, + HMAC_SHA224 = 36, EXTERNAL_SYMMETRIC_ENCRYPTION = 18 } @@ -2160,7 +2164,11 @@ export namespace google { enum ImportMethod { IMPORT_METHOD_UNSPECIFIED = 0, RSA_OAEP_3072_SHA1_AES_256 = 1, - RSA_OAEP_4096_SHA1_AES_256 = 2 + RSA_OAEP_4096_SHA1_AES_256 = 2, + RSA_OAEP_3072_SHA256_AES_256 = 3, + RSA_OAEP_4096_SHA256_AES_256 = 4, + RSA_OAEP_3072_SHA256 = 5, + RSA_OAEP_4096_SHA256 = 6 } /** ImportJobState enum. */ @@ -4710,6 +4718,9 @@ export namespace google { /** ImportCryptoKeyVersionRequest importJob */ importJob?: (string|null); + /** ImportCryptoKeyVersionRequest wrappedKey */ + wrappedKey?: (Uint8Array|string|null); + /** ImportCryptoKeyVersionRequest rsaAesWrappedKey */ rsaAesWrappedKey?: (Uint8Array|string|null); } 
@@ -4735,6 +4746,9 @@ export namespace google { /** ImportCryptoKeyVersionRequest importJob. */ public importJob: string; + /** ImportCryptoKeyVersionRequest wrappedKey. */ + public wrappedKey: (Uint8Array|string); + /** ImportCryptoKeyVersionRequest rsaAesWrappedKey. */ public rsaAesWrappedKey?: (Uint8Array|string|null); diff --git a/packages/google-cloud-kms/protos/protos.js b/packages/google-cloud-kms/protos/protos.js index 0bf83f9066c..a2fc64162af 100644 --- a/packages/google-cloud-kms/protos/protos.js +++ b/packages/google-cloud-kms/protos/protos.js @@ -3506,6 +3506,10 @@ case 13: case 31: case 32: + case 33: + case 34: + case 35: + case 36: case 18: break; } @@ -3655,6 +3659,22 @@ case 32: message.algorithm = 32; break; + case "HMAC_SHA1": + case 33: + message.algorithm = 33; + break; + case "HMAC_SHA384": + case 34: + message.algorithm = 34; + break; + case "HMAC_SHA512": + case 35: + message.algorithm = 35; + break; + case "HMAC_SHA224": + case 36: + message.algorithm = 36; + break; case "EXTERNAL_SYMMETRIC_ENCRYPTION": case 18: message.algorithm = 18; @@ -4700,6 +4720,10 @@ case 13: case 31: case 32: + case 33: + case 34: + case 35: + case 36: case 18: break; } @@ -4935,6 +4959,22 @@ case 32: message.algorithm = 32; break; + case "HMAC_SHA1": + case 33: + message.algorithm = 33; + break; + case "HMAC_SHA384": + case 34: + message.algorithm = 34; + break; + case "HMAC_SHA512": + case 35: + message.algorithm = 35; + break; + case "HMAC_SHA224": + case 36: + message.algorithm = 36; + break; case "EXTERNAL_SYMMETRIC_ENCRYPTION": case 18: message.algorithm = 18; 
@@ -5098,6 +5138,10 @@ * @property {number} EC_SIGN_P384_SHA384=13 EC_SIGN_P384_SHA384 value * @property {number} EC_SIGN_SECP256K1_SHA256=31 EC_SIGN_SECP256K1_SHA256 value * @property {number} HMAC_SHA256=32 HMAC_SHA256 value + * @property {number} HMAC_SHA1=33 HMAC_SHA1 value + * @property {number} HMAC_SHA384=34 HMAC_SHA384 value + * @property {number} HMAC_SHA512=35 HMAC_SHA512 value + * @property {number} HMAC_SHA224=36 HMAC_SHA224 value * @property {number} EXTERNAL_SYMMETRIC_ENCRYPTION=18 EXTERNAL_SYMMETRIC_ENCRYPTION value */ CryptoKeyVersion.CryptoKeyVersionAlgorithm = (function() { @@ -5126,6 +5170,10 @@ values[valuesById[13] = "EC_SIGN_P384_SHA384"] = 13; values[valuesById[31] = "EC_SIGN_SECP256K1_SHA256"] = 31; values[valuesById[32] = "HMAC_SHA256"] = 32; + values[valuesById[33] = "HMAC_SHA1"] = 33; + values[valuesById[34] = "HMAC_SHA384"] = 34; + values[valuesById[35] = "HMAC_SHA512"] = 35; + values[valuesById[36] = "HMAC_SHA224"] = 36; values[valuesById[18] = "EXTERNAL_SYMMETRIC_ENCRYPTION"] = 18; return values; })(); @@ -5395,6 +5443,10 @@ case 13: case 31: case 32: + case 33: + case 34: + case 35: + case 36: case 18: break; } @@ -5537,6 +5589,22 @@ case 32: message.algorithm = 32; break; + case "HMAC_SHA1": + case 33: + message.algorithm = 33; + break; + case "HMAC_SHA384": + case 34: + message.algorithm = 34; + break; + case "HMAC_SHA512": + case 35: + message.algorithm = 35; + break; + case "HMAC_SHA224": + case 36: + message.algorithm = 36; + break; case "EXTERNAL_SYMMETRIC_ENCRYPTION": case 18: message.algorithm = 18; @@ -5918,6 +5986,10 @@ case 0: case 1: case 2: + case 3: + case 4: + case 5: + case 6: break; } if (message.protectionLevel != null && message.hasOwnProperty("protectionLevel")) 
@@ -6007,6 +6079,22 @@ case 2: message.importMethod = 2; break; + case "RSA_OAEP_3072_SHA256_AES_256": + case 3: + message.importMethod = 3; + break; + case "RSA_OAEP_4096_SHA256_AES_256": + case 4: + message.importMethod = 4; + break; + case "RSA_OAEP_3072_SHA256": + case 5: + message.importMethod = 5; + break; + case "RSA_OAEP_4096_SHA256": + case 6: + message.importMethod = 6; + break; } switch (object.protectionLevel) { default: @@ -6174,12 +6262,20 @@ * @property {number} IMPORT_METHOD_UNSPECIFIED=0 IMPORT_METHOD_UNSPECIFIED value * @property {number} RSA_OAEP_3072_SHA1_AES_256=1 RSA_OAEP_3072_SHA1_AES_256 value * @property {number} RSA_OAEP_4096_SHA1_AES_256=2 RSA_OAEP_4096_SHA1_AES_256 value + * @property {number} RSA_OAEP_3072_SHA256_AES_256=3 RSA_OAEP_3072_SHA256_AES_256 value + * @property {number} RSA_OAEP_4096_SHA256_AES_256=4 RSA_OAEP_4096_SHA256_AES_256 value + * @property {number} RSA_OAEP_3072_SHA256=5 RSA_OAEP_3072_SHA256 value + * @property {number} RSA_OAEP_4096_SHA256=6 RSA_OAEP_4096_SHA256 value */ ImportJob.ImportMethod = (function() { var valuesById = {}, values = Object.create(valuesById); values[valuesById[0] = "IMPORT_METHOD_UNSPECIFIED"] = 0; values[valuesById[1] = "RSA_OAEP_3072_SHA1_AES_256"] = 1; values[valuesById[2] = "RSA_OAEP_4096_SHA1_AES_256"] = 2; + values[valuesById[3] = "RSA_OAEP_3072_SHA256_AES_256"] = 3; + values[valuesById[4] = "RSA_OAEP_4096_SHA256_AES_256"] = 4; + values[valuesById[5] = "RSA_OAEP_3072_SHA256"] = 5; + values[valuesById[6] = "RSA_OAEP_4096_SHA256"] = 6; return values; })(); 
@@ -11693,6 +11789,7 @@ * @property {string|null} [cryptoKeyVersion] ImportCryptoKeyVersionRequest cryptoKeyVersion * @property {google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm|null} [algorithm] ImportCryptoKeyVersionRequest algorithm * @property {string|null} [importJob] ImportCryptoKeyVersionRequest importJob + * @property {Uint8Array|null} [wrappedKey] ImportCryptoKeyVersionRequest wrappedKey * @property {Uint8Array|null} [rsaAesWrappedKey] ImportCryptoKeyVersionRequest rsaAesWrappedKey */ @@ -11743,6 +11840,14 @@ */ ImportCryptoKeyVersionRequest.prototype.importJob = ""; + /** + * ImportCryptoKeyVersionRequest wrappedKey. + * @member {Uint8Array} wrappedKey + * @memberof google.cloud.kms.v1.ImportCryptoKeyVersionRequest + * @instance + */ + ImportCryptoKeyVersionRequest.prototype.wrappedKey = $util.newBuffer([]); + /** * ImportCryptoKeyVersionRequest rsaAesWrappedKey. * @member {Uint8Array|null|undefined} rsaAesWrappedKey @@ -11799,6 +11904,8 @@ writer.uint32(/* id 5, wireType 2 =*/42).bytes(message.rsaAesWrappedKey); if (message.cryptoKeyVersion != null && Object.hasOwnProperty.call(message, "cryptoKeyVersion")) writer.uint32(/* id 6, wireType 2 =*/50).string(message.cryptoKeyVersion); + if (message.wrappedKey != null && Object.hasOwnProperty.call(message, "wrappedKey")) + writer.uint32(/* id 8, wireType 2 =*/66).bytes(message.wrappedKey); return writer; }; @@ -11849,6 +11956,10 @@ message.importJob = reader.string(); break; } + case 8: { + message.wrappedKey = reader.bytes(); + break; + } case 5: { message.rsaAesWrappedKey = reader.bytes(); break; 
@@ -11923,12 +12034,19 @@ case 13: case 31: case 32: + case 33: + case 34: + case 35: + case 36: case 18: break; } if (message.importJob != null && message.hasOwnProperty("importJob")) if (!$util.isString(message.importJob)) return "importJob: string expected"; + if (message.wrappedKey != null && message.hasOwnProperty("wrappedKey")) + if (!(message.wrappedKey && typeof message.wrappedKey.length === "number" || $util.isString(message.wrappedKey))) + return "wrappedKey: buffer expected"; if (message.rsaAesWrappedKey != null && message.hasOwnProperty("rsaAesWrappedKey")) { properties.wrappedKeyMaterial = 1; if (!(message.rsaAesWrappedKey && typeof message.rsaAesWrappedKey.length === "number" || $util.isString(message.rsaAesWrappedKey))) @@ -12056,6 +12174,22 @@ case 32: message.algorithm = 32; break; + case "HMAC_SHA1": + case 33: + message.algorithm = 33; + break; + case "HMAC_SHA384": + case 34: + message.algorithm = 34; + break; + case "HMAC_SHA512": + case 35: + message.algorithm = 35; + break; + case "HMAC_SHA224": + case 36: + message.algorithm = 36; + break; case "EXTERNAL_SYMMETRIC_ENCRYPTION": case 18: message.algorithm = 18; @@ -12063,6 +12197,11 @@ } if (object.importJob != null) message.importJob = String(object.importJob); + if (object.wrappedKey != null) + if (typeof object.wrappedKey === "string") + $util.base64.decode(object.wrappedKey, message.wrappedKey = $util.newBuffer($util.base64.length(object.wrappedKey)), 0); + else if (object.wrappedKey.length >= 0) + message.wrappedKey = object.wrappedKey; if (object.rsaAesWrappedKey != null) if (typeof object.rsaAesWrappedKey === "string") $util.base64.decode(object.rsaAesWrappedKey, message.rsaAesWrappedKey = $util.newBuffer($util.base64.length(object.rsaAesWrappedKey)), 0); 
@@ -12089,6 +12228,13 @@ object.algorithm = options.enums === String ? "CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED" : 0; object.importJob = ""; object.cryptoKeyVersion = ""; + if (options.bytes === String) + object.wrappedKey = ""; + else { + object.wrappedKey = []; + if (options.bytes !== Array) + object.wrappedKey = $util.newBuffer(object.wrappedKey); + } } if (message.parent != null && message.hasOwnProperty("parent")) object.parent = message.parent; @@ -12103,6 +12249,8 @@ } if (message.cryptoKeyVersion != null && message.hasOwnProperty("cryptoKeyVersion")) object.cryptoKeyVersion = message.cryptoKeyVersion; + if (message.wrappedKey != null && message.hasOwnProperty("wrappedKey")) + object.wrappedKey = options.bytes === String ? $util.base64.encode(message.wrappedKey, 0, message.wrappedKey.length) : options.bytes === Array ? Array.prototype.slice.call(message.wrappedKey) : message.wrappedKey; return object; }; diff --git a/packages/google-cloud-kms/protos/protos.json b/packages/google-cloud-kms/protos/protos.json index f9ebdff52ea..b532f93ffe5 100644 --- a/packages/google-cloud-kms/protos/protos.json +++ b/packages/google-cloud-kms/protos/protos.json @@ -311,7 +311,10 @@ }, "etag": { "type": "string", - "id": 5 + "id": 5, + "options": { + "(google.api.field_behavior)": "OPTIONAL" + } } }, "nested": { @@ -660,6 +663,10 @@ "EC_SIGN_P384_SHA384": 13, "EC_SIGN_SECP256K1_SHA256": 31, "HMAC_SHA256": 32, + "HMAC_SHA1": 33, + "HMAC_SHA384": 34, + "HMAC_SHA512": 35, + "HMAC_SHA224": 36, "EXTERNAL_SYMMETRIC_ENCRYPTION": 18 } }, @@ -793,7 +800,11 @@ "values": { "IMPORT_METHOD_UNSPECIFIED": 0, "RSA_OAEP_3072_SHA1_AES_256": 1, - "RSA_OAEP_4096_SHA1_AES_256": 2 + "RSA_OAEP_4096_SHA1_AES_256": 2, + "RSA_OAEP_3072_SHA256_AES_256": 3, + "RSA_OAEP_4096_SHA256_AES_256": 4, + "RSA_OAEP_3072_SHA256": 5, + "RSA_OAEP_4096_SHA256": 6 } }, "ImportJobState": { 
@@ -1751,9 +1762,19 @@ "(google.api.field_behavior)": "REQUIRED" } }, + "wrappedKey": { + "type": "bytes", + "id": 8, + "options": { + "(google.api.field_behavior)": "OPTIONAL" + } + }, "rsaAesWrappedKey": { "type": "bytes", - "id": 5 + "id": 5, + "options": { + "(google.api.field_behavior)": "OPTIONAL" + } } } }, diff --git a/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js b/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js index b3a69376f2b..d2ef7f91727 100644 --- a/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js +++ b/packages/google-cloud-kms/samples/generated/v1/key_management_service.encrypt.js @@ -41,7 +41,9 @@ function main(name, plaintext) { * Required. The data to encrypt. Must be no larger than 64KiB. * The maximum size depends on the key version's * protection_level google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level. - * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE keys, the + * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE, + * EXTERNAL google.cloud.kms.v1.ProtectionLevel.EXTERNAL, and + * EXTERNAL_VPC google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC keys, the * plaintext must be no larger than 64KiB. For * HSM google.cloud.kms.v1.ProtectionLevel.HSM keys, the combined length of * the plaintext and additional_authenticated_data fields must be no larger 
@@ -54,8 +56,10 @@ function main(name, plaintext) { * DecryptRequest.additional_authenticated_data google.cloud.kms.v1.DecryptRequest.additional_authenticated_data. * The maximum size depends on the key version's * protection_level google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level. - * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE keys, the AAD - * must be no larger than 64KiB. For + * For SOFTWARE google.cloud.kms.v1.ProtectionLevel.SOFTWARE, + * EXTERNAL google.cloud.kms.v1.ProtectionLevel.EXTERNAL, and + * EXTERNAL_VPC google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC keys the + * AAD must be no larger than 64KiB. For * HSM google.cloud.kms.v1.ProtectionLevel.HSM keys, the combined length of * the plaintext and additional_authenticated_data fields must be no larger * than 8KiB. diff --git a/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js b/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js index 9aa2b37b0b8..cf94f199960 100644 --- a/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js +++ b/packages/google-cloud-kms/samples/generated/v1/key_management_service.import_crypto_key_version.js 
@@ -72,27 +72,46 @@ function main(parent, algorithm, importJob) { */ // const importJob = 'abc123' /** - * Wrapped key material produced with - * RSA_OAEP_3072_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256 + * Optional. The wrapped key material to import. + * Before wrapping, key material must be formatted. If importing symmetric key + * material, the expected key material format is plain bytes. If importing + * asymmetric key material, the expected key material format is PKCS#8-encoded + * DER (the PrivateKeyInfo structure from RFC 5208). + * When wrapping with import methods + * (RSA_OAEP_3072_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256 * or - * RSA_OAEP_4096_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256. - * This field contains the concatenation of two wrapped keys: + * RSA_OAEP_4096_SHA1_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256 + * or + * RSA_OAEP_3072_SHA256_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256 + * or + * RSA_OAEP_4096_SHA256_AES_256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256), + * this field must contain the concatenation of: *
    *
  1. An ephemeral AES-256 wrapping key wrapped with the * public_key google.cloud.kms.v1.ImportJob.public_key using - * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an - * empty label. + * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty + * label. *
  2. - *
  3. The key to be imported, wrapped with the ephemeral AES-256 key - * using AES-KWP (RFC 5649). + *
  4. The formatted key to be imported, wrapped with the ephemeral AES-256 + * key using AES-KWP (RFC 5649). *
  5. *
- * If importing symmetric key material, it is expected that the unwrapped - * key contains plain bytes. If importing asymmetric key material, it is - * expected that the unwrapped key is in PKCS#8-encoded DER format (the - * PrivateKeyInfo structure from RFC 5208). * This format is the same as the format produced by PKCS#11 mechanism * CKM_RSA_AES_KEY_WRAP. + * When wrapping with import methods + * (RSA_OAEP_3072_SHA256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256 + * or + * RSA_OAEP_4096_SHA256 google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256), + * this field must contain the formatted key to be imported, wrapped with the + * public_key google.cloud.kms.v1.ImportJob.public_key using RSAES-OAEP + * with SHA-256, MGF1 with SHA-256, and an empty label. + */ + // const wrappedKey = 'Buffer.from('string')' + /** + * Optional. This field has the same meaning as + * wrapped_key google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key. + * Prefer to use that field in new work. Either that field or this field + * (but not both) must be specified. */ // const rsaAesWrappedKey = 'Buffer.from('string')' diff --git a/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json b/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json index f243bc07aa5..e09dfdc8809 100644 --- a/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json +++ b/packages/google-cloud-kms/samples/generated/v1/snippet_metadata.google.cloud.kms.v1.json @@ -786,7 +786,7 @@ "segments": [ { "start": 25, - "end": 118, + "end": 137, "type": "FULL" } ], @@ -811,6 +811,10 @@ "name": "import_job", "type": "TYPE_STRING" }, + { + "name": "wrapped_key", + "type": "TYPE_BYTES" + }, { "name": "rsa_aes_wrapped_key", "type": "TYPE_BYTES" @@ -1102,7 +1106,7 @@ "segments": [ { "start": 25, - "end": 127, + "end": 131, "type": "FULL" } ], 
diff --git a/packages/google-cloud-kms/src/v1/key_management_service_client.ts b/packages/google-cloud-kms/src/v1/key_management_service_client.ts index 6ef11fde1a0..e67b0362b26 100644 --- a/packages/google-cloud-kms/src/v1/key_management_service_client.ts +++ b/packages/google-cloud-kms/src/v1/key_management_service_client.ts @@ -1189,31 +1189,51 @@ export class KeyManagementServiceClient { * Required. The {@link google.cloud.kms.v1.ImportJob.name|name} of the * {@link google.cloud.kms.v1.ImportJob|ImportJob} that was used to wrap this key * material. - * @param {Buffer} request.rsaAesWrappedKey - * Wrapped key material produced with - * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256|RSA_OAEP_3072_SHA1_AES_256} + * @param {Buffer} [request.wrappedKey] + * Optional. The wrapped key material to import. + * + * Before wrapping, key material must be formatted. If importing symmetric key + * material, the expected key material format is plain bytes. If importing + * asymmetric key material, the expected key material format is PKCS#8-encoded + * DER (the PrivateKeyInfo structure from RFC 5208). + * + * When wrapping with import methods + * ({@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256|RSA_OAEP_3072_SHA1_AES_256} + * or + * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256|RSA_OAEP_4096_SHA1_AES_256} + * or + * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256|RSA_OAEP_3072_SHA256_AES_256} * or - * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256|RSA_OAEP_4096_SHA1_AES_256}. + * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256|RSA_OAEP_4096_SHA256_AES_256}), * - * This field contains the concatenation of two wrapped keys: + * this field must contain the concatenation of: *
    *
  1. An ephemeral AES-256 wrapping key wrapped with the * {@link google.cloud.kms.v1.ImportJob.public_key|public_key} using - * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an - * empty label. + * RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty + * label. *
  2. - *
  3. The key to be imported, wrapped with the ephemeral AES-256 key - * using AES-KWP (RFC 5649). + *
  4. The formatted key to be imported, wrapped with the ephemeral AES-256 + * key using AES-KWP (RFC 5649). *
  5. *
* - * If importing symmetric key material, it is expected that the unwrapped - * key contains plain bytes. If importing asymmetric key material, it is - * expected that the unwrapped key is in PKCS#8-encoded DER format (the - * PrivateKeyInfo structure from RFC 5208). - * * This format is the same as the format produced by PKCS#11 mechanism * CKM_RSA_AES_KEY_WRAP. + * + * When wrapping with import methods + * ({@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256|RSA_OAEP_3072_SHA256} + * or + * {@link google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256|RSA_OAEP_4096_SHA256}), + * + * this field must contain the formatted key to be imported, wrapped with the + * {@link google.cloud.kms.v1.ImportJob.public_key|public_key} using RSAES-OAEP + * with SHA-256, MGF1 with SHA-256, and an empty label. + * @param {Buffer} [request.rsaAesWrappedKey] + * Optional. This field has the same meaning as + * {@link google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key|wrapped_key}. + * Prefer to use that field in new work. Either that field or this field + * (but not both) must be specified. * @param {object} [options] * Call options. See {@link https://googleapis.dev/nodejs/google-gax/latest/interfaces/CallOptions.html|CallOptions} for more details. * @returns {Promise} - The promise which resolves to an array. 
@@ -1942,7 +1962,9 @@ export class KeyManagementServiceClient { * * The maximum size depends on the key version's * {@link google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level|protection_level}. - * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE} keys, the + * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE}, + * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL|EXTERNAL}, and + * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC|EXTERNAL_VPC} keys, the * plaintext must be no larger than 64KiB. For * {@link google.cloud.kms.v1.ProtectionLevel.HSM|HSM} keys, the combined length of * the plaintext and additional_authenticated_data fields must be no larger @@ -1954,8 +1976,10 @@ export class KeyManagementServiceClient { * * The maximum size depends on the key version's * {@link google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level|protection_level}. - * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE} keys, the AAD - * must be no larger than 64KiB. For + * For {@link google.cloud.kms.v1.ProtectionLevel.SOFTWARE|SOFTWARE}, + * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL|EXTERNAL}, and + * {@link google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC|EXTERNAL_VPC} keys the + * AAD must be no larger than 64KiB. For * {@link google.cloud.kms.v1.ProtectionLevel.HSM|HSM} keys, the combined length of * the plaintext and additional_authenticated_data fields must be no larger * than 8KiB.