Promote 'experimental_certs' -> 'certs'

Change-Id: I996160b9eccd0dd46b30d5d4827f80af5dcd41ae

CHANGELOG.md

@@ -18,6 +18,8 @@ The following changes are included in the v1.3 (November 2023) release:
     config if used.
 *   Add configuration flag to skip fork handlers registration, for applications
     that don't need the library to work in the child process.
+*   Add configuration item to provide X.509 certificates that will be exposed
+    by the library when matched with a KMS key.
 *   Several internal dependencies were updated.
 
 ### PKCS#11 v1.2

kmsp11/config/config.proto

@@ -41,7 +41,7 @@ message LibraryConfig {
 
   // Optional. True means that X.509 certificates will be generated at runtime
   // for asymmetric KMS keys that are exposed in the library if no matching
-  // certificate is found in a token's `experimental_certs`. Certificates are
+  // certificate is found in a token's `certs`. Certificates are
   // not stable between runs of this library. This functionality is intended for
   // compatibility with the SunPKCS11 JCA provider; other use is discouraged.
   bool generate_certs = 5;
@@ -87,5 +87,5 @@ message TokenConfig {
 
   // Optional. PEM-formatted X.509 certificates that should be exposed by this
   // token if a matching KMS key is found.
-  repeated string experimental_certs = 3;
+  repeated string certs = 3;
 }

kmsp11/docs/user_guide.md

@@ -141,16 +141,10 @@ experimental_create_multiple_versions  | bool | No       | false   | Enables an
 
 ### Per token configuration
 
-Item Name | Type   | Required | Default | Description
---------- | ------ | -------- | ------- | -----------
-key_ring  | string | Yes      | None    | The full name of the KMS key ring whose keys will be made accessible.
-label     | string | No       | Empty   | The label to use for this token's `CK_TOKEN_INFO` structure. Setting a value here may help an application disambiguate tokens at runtime.
-
-#### Experimental token configuration options
-
-Item Name                              | Type            | Required | Default | Description
--------------------------------------- | --------------- | -------- | ------- | -----------
-experimental_certs                     | list of strings | No       | Empty   | Enables an experiment that exposes the provided PEM X.509 certificate(s) alongside any KMS keys they match.
+--------- | --------------- | -------- | ------- | -----------
+key_ring  | string          | Yes      | None    | The full name of the KMS key ring whose keys will be made accessible.
+label     | string          | No       | Empty   | The label to use for this token's `CK_TOKEN_INFO` structure. Setting a value here may help an application disambiguate tokens at runtime.
+certs     | list of strings | No       | Empty   | Exposes the provided PEM X.509 certificate(s) alongside any KMS keys they match.
 
 ## Functions
 

kmsp11/token.cc

@@ -86,7 +86,7 @@ absl::StatusOr<std::unique_ptr<Token>> Token::New(CK_SLOT_ID slot_id,
   ASSIGN_OR_RETURN(
       std::unique_ptr<ObjectLoader> loader,
       ObjectLoader::New(token_config.key_ring(),
-                        token_config.experimental_certs(), generate_certs));
+                        token_config.certs(), generate_certs));
   ASSIGN_OR_RETURN(ObjectStoreState state, loader->BuildState(*kms_client));
   ASSIGN_OR_RETURN(std::unique_ptr<ObjectStore> store, ObjectStore::New(state));