feat: add SHA-2 import methods

PiperOrigin-RevId: 490250391
googleapis · Nov 22, 2022 · 4713c10 · 4713c10
1 parent fea1947
commit 4713c10
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 42 deletions.
diff --git a/google/cloud/kms/v1/cloudkms_v1.yaml b/google/cloud/kms/v1/cloudkms_v1.yaml
@@ -57,6 +57,7 @@ http:
     additional_bindings:
     - get: '/v1/{resource=projects/*/locations/*/keyRings/*/cryptoKeys/*}:getIamPolicy'
     - get: '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:getIamPolicy'
+    - get: '/v1/{resource=projects/*/locations/*/ekmConfig}:getIamPolicy'
     - get: '/v1/{resource=projects/*/locations/*/ekmConnections/*}:getIamPolicy'
   - selector: google.iam.v1.IAMPolicy.SetIamPolicy
     post: '/v1/{resource=projects/*/locations/*/keyRings/*}:setIamPolicy'
@@ -66,6 +67,8 @@ http:
       body: '*'
     - post: '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:setIamPolicy'
       body: '*'
+    - post: '/v1/{resource=projects/*/locations/*/ekmConfig}:setIamPolicy'
+      body: '*'
     - post: '/v1/{resource=projects/*/locations/*/ekmConnections/*}:setIamPolicy'
       body: '*'
   - selector: google.iam.v1.IAMPolicy.TestIamPermissions
@@ -76,6 +79,8 @@ http:
       body: '*'
     - post: '/v1/{resource=projects/*/locations/*/keyRings/*/importJobs/*}:testIamPermissions'
       body: '*'
+    - post: '/v1/{resource=projects/*/locations/*/ekmConfig}:testIamPermissions'
+      body: '*'
     - post: '/v1/{resource=projects/*/locations/*/ekmConnections/*}:testIamPermissions'
       body: '*'
 

diff --git a/google/cloud/kms/v1/ekm_service.proto b/google/cloud/kms/v1/ekm_service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -85,7 +85,8 @@ service EkmService {
   }
 }
 
-// Request message for [KeyManagementService.ListEkmConnections][].
+// Request message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
 message ListEkmConnectionsRequest {
   // Required. The resource name of the location associated with the
   // [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
@@ -123,7 +124,8 @@ message ListEkmConnectionsRequest {
   string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 
-// Response message for [KeyManagementService.ListEkmConnections][].
+// Response message for
+// [EkmService.ListEkmConnections][google.cloud.kms.v1.EkmService.ListEkmConnections].
 message ListEkmConnectionsResponse {
   // The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
   repeated EkmConnection ekm_connections = 1;
@@ -138,7 +140,8 @@ message ListEkmConnectionsResponse {
   int32 total_size = 3;
 }
 
-// Request message for [KeyManagementService.GetEkmConnection][].
+// Request message for
+// [EkmService.GetEkmConnection][google.cloud.kms.v1.EkmService.GetEkmConnection].
 message GetEkmConnectionRequest {
   // Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
   // [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
@@ -150,7 +153,8 @@ message GetEkmConnectionRequest {
   ];
 }
 
-// Request message for [KeyManagementService.CreateEkmConnection][].
+// Request message for
+// [EkmService.CreateEkmConnection][google.cloud.kms.v1.EkmService.CreateEkmConnection].
 message CreateEkmConnectionRequest {
   // Required. The resource name of the location associated with the
   // [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
@@ -171,7 +175,8 @@ message CreateEkmConnectionRequest {
   EkmConnection ekm_connection = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
-// Request message for [KeyManagementService.UpdateEkmConnection][].
+// Request message for
+// [EkmService.UpdateEkmConnection][google.cloud.kms.v1.EkmService.UpdateEkmConnection].
 message UpdateEkmConnectionRequest {
   // Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
   // values.
@@ -263,7 +268,8 @@ message EkmConnection {
     string hostname = 3 [(google.api.field_behavior) = REQUIRED];
 
     // Required. A list of leaf server certificates used to authenticate HTTPS
-    // connections to the EKM replica.
+    // connections to the EKM replica. Currently, a maximum of 10
+    // [Certificate][google.cloud.kms.v1.Certificate] is supported.
     repeated Certificate server_certificates = 4
         [(google.api.field_behavior) = REQUIRED];
   }
@@ -286,8 +292,7 @@ message EkmConnection {
   // supported.
   repeated ServiceResolver service_resolvers = 3;
 
-  // This checksum is computed by the server based on the value of other fields,
-  // and may be sent on update requests to ensure the client has an up-to-date
-  // value before proceeding.
-  string etag = 5;
+  // Optional. Etag of the currently stored
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+  string etag = 5 [(google.api.field_behavior) = OPTIONAL];
 }
diff --git a/google/cloud/kms/v1/resources.proto b/google/cloud/kms/v1/resources.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -235,6 +235,9 @@ message KeyOperationAttestation {
 
     // Cavium HSM attestation compressed with gzip. Note that this format is
     // defined by Cavium and subject to change at any time.
+    //
+    // See
+    // https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html.
     CAVIUM_V1_COMPRESSED = 3;
 
     // Cavium HSM attestation V2 compressed with gzip. This is a new format
@@ -688,6 +691,34 @@ message ImportJob {
     // [RSA AES key wrap
     // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
     RSA_OAEP_4096_SHA1_AES_256 = 2;
+
+    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+    // scheme defined in the PKCS #11 standard. In summary, this involves
+    // wrapping the raw key with an ephemeral AES key, and wrapping the
+    // ephemeral AES key with a 3072 bit RSA key. For more details, see
+    // [RSA AES key wrap
+    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+    RSA_OAEP_3072_SHA256_AES_256 = 3;
+
+    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
+    // scheme defined in the PKCS #11 standard. In summary, this involves
+    // wrapping the raw key with an ephemeral AES key, and wrapping the
+    // ephemeral AES key with a 4096 bit RSA key. For more details, see
+    // [RSA AES key wrap
+    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
+    RSA_OAEP_4096_SHA256_AES_256 = 4;
+
+    // This ImportMethod represents RSAES-OAEP with a 3072 bit RSA key. The
+    // key material to be imported is wrapped directly with the RSA key. Due
+    // to technical limitations of RSA wrapping, this method cannot be used to
+    // wrap RSA keys for import.
+    RSA_OAEP_3072_SHA256 = 5;
+
+    // This ImportMethod represents RSAES-OAEP with a 4096 bit RSA key. The
+    // key material to be imported is wrapped directly with the RSA key. Due
+    // to technical limitations of RSA wrapping, this method cannot be used to
+    // wrap RSA keys for import.
+    RSA_OAEP_4096_SHA256 = 6;
   }
 
   // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if

diff --git a/google/cloud/kms/v1/service.proto b/google/cloud/kms/v1/service.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -797,33 +797,56 @@ message ImportCryptoKeyVersionRequest {
   // material.
   string import_job = 4 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. The incoming wrapped key material that is to be imported.
+  // Optional. The wrapped key material to import.
+  //
+  // Before wrapping, key material must be formatted. If importing symmetric key
+  // material, the expected key material format is plain bytes. If importing
+  // asymmetric key material, the expected key material format is PKCS#8-encoded
+  // DER (the PrivateKeyInfo structure from RFC 5208).
+  //
+  // When wrapping with import methods
+  // ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
+  // or
+  // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
+  // or
+  // [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
+  // or
+  // [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
+  //
+  // this field must contain the concatenation of:
+  // <ol>
+  //   <li>An ephemeral AES-256 wrapping key wrapped with the
+  //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
+  //       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
+  //       label.
+  //   </li>
+  //   <li>The formatted key to be imported, wrapped with the ephemeral AES-256
+  //       key using AES-KWP (RFC 5649).
+  //   </li>
+  // </ol>
+  //
+  // This format is the same as the format produced by PKCS#11 mechanism
+  // CKM_RSA_AES_KEY_WRAP.
+  //
+  // When wrapping with import methods
+  // ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
+  // or
+  // [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
+  //
+  // this field must contain the formatted key to be imported, wrapped with the
+  // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
+  // with SHA-256, MGF1 with SHA-256, and an empty label.
+  bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL];
+
+  // This field is legacy. Use the field
+  // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]
+  // instead.
   oneof wrapped_key_material {
-    // Wrapped key material produced with
-    // [RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
-    // or
-    // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256].
-    //
-    // This field contains the concatenation of two wrapped keys:
-    // <ol>
-    //   <li>An ephemeral AES-256 wrapping key wrapped with the
-    //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
-    //       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an
-    //       empty label.
-    //   </li>
-    //   <li>The key to be imported, wrapped with the ephemeral AES-256 key
-    //       using AES-KWP (RFC 5649).
-    //   </li>
-    // </ol>
-    //
-    // If importing symmetric key material, it is expected that the unwrapped
-    // key contains plain bytes. If importing asymmetric key material, it is
-    // expected that the unwrapped key is in PKCS#8-encoded DER format (the
-    // PrivateKeyInfo structure from RFC 5208).
-    //
-    // This format is the same as the format produced by PKCS#11 mechanism
-    // CKM_RSA_AES_KEY_WRAP.
-    bytes rsa_aes_wrapped_key = 5;
+    // Optional. This field has the same meaning as
+    // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
+    // Prefer to use that field in new work. Either that field or this field
+    // (but not both) must be specified.
+    bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL];
   }
 }
 
@@ -935,7 +958,9 @@ message EncryptRequest {
   //
   // The maximum size depends on the key version's
   // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
-  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the
+  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
   // plaintext must be no larger than 64KiB. For
   // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
   // the plaintext and additional_authenticated_data fields must be no larger
@@ -948,8 +973,10 @@ message EncryptRequest {
   //
   // The maximum size depends on the key version's
   // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
-  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE] keys, the AAD
-  // must be no larger than 64KiB. For
+  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
+  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
+  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
+  // AAD must be no larger than 64KiB. For
   // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
   // the plaintext and additional_authenticated_data fields must be no larger
   // than 8KiB.