feat: support external-μ in the Digest

PiperOrigin-RevId: 897686352

Author: Google APIs

google/cloud/kms/v1/cloudkms_grpc_service_config.json

@@ -39,10 +39,6 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "ListCryptoKeyVersions"
         },
-        {
-          "service": "google.cloud.kms.v1.KeyManagementService",
-          "method": "ListRetiredResources"
-        },
         {
           "service": "google.cloud.kms.v1.EkmService",
           "method": "GetEkmConnection"
@@ -63,10 +59,6 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "GetCryptoKeyVersion"
         },
-        {
-          "service": "google.cloud.kms.v1.KeyManagementService",
-          "method": "GetRetiredResource"
-        },
         {
           "service": "google.cloud.kms.v1.EkmService",
           "method": "CreateEkmConnection"
@@ -115,14 +107,6 @@
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "RestoreCryptoKeyVersion"
         },
-        {
-          "service": "google.cloud.kms.v1.KeyManagementService",
-          "method": "DeleteCryptoKey"
-        },
-        {
-          "service": "google.cloud.kms.v1.KeyManagementService",
-          "method": "DeleteCryptoKeyVersion"
-        },
         {
           "service": "google.cloud.kms.v1.KeyManagementService",
           "method": "GetPublicKey"
@@ -226,6 +210,22 @@
         {
           "service": "google.cloud.kms.v1.HsmManagement",
           "method": "DeleteSingleTenantHsmInstanceProposal"
+        },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "ListRetiredResources"
+        },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "GetRetiredResource"
+        },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "DeleteCryptoKey"
+        },
+        {
+          "service": "google.cloud.kms.v1.KeyManagementService",
+          "method": "DeleteCryptoKeyVersion"
         }
       ],
       "timeout": "60s",

google/cloud/kms/v1/cloudkms_v1.yaml

@@ -27,13 +27,22 @@ documentation:
   - selector: google.cloud.location.Locations.ListLocations
     description: |-
       Lists information about the supported locations for this service.
-      This method can be called in two ways:
 
-      *   **List all public locations:** Use the path `GET /v1/locations`.
-      *   **List project-visible locations:** Use the path
-      `GET /v1/projects/{project_id}/locations`. This may include public
-      locations as well as private or other locations specifically visible
-      to the project.
+      This method lists locations based on the resource scope provided in
+      the [ListLocationsRequest.name] field:
+
+      * **Global locations**: If `name` is empty, the method lists the
+      public locations available to all projects. * **Project-specific
+      locations**: If `name` follows the format
+      `projects/{project}`, the method lists locations visible to that
+      specific project. This includes public, private, or other
+      project-specific locations enabled for the project.
+
+      For gRPC and client library implementations, the resource name is
+      passed as the `name` field. For direct service calls, the resource
+      name is
+      incorporated into the request path based on the specific service
+      implementation and version.
 
   - selector: google.iam.v1.IAMPolicy.GetIamPolicy
     description: |-

google/cloud/kms/v1/resources.proto

@@ -223,6 +223,10 @@ message CryptoKey {
   // justification codes.
   // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
   // By default, this field is absent, and all justification codes are allowed.
+  // If the
+  // `key_access_justifications_policy.allowed_access_reasons`
+  // is empty (zero allowed justification code), all encrypt, decrypt, and sign
+  // operations will fail.
   KeyAccessJustificationsPolicy key_access_justifications_policy = 17
       [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1056,13 +1060,17 @@ message ExternalProtectionLevelOptions {
 // [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
 // specifies zero or more allowed
 // [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
-// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+// [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig]
+// (the default Key Access Justifications policy).
 message KeyAccessJustificationsPolicy {
   // The list of allowed reasons for access to a
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
-  // means all encrypt, decrypt, and sign operations for the
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
-  // fail.
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Note that empty
+  // allowed_access_reasons has a different meaning depending on where this
+  // message appears. If this is under
+  // [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig],
+  // it means allow-all. If this is under
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey], it means deny-all.
   repeated AccessReason allowed_access_reasons = 1;
 }
 

google/cloud/kms/v1/service.proto

@@ -2335,6 +2335,12 @@ message Digest {
 
     // A message digest produced with the SHA-512 algorithm.
     bytes sha512 = 3;
+
+    // A message digest produced with SHAKE-256, to be used with ML-DSA
+    // external-μ algorithms only. See "message representative" note in
+    // section 6.2, algorithm 7 of the FIPS-204 standard:
+    // https://doi.org/10.6028/nist.fips.204
+    bytes external_mu = 4;
   }
 }