|
1795 | 1795 | "https://www.googleapis.com/auth/cloudkms"
|
1796 | 1796 | ]
|
1797 | 1797 | },
|
| 1798 | + "decapsulate": { |
| 1799 | + "description": "Decapsulates data that was encapsulated with a public key retrieved from GetPublicKey corresponding to a CryptoKeyVersion with CryptoKey.purpose KEY_ENCAPSULATION.", |
| 1800 | + "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/keyRings/{keyRingsId}/cryptoKeys/{cryptoKeysId}/cryptoKeyVersions/{cryptoKeyVersionsId}:decapsulate", |
| 1801 | + "httpMethod": "POST", |
| 1802 | + "id": "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.decapsulate", |
| 1803 | + "parameterOrder": [ |
| 1804 | + "name" |
| 1805 | + ], |
| 1806 | + "parameters": { |
| 1807 | + "name": { |
| 1808 | + "description": "Required. The resource name of the CryptoKeyVersion to use for decapsulation.", |
| 1809 | + "location": "path", |
| 1810 | + "pattern": "^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[^/]+$", |
| 1811 | + "required": true, |
| 1812 | + "type": "string" |
| 1813 | + } |
| 1814 | + }, |
| 1815 | + "path": "v1/{+name}:decapsulate", |
| 1816 | + "request": { |
| 1817 | + "$ref": "DecapsulateRequest" |
| 1818 | + }, |
| 1819 | + "response": { |
| 1820 | + "$ref": "DecapsulateResponse" |
| 1821 | + }, |
| 1822 | + "scopes": [ |
| 1823 | + "https://www.googleapis.com/auth/cloud-platform", |
| 1824 | + "https://www.googleapis.com/auth/cloudkms" |
| 1825 | + ] |
| 1826 | + }, |
1798 | 1827 | "destroy": {
|
1799 | 1828 | "description": "Schedule a CryptoKeyVersion for destruction. Upon calling this method, CryptoKeyVersion.state will be set to DESTROY_SCHEDULED, and destroy_time will be set to the time destroy_scheduled_duration in the future. At that time, the state will automatically change to DESTROYED, and the key material will be irrevocably destroyed. Before the destroy_time is reached, RestoreCryptoKeyVersion may be called to reverse the process.",
|
1800 | 1829 | "flatPath": "v1/projects/{projectsId}/locations/{locationsId}/keyRings/{keyRingsId}/cryptoKeys/{cryptoKeysId}/cryptoKeyVersions/{cryptoKeyVersionsId}:destroy",
|
|
1871 | 1900 | "enum": [
|
1872 | 1901 | "PUBLIC_KEY_FORMAT_UNSPECIFIED",
|
1873 | 1902 | "PEM",
|
1874 |
| - "NIST_PQC" |
| 1903 | + "DER", |
| 1904 | + "NIST_PQC", |
| 1905 | + "XWING_RAW_BYTES" |
1875 | 1906 | ],
|
1876 | 1907 | "enumDescriptions": [
|
1877 | 1908 | "If the public_key_format field is not specified: - For PQC algorithms, an error will be returned. - For non-PQC algorithms, the default format is PEM, and the field pem will be populated. Otherwise, the public key will be exported through the public_key field in the requested format.",
|
1878 | 1909 | "The returned public key will be encoded in PEM format. See the [RFC7468](https://tools.ietf.org/html/rfc7468) sections for [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13) for more information.",
|
1879 |
| - "This is supported only for PQC algorithms. The key material is returned in the format defined by NIST PQC standards (FIPS 203, FIPS 204, and FIPS 205)." |
| 1910 | + "The returned public key will be encoded in DER format (the PrivateKeyInfo structure from RFC 5208).", |
| 1911 | + "This is supported only for PQC algorithms. The key material is returned in the format defined by NIST PQC standards (FIPS 203, FIPS 204, and FIPS 205).", |
| 1912 | + "The returned public key is in raw bytes format defined in its standard https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem." |
1880 | 1913 | ],
|
1881 | 1914 | "location": "query",
|
1882 | 1915 | "type": "string"
|
|
2402 | 2435 | }
|
2403 | 2436 | }
|
2404 | 2437 | },
|
2405 |
| - "revision": "20250523", |
| 2438 | + "revision": "20250731", |
2406 | 2439 | "rootUrl": "https://cloudkms.googleapis.com/",
|
2407 | 2440 | "schemas": {
|
2408 | 2441 | "AsymmetricDecryptRequest": {
|
|
2799 | 2832 | "ASYMMETRIC_SIGN",
|
2800 | 2833 | "ASYMMETRIC_DECRYPT",
|
2801 | 2834 | "RAW_ENCRYPT_DECRYPT",
|
2802 |
| - "MAC" |
| 2835 | + "MAC", |
| 2836 | + "KEY_ENCAPSULATION" |
2803 | 2837 | ],
|
2804 | 2838 | "enumDescriptions": [
|
2805 | 2839 | "Not specified.",
|
2806 | 2840 | "CryptoKeys with this purpose may be used with Encrypt and Decrypt.",
|
2807 | 2841 | "CryptoKeys with this purpose may be used with AsymmetricSign and GetPublicKey.",
|
2808 | 2842 | "CryptoKeys with this purpose may be used with AsymmetricDecrypt and GetPublicKey.",
|
2809 | 2843 | "CryptoKeys with this purpose may be used with RawEncrypt and RawDecrypt. This purpose is meant to be used for interoperable symmetric encryption and does not support automatic CryptoKey rotation.",
|
2810 |
| - "CryptoKeys with this purpose may be used with MacSign." |
| 2844 | + "CryptoKeys with this purpose may be used with MacSign.", |
| 2845 | + "CryptoKeys with this purpose may be used with GetPublicKey and Decapsulate." |
2811 | 2846 | ],
|
2812 | 2847 | "type": "string"
|
2813 | 2848 | },
|
|
2866 | 2901 | "HMAC_SHA512",
|
2867 | 2902 | "HMAC_SHA224",
|
2868 | 2903 | "EXTERNAL_SYMMETRIC_ENCRYPTION",
|
| 2904 | + "ML_KEM_768", |
| 2905 | + "ML_KEM_1024", |
| 2906 | + "KEM_XWING", |
2869 | 2907 | "PQ_SIGN_ML_DSA_65",
|
2870 | 2908 | "PQ_SIGN_SLH_DSA_SHA2_128S",
|
2871 | 2909 | "PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256"
|
|
2907 | 2945 | "HMAC-SHA512 signing with a 512 bit key.",
|
2908 | 2946 | "HMAC-SHA224 signing with a 224 bit key.",
|
2909 | 2947 | "Algorithm representing symmetric encryption by an external key manager.",
|
| 2948 | + "ML-KEM-768 (FIPS 203)", |
| 2949 | + "ML-KEM-1024 (FIPS 203)", |
| 2950 | + "X-Wing hybrid KEM combining ML-KEM-768 with X25519 following datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/.", |
2910 | 2951 | "The post-quantum Module-Lattice-Based Digital Signature Algorithm, at security level 3. Randomized version.",
|
2911 | 2952 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized version.",
|
2912 | 2953 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized pre-hash version supporting SHA256 digests."
|
|
3078 | 3119 | "HMAC_SHA512",
|
3079 | 3120 | "HMAC_SHA224",
|
3080 | 3121 | "EXTERNAL_SYMMETRIC_ENCRYPTION",
|
| 3122 | + "ML_KEM_768", |
| 3123 | + "ML_KEM_1024", |
| 3124 | + "KEM_XWING", |
3081 | 3125 | "PQ_SIGN_ML_DSA_65",
|
3082 | 3126 | "PQ_SIGN_SLH_DSA_SHA2_128S",
|
3083 | 3127 | "PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256"
|
|
3119 | 3163 | "HMAC-SHA512 signing with a 512 bit key.",
|
3120 | 3164 | "HMAC-SHA224 signing with a 224 bit key.",
|
3121 | 3165 | "Algorithm representing symmetric encryption by an external key manager.",
|
| 3166 | + "ML-KEM-768 (FIPS 203)", |
| 3167 | + "ML-KEM-1024 (FIPS 203)", |
| 3168 | + "X-Wing hybrid KEM combining ML-KEM-768 with X25519 following datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/.", |
3122 | 3169 | "The post-quantum Module-Lattice-Based Digital Signature Algorithm, at security level 3. Randomized version.",
|
3123 | 3170 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized version.",
|
3124 | 3171 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized pre-hash version supporting SHA256 digests."
|
|
3146 | 3193 | },
|
3147 | 3194 | "type": "object"
|
3148 | 3195 | },
|
| 3196 | + "DecapsulateRequest": { |
| 3197 | + "description": "Request message for KeyManagementService.Decapsulate.", |
| 3198 | + "id": "DecapsulateRequest", |
| 3199 | + "properties": { |
| 3200 | + "ciphertext": { |
| 3201 | + "description": "Required. The ciphertext produced from encapsulation with the named CryptoKeyVersion public key(s).", |
| 3202 | + "format": "byte", |
| 3203 | + "type": "string" |
| 3204 | + }, |
| 3205 | + "ciphertextCrc32c": { |
| 3206 | + "description": "Optional. A CRC32C checksum of the DecapsulateRequest.ciphertext. If specified, KeyManagementService will verify the integrity of the received DecapsulateRequest.ciphertext using this checksum. KeyManagementService will report an error if the checksum verification fails. If you receive a checksum error, your client should verify that CRC32C(DecapsulateRequest.ciphertext) is equal to DecapsulateRequest.ciphertext_crc32c, and if so, perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.", |
| 3207 | + "format": "int64", |
| 3208 | + "type": "string" |
| 3209 | + } |
| 3210 | + }, |
| 3211 | + "type": "object" |
| 3212 | + }, |
| 3213 | + "DecapsulateResponse": { |
| 3214 | + "description": "Response message for KeyManagementService.Decapsulate.", |
| 3215 | + "id": "DecapsulateResponse", |
| 3216 | + "properties": { |
| 3217 | + "name": { |
| 3218 | + "description": "The resource name of the CryptoKeyVersion used for decapsulation. Check this field to verify that the intended resource was used for decapsulation.", |
| 3219 | + "type": "string" |
| 3220 | + }, |
| 3221 | + "protectionLevel": { |
| 3222 | + "description": "The ProtectionLevel of the CryptoKeyVersion used in decapsulation.", |
| 3223 | + "enum": [ |
| 3224 | + "PROTECTION_LEVEL_UNSPECIFIED", |
| 3225 | + "SOFTWARE", |
| 3226 | + "HSM", |
| 3227 | + "EXTERNAL", |
| 3228 | + "EXTERNAL_VPC" |
| 3229 | + ], |
| 3230 | + "enumDescriptions": [ |
| 3231 | + "Not specified.", |
| 3232 | + "Crypto operations are performed in software.", |
| 3233 | + "Crypto operations are performed in a Hardware Security Module.", |
| 3234 | + "Crypto operations are performed by an external key manager.", |
| 3235 | + "Crypto operations are performed in an EKM-over-VPC backend." |
| 3236 | + ], |
| 3237 | + "type": "string" |
| 3238 | + }, |
| 3239 | + "sharedSecret": { |
| 3240 | + "description": "The decapsulated shared_secret originally encapsulated with the matching public key.", |
| 3241 | + "format": "byte", |
| 3242 | + "type": "string" |
| 3243 | + }, |
| 3244 | + "sharedSecretCrc32c": { |
| 3245 | + "description": "Integrity verification field. A CRC32C checksum of the returned DecapsulateResponse.shared_secret. An integrity check of DecapsulateResponse.shared_secret can be performed by computing the CRC32C checksum of DecapsulateResponse.shared_secret and comparing your results to this field. Discard the response in case of non-matching checksum values, and perform a limited number of retries. A persistent mismatch may indicate an issue in your computation of the CRC32C checksum. Note: receiving this response message indicates that KeyManagementService is able to successfully decrypt the ciphertext. Note: This field is defined as int64 for reasons of compatibility across different languages. However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type.", |
| 3246 | + "format": "int64", |
| 3247 | + "type": "string" |
| 3248 | + }, |
| 3249 | + "verifiedCiphertextCrc32c": { |
| 3250 | + "description": "Integrity verification field. A flag indicating whether DecapsulateRequest.ciphertext_crc32c was received by KeyManagementService and used for the integrity verification of the ciphertext. A false value of this field indicates either that DecapsulateRequest.ciphertext_crc32c was left unset or that it was not delivered to KeyManagementService. If you've set DecapsulateRequest.ciphertext_crc32c but this field is still false, discard the response and perform a limited number of retries.", |
| 3251 | + "type": "boolean" |
| 3252 | + } |
| 3253 | + }, |
| 3254 | + "type": "object" |
| 3255 | + }, |
3149 | 3256 | "DecryptRequest": {
|
3150 | 3257 | "description": "Request message for KeyManagementService.Decrypt.",
|
3151 | 3258 | "id": "DecryptRequest",
|
|
3505 | 3612 | "HMAC_SHA512",
|
3506 | 3613 | "HMAC_SHA224",
|
3507 | 3614 | "EXTERNAL_SYMMETRIC_ENCRYPTION",
|
| 3615 | + "ML_KEM_768", |
| 3616 | + "ML_KEM_1024", |
| 3617 | + "KEM_XWING", |
3508 | 3618 | "PQ_SIGN_ML_DSA_65",
|
3509 | 3619 | "PQ_SIGN_SLH_DSA_SHA2_128S",
|
3510 | 3620 | "PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256"
|
|
3546 | 3656 | "HMAC-SHA512 signing with a 512 bit key.",
|
3547 | 3657 | "HMAC-SHA224 signing with a 224 bit key.",
|
3548 | 3658 | "Algorithm representing symmetric encryption by an external key manager.",
|
| 3659 | + "ML-KEM-768 (FIPS 203)", |
| 3660 | + "ML-KEM-1024 (FIPS 203)", |
| 3661 | + "X-Wing hybrid KEM combining ML-KEM-768 with X25519 following datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/.", |
3549 | 3662 | "The post-quantum Module-Lattice-Based Digital Signature Algorithm, at security level 3. Randomized version.",
|
3550 | 3663 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized version.",
|
3551 | 3664 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized pre-hash version supporting SHA256 digests."
|
|
4260 | 4373 | "HMAC_SHA512",
|
4261 | 4374 | "HMAC_SHA224",
|
4262 | 4375 | "EXTERNAL_SYMMETRIC_ENCRYPTION",
|
| 4376 | + "ML_KEM_768", |
| 4377 | + "ML_KEM_1024", |
| 4378 | + "KEM_XWING", |
4263 | 4379 | "PQ_SIGN_ML_DSA_65",
|
4264 | 4380 | "PQ_SIGN_SLH_DSA_SHA2_128S",
|
4265 | 4381 | "PQ_SIGN_HASH_SLH_DSA_SHA2_128S_SHA256"
|
|
4301 | 4417 | "HMAC-SHA512 signing with a 512 bit key.",
|
4302 | 4418 | "HMAC-SHA224 signing with a 224 bit key.",
|
4303 | 4419 | "Algorithm representing symmetric encryption by an external key manager.",
|
| 4420 | + "ML-KEM-768 (FIPS 203)", |
| 4421 | + "ML-KEM-1024 (FIPS 203)", |
| 4422 | + "X-Wing hybrid KEM combining ML-KEM-768 with X25519 following datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/.", |
4304 | 4423 | "The post-quantum Module-Lattice-Based Digital Signature Algorithm, at security level 3. Randomized version.",
|
4305 | 4424 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized version.",
|
4306 | 4425 | "The post-quantum stateless hash-based digital signature algorithm, at security level 1. Randomized pre-hash version supporting SHA256 digests."
|
|
4347 | 4466 | "enum": [
|
4348 | 4467 | "PUBLIC_KEY_FORMAT_UNSPECIFIED",
|
4349 | 4468 | "PEM",
|
4350 |
| - "NIST_PQC" |
| 4469 | + "DER", |
| 4470 | + "NIST_PQC", |
| 4471 | + "XWING_RAW_BYTES" |
4351 | 4472 | ],
|
4352 | 4473 | "enumDescriptions": [
|
4353 | 4474 | "If the public_key_format field is not specified: - For PQC algorithms, an error will be returned. - For non-PQC algorithms, the default format is PEM, and the field pem will be populated. Otherwise, the public key will be exported through the public_key field in the requested format.",
|
4354 | 4475 | "The returned public key will be encoded in PEM format. See the [RFC7468](https://tools.ietf.org/html/rfc7468) sections for [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and [Textual Encoding of Subject Public Key Info] (https://tools.ietf.org/html/rfc7468#section-13) for more information.",
|
4355 |
| - "This is supported only for PQC algorithms. The key material is returned in the format defined by NIST PQC standards (FIPS 203, FIPS 204, and FIPS 205)." |
| 4476 | + "The returned public key will be encoded in DER format (the PrivateKeyInfo structure from RFC 5208).", |
| 4477 | + "This is supported only for PQC algorithms. The key material is returned in the format defined by NIST PQC standards (FIPS 203, FIPS 204, and FIPS 205).", |
| 4478 | + "The returned public key is in raw bytes format defined in its standard https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem." |
4356 | 4479 | ],
|
4357 | 4480 | "type": "string"
|
4358 | 4481 | }
|
|