kpt-grpc-demo/google/cloud/kms/v1/service.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.kms.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/kms/v1/resources.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/wrappers.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
option java_multiple_files = true;
option java_outer_classname = "KmsProto";
option java_package = "com.google.cloud.kms.v1";
option php_namespace = "Google\\Cloud\\Kms\\V1";

// Google Cloud Key Management Service
//
// Manages cryptographic keys and operations using those keys. Implements a REST
// model with the following objects:
//
// * [KeyRing][google.cloud.kms.v1.KeyRing]
// * [CryptoKey][google.cloud.kms.v1.CryptoKey]
// * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
// * [ImportJob][google.cloud.kms.v1.ImportJob]
//
// If you are using manual gRPC libraries, see
// [Using gRPC with Cloud KMS](https://cloud.google.com/kms/docs/grpc).
service KeyManagementService {
  option (google.api.default_host) = "cloudkms.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform,"
      "https://www.googleapis.com/auth/cloudkms";

  // Lists [KeyRings][google.cloud.kms.v1.KeyRing].
  rpc ListKeyRings(ListKeyRingsRequest) returns (ListKeyRingsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/keyRings"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  rpc ListCryptoKeys(ListCryptoKeysRequest) returns (ListCryptoKeysResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  rpc ListCryptoKeyVersions(ListCryptoKeyVersionsRequest)
      returns (ListCryptoKeyVersionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists [ImportJobs][google.cloud.kms.v1.ImportJob].
  rpc ListImportJobs(ListImportJobsRequest) returns (ListImportJobsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Returns metadata for a given [KeyRing][google.cloud.kms.v1.KeyRing].
  rpc GetKeyRing(GetKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [CryptoKey][google.cloud.kms.v1.CryptoKey], as
  // well as its [primary][google.cloud.kms.v1.CryptoKey.primary]
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKey(GetCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  rpc GetCryptoKeyVersion(GetCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns the public key for the given
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN]
  // or
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKey) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}/publicKey"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata for a given [ImportJob][google.cloud.kms.v1.ImportJob].
  rpc GetImportJob(GetImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/importJobs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Create a new [KeyRing][google.cloud.kms.v1.KeyRing] in a given Project and
  // Location.
  rpc CreateKeyRing(CreateKeyRingRequest) returns (KeyRing) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/keyRings"
      body: "key_ring"
    };
    option (google.api.method_signature) = "parent,key_ring_id,key_ring";
  }

  // Create a new [CryptoKey][google.cloud.kms.v1.CryptoKey] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] and
  // [CryptoKey.version_template.algorithm][google.cloud.kms.v1.CryptoKeyVersionTemplate.algorithm]
  // are required.
  rpc CreateCryptoKey(CreateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/cryptoKeys"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "parent,crypto_key_id,crypto_key";
  }

  // Create a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // The server will assign the next sequential id. If unset,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED].
  rpc CreateCryptoKeyVersion(CreateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "parent,crypto_key_version";
  }

  // Import wrapped key material into a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // All requests must specify a [CryptoKey][google.cloud.kms.v1.CryptoKey]. If
  // a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] is additionally
  // specified in the request, key material will be reimported into that
  // version. Otherwise, a new version will be created, and will be assigned the
  // next sequential id within the [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc ImportCryptoKeyVersion(ImportCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*/cryptoKeys/*}/cryptoKeyVersions:import"
      body: "*"
    };
  }

  // Create a new [ImportJob][google.cloud.kms.v1.ImportJob] within a
  // [KeyRing][google.cloud.kms.v1.KeyRing].
  //
  // [ImportJob.import_method][google.cloud.kms.v1.ImportJob.import_method] is
  // required.
  rpc CreateImportJob(CreateImportJobRequest) returns (ImportJob) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/keyRings/*}/importJobs"
      body: "import_job"
    };
    option (google.api.method_signature) = "parent,import_job_id,import_job";
  }

  // Update a [CryptoKey][google.cloud.kms.v1.CryptoKey].
  rpc UpdateCryptoKey(UpdateCryptoKeyRequest) returns (CryptoKey) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key.name=projects/*/locations/*/keyRings/*/cryptoKeys/*}"
      body: "crypto_key"
    };
    option (google.api.method_signature) = "crypto_key,update_mask";
  }

  // Update a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s
  // metadata.
  //
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] may be changed between
  // [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED]
  // and
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED]
  // using this method. See
  // [DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]
  // and
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // to move between other states.
  rpc UpdateCryptoKeyVersion(UpdateCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      patch: "/v1/{crypto_key_version.name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}"
      body: "crypto_key_version"
    };
    option (google.api.method_signature) = "crypto_key_version,update_mask";
  }

  // Update the version of a [CryptoKey][google.cloud.kms.v1.CryptoKey] that
  // will be used in
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
  //
  // Returns an error if called on a key whose purpose is not
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc UpdateCryptoKeyPrimaryVersion(UpdateCryptoKeyPrimaryVersionRequest)
      returns (CryptoKey) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:updatePrimaryVersion"
      body: "*"
    };
    option (google.api.method_signature) = "name,crypto_key_version_id";
  }

  // Schedule a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for
  // destruction.
  //
  // Upon calling this method,
  // [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] will
  // be set to
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED],
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be set to the time
  // [destroy_scheduled_duration][google.cloud.kms.v1.CryptoKey.destroy_scheduled_duration]
  // in the future. At that time, the
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will automatically
  // change to
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED],
  // and the key material will be irrevocably destroyed.
  //
  // Before the
  // [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] is
  // reached,
  // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
  // may be called to reverse the process.
  rpc DestroyCryptoKeyVersion(DestroyCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:destroy"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Restore a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED]
  // state.
  //
  // Upon restoration of the CryptoKeyVersion,
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set to
  // [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED],
  // and [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] will
  // be cleared.
  rpc RestoreCryptoKeyVersion(RestoreCryptoKeyVersionRequest)
      returns (CryptoKeyVersion) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:restore"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Encrypts data, so that it can only be recovered by a call to
  // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Encrypt(EncryptRequest) returns (EncryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}:encrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,plaintext";
  }

  // Decrypts data that was protected by
  // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] must be
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  rpc Decrypt(DecryptRequest) returns (DecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*}:decrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_SIGN, producing a signature that can be verified with the public
  // key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
  rpc AsymmetricSign(AsymmetricSignRequest) returns (AsymmetricSignResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,digest";
  }

  // Decrypts data that was encrypted with a public key retrieved from
  // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
  // corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // ASYMMETRIC_DECRYPT.
  rpc AsymmetricDecrypt(AsymmetricDecryptRequest)
      returns (AsymmetricDecryptResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:asymmetricDecrypt"
      body: "*"
    };
    option (google.api.method_signature) = "name,ciphertext";
  }

  // Signs data using a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
  // with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC,
  // producing a tag that can be verified by another source with the same key.
  rpc MacSign(MacSignRequest) returns (MacSignResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macSign"
      body: "*"
    };
    option (google.api.method_signature) = "name,data";
  }

  // Verifies MAC tag using a
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, and returns
  // a response that indicates whether or not the verification was successful.
  rpc MacVerify(MacVerifyRequest) returns (MacVerifyResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*}:macVerify"
      body: "*"
    };
    option (google.api.method_signature) = "name,data,mac";
  }

  // Generate random bytes using the Cloud KMS randomness source in the provided
  // location.
  rpc GenerateRandomBytes(GenerateRandomBytesRequest)
      returns (GenerateRandomBytesResponse) {
    option (google.api.http) = {
      post: "/v1/{location=projects/*/locations/*}:generateRandomBytes"
      body: "*"
    };
    option (google.api.method_signature) =
        "location,length_bytes,protection_level";
  }
}

// Request message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Optional. Optional limit on the number of
  // [KeyRings][google.cloud.kms.v1.KeyRing] to include in the response. Further
  // [KeyRings][google.cloud.kms.v1.KeyRing] can subsequently be obtained by
  // including the
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token]
  // in a subsequent request.  If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Optional pagination token, returned earlier via
  // [ListKeyRingsResponse.next_page_token][google.cloud.kms.v1.ListKeyRingsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order.  For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Optional limit on the number of
  // [CryptoKeys][google.cloud.kms.v1.CryptoKey] to include in the response.
  // Further [CryptoKeys][google.cloud.kms.v1.CryptoKey] can subsequently be
  // obtained by including the
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token]
  // in a subsequent request.  If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Optional pagination token, returned earlier via
  // [ListCryptoKeysResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeysResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // The fields of the primary version to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView version_view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to list, in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. Optional limit on the number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] to include in the
  // response. Further [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]
  // can subsequently be obtained by including the
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Optional pagination token, returned earlier via
  // [ListCryptoKeyVersionsResponse.next_page_token][google.cloud.kms.v1.ListCryptoKeyVersionsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // The fields to include in the response.
  CryptoKeyVersion.CryptoKeyVersionView view = 4;

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 6 [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsRequest {
  // Required. The resource name of the [KeyRing][google.cloud.kms.v1.KeyRing]
  // to list, in the format `projects/*/locations/*/keyRings/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Optional. Optional limit on the number of
  // [ImportJobs][google.cloud.kms.v1.ImportJob] to include in the response.
  // Further [ImportJobs][google.cloud.kms.v1.ImportJob] can subsequently be
  // obtained by including the
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token]
  // in a subsequent request. If unspecified, the server will pick an
  // appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Optional pagination token, returned earlier via
  // [ListImportJobsResponse.next_page_token][google.cloud.kms.v1.ListImportJobsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Only include resources that match the filter in the response. For
  // more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specify how the results should be sorted. If not specified, the
  // results will be sorted in the default order. For more information, see
  // [Sorting and filtering list
  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [KeyManagementService.ListKeyRings][google.cloud.kms.v1.KeyManagementService.ListKeyRings].
message ListKeyRingsResponse {
  // The list of [KeyRings][google.cloud.kms.v1.KeyRing].
  repeated KeyRing key_rings = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListKeyRingsRequest.page_token][google.cloud.kms.v1.ListKeyRingsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [KeyRings][google.cloud.kms.v1.KeyRing] that matched
  // the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
message ListCryptoKeysResponse {
  // The list of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  repeated CryptoKey crypto_keys = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCryptoKeysRequest.page_token][google.cloud.kms.v1.ListCryptoKeysRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [CryptoKeys][google.cloud.kms.v1.CryptoKey] that
  // matched the query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions].
message ListCryptoKeyVersionsResponse {
  // The list of [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  repeated CryptoKeyVersion crypto_key_versions = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListCryptoKeyVersionsRequest.page_token][google.cloud.kms.v1.ListCryptoKeyVersionsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] that matched the
  // query.
  int32 total_size = 3;
}

// Response message for
// [KeyManagementService.ListImportJobs][google.cloud.kms.v1.KeyManagementService.ListImportJobs].
message ListImportJobsResponse {
  // The list of [ImportJobs][google.cloud.kms.v1.ImportJob].
  repeated ImportJob import_jobs = 1;

  // A token to retrieve next page of results. Pass this value in
  // [ListImportJobsRequest.page_token][google.cloud.kms.v1.ListImportJobsRequest.page_token]
  // to retrieve the next page of results.
  string next_page_token = 2;

  // The total number of [ImportJobs][google.cloud.kms.v1.ImportJob] that
  // matched the query.
  int32 total_size = 3;
}

// Request message for
// [KeyManagementService.GetKeyRing][google.cloud.kms.v1.KeyManagementService.GetKeyRing].
message GetKeyRingRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKey][google.cloud.kms.v1.KeyManagementService.GetCryptoKey].
message GetCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];
}

// Request message for
// [KeyManagementService.GetCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.GetCryptoKeyVersion].
message GetCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
message GetPublicKeyRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.GetImportJob][google.cloud.kms.v1.KeyManagementService.GetImportJob].
message GetImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] to get.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/ImportJob"
    }
  ];
}

// Request message for
// [KeyManagementService.CreateKeyRing][google.cloud.kms.v1.KeyManagementService.CreateKeyRing].
message CreateKeyRingRequest {
  // Required. The resource name of the location associated with the
  // [KeyRings][google.cloud.kms.v1.KeyRing], in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. It must be unique within a location and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string key_ring_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [KeyRing][google.cloud.kms.v1.KeyRing] with initial field
  // values.
  KeyRing key_ring = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey].
message CreateCryptoKeyRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the KeyRing
  // associated with the [CryptoKeys][google.cloud.kms.v1.CryptoKey].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. It must be unique within a KeyRing and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string crypto_key_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [CryptoKey][google.cloud.kms.v1.CryptoKey] with initial field
  // values.
  CryptoKey crypto_key = 3 [(google.api.field_behavior) = REQUIRED];

  // If set to true, the request will create a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] without any
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion]. You must
  // manually call
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
  // or
  // [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion]
  // before you can use this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  bool skip_initial_version_creation = 5;
}

// Request message for
// [KeyManagementService.CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion].
message CreateCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with the
  // [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // initial field values.
  CryptoKeyVersion crypto_key_version = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
message ImportCryptoKeyVersionRequest {
  // Required. The [name][google.cloud.kms.v1.CryptoKey.name] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to be imported into.
  //
  // The create permission is only required on this key when creating a new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Optional. The optional [name][google.cloud.kms.v1.CryptoKeyVersion.name] of
  // an existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to
  // target for an import operation. If this field is not present, a new
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] containing the
  // supplied key material is created.
  //
  // If this field is present, the supplied key material is imported into
  // the existing [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. To
  // import into an existing
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] must be a child of
  // [ImportCryptoKeyVersionRequest.parent][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.parent],
  // have been previously created via [ImportCryptoKeyVersion][], and be in
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]
  // or
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED]
  // state. The key material and algorithm must match the previous
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] exactly if the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] has ever contained
  // key material.
  string crypto_key_version = 6 [
    (google.api.field_behavior) = OPTIONAL,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];

  // Required. The
  // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // of the key being imported. This does not need to match the
  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] this version imports into.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2
      [(google.api.field_behavior) = REQUIRED];

  // Required. The [name][google.cloud.kms.v1.ImportJob.name] of the
  // [ImportJob][google.cloud.kms.v1.ImportJob] that was used to wrap this key
  // material.
  string import_job = 4 [(google.api.field_behavior) = REQUIRED];

  // Optional. The wrapped key material to import.
  //
  // Before wrapping, key material must be formatted. If importing symmetric key
  // material, the expected key material format is plain bytes. If importing
  // asymmetric key material, the expected key material format is PKCS#8-encoded
  // DER (the PrivateKeyInfo structure from RFC 5208).
  //
  // When wrapping with import methods
  // ([RSA_OAEP_3072_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA1_AES_256]
  // or
  // [RSA_OAEP_4096_SHA1_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA1_AES_256]
  // or
  // [RSA_OAEP_3072_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256_AES_256]
  // or
  // [RSA_OAEP_4096_SHA256_AES_256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256_AES_256]),
  //
  // this field must contain the concatenation of:
  // <ol>
  //   <li>An ephemeral AES-256 wrapping key wrapped with the
  //       [public_key][google.cloud.kms.v1.ImportJob.public_key] using
  //       RSAES-OAEP with SHA-1/SHA-256, MGF1 with SHA-1/SHA-256, and an empty
  //       label.
  //   </li>
  //   <li>The formatted key to be imported, wrapped with the ephemeral AES-256
  //       key using AES-KWP (RFC 5649).
  //   </li>
  // </ol>
  //
  // This format is the same as the format produced by PKCS#11 mechanism
  // CKM_RSA_AES_KEY_WRAP.
  //
  // When wrapping with import methods
  // ([RSA_OAEP_3072_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_3072_SHA256]
  // or
  // [RSA_OAEP_4096_SHA256][google.cloud.kms.v1.ImportJob.ImportMethod.RSA_OAEP_4096_SHA256]),
  //
  // this field must contain the formatted key to be imported, wrapped with the
  // [public_key][google.cloud.kms.v1.ImportJob.public_key] using RSAES-OAEP
  // with SHA-256, MGF1 with SHA-256, and an empty label.
  bytes wrapped_key = 8 [(google.api.field_behavior) = OPTIONAL];

  // This field is legacy. Use the field
  // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key]
  // instead.
  oneof wrapped_key_material {
    // Optional. This field has the same meaning as
    // [wrapped_key][google.cloud.kms.v1.ImportCryptoKeyVersionRequest.wrapped_key].
    // Prefer to use that field in new work. Either that field or this field
    // (but not both) must be specified.
    bytes rsa_aes_wrapped_key = 5 [(google.api.field_behavior) = OPTIONAL];
  }
}

// Request message for
// [KeyManagementService.CreateImportJob][google.cloud.kms.v1.KeyManagementService.CreateImportJob].
message CreateImportJobRequest {
  // Required. The [name][google.cloud.kms.v1.KeyRing.name] of the
  // [KeyRing][google.cloud.kms.v1.KeyRing] associated with the
  // [ImportJobs][google.cloud.kms.v1.ImportJob].
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/KeyRing"
    }
  ];

  // Required. It must be unique within a KeyRing and match the regular
  // expression `[a-zA-Z0-9_-]{1,63}`
  string import_job_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. An [ImportJob][google.cloud.kms.v1.ImportJob] with initial field
  // values.
  ImportJob import_job = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.UpdateCryptoKey][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKey].
message UpdateCryptoKeyRequest {
  // Required. [CryptoKey][google.cloud.kms.v1.CryptoKey] with updated values.
  CryptoKey crypto_key = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. List of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.UpdateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyVersion].
message UpdateCryptoKeyVersionRequest {
  // Required. [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with
  // updated values.
  CryptoKeyVersion crypto_key_version = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. List of fields to be updated in this request.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
message UpdateCryptoKeyPrimaryVersionRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to update.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. The id of the child
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use as primary.
  string crypto_key_version_id = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion].
message DestroyCryptoKeyVersionRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to destroy.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion].
message RestoreCryptoKeyVersionRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to restore.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];
}

// Request message for
// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
message EncryptRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] or
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // encryption.
  //
  // If a [CryptoKey][google.cloud.kms.v1.CryptoKey] is specified, the server
  // will use its [primary version][google.cloud.kms.v1.CryptoKey.primary].
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "*" }
  ];

  // Required. The data to encrypt. Must be no larger than 64KiB.
  //
  // The maximum size depends on the key version's
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys, the
  // plaintext must be no larger than 64KiB. For
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
  // the plaintext and additional_authenticated_data fields must be no larger
  // than 8KiB.
  bytes plaintext = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. Optional data that, if specified, must also be provided during
  // decryption through
  // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
  //
  // The maximum size depends on the key version's
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level].
  // For [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE],
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL], and
  // [EXTERNAL_VPC][google.cloud.kms.v1.ProtectionLevel.EXTERNAL_VPC] keys the
  // AAD must be no larger than 64KiB. For
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] keys, the combined length of
  // the plaintext and additional_authenticated_data fields must be no larger
  // than 8KiB.
  bytes additional_authenticated_data = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext])
  // is equal to
  // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value plaintext_crc32c = 7
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data])
  // is equal to
  // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value additional_authenticated_data_crc32c = 8
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
message DecryptRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] to use for decryption. The
  // server will choose the appropriate version.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKey"
    }
  ];

  // Required. The encrypted data originally returned in
  // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
  bytes ciphertext = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. Optional data that must match the data originally supplied in
  // [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data].
  bytes additional_authenticated_data = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([DecryptRequest.ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext])
  // is equal to
  // [DecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.DecryptRequest.ciphertext_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value ciphertext_crc32c = 5
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data])
  // is equal to
  // [DecryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value additional_authenticated_data_crc32c = 6
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
message AsymmetricSignRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // signing.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];

  // Optional. The digest of the data to sign. The digest must be produced with
  // the same digest algorithm as specified by the key version's
  // [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
  //
  // This field may not be supplied if
  // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
  // is supplied.
  Digest digest = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest])
  // is equal to
  // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value digest_crc32c = 4
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The data to sign.
  // It can't be supplied if
  // [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]
  // is supplied.
  bytes data = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. An optional CRC32C checksum of the
  // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data])
  // is equal to
  // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value data_crc32c = 7
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
message AsymmetricDecryptRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // decryption.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];

  // Required. The data encrypted with the named
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s public key using
  // OAEP.
  bytes ciphertext = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional CRC32C checksum of the
  // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext].
  // If specified,
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // verify the integrity of the received
  // [AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]
  // using this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([AsymmetricDecryptRequest.ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext])
  // is equal to
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value ciphertext_crc32c = 4
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
message MacSignRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // signing.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];

  // Required. The data to sign. The MAC tag is computed over this data field
  // based on the specific algorithm.
  bytes data = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional CRC32C checksum of the
  // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. If
  // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
  // will verify the integrity of the received
  // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] using this
  // checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
  // will report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) is
  // equal to
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value data_crc32c = 3
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
message MacVerifyRequest {
  // Required. The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
  // verification.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudkms.googleapis.com/CryptoKeyVersion"
    }
  ];

  // Required. The data used previously as a
  // [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] to generate
  // the MAC tag.
  bytes data = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional CRC32C checksum of the
  // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. If
  // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
  // will verify the integrity of the received
  // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] using
  // this checksum.
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will
  // report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data])
  // is equal to
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value data_crc32c = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Required. The signature to verify.
  bytes mac = 4 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional CRC32C checksum of the
  // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. If
  // specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
  // will verify the integrity of the received
  // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] using this
  // checksum. [KeyManagementService][google.cloud.kms.v1.KeyManagementService]
  // will report an error if the checksum verification fails. If you receive a
  // checksum error, your client should verify that
  // CRC32C([MacVerifyRequest.tag][]) is equal to
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c],
  // and if so, perform a limited number of retries. A persistent mismatch may
  // indicate an issue in your computation of the CRC32C checksum. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value mac_crc32c = 5
      [(google.api.field_behavior) = OPTIONAL];
}

// Request message for
// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
message GenerateRandomBytesRequest {
  // The project-specific location in which to generate random bytes.
  // For example, "projects/my-project/locations/us-central1".
  string location = 1;

  // The length in bytes of the amount of randomness to retrieve.  Minimum 8
  // bytes, maximum 1024 bytes.
  int32 length_bytes = 2;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when
  // generating the random data. Currently, only
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] protection level is
  // supported.
  ProtectionLevel protection_level = 3;
}

// Response message for
// [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt].
message EncryptResponse {
  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
  // encryption. Check this field to verify that the intended resource was used
  // for encryption.
  string name = 1;

  // The encrypted data.
  bytes ciphertext = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext].
  // An integrity check of
  // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
  // can be performed by computing the CRC32C checksum of
  // [EncryptResponse.ciphertext][google.cloud.kms.v1.EncryptResponse.ciphertext]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  google.protobuf.Int64Value ciphertext_crc32c = 4;

  // Integrity verification field. A flag indicating whether
  // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. A false value of
  // this field indicates either that
  // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_plaintext_crc32c = 5;

  // Integrity verification field. A flag indicating whether
  // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [AAD][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. A
  // false value of this field indicates either that
  // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_additional_authenticated_data_crc32c = 6;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
  // encryption.
  ProtectionLevel protection_level = 7;
}

// Response message for
// [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
message DecryptResponse {
  // The decrypted data originally supplied in
  // [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext].
  bytes plaintext = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext].
  // An integrity check of
  // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
  // can be performed by computing the CRC32C checksum of
  // [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: receiving this response message indicates that
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] is able to
  // successfully decrypt the
  // [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. Note: This
  // field is defined as int64 for reasons of compatibility across different
  // languages. However, it is a non-negative integer, which will never exceed
  // 2^32-1, and can be safely downconverted to uint32 in languages that support
  // this type.
  google.protobuf.Int64Value plaintext_crc32c = 2;

  // Whether the Decryption was performed using the primary key version.
  bool used_primary = 3;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
  // decryption.
  ProtectionLevel protection_level = 4;
}

// Response message for
// [KeyManagementService.AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign].
message AsymmetricSignResponse {
  // The created signature.
  bytes signature = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature].
  // An integrity check of
  // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
  // can be performed by computing the CRC32C checksum of
  // [AsymmetricSignResponse.signature][google.cloud.kms.v1.AsymmetricSignResponse.signature]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  google.protobuf.Int64Value signature_crc32c = 2;

  // Integrity verification field. A flag indicating whether
  // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. A false value
  // of this field indicates either that
  // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_digest_crc32c = 3;

  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  // Check this field to verify that the intended resource was used for signing.
  string name = 4;

  // Integrity verification field. A flag indicating whether
  // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of
  // this field indicates either that
  // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_data_crc32c = 5;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  ProtectionLevel protection_level = 6;
}

// Response message for
// [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
message AsymmetricDecryptResponse {
  // The decrypted data originally encrypted with the matching public key.
  bytes plaintext = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext].
  // An integrity check of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // can be performed by computing the CRC32C checksum of
  // [AsymmetricDecryptResponse.plaintext][google.cloud.kms.v1.AsymmetricDecryptResponse.plaintext]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  google.protobuf.Int64Value plaintext_crc32c = 2;

  // Integrity verification field. A flag indicating whether
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [ciphertext][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext]. A
  // false value of this field indicates either that
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_ciphertext_crc32c = 3;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used in
  // decryption.
  ProtectionLevel protection_level = 4;
}

// Response message for
// [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign].
message MacSignResponse {
  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  // Check this field to verify that the intended resource was used for signing.
  string name = 1;

  // The created signature.
  bytes mac = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. An
  // integrity check of
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] can be
  // performed by computing the CRC32C checksum of
  // [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] and
  // comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  google.protobuf.Int64Value mac_crc32c = 3;

  // Integrity verification field. A flag indicating whether
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.MacSignRequest.data]. A false value of this
  // field indicates either that
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_data_crc32c = 4;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
  ProtectionLevel protection_level = 5;
}

// Response message for
// [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify].
message MacVerifyResponse {
  // The resource name of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
  // verification. Check this field to verify that the intended resource was
  // used for verification.
  string name = 1;

  // This field indicates whether or not the verification operation for
  // [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] over
  // [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] was
  // successful.
  bool success = 2;

  // Integrity verification field. A flag indicating whether
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false value of this
  // field indicates either that
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_data_crc32c = 3;

  // Integrity verification field. A flag indicating whether
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // was received by
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used
  // for the integrity verification of the
  // [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false value of this
  // field indicates either that
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // was left unset or that it was not delivered to
  // [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
  // set
  // [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c]
  // but this field is still false, discard the response and perform a limited
  // number of retries.
  bool verified_mac_crc32c = 4;

  // Integrity verification field. This value is used for the integrity
  // verification of [MacVerifyResponse.success]. If the value of this field
  // contradicts the value of [MacVerifyResponse.success], discard the response
  // and perform a limited number of retries.
  bool verified_success_integrity = 5;

  // The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for
  // verification.
  ProtectionLevel protection_level = 6;
}

// Response message for
// [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes].
message GenerateRandomBytesResponse {
  // The generated data.
  bytes data = 1;

  // Integrity verification field. A CRC32C checksum of the returned
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data].
  // An integrity check of
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
  // can be performed by computing the CRC32C checksum of
  // [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]
  // and comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum. Note: This field is defined as int64 for reasons of compatibility
  // across different languages. However, it is a non-negative integer, which
  // will never exceed 2^32-1, and can be safely downconverted to uint32 in
  // languages that support this type.
  google.protobuf.Int64Value data_crc32c = 3;
}

// A [Digest][google.cloud.kms.v1.Digest] holds a cryptographic message digest.
message Digest {
  // Required. The message digest.
  oneof digest {
    // A message digest produced with the SHA-256 algorithm.
    bytes sha256 = 1;

    // A message digest produced with the SHA-384 algorithm.
    bytes sha384 = 2;

    // A message digest produced with the SHA-512 algorithm.
    bytes sha512 = 3;
  }
}

// Cloud KMS metadata for the given
// [google.cloud.location.Location][google.cloud.location.Location].
message LocationMetadata {
  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [HSM][google.cloud.kms.v1.ProtectionLevel.HSM] can be created in this
  // location.
  bool hsm_available = 1;

  // Indicates whether [CryptoKeys][google.cloud.kms.v1.CryptoKey] with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level]
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] can be created in
  // this location.
  bool ekm_available = 2;
}