feat: [kms] support external-μ in the Digest (#8014)

gcf-owl-bot[bot] · pearigee · web-flow · commit 048f3db389c8 · 2026-04-14T16:40:41.000-04:00
* feat: add a variable to SingleTenantHsmInstanceCreate to control whether future key portability features will be usable on the instance PiperOrigin-RevId: 897676455 Source-Link: googleapis/googleapis@bc600b8 Source-Link: googleapis/googleapis-gen@85de368 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiODVkZTM2ODIxNjUyMDQ1YjM5ZTUyNzlhNDJiYmIzMmZhMjdkYWI4MSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * feat: support external-μ in the Digest PiperOrigin-RevId: 897686352 Source-Link: googleapis/googleapis@7fbf256 Source-Link: googleapis/googleapis-gen@333010d Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiMzMzMDEwZGI2ZjQwMDE5MTRiMDEzYWU1NjliMzQxOWViNzdmZDFlMSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto
@@ -307,6 +307,15 @@ message SingleTenantHsmInstance {
   // become disabled.
   google.protobuf.Timestamp disable_time = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Immutable. Indicates whether key portability is enabled for the
+  // [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance].
+  // This can only be set at creation time. Key portability features are
+  // disabled by default and not yet available in GA.
+  bool key_portability_enabled = 8 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
 }
 
 // A
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
@@ -223,6 +223,10 @@ message CryptoKey {
   // justification codes.
   // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
   // By default, this field is absent, and all justification codes are allowed.
+  // If the
+  // `key_access_justifications_policy.allowed_access_reasons`
+  // is empty (zero allowed justification code), all encrypt, decrypt, and sign
+  // operations will fail.
   KeyAccessJustificationsPolicy key_access_justifications_policy = 17
       [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1056,13 +1060,17 @@ message ExternalProtectionLevelOptions {
 // [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
 // specifies zero or more allowed
 // [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
-// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+// [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig]
+// (the default Key Access Justifications policy).
 message KeyAccessJustificationsPolicy {
   // The list of allowed reasons for access to a
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
-  // means all encrypt, decrypt, and sign operations for the
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
-  // fail.
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Note that empty
+  // allowed_access_reasons has a different meaning depending on where this
+  // message appears. If this is under
+  // [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig],
+  // it means allow-all. If this is under
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey], it means deny-all.
   repeated AccessReason allowed_access_reasons = 1;
 }
 
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
@@ -2335,6 +2335,12 @@ message Digest {
 
     // A message digest produced with the SHA-512 algorithm.
     bytes sha512 = 3;
+
+    // A message digest produced with SHAKE-256, to be used with ML-DSA
+    // external-μ algorithms only. See "message representative" note in
+    // section 6.2, algorithm 7 of the FIPS-204 standard:
+    // https://doi.org/10.6028/nist.fips.204
+    bytes external_mu = 4;
   }
 }
 
diff --git a/packages/google-cloud-kms/protos/protos.d.ts b/packages/google-cloud-kms/protos/protos.d.ts
@@ -3193,6 +3193,9 @@ export namespace google {
 
                     /** SingleTenantHsmInstance disableTime */
                     disableTime?: (google.protobuf.ITimestamp|null);
+
+                    /** SingleTenantHsmInstance keyPortabilityEnabled */
+                    keyPortabilityEnabled?: (boolean|null);
                 }
 
                 /** Represents a SingleTenantHsmInstance. */
@@ -3225,6 +3228,9 @@ export namespace google {
                     /** SingleTenantHsmInstance disableTime. */
                     public disableTime?: (google.protobuf.ITimestamp|null);
 
+                    /** SingleTenantHsmInstance keyPortabilityEnabled. */
+                    public keyPortabilityEnabled: boolean;
+
                     /**
                      * Creates a new SingleTenantHsmInstance instance using the specified properties.
                      * @param [properties] Properties to set
@@ -14480,6 +14486,9 @@ export namespace google {
 
                     /** Digest sha512 */
                     sha512?: (Uint8Array|Buffer|string|null);
+
+                    /** Digest externalMu */
+                    externalMu?: (Uint8Array|Buffer|string|null);
                 }
 
                 /** Represents a Digest. */
@@ -14500,8 +14509,11 @@ export namespace google {
                     /** Digest sha512. */
                     public sha512?: (Uint8Array|Buffer|string|null);
 
+                    /** Digest externalMu. */
+                    public externalMu?: (Uint8Array|Buffer|string|null);
+
                     /** Digest digest. */
-                    public digest?: ("sha256"|"sha384"|"sha512");
+                    public digest?: ("sha256"|"sha384"|"sha512"|"externalMu");
 
                     /**
                      * Creates a new Digest instance using the specified properties.
diff --git a/packages/google-cloud-kms/protos/protos.js b/packages/google-cloud-kms/protos/protos.js
@@ -7053,6 +7053,7 @@
                          * @property {google.protobuf.ITimestamp|null} [deleteTime] SingleTenantHsmInstance deleteTime
                          * @property {google.protobuf.IDuration|null} [unrefreshedDurationUntilDisable] SingleTenantHsmInstance unrefreshedDurationUntilDisable
                          * @property {google.protobuf.ITimestamp|null} [disableTime] SingleTenantHsmInstance disableTime
+                         * @property {boolean|null} [keyPortabilityEnabled] SingleTenantHsmInstance keyPortabilityEnabled
                          */
     
                         /**
@@ -7126,6 +7127,14 @@
                          */
                         SingleTenantHsmInstance.prototype.disableTime = null;
     
+                        /**
+                         * SingleTenantHsmInstance keyPortabilityEnabled.
+                         * @member {boolean} keyPortabilityEnabled
+                         * @memberof google.cloud.kms.v1.SingleTenantHsmInstance
+                         * @instance
+                         */
+                        SingleTenantHsmInstance.prototype.keyPortabilityEnabled = false;
+    
                         /**
                          * Creates a new SingleTenantHsmInstance instance using the specified properties.
                          * @function create
@@ -7164,6 +7173,8 @@
                                 $root.google.protobuf.Duration.encode(message.unrefreshedDurationUntilDisable, writer.uint32(/* id 6, wireType 2 =*/50).fork()).ldelim();
                             if (message.disableTime != null && Object.hasOwnProperty.call(message, "disableTime"))
                                 $root.google.protobuf.Timestamp.encode(message.disableTime, writer.uint32(/* id 7, wireType 2 =*/58).fork()).ldelim();
+                            if (message.keyPortabilityEnabled != null && Object.hasOwnProperty.call(message, "keyPortabilityEnabled"))
+                                writer.uint32(/* id 8, wireType 0 =*/64).bool(message.keyPortabilityEnabled);
                             return writer;
                         };
     
@@ -7228,6 +7239,10 @@
                                         message.disableTime = $root.google.protobuf.Timestamp.decode(reader, reader.uint32());
                                         break;
                                     }
+                                case 8: {
+                                        message.keyPortabilityEnabled = reader.bool();
+                                        break;
+                                    }
                                 default:
                                     reader.skipType(tag & 7);
                                     break;
@@ -7306,6 +7321,9 @@
                                 if (error)
                                     return "disableTime." + error;
                             }
+                            if (message.keyPortabilityEnabled != null && message.hasOwnProperty("keyPortabilityEnabled"))
+                                if (typeof message.keyPortabilityEnabled !== "boolean")
+                                    return "keyPortabilityEnabled: boolean expected";
                             return null;
                         };
     
@@ -7392,6 +7410,8 @@
                                     throw TypeError(".google.cloud.kms.v1.SingleTenantHsmInstance.disableTime: object expected");
                                 message.disableTime = $root.google.protobuf.Timestamp.fromObject(object.disableTime);
                             }
+                            if (object.keyPortabilityEnabled != null)
+                                message.keyPortabilityEnabled = Boolean(object.keyPortabilityEnabled);
                             return message;
                         };
     
@@ -7416,6 +7436,7 @@
                                 object.deleteTime = null;
                                 object.unrefreshedDurationUntilDisable = null;
                                 object.disableTime = null;
+                                object.keyPortabilityEnabled = false;
                             }
                             if (message.name != null && message.hasOwnProperty("name"))
                                 object.name = message.name;
@@ -7431,6 +7452,8 @@
                                 object.unrefreshedDurationUntilDisable = $root.google.protobuf.Duration.toObject(message.unrefreshedDurationUntilDisable, options);
                             if (message.disableTime != null && message.hasOwnProperty("disableTime"))
                                 object.disableTime = $root.google.protobuf.Timestamp.toObject(message.disableTime, options);
+                            if (message.keyPortabilityEnabled != null && message.hasOwnProperty("keyPortabilityEnabled"))
+                                object.keyPortabilityEnabled = message.keyPortabilityEnabled;
                             return object;
                         };
     
@@ -36169,6 +36192,7 @@
                          * @property {Uint8Array|null} [sha256] Digest sha256
                          * @property {Uint8Array|null} [sha384] Digest sha384
                          * @property {Uint8Array|null} [sha512] Digest sha512
+                         * @property {Uint8Array|null} [externalMu] Digest externalMu
                          */
     
                         /**
@@ -36210,17 +36234,25 @@
                          */
                         Digest.prototype.sha512 = null;
     
+                        /**
+                         * Digest externalMu.
+                         * @member {Uint8Array|null|undefined} externalMu
+                         * @memberof google.cloud.kms.v1.Digest
+                         * @instance
+                         */
+                        Digest.prototype.externalMu = null;
+    
                         // OneOf field names bound to virtual getters and setters
                         var $oneOfFields;
     
                         /**
                          * Digest digest.
-                         * @member {"sha256"|"sha384"|"sha512"|undefined} digest
+                         * @member {"sha256"|"sha384"|"sha512"|"externalMu"|undefined} digest
                          * @memberof google.cloud.kms.v1.Digest
                          * @instance
                          */
                         Object.defineProperty(Digest.prototype, "digest", {
-                            get: $util.oneOfGetter($oneOfFields = ["sha256", "sha384", "sha512"]),
+                            get: $util.oneOfGetter($oneOfFields = ["sha256", "sha384", "sha512", "externalMu"]),
                             set: $util.oneOfSetter($oneOfFields)
                         });
     
@@ -36254,6 +36286,8 @@
                                 writer.uint32(/* id 2, wireType 2 =*/18).bytes(message.sha384);
                             if (message.sha512 != null && Object.hasOwnProperty.call(message, "sha512"))
                                 writer.uint32(/* id 3, wireType 2 =*/26).bytes(message.sha512);
+                            if (message.externalMu != null && Object.hasOwnProperty.call(message, "externalMu"))
+                                writer.uint32(/* id 4, wireType 2 =*/34).bytes(message.externalMu);
                             return writer;
                         };
     
@@ -36302,6 +36336,10 @@
                                         message.sha512 = reader.bytes();
                                         break;
                                     }
+                                case 4: {
+                                        message.externalMu = reader.bytes();
+                                        break;
+                                    }
                                 default:
                                     reader.skipType(tag & 7);
                                     break;
@@ -36357,6 +36395,13 @@
                                 if (!(message.sha512 && typeof message.sha512.length === "number" || $util.isString(message.sha512)))
                                     return "sha512: buffer expected";
                             }
+                            if (message.externalMu != null && message.hasOwnProperty("externalMu")) {
+                                if (properties.digest === 1)
+                                    return "digest: multiple values";
+                                properties.digest = 1;
+                                if (!(message.externalMu && typeof message.externalMu.length === "number" || $util.isString(message.externalMu)))
+                                    return "externalMu: buffer expected";
+                            }
                             return null;
                         };
     
@@ -36387,6 +36432,11 @@
                                     $util.base64.decode(object.sha512, message.sha512 = $util.newBuffer($util.base64.length(object.sha512)), 0);
                                 else if (object.sha512.length >= 0)
                                     message.sha512 = object.sha512;
+                            if (object.externalMu != null)
+                                if (typeof object.externalMu === "string")
+                                    $util.base64.decode(object.externalMu, message.externalMu = $util.newBuffer($util.base64.length(object.externalMu)), 0);
+                                else if (object.externalMu.length >= 0)
+                                    message.externalMu = object.externalMu;
                             return message;
                         };
     
@@ -36418,6 +36468,11 @@
                                 if (options.oneofs)
                                     object.digest = "sha512";
                             }
+                            if (message.externalMu != null && message.hasOwnProperty("externalMu")) {
+                                object.externalMu = options.bytes === String ? $util.base64.encode(message.externalMu, 0, message.externalMu.length) : options.bytes === Array ? Array.prototype.slice.call(message.externalMu) : message.externalMu;
+                                if (options.oneofs)
+                                    object.digest = "externalMu";
+                            }
                             return object;
                         };
     
diff --git a/packages/google-cloud-kms/protos/protos.json b/packages/google-cloud-kms/protos/protos.json
@@ -1138,6 +1138,13 @@
                           "options": {
                             "(google.api.field_behavior)": "OUTPUT_ONLY"
                           }
+                        },
+                        "keyPortabilityEnabled": {
+                          "type": "bool",
+                          "id": 8,
+                          "options": {
+                            "(google.api.field_behavior)": "IMMUTABLE"
+                          }
                         }
                       },
                       "nested": {
@@ -4330,7 +4337,8 @@
                           "oneof": [
                             "sha256",
                             "sha384",
-                            "sha512"
+                            "sha512",
+                            "externalMu"
                           ]
                         }
                       },
@@ -4346,6 +4354,10 @@
                         "sha512": {
                           "type": "bytes",
                           "id": 3
+                        },
+                        "externalMu": {
+                          "type": "bytes",
+                          "id": 4
                         }
                       }
                     },

Original file line number	Diff line number	Diff line change
`@@ -2335,6 +2335,12 @@ message Digest {`
`2335`	`2335`
`2336`	`2336`	`// A message digest produced with the SHA-512 algorithm.`
`2337`	`2337`	`bytes sha512 = 3;`
	`2338`	`+`
	`2339`	`+ // A message digest produced with SHAKE-256, to be used with ML-DSA`
	`2340`	`+ // external-μ algorithms only. See "message representative" note in`
	`2341`	`+ // section 6.2, algorithm 7 of the FIPS-204 standard:`
	`2342`	`+ // https://doi.org/10.6028/nist.fips.204`
	`2343`	`+ bytes external_mu = 4;`
`2338`	`2344`	`}`
`2339`	`2345`	`}`
`2340`	`2346`
Original file line number	Diff line number	Diff line change
`@@ -1138,6 +1138,13 @@`
`1138`	`1138`	`"options": {`
`1139`	`1139`	`"(google.api.field_behavior)": "OUTPUT_ONLY"`
`1140`	`1140`	`}`
	`1141`	`+ },`
	`1142`	`+ "keyPortabilityEnabled": {`
	`1143`	`+ "type": "bool",`
	`1144`	`+ "id": 8,`
	`1145`	`+ "options": {`
	`1146`	`+ "(google.api.field_behavior)": "IMMUTABLE"`
	`1147`	`+ }`
`1141`	`1148`	`}`
`1142`	`1149`	`},`
`1143`	`1150`	`"nested": {`
`@@ -4330,7 +4337,8 @@`
`4330`	`4337`	`"oneof": [`
`4331`	`4338`	`"sha256",`
`4332`	`4339`	`"sha384",`
`4333`		`- "sha512"`
	`4340`	`+ "sha512",`
	`4341`	`+ "externalMu"`
`4334`	`4342`	`]`
`4335`	`4343`	`}`
`4336`	`4344`	`},`
`@@ -4346,6 +4354,10 @@`
`4346`	`4354`	`"sha512": {`
`4347`	`4355`	`"type": "bytes",`
`4348`	`4356`	`"id": 3`
	`4357`	`+ },`
	`4358`	`+ "externalMu": {`
	`4359`	`+ "type": "bytes",`
	`4360`	`+ "id": 4`
`4349`	`4361`	`}`
`4350`	`4362`	`}`
`4351`	`4363`	`},`