feat: [Kms] Support KEY_ENCAPSULATION purpose and quantum-safe algorithms ML_KEM_768, ML_KEM_1024 and KEM_XWING (#8580)

* feat: Support KEY_ENCAPSULATION purpose and quantum-safe algorithms ML_KEM_768, ML_KEM_1024 and KEM_XWING
feat: Add PublicKeyFormat enums XWING_RAW_BYTES (used for KEM_XWING) and DER

PiperOrigin-RevId: 805449810

Source-Link: googleapis/googleapis@f8146b4

Source-Link: googleapis/googleapis-gen@79c8e5c
Copy-Tag: eyJwIjoiS21zLy5Pd2xCb3QueWFtbCIsImgiOiI3OWM4ZTVjMjAyYzE5NTZhMTVhNDhjOGVmN2RiMGE0N2YyMDFhN2Y1In0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

Kms/metadata/V1/Resources.php

@@ -0,0 +1,88 @@
+<?php
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_Decapsulate_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DecapsulateRequest;
+use Google\Cloud\Kms\V1\DecapsulateResponse;
+
+/**
+ * Decapsulates data that was encapsulated with a public key retrieved from
+ * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+ * corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+ * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+ * KEY_ENCAPSULATION.
+ *
+ * @param string $formattedName The resource name of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to use for
+ *                              decapsulation. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ * @param string $ciphertext    The ciphertext produced from encapsulation with the
+ *                              named [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public
+ *                              key(s).
+ */
+function decapsulate_sample(string $formattedName, string $ciphertext): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new DecapsulateRequest())
+        ->setName($formattedName)
+        ->setCiphertext($ciphertext);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var DecapsulateResponse $response */
+        $response = $keyManagementServiceClient->decapsulate($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+    $ciphertext = '...';
+
+    decapsulate_sample($formattedName, $ciphertext);
+}
+// [END cloudkms_v1_generated_KeyManagementService_Decapsulate_sync]

Kms/metadata/V1/Service.php

@@ -48,6 +48,8 @@
 use Google\Cloud\Kms\V1\CreateKeyRingRequest;
 use Google\Cloud\Kms\V1\CryptoKey;
 use Google\Cloud\Kms\V1\CryptoKeyVersion;
+use Google\Cloud\Kms\V1\DecapsulateRequest;
+use Google\Cloud\Kms\V1\DecapsulateResponse;
 use Google\Cloud\Kms\V1\DecryptRequest;
 use Google\Cloud\Kms\V1\DecryptResponse;
 use Google\Cloud\Kms\V1\DestroyCryptoKeyVersionRequest;
@@ -114,6 +116,7 @@
  * @method PromiseInterface<CryptoKeyVersion> createCryptoKeyVersionAsync(CreateCryptoKeyVersionRequest $request, array $optionalArgs = [])
  * @method PromiseInterface<ImportJob> createImportJobAsync(CreateImportJobRequest $request, array $optionalArgs = [])
  * @method PromiseInterface<KeyRing> createKeyRingAsync(CreateKeyRingRequest $request, array $optionalArgs = [])
+ * @method PromiseInterface<DecapsulateResponse> decapsulateAsync(DecapsulateRequest $request, array $optionalArgs = [])
  * @method PromiseInterface<DecryptResponse> decryptAsync(DecryptRequest $request, array $optionalArgs = [])
  * @method PromiseInterface<CryptoKeyVersion> destroyCryptoKeyVersionAsync(DestroyCryptoKeyVersionRequest $request, array $optionalArgs = [])
  * @method PromiseInterface<EncryptResponse> encryptAsync(EncryptRequest $request, array $optionalArgs = [])
@@ -590,6 +593,36 @@ public function createKeyRing(CreateKeyRingRequest $request, array $callOptions
         return $this->startApiCall('CreateKeyRing', $request, $callOptions)->wait();
     }
 
+    /**
+     * Decapsulates data that was encapsulated with a public key retrieved from
+     * [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey]
+     * corresponding to a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+     * with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
+     * KEY_ENCAPSULATION.
+     *
+     * The async variant is {@see KeyManagementServiceClient::decapsulateAsync()} .
+     *
+     * @example samples/V1/KeyManagementServiceClient/decapsulate.php
+     *
+     * @param DecapsulateRequest $request     A request to house fields associated with the call.
+     * @param array              $callOptions {
+     *     Optional.
+     *
+     *     @type RetrySettings|array $retrySettings
+     *           Retry settings to use for this call. Can be a {@see RetrySettings} object, or an
+     *           associative array of retry settings parameters. See the documentation on
+     *           {@see RetrySettings} for example usage.
+     * }
+     *
+     * @return DecapsulateResponse
+     *
+     * @throws ApiException Thrown if the API call fails.
+     */
+    public function decapsulate(DecapsulateRequest $request, array $callOptions = []): DecapsulateResponse
+    {
+        return $this->startApiCall('Decapsulate', $request, $callOptions)->wait();
+    }
+
     /**
      * Decrypts data that was protected by
      * [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. The