Skip to content

Commit 5b0219d

Browse files
Google APIscopybara-github
Google APIs
authored and
copybara-github
committed
feat: add support for Raw PKCS#1 signing keys
PiperOrigin-RevId: 403966825
1 parent e54bbc6 commit 5b0219d

2 files changed

Lines changed: 41 additions & 2 deletions

File tree

google/cloud/kms/v1/resources.proto

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -288,6 +288,15 @@ message CryptoKeyVersion {
288288
// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
289289
RSA_SIGN_PKCS1_4096_SHA512 = 16;
290290

291+
// RSASSA-PKCS1-v1_5 signing without encoding, with a 2048 bit key.
292+
RSA_SIGN_RAW_PKCS1_2048 = 28;
293+
294+
// RSASSA-PKCS1-v1_5 signing without encoding, with a 3072 bit key.
295+
RSA_SIGN_RAW_PKCS1_3072 = 29;
296+
297+
// RSASSA-PKCS1-v1_5 signing without encoding, with a 4096 bit key.
298+
RSA_SIGN_RAW_PKCS1_4096 = 30;
299+
291300
// RSAES-OAEP 2048 bit key with a SHA256 digest.
292301
RSA_DECRYPT_OAEP_2048_SHA256 = 8;
293302

google/cloud/kms/v1/service.proto

Lines changed: 32 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -921,10 +921,10 @@ message AsymmetricSignRequest {
921921
}
922922
];
923923

924-
// Required. The digest of the data to sign. The digest must be produced with
924+
// Optional. The digest of the data to sign. The digest must be produced with
925925
// the same digest algorithm as specified by the key version's
926926
// [algorithm][google.cloud.kms.v1.CryptoKeyVersion.algorithm].
927-
Digest digest = 3 [(google.api.field_behavior) = REQUIRED];
927+
Digest digest = 3 [(google.api.field_behavior) = OPTIONAL];
928928

929929
// Optional. An optional CRC32C checksum of the [AsymmetricSignRequest.digest][google.cloud.kms.v1.AsymmetricSignRequest.digest]. If
930930
// specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
@@ -940,6 +940,26 @@ message AsymmetricSignRequest {
940940
// never exceed 2^32-1, and can be safely downconverted to uint32 in languages
941941
// that support this type.
942942
google.protobuf.Int64Value digest_crc32c = 4 [(google.api.field_behavior) = OPTIONAL];
943+
944+
// Optional. This field will only be honored for RAW_PKCS1 keys.
945+
// The data to sign. A digest is computed over the data that will be signed,
946+
// PKCS #1 padding is applied to the digest directly and then encrypted.
947+
bytes data = 6 [(google.api.field_behavior) = OPTIONAL];
948+
949+
// Optional. An optional CRC32C checksum of the [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]. If
950+
// specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will verify the integrity of the
951+
// received [AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data] using this checksum.
952+
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] will report an error if the checksum verification
953+
// fails. If you receive a checksum error, your client should verify that
954+
// CRC32C([AsymmetricSignRequest.data][google.cloud.kms.v1.AsymmetricSignRequest.data]) is equal to
955+
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c], and if so, perform a limited
956+
// number of retries. A persistent mismatch may indicate an issue in your
957+
// computation of the CRC32C checksum.
958+
// Note: This field is defined as int64 for reasons of compatibility across
959+
// different languages. However, it is a non-negative integer, which will
960+
// never exceed 2^32-1, and can be safely downconverted to uint32 in languages
961+
// that support this type.
962+
google.protobuf.Int64Value data_crc32c = 7 [(google.api.field_behavior) = OPTIONAL];
943963
}
944964

945965
// Request message for [KeyManagementService.AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt].
@@ -1172,6 +1192,16 @@ message AsymmetricSignResponse {
11721192
// this field to verify that the intended resource was used for signing.
11731193
string name = 4;
11741194

1195+
// Integrity verification field. A flag indicating whether
1196+
// [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] was received by
1197+
// [KeyManagementService][google.cloud.kms.v1.KeyManagementService] and used for the integrity verification of the
1198+
// [data][google.cloud.kms.v1.AsymmetricSignRequest.data]. A false value of this field
1199+
// indicates either that [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] was left
1200+
// unset or that it was not delivered to [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. If you've
1201+
// set [AsymmetricSignRequest.data_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.data_crc32c] but this field is still false,
1202+
// discard the response and perform a limited number of retries.
1203+
bool verified_data_crc32c = 5;
1204+
11751205
// The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing.
11761206
ProtectionLevel protection_level = 6;
11771207
}

0 commit comments

Comments
 (0)