feat: [kms] support external-μ in the Digest (#8014)

gcf-owl-bot[bot] · pearigee · web-flow · commit 048f3db389c8 · 2026-04-14T16:40:41.000-04:00
* feat: add a variable to SingleTenantHsmInstanceCreate to control whether future key portability features will be usable on the instance PiperOrigin-RevId: 897676455 Source-Link: googleapis/googleapis@bc600b8 Source-Link: googleapis/googleapis-gen@85de368 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiODVkZTM2ODIxNjUyMDQ1YjM5ZTUyNzlhNDJiYmIzMmZhMjdkYWI4MSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * feat: support external-μ in the Digest PiperOrigin-RevId: 897686352 Source-Link: googleapis/googleapis@7fbf256 Source-Link: googleapis/googleapis-gen@333010d Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiMzMzMDEwZGI2ZjQwMDE5MTRiMDEzYWU1NjliMzQxOWViNzdmZDFlMSJ9 * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com> Co-authored-by: Gabe Pearhill <86282859+pearigee@users.noreply.github.com>
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/hsm_management.proto
@@ -307,6 +307,15 @@ message SingleTenantHsmInstance {
   // become disabled.
   google.protobuf.Timestamp disable_time = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Immutable. Indicates whether key portability is enabled for the
+  // [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance].
+  // This can only be set at creation time. Key portability features are
+  // disabled by default and not yet available in GA.
+  bool key_portability_enabled = 8 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
 }
 
 // A
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/resources.proto
@@ -223,6 +223,10 @@ message CryptoKey {
   // justification codes.
   // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
   // By default, this field is absent, and all justification codes are allowed.
+  // If the
+  // `key_access_justifications_policy.allowed_access_reasons`
+  // is empty (zero allowed justification code), all encrypt, decrypt, and sign
+  // operations will fail.
   KeyAccessJustificationsPolicy key_access_justifications_policy = 17
       [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1056,13 +1060,17 @@ message ExternalProtectionLevelOptions {
 // [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
 // specifies zero or more allowed
 // [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
-// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+// [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig]
+// (the default Key Access Justifications policy).
 message KeyAccessJustificationsPolicy {
   // The list of allowed reasons for access to a
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
-  // means all encrypt, decrypt, and sign operations for the
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
-  // fail.
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Note that empty
+  // allowed_access_reasons has a different meaning depending on where this
+  // message appears. If this is under
+  // [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig],
+  // it means allow-all. If this is under
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey], it means deny-all.
   repeated AccessReason allowed_access_reasons = 1;
 }
 
diff --git a/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto b/packages/google-cloud-kms/protos/google/cloud/kms/v1/service.proto
@@ -2335,6 +2335,12 @@ message Digest {
 
     // A message digest produced with the SHA-512 algorithm.
     bytes sha512 = 3;
+
+    // A message digest produced with SHAKE-256, to be used with ML-DSA
+    // external-μ algorithms only. See "message representative" note in
+    // section 6.2, algorithm 7 of the FIPS-204 standard:
+    // https://doi.org/10.6028/nist.fips.204
+    bytes external_mu = 4;
   }
 }
 
diff --git a/packages/google-cloud-kms/protos/protos.d.ts b/packages/google-cloud-kms/protos/protos.d.ts
@@ -3193,6 +3193,9 @@ export namespace google {
 
                     /** SingleTenantHsmInstance disableTime */
                     disableTime?: (google.protobuf.ITimestamp|null);
+
+                    /** SingleTenantHsmInstance keyPortabilityEnabled */
+                    keyPortabilityEnabled?: (boolean|null);
                 }
 
                 /** Represents a SingleTenantHsmInstance. */
@@ -3225,6 +3228,9 @@ export namespace google {
                     /** SingleTenantHsmInstance disableTime. */
                     public disableTime?: (google.protobuf.ITimestamp|null);
 
+                    /** SingleTenantHsmInstance keyPortabilityEnabled. */
+                    public keyPortabilityEnabled: boolean;
+
                     /**
                      * Creates a new SingleTenantHsmInstance instance using the specified properties.
                      * @param [properties] Properties to set
@@ -14480,6 +14486,9 @@ export namespace google {
 
                     /** Digest sha512 */
                     sha512?: (Uint8Array|Buffer|string|null);
+
+                    /** Digest externalMu */
+                    externalMu?: (Uint8Array|Buffer|string|null);
                 }
 
                 /** Represents a Digest. */
@@ -14500,8 +14509,11 @@ export namespace google {
                     /** Digest sha512. */
                     public sha512?: (Uint8Array|Buffer|string|null);
 
+                    /** Digest externalMu. */
+                    public externalMu?: (Uint8Array|Buffer|string|null);
+
                     /** Digest digest. */
-                    public digest?: ("sha256"|"sha384"|"sha512");
+                    public digest?: ("sha256"|"sha384"|"sha512"|"externalMu");
 
                     /**
                      * Creates a new Digest instance using the specified properties.
diff --git a/packages/google-cloud-kms/protos/protos.js b/packages/google-cloud-kms/protos/protos.js
diff --git a/packages/google-cloud-kms/protos/protos.json b/packages/google-cloud-kms/protos/protos.json

Original file line number	Diff line number	Diff line change
`@@ -2335,6 +2335,12 @@ message Digest {`
`2335`	`2335`
`2336`	`2336`	`// A message digest produced with the SHA-512 algorithm.`
`2337`	`2337`	`bytes sha512 = 3;`
	`2338`	`+`
	`2339`	`+ // A message digest produced with SHAKE-256, to be used with ML-DSA`
	`2340`	`+ // external-μ algorithms only. See "message representative" note in`
	`2341`	`+ // section 6.2, algorithm 7 of the FIPS-204 standard:`
	`2342`	`+ // https://doi.org/10.6028/nist.fips.204`
	`2343`	`+ bytes external_mu = 4;`
`2338`	`2344`	`}`
`2339`	`2345`	`}`
`2340`	`2346`