feat: [google-cloud-kms] Support PQC asymmetric signing algorithms ML_DSA_65 and SLH_DSA_SHA2_128s (#13538)

- [ ] Regenerate this pull request now.

feat: Add a PublicKeyFormat enum to allow specifying the format the
public is going to be exported in

PiperOrigin-RevId: 728208243

Source-Link:
googleapis/googleapis@0c860e0

Source-Link:
googleapis/googleapis-gen@904854f
Copy-Tag:
eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy8uT3dsQm90LnlhbWwiLCJoIjoiOTA0ODU0ZmQ0YWYzNWVjY2EwM2M4NjQwNDgyMDAzMWE5ZWM4ZjdhZCJ9

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-cloud-kms/google/cloud/kms/__init__.py

@@ -63,6 +63,7 @@
 )
 from google.cloud.kms_v1.types.resources import (
     AccessReason,
+    ChecksummedData,
     CryptoKey,
     CryptoKeyVersion,
     CryptoKeyVersionTemplate,
@@ -152,6 +153,7 @@
     "UpdateEkmConnectionRequest",
     "VerifyConnectivityRequest",
     "VerifyConnectivityResponse",
+    "ChecksummedData",
     "CryptoKey",
     "CryptoKeyVersion",
     "CryptoKeyVersionTemplate",

packages/google-cloud-kms/google/cloud/kms_v1/__init__.py

@@ -56,6 +56,7 @@
 )
 from .types.resources import (
     AccessReason,
+    ChecksummedData,
     CryptoKey,
     CryptoKeyVersion,
     CryptoKeyVersionTemplate,
@@ -127,6 +128,7 @@
     "AutokeyClient",
     "AutokeyConfig",
     "Certificate",
+    "ChecksummedData",
     "CreateCryptoKeyRequest",
     "CreateCryptoKeyVersionRequest",
     "CreateEkmConnectionRequest",

packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/async_client.py

@@ -1898,7 +1898,7 @@ async def sample_import_crypto_key_version():
                 request = kms_v1.ImportCryptoKeyVersionRequest(
                     rsa_aes_wrapped_key=b'rsa_aes_wrapped_key_blob',
                     parent="parent_value",
-                    algorithm="EXTERNAL_SYMMETRIC_ENCRYPTION",
+                    algorithm="PQ_SIGN_SLH_DSA_SHA2_128S",
                     import_job="import_job_value",
                 )
 

packages/google-cloud-kms/google/cloud/kms_v1/services/key_management_service/client.py

@@ -2370,7 +2370,7 @@ def sample_import_crypto_key_version():
                 request = kms_v1.ImportCryptoKeyVersionRequest(
                     rsa_aes_wrapped_key=b'rsa_aes_wrapped_key_blob',
                     parent="parent_value",
-                    algorithm="EXTERNAL_SYMMETRIC_ENCRYPTION",
+                    algorithm="PQ_SIGN_SLH_DSA_SHA2_128S",
                     import_job="import_job_value",
                 )
 

packages/google-cloud-kms/google/cloud/kms_v1/types/__init__.py

@@ -44,6 +44,7 @@
 )
 from .resources import (
     AccessReason,
+    ChecksummedData,
     CryptoKey,
     CryptoKeyVersion,
     CryptoKeyVersionTemplate,
@@ -125,6 +126,7 @@
     "UpdateEkmConnectionRequest",
     "VerifyConnectivityRequest",
     "VerifyConnectivityResponse",
+    "ChecksummedData",
     "CryptoKey",
     "CryptoKeyVersion",
     "CryptoKeyVersionTemplate",

packages/google-cloud-kms/google/cloud/kms_v1/types/resources.py

@@ -32,6 +32,7 @@
         "CryptoKeyVersionTemplate",
         "KeyOperationAttestation",
         "CryptoKeyVersion",
+        "ChecksummedData",
         "PublicKey",
         "ImportJob",
         "ExternalProtectionLevelOptions",
@@ -785,6 +786,14 @@ class CryptoKeyVersionAlgorithm(proto.Enum):
             EXTERNAL_SYMMETRIC_ENCRYPTION (18):
                 Algorithm representing symmetric encryption
                 by an external key manager.
+            PQ_SIGN_ML_DSA_65 (56):
+                The post-quantum Module-Lattice-Based Digital
+                Signature Algorithm, at security level 3.
+                Randomized version.
+            PQ_SIGN_SLH_DSA_SHA2_128S (57):
+                The post-quantum stateless hash-based digital
+                signature algorithm, at security level 1.
+                Randomized version.
         """
         CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
         GOOGLE_SYMMETRIC_ENCRYPTION = 1
@@ -822,6 +831,8 @@ class CryptoKeyVersionAlgorithm(proto.Enum):
         HMAC_SHA512 = 35
         HMAC_SHA224 = 36
         EXTERNAL_SYMMETRIC_ENCRYPTION = 18
+        PQ_SIGN_ML_DSA_65 = 56
+        PQ_SIGN_SLH_DSA_SHA2_128S = 57
 
     class CryptoKeyVersionState(proto.Enum):
         r"""The state of a
@@ -1002,6 +1013,42 @@ class CryptoKeyVersionView(proto.Enum):
     )
 
 
+class ChecksummedData(proto.Message):
+    r"""Data with integrity verification field.
+
+    Attributes:
+        data (bytes):
+            Raw Data.
+        crc32c_checksum (google.protobuf.wrappers_pb2.Int64Value):
+            Integrity verification field. A CRC32C checksum of the
+            returned
+            [ChecksummedData.data][google.cloud.kms.v1.ChecksummedData.data].
+            An integrity check of
+            [ChecksummedData.data][google.cloud.kms.v1.ChecksummedData.data]
+            can be performed by computing the CRC32C checksum of
+            [ChecksummedData.data][google.cloud.kms.v1.ChecksummedData.data]
+            and comparing your results to this field. Discard the
+            response in case of non-matching checksum values, and
+            perform a limited number of retries. A persistent mismatch
+            may indicate an issue in your computation of the CRC32C
+            checksum. Note: This field is defined as int64 for reasons
+            of compatibility across different languages. However, it is
+            a non-negative integer, which will never exceed ``2^32-1``,
+            and can be safely downconverted to uint32 in languages that
+            support this type.
+    """
+
+    data: bytes = proto.Field(
+        proto.BYTES,
+        number=3,
+    )
+    crc32c_checksum: wrappers_pb2.Int64Value = proto.Field(
+        proto.MESSAGE,
+        number=2,
+        message=wrappers_pb2.Int64Value,
+    )
+
+
 class PublicKey(proto.Message):
     r"""The public keys for a given
     [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained
@@ -1033,8 +1080,8 @@ class PublicKey(proto.Message):
             indicate an issue in your computation of the CRC32C
             checksum. Note: This field is defined as int64 for reasons
             of compatibility across different languages. However, it is
-            a non-negative integer, which will never exceed 2^32-1, and
-            can be safely downconverted to uint32 in languages that
+            a non-negative integer, which will never exceed ``2^32-1``,
+            and can be safely downconverted to uint32 in languages that
             support this type.
 
             NOTE: This field is in Beta.
@@ -1049,8 +1096,53 @@ class PublicKey(proto.Message):
             of the
             [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
             public key.
+        public_key_format (google.cloud.kms_v1.types.PublicKey.PublicKeyFormat):
+            The [PublicKey][google.cloud.kms.v1.PublicKey] format
+            specified by the customer through the
+            [public_key_format][google.cloud.kms.v1.GetPublicKeyRequest.public_key_format]
+            field.
+        public_key (google.cloud.kms_v1.types.ChecksummedData):
+            This field contains the public key (with integrity
+            verification), formatted according to the
+            [public_key_format][google.cloud.kms.v1.PublicKey.public_key_format]
+            field.
     """
 
+    class PublicKeyFormat(proto.Enum):
+        r"""The supported [PublicKey][google.cloud.kms.v1.PublicKey] formats.
+
+        Values:
+            PUBLIC_KEY_FORMAT_UNSPECIFIED (0):
+                If the
+                [public_key_format][google.cloud.kms.v1.GetPublicKeyRequest.public_key_format]
+                field is not specified:
+
+                -  For PQC algorithms, an error will be returned.
+                -  For non-PQC algorithms, the default format is PEM, and
+                   the field [pem][google.cloud.kms.v1.PublicKey.pem] will
+                   be populated.
+
+                Otherwise, the public key will be exported through the
+                [public_key][google.cloud.kms.v1.PublicKey.public_key] field
+                in the requested format.
+            PEM (1):
+                The returned public key will be encoded in PEM format. See
+                the `RFC7468 <https://tools.ietf.org/html/rfc7468>`__
+                sections for `General
+                Considerations <https://tools.ietf.org/html/rfc7468#section-2>`__
+                and [Textual Encoding of Subject Public Key Info]
+                (https://tools.ietf.org/html/rfc7468#section-13) for more
+                information.
+            NIST_PQC (3):
+                This is supported only for PQC algorithms.
+                The key material is returned in the format
+                defined by NIST PQC standards (FIPS 203, FIPS
+                204, and FIPS 205).
+        """
+        PUBLIC_KEY_FORMAT_UNSPECIFIED = 0
+        PEM = 1
+        NIST_PQC = 3
+
     pem: str = proto.Field(
         proto.STRING,
         number=1,
@@ -1074,6 +1166,16 @@ class PublicKey(proto.Message):
         number=5,
         enum="ProtectionLevel",
     )
+    public_key_format: PublicKeyFormat = proto.Field(
+        proto.ENUM,
+        number=7,
+        enum=PublicKeyFormat,
+    )
+    public_key: "ChecksummedData" = proto.Field(
+        proto.MESSAGE,
+        number=8,
+        message="ChecksummedData",
+    )
 
 
 class ImportJob(proto.Message):

packages/google-cloud-kms/google/cloud/kms_v1/types/service.py

@@ -513,12 +513,27 @@ class GetPublicKeyRequest(proto.Message):
             [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
             [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
             public key to get.
+        public_key_format (google.cloud.kms_v1.types.PublicKey.PublicKeyFormat):
+            Optional. The [PublicKey][google.cloud.kms.v1.PublicKey]
+            format specified by the user. This field is required for PQC
+            algorithms. If specified, the public key will be exported
+            through the
+            [public_key][google.cloud.kms.v1.PublicKey.public_key] field
+            in the requested format. Otherwise, the
+            [pem][google.cloud.kms.v1.PublicKey.pem] field will be
+            populated for non-PQC algorithms, and an error will be
+            returned for PQC algorithms.
     """
 
     name: str = proto.Field(
         proto.STRING,
         number=1,
     )
+    public_key_format: resources.PublicKey.PublicKeyFormat = proto.Field(
+        proto.ENUM,
+        number=2,
+        enum=resources.PublicKey.PublicKeyFormat,
+    )
 
 
 class GetImportJobRequest(proto.Message):

packages/google-cloud-kms/samples/generated_samples/cloudkms_v1_generated_key_management_service_import_crypto_key_version_async.py

@@ -42,7 +42,7 @@ async def sample_import_crypto_key_version():
     request = kms_v1.ImportCryptoKeyVersionRequest(
         rsa_aes_wrapped_key=b'rsa_aes_wrapped_key_blob',
         parent="parent_value",
-        algorithm="EXTERNAL_SYMMETRIC_ENCRYPTION",
+        algorithm="PQ_SIGN_SLH_DSA_SHA2_128S",
         import_job="import_job_value",
     )
 

packages/google-cloud-kms/samples/generated_samples/cloudkms_v1_generated_key_management_service_import_crypto_key_version_sync.py

@@ -42,7 +42,7 @@ def sample_import_crypto_key_version():
     request = kms_v1.ImportCryptoKeyVersionRequest(
         rsa_aes_wrapped_key=b'rsa_aes_wrapped_key_blob',
         parent="parent_value",
-        algorithm="EXTERNAL_SYMMETRIC_ENCRYPTION",
+        algorithm="PQ_SIGN_SLH_DSA_SHA2_128S",
         import_job="import_job_value",
     )
 

packages/google-cloud-kms/scripts/fixup_kms_v1_keywords.py

@@ -59,7 +59,7 @@ class kmsCallTransformer(cst.CSTTransformer):
         'get_import_job': ('name', ),
         'get_key_handle': ('name', ),
         'get_key_ring': ('name', ),
-        'get_public_key': ('name', ),
+        'get_public_key': ('name', 'public_key_format', ),
         'import_crypto_key_version': ('parent', 'algorithm', 'import_job', 'crypto_key_version', 'wrapped_key', 'rsa_aes_wrapped_key', ),
         'list_crypto_keys': ('parent', 'page_size', 'page_token', 'version_view', 'filter', 'order_by', ),
         'list_crypto_key_versions': ('parent', 'page_size', 'page_token', 'view', 'filter', 'order_by', ),