feat: [inventory] support external-μ in the Digest (#8015)

gcf-owl-bot[bot] · web-flow · commit 71be7d38a621 · 2026-04-14T10:00:56.000-07:00
* feat: add a variable to SingleTenantHsmInstanceCreate to control whether future key portability features will be usable on the instance PiperOrigin-RevId: 897676455 Source-Link: googleapis/googleapis@bc600b8 Source-Link: googleapis/googleapis-gen@85de368 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy1pbnZlbnRvcnkvLk93bEJvdC55YW1sIiwiaCI6Ijg1ZGUzNjgyMTY1MjA0NWIzOWU1Mjc5YTQyYmJiMzJmYTI3ZGFiODEifQ== * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * feat: support external-μ in the Digest PiperOrigin-RevId: 897686352 Source-Link: googleapis/googleapis@7fbf256 Source-Link: googleapis/googleapis-gen@333010d Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWttcy1pbnZlbnRvcnkvLk93bEJvdC55YW1sIiwiaCI6IjMzMzAxMGRiNmY0MDAxOTE0YjAxM2FlNTY5YjM0MTllYjc3ZmQxZTEifQ== * 🦉 Updates from OwlBot post-processor See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
diff --git a/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/hsm_management.proto b/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/hsm_management.proto
@@ -307,6 +307,15 @@ message SingleTenantHsmInstance {
   // become disabled.
   google.protobuf.Timestamp disable_time = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Immutable. Indicates whether key portability is enabled for the
+  // [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance].
+  // This can only be set at creation time. Key portability features are
+  // disabled by default and not yet available in GA.
+  bool key_portability_enabled = 8 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
 }
 
 // A
diff --git a/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/resources.proto b/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/resources.proto
@@ -223,6 +223,10 @@ message CryptoKey {
   // justification codes.
   // https://cloud.google.com/assured-workloads/key-access-justifications/docs/justification-codes
   // By default, this field is absent, and all justification codes are allowed.
+  // If the
+  // `key_access_justifications_policy.allowed_access_reasons`
+  // is empty (zero allowed justification code), all encrypt, decrypt, and sign
+  // operations will fail.
   KeyAccessJustificationsPolicy key_access_justifications_policy = 17
       [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1056,13 +1060,17 @@ message ExternalProtectionLevelOptions {
 // [KeyAccessJustificationsPolicy][google.cloud.kms.v1.KeyAccessJustificationsPolicy]
 // specifies zero or more allowed
 // [AccessReason][google.cloud.kms.v1.AccessReason] values for encrypt, decrypt,
-// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey].
+// and sign operations on a [CryptoKey][google.cloud.kms.v1.CryptoKey] or
+// [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig]
+// (the default Key Access Justifications policy).
 message KeyAccessJustificationsPolicy {
   // The list of allowed reasons for access to a
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Zero allowed access reasons
-  // means all encrypt, decrypt, and sign operations for the
-  // [CryptoKey][google.cloud.kms.v1.CryptoKey] associated with this policy will
-  // fail.
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. Note that empty
+  // allowed_access_reasons has a different meaning depending on where this
+  // message appears. If this is under
+  // [KeyAccessJustificationsPolicyConfig][google.cloud.kms.v1.KeyAccessJustificationsPolicyConfig],
+  // it means allow-all. If this is under
+  // [CryptoKey][google.cloud.kms.v1.CryptoKey], it means deny-all.
   repeated AccessReason allowed_access_reasons = 1;
 }
 
diff --git a/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/service.proto b/packages/google-cloud-kms-inventory/protos/google/cloud/kms/v1/service.proto
@@ -2335,6 +2335,12 @@ message Digest {
 
     // A message digest produced with the SHA-512 algorithm.
     bytes sha512 = 3;
+
+    // A message digest produced with SHAKE-256, to be used with ML-DSA
+    // external-μ algorithms only. See "message representative" note in
+    // section 6.2, algorithm 7 of the FIPS-204 standard:
+    // https://doi.org/10.6028/nist.fips.204
+    bytes external_mu = 4;
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2335,6 +2335,12 @@ message Digest {`
`2335`	`2335`
`2336`	`2336`	`// A message digest produced with the SHA-512 algorithm.`
`2337`	`2337`	`bytes sha512 = 3;`
	`2338`	`+`
	`2339`	`+ // A message digest produced with SHAKE-256, to be used with ML-DSA`
	`2340`	`+ // external-μ algorithms only. See "message representative" note in`
	`2341`	`+ // section 6.2, algorithm 7 of the FIPS-204 standard:`
	`2342`	`+ // https://doi.org/10.6028/nist.fips.204`
	`2343`	`+ bytes external_mu = 4;`
`2338`	`2344`	`}`
`2339`	`2345`	`}`
`2340`	`2346`