Sync: sync/0c629bba29

endpoints.md

@@ -52,6 +52,10 @@
   * [nebius.iam.v2.AccessKeyService](nebius/iam/v2/access_key_service.proto)
   * [nebius.iam.v2.ProjectService](nebius/iam/v2/project_service.proto)
   * [nebius.iam.v2.TenantService](nebius/iam/v2/tenant_service.proto)
+* cpl.kms.api.nebius.cloud:443
+  * [nebius.common.v1.OperationService](nebius/common/v1/operation_service.proto)
+  * [nebius.kms.v1.AsymmetricKeyService](nebius/kms/v1/asymmetric_key_service.proto)
+  * [nebius.kms.v1.SymmetricKeyService](nebius/kms/v1/symmetric_key_service.proto)
 * cpl.mysterybox.api.nebius.cloud:443
   * [nebius.common.v1.OperationService](nebius/common/v1/operation_service.proto)
   * [nebius.mysterybox.v1.SecretService](nebius/mysterybox/v1/secret_service.proto)
@@ -69,6 +73,9 @@
   * [nebius.common.v1.OperationService](nebius/common/v1/operation_service.proto)
   * [nebius.dns.v1.RecordService](nebius/dns/v1/record_service.proto)
   * [nebius.dns.v1.ZoneService](nebius/dns/v1/zone_service.proto)
+* dpl.kms.api.nebius.cloud:443
+  * [nebius.kms.v1.AsymmetricCryptoService](nebius/kms/v1/asymmetric_crypto_service.proto)
+  * [nebius.kms.v1.SymmetricCryptoService](nebius/kms/v1/symmetric_crypto_service.proto)
 * dpl.mysterybox.api.nebius.cloud:443
   * [nebius.mysterybox.v1.PayloadService](nebius/mysterybox/v1/payload_service.proto)
 * maintenance.msp.api.nebius.cloud:443

nebius/kms/v1/asymmetric_crypto_service.proto

@@ -0,0 +1,80 @@
+syntax = "proto3";
+
+package nebius.kms.v1;
+
+import "buf/validate/validate.proto";
+import "nebius/annotations.proto";
+
+option go_package = "github.com/nebius/gosdk/proto/nebius/kms/v1";
+option java_multiple_files = true;
+option java_outer_classname = "AsymmetricCryptoServiceProto";
+option java_package = "ai.nebius.pub.kms.v1";
+
+// Data plane for KMS asymmetric cryptography operations.
+service AsymmetricCryptoService {
+  option (api_service_name) = "dpl.kms";
+
+  // Signs a hashed value using an asymmetric key.
+  rpc SignHash(AsymmetricSignHashRequest) returns (AsymmetricSignHashResponse);
+
+  // Retrieves the public key of an asymmetric key pair.
+  rpc GetPublicKey(AsymmetricGetPublicKeyRequest) returns (AsymmetricGetPublicKeyResponse);
+
+  // Decrypts the ciphertext with the specified key.
+  rpc Decrypt(AsymmetricDecryptRequest) returns (AsymmetricDecryptResponse);
+}
+
+message AsymmetricSignHashRequest {
+  // ID of the asymmetric KMS key to use for signing the hash.
+  string key_id = 1 [(buf.validate.field).required = true];
+
+  // Hash to sign.
+  bytes hash = 2 [
+    (buf.validate.field).required = true,
+    (sensitive) = true
+  ];
+}
+
+message AsymmetricSignHashResponse {
+  // ID of the asymmetric KMS key used to produce the signature.
+  string key_id = 1;
+
+  // Value of signature.
+  bytes signature = 2 [(sensitive) = true];
+}
+
+message AsymmetricGetPublicKeyRequest {
+  // ID of the asymmetric KMS key whose public key should be returned.
+  string key_id = 1 [(buf.validate.field).required = true];
+}
+
+message AsymmetricGetPublicKeyResponse {
+  // ID of the asymmetric KMS key whose public key was returned.
+  string key_id = 1;
+
+  // Public key value.
+  // The value is a PEM-encoded X.509 public key, also known as SubjectPublicKeyInfo (SPKI), as defined in RFC 5280.
+  string public_key = 2;
+}
+
+message AsymmetricDecryptRequest {
+  // ID of the asymmetric KMS key.
+  string key_id = 1 [(buf.validate.field).required = true];
+
+  // cipher text to be decrypted.
+  bytes ciphertext = 2 [
+    (buf.validate.field) = {
+      bytes: {len: 512}
+      required: true
+    },
+    (sensitive) = true
+  ];
+}
+
+message AsymmetricDecryptResponse {
+  // ID of the asymmetric KMS key that was used for decryption.
+  string key_id = 1;
+
+  // Decrypted plaintext.
+  bytes plaintext = 2 [(sensitive) = true];
+}

nebius/kms/v1/asymmetric_key.proto

@@ -0,0 +1,65 @@
+syntax = "proto3";
+
+package nebius.kms.v1;
+
+import "buf/validate/validate.proto";
+import "google/protobuf/timestamp.proto";
+import "nebius/annotations.proto";
+import "nebius/common/v1/metadata.proto";
+import "nebius/kms/v1/key_state.proto";
+
+option go_package = "github.com/nebius/gosdk/proto/nebius/kms/v1";
+option java_multiple_files = true;
+option java_outer_classname = "AsymmetricKeyProto";
+option java_package = "ai.nebius.pub.kms.v1";
+
+// Supported asymmetric algorithms.
+enum AsymmetricAlgorithm {
+  ASYMMETRIC_ALGORITHM_UNSPECIFIED = 0;
+
+  // ECDSA signature with NIST P-256 curve and SHA-256
+  ECDSA_NIST_P256_SHA_256 = 1;
+
+  // ECDSA signature with NIST P-384 curve and SHA-384
+  ECDSA_NIST_P384_SHA_384 = 2;
+
+  // RSA encryption with RSA-4096 key, OAEP padding and SHA-256.
+  RSA_4096_ENC_OAEP_SHA_256 = 3;
+}
+
+// An asymmetric KMS key that may contain several versions of the cryptographic material.
+message AsymmetricKey {
+  common.v1.ResourceMetadata metadata = 1;
+
+  // The specifications of the asymmetric key.
+  AsymmetricKeySpec spec = 2;
+
+  // The current status of the asymmetric key.
+  AsymmetricKeyStatus status = 3;
+}
+
+message AsymmetricKeySpec {
+  // Description of the key.
+  string description = 1;
+
+  // Cryptographic algorithm that should be used with the key.
+  // Must be specified only during create operations. Cannot be updated.
+  AsymmetricAlgorithm algorithm = 2 [
+    (field_behavior) = IMMUTABLE,
+    (buf.validate.field) = {
+      enum: {defined_only: true}
+      required: true
+    }
+  ];
+}
+
+message AsymmetricKeyStatus {
+  // State (ACTIVE, SCHEDULED_FOR_DELETION)
+  KeyState state = 1;
+
+  // Time when the key was scheduled for deletion.
+  google.protobuf.Timestamp deleted_at = 2;
+
+  // Time when the key will be permanently deleted.
+  google.protobuf.Timestamp purge_at = 3;
+}

nebius/kms/v1/asymmetric_key_service.proto

@@ -0,0 +1,140 @@
+syntax = "proto3";
+
+package nebius.kms.v1;
+
+import "buf/validate/validate.proto";
+import "google/protobuf/duration.proto";
+import "nebius/annotations.proto";
+import "nebius/common/v1/metadata.proto";
+import "nebius/common/v1/operation.proto";
+import "nebius/kms/v1/asymmetric_key.proto";
+
+option go_package = "github.com/nebius/gosdk/proto/nebius/kms/v1";
+option java_multiple_files = true;
+option java_outer_classname = "AsymmetricKeyServiceProto";
+option java_package = "ai.nebius.pub.kms.v1";
+
+// Set of methods for managing asymmetric keys.
+service AsymmetricKeyService {
+  // control plane
+  option (api_service_name) = "cpl.kms";
+
+  // Creates an asymmetric KMS key in the specified container.
+  rpc Create(CreateAsymmetricKeyRequest) returns (common.v1.Operation);
+
+  // Updates an asymmetric KMS key.
+  rpc Update(UpdateAsymmetricKeyRequest) returns (common.v1.Operation);
+
+  // Returns the specified asymmetric KMS key by id.
+  rpc Get(GetAsymmetricKeyRequest) returns (AsymmetricKey);
+
+  // Returns the specified asymmetric KMS key by name.
+  rpc GetByName(GetAsymmetricKeyByNameRequest) returns (AsymmetricKey);
+
+  // Returns the list of asymmetric KMS keys in the specified container.
+  rpc List(ListAsymmetricKeysRequest) returns (ListAsymmetricKeysResponse);
+
+  // Schedules an asymmetric KMS key for deletion.
+  rpc Delete(DeleteAsymmetricKeyRequest) returns (common.v1.Operation);
+
+  // Update deletion delay for an asymmetric KMS key scheduled for deletion.
+  rpc UpdateDeletionDelay(UpdateAsymmetricKeyDeletionDelayRequest) returns (common.v1.Operation);
+
+  // Restores an asymmetric KMS key scheduled for deletion.
+  rpc Undelete(UndeleteAsymmetricKeyRequest) returns (common.v1.Operation);
+}
+
+message CreateAsymmetricKeyRequest {
+  // The metadata for the resource.
+  common.v1.ResourceMetadata metadata = 1 [(buf.validate.field).required = true];
+
+  // The specifications for creating an asymmetric key.
+  AsymmetricKeySpec spec = 2 [(buf.validate.field).required = true];
+}
+
+message UpdateAsymmetricKeyRequest {
+  // The metadata for the resource.
+  common.v1.ResourceMetadata metadata = 1 [(buf.validate.field).required = true];
+
+  // The specifications for updating an asymmetric key.
+  AsymmetricKeySpec spec = 2;
+}
+
+message GetAsymmetricKeyRequest {
+  // ID of the asymmetric KMS key to return.
+  // To get the ID of an asymmetric KMS key use an [AsymmetricKeyService.List] request.
+  string id = 1 [(buf.validate.field).required = true];
+
+  // By default, Get doesn't return resource if it is scheduled for deletion.
+  // If show_scheduled_for_deletion = true, the Get operation returns the resource even if it is scheduled for deletion.
+  // If show_scheduled_for_deletion = false, the Get method returns the NOT_FOUND gRPC status code.
+  bool show_scheduled_for_deletion = 2;
+}
+
+message GetAsymmetricKeyByNameRequest {
+  // Parent Id and name of the asymmetric KMS key to return.
+  // To get the name of an asymmetric KMS key use an [AsymmetricKeyService.List] request.
+  string parent_id = 1 [(buf.validate.field).required = true];
+
+  string name = 2 [(buf.validate.field).required = true];
+}
+
+message ListAsymmetricKeysRequest {
+  // ID of the container to list asymmetric KMS keys in.
+  string parent_id = 1 [(buf.validate.field).required = true];
+
+  // The maximum number of results per page to return. If the number of available
+  // results is larger than [page_size], the service returns a [ListAsymmetricKeysResponse.next_page_token]
+  // that can be used to get the next page of results in subsequent list requests.
+  // Default value: 100.
+  int64 page_size = 2;
+
+  // Page token. To get the next page of results, set [page_token] to the
+  // [ListAsymmetricKeysResponse.next_page_token] returned by a previous list request.
+  string page_token = 3;
+
+  // By default, List operation doesn't include resources that are scheduled for deletion.
+  // If show_scheduled_for_deletion = true, the listing includes resources that are scheduled for deletion.
+  bool show_scheduled_for_deletion = 4;
+}
+
+message ListAsymmetricKeysResponse {
+  // List of asymmetric KMS keys in the specified container.
+  repeated AsymmetricKey items = 1;
+
+  // This token allows you to get the next page of results for list requests. If the number
+  // of results is greater than the specified [ListAsymmetricKeysRequest.page_size], use
+  // the [next_page_token] as the value for the [ListAsymmetricKeysRequest.page_token] query parameter
+  // in the next list request. Each subsequent list request will have its own
+  // [next_page_token] to continue paging through the results.
+  string next_page_token = 2;
+}
+
+message DeleteAsymmetricKeyRequest {
+  // ID of the asymmetric KMS key to schedule for deletion.
+  // To get the ID of an asymmetric KMS key use an [AsymmetricKeyService.List] request.
+  string id = 1 [(buf.validate.field).required = true];
+}
+
+message UpdateAsymmetricKeyDeletionDelayRequest {
+  // ID of the asymmetric KMS key scheduled for deletion.
+  string id = 1 [(buf.validate.field).required = true];
+
+  // Deletion delay applied from the update timestamp.
+  // Example: "86400s" (1 day). Valid range: 86400s (1 day) to 2592000s (30 days).
+  google.protobuf.Duration deletion_delay = 2 [(buf.validate.field) = {
+    duration: {
+      lte: {seconds: 2592000}
+      gte: {seconds: 86400}
+    }
+    required: true
+  }];
+}
+
+message UndeleteAsymmetricKeyRequest {
+  // ID of the asymmetric KMS key to restore.
+  string id = 1 [(buf.validate.field).required = true];
+
+  // A new name in case the current one is already in use.
+  string name = 2;
+}

nebius/kms/v1/key_state.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package nebius.kms.v1;
+
+option go_package = "github.com/nebius/gosdk/proto/nebius/kms/v1";
+option java_multiple_files = true;
+option java_outer_classname = "KeyStateProto";
+option java_package = "ai.nebius.pub.kms.v1";
+
+// Key state
+enum KeyState {
+  KEY_STATE_UNSPECIFIED = 0;
+
+  // Key is active, ready for use
+  ACTIVE = 1;
+
+  // Key is scheduled for deletion.
+  SCHEDULED_FOR_DELETION = 2;
+}