> ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Import a security object. > By default, all key operations that are implemented for that type of key will be enabled. These may be overridden by requesting specific operations in the key import request. For symmetric and asymmetric keys, value is base64-encoding of the key material in DER format. For AWS/Azure/GCP KMS keys, this imports the key material provided into the external KMS and a corresponding virtual key is created in DSM. EC and RSA keys are supported for Azure while only 256-bit AES keys are supported for AWS and GCP. ## OpenAPI ````json PUT /crypto/v1/keys { "openapi": "3.0.0", "info": { "title": "Fortanix DSM REST API", "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.", "termsOfService": "https://www.fortanix.com/legal/terms/", "contact": { "name": "Fortanix Support", "url": "https://support.fortanix.com/", "email": "support@fortanix.com" }, "license": { "name": "Apache 2.0", "url": "http://www.apache.org/licenses/LICENSE-2.0.html" }, "version": "0.1.0-20260526" }, "servers": [ { "url": "https://amer.smartkey.io" } ], "paths": { "/crypto/v1/keys": { "put": { "operationId": "ImportSobject", "tags": [ "Keys" ], "security": [ { "bearerToken": [] }, { "apiKeyAuth": [] } ], "summary": "Import a security object.", "description": "By default, all key operations that are implemented for that type of\nkey will be enabled. These may be overridden by requesting specific\noperations in the key import request.\n\nFor symmetric and asymmetric keys, value is base64-encoding of the\nkey material in DER format.\n\nFor AWS/Azure/GCP KMS keys, this imports the key material provided into the\nexternal KMS and a corresponding virtual key is created in DSM.\nEC and RSA keys are supported for Azure while only 256-bit AES\nkeys are supported for AWS and GCP.", "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SobjectRequest" } } } }, "responses": { "2XX": { "description": "Success result", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Sobject" } } } } } } } }, "components": { "schemas": { "SobjectRequest": { "allOf": [ { "type": "object", "properties": { "activation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Activation date of security object in seconds since EPOCH." }, "aes": { "$ref": "#/components/schemas/AesOptions" }, "allow_credential_use": { "type": "boolean", "nullable": true, "description": "Whether this security object can be used/referenced by a credential object." }, "allow_sign_hash": { "type": "boolean", "nullable": true, "description": "Whether the sign operation response contains hash or data as output." }, "aria": { "$ref": "#/components/schemas/AriaOptions" }, "bip32": { "$ref": "#/components/schemas/Bip32Options" }, "bls": { "$ref": "#/components/schemas/BlsOptions" }, "custom_metadata": { "type": "object", "additionalProperties": { "type": "string" }, "nullable": true, "description": "User managed field for adding custom metadata to the security object." }, "deactivation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Deactivation date of security object in seconds since EPOCH." }, "des": { "$ref": "#/components/schemas/DesOptions" }, "des3": { "$ref": "#/components/schemas/Des3Options" }, "description": { "type": "string", "nullable": true, "description": "Description of the security object." }, "deterministic_signatures": { "type": "boolean", "nullable": true, "description": "Optionally get deterministic signatures, if algorithm is EC or RSA." }, "dsa": { "$ref": "#/components/schemas/DsaOptions" }, "eckcdsa": { "$ref": "#/components/schemas/EcKcdsaOptions" }, "elliptic_curve": { "$ref": "#/components/schemas/EllipticCurve" }, "enabled": { "type": "boolean", "nullable": true, "description": "Whether this security object has cryptographic operations enabled." }, "export_policy": { "$ref": "#/components/schemas/SobjectExportPolicy" }, "external": { "$ref": "#/components/schemas/ExternalKmsInfo" }, "fpe": { "$ref": "#/components/schemas/FpeOptions" }, "google_access_reason_policy": { "$ref": "#/components/schemas/RemovableGoogleAccessReasonPolicy" }, "kcdsa": { "$ref": "#/components/schemas/KcdsaOptions" }, "kcv": { "type": "string", "description": "Key Checksum Value of the security object." }, "key_ops": { "type": "array", "items": { "$ref": "#/components/schemas/KeyOperations" }, "nullable": true, "description": "Operations allowed to be performed by a given key." }, "key_size": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "Key size of the security object in bits." }, "links": { "$ref": "#/components/schemas/KeyLinks" }, "lms": { "$ref": "#/components/schemas/LmsOptions" }, "mldsa": { "$ref": "#/components/schemas/MlDsaOptions" }, "mlkem": { "$ref": "#/components/schemas/MlKemOptions" }, "name": { "type": "string", "maxLength": 4096, "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$", "nullable": true, "description": "Name of the security object." }, "obj_type": { "$ref": "#/components/schemas/ObjectType" }, "pub_exponent": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "Public exponent" }, "publish_public_key": { "$ref": "#/components/schemas/PublishPublicKeyConfig" }, "rotation_policy": { "$ref": "#/components/schemas/RotationPolicy" }, "rsa": { "$ref": "#/components/schemas/RsaOptions" }, "seed": { "$ref": "#/components/schemas/SeedOptions" }, "slip10": { "$ref": "#/components/schemas/Slip10Options" }, "state": { "$ref": "#/components/schemas/SobjectState" }, "transient": { "type": "boolean", "nullable": true, "description": "If set to true, the security object will cease to exist after session ends." }, "value": { "type": "string", "format": "byte", "description": "Security object stored as byte array." }, "xmss": { "$ref": "#/components/schemas/XmssOptions" }, "group_id": { "type": "string", "format": "uuid", "nullable": true, "description": "UUID of the group which the security object belongs to." } } } ] }, "Sobject": { "allOf": [ { "type": "object", "properties": { "acct_id": { "type": "string", "format": "uuid", "description": "UUID of the account which the security object belongs to." }, "activation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Activation date of security object in seconds since EPOCH." }, "aes": { "$ref": "#/components/schemas/AesOptions" }, "allow_credential_use": { "type": "boolean", "nullable": true, "description": "Whether this security object can be used/referenced by a credential object." }, "allow_sign_hash": { "type": "boolean", "nullable": true, "description": "Whether the sign operation response contains hash or data as output." }, "aria": { "$ref": "#/components/schemas/AriaOptions" }, "bip32": { "$ref": "#/components/schemas/Bip32Options" }, "bls": { "$ref": "#/components/schemas/BlsOptions" }, "compliant_with_policies": { "type": "boolean", "nullable": true, "description": "Whether this security object is compliant with cryptographic policies or not." }, "compromise_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Compromise date of security object in seconds since EPOCH." }, "created_at": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Timestamp at which the security object was created." }, "creator": { "$ref": "#/components/schemas/Principal" }, "custom_metadata": { "type": "object", "additionalProperties": { "type": "string" }, "nullable": true, "description": "User managed field for adding custom metadata to the security object." }, "deactivation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Deactivation date of security object in seconds since EPOCH." }, "deletion_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Deletion date of security object in seconds since EPOCH." }, "des": { "$ref": "#/components/schemas/DesOptions" }, "des3": { "$ref": "#/components/schemas/Des3Options" }, "description": { "type": "string", "nullable": true, "description": "Description of the security object." }, "destruction_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Destruction date of security object in seconds since EPOCH." }, "deterministic_signatures": { "type": "boolean", "nullable": true, "description": "Optionally get deterministic signatures, if algorithm is EC or RSA." }, "dsa": { "$ref": "#/components/schemas/DsaOptions" }, "eckcdsa": { "$ref": "#/components/schemas/EcKcdsaOptions" }, "effective_key_policy": { "$ref": "#/components/schemas/EffectiveKeyPolicy" }, "elliptic_curve": { "$ref": "#/components/schemas/EllipticCurve" }, "enabled": { "type": "boolean", "description": "Whether this security object has cryptographic operations enabled." }, "export_policy": { "$ref": "#/components/schemas/SobjectExportPolicy" }, "external": { "$ref": "#/components/schemas/ExternalSobjectInfo" }, "fpe": { "$ref": "#/components/schemas/FpeOptions" }, "google_access_reason_policy": { "$ref": "#/components/schemas/GoogleAccessReasonPolicy" }, "history": { "type": "array", "items": { "$ref": "#/components/schemas/HistoryItem" }, "nullable": true, "description": "When a Key Undo Policy is in place, a list of (non-expired) history items is returned.\nEach history item represents a past key state that can be reverted to." }, "kcdsa": { "$ref": "#/components/schemas/KcdsaOptions" }, "kcv": { "type": "string", "description": "Key Checksum Value of the security object." }, "kcv_cmac": { "type": "string", "description": "Cmac Key Checksum Value of the security object." }, "key_creation_method": { "$ref": "#/components/schemas/KeyCreationMethod" }, "key_ops": { "type": "array", "items": { "$ref": "#/components/schemas/KeyOperations" }, "description": "Operations allowed to be performed by a given key." }, "key_size": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "Key size of the security object in bits." }, "kid": { "type": "string", "format": "uuid", "nullable": true, "description": "Unique identifier of the security object." }, "links": { "$ref": "#/components/schemas/KeyLinks" }, "lms": { "$ref": "#/components/schemas/LmsOptions" }, "mldsa": { "$ref": "#/components/schemas/MlDsaOptions" }, "mlkem": { "$ref": "#/components/schemas/MlKemOptions" }, "name": { "type": "string", "maxLength": 4096, "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$", "nullable": true, "description": "Name of the security object." }, "never_exportable": { "type": "boolean", "nullable": true, "description": "Whether the security object was exportable at some point in its lifetime." }, "obj_type": { "$ref": "#/components/schemas/ObjectType" }, "origin": { "$ref": "#/components/schemas/ObjectOrigin" }, "original_key_ops": { "type": "array", "items": { "$ref": "#/components/schemas/KeyOperations" }, "nullable": true, "description": "Key operations with which the key was created. This information is available for newly created DSM keys starting with version 5.1" }, "pub_key": { "type": "string", "format": "byte", "description": "Public key material of the security object, if it exists.\n\nFor virtual keys, this field may not be available if the key is not backed by DSM." }, "public_only": { "type": "boolean", "description": "Whether the security object only consists of public material." }, "publish_public_key": { "$ref": "#/components/schemas/PublishPublicKeyConfig" }, "revocation_reason": { "$ref": "#/components/schemas/RevocationReason" }, "rotation_policy": { "$ref": "#/components/schemas/RotationPolicy" }, "rsa": { "$ref": "#/components/schemas/RsaOptions" }, "scheduled_rotation": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "Timestamp at which security object will be rotated, if rotation policy exists.\nThis time will be clamped at 31 December 9999 11:59:59 pm UTC if the calculated\nrotation time would exceed that date." }, "seed": { "$ref": "#/components/schemas/SeedOptions" }, "slip10": { "$ref": "#/components/schemas/Slip10Options" }, "state": { "$ref": "#/components/schemas/SobjectState" }, "transient_key": { "type": "string", "format": "byte", "description": "Transient key material." }, "value": { "type": "string", "format": "byte", "description": "Security object stored as byte array." }, "virtual_key_info": { "$ref": "#/components/schemas/VirtualSobjectInfo" }, "wrapping_key_group_ids": { "type": "array", "uniqueItems": true, "items": { "type": "string", "format": "uuid" }, "nullable": true, "description": "Group ids of groups that use this security object to encrypt the key material of their security objects" }, "xmss": { "$ref": "#/components/schemas/XmssOptions" }, "group_id": { "type": "string", "format": "uuid", "nullable": true, "description": "UUID of the group which the security object belongs to." } }, "required": [ "acct_id", "created_at", "creator", "enabled", "key_ops", "obj_type", "origin", "public_only" ] } ] }, "AesOptions": { "allOf": [ { "type": "object", "properties": { "key_sizes": { "type": "array", "items": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "nullable": true }, "fpe": { "$ref": "#/components/schemas/FpeOptions" }, "tag_length": { "type": "integer", "format": "int32", "nullable": true }, "cipher_mode": { "$ref": "#/components/schemas/CipherMode" }, "random_iv": { "type": "boolean", "nullable": true }, "iv_length": { "type": "integer", "format": "int32", "nullable": true } } } ] }, "AriaOptions": { "allOf": [ { "type": "object", "properties": { "key_sizes": { "type": "array", "items": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "nullable": true }, "tag_length": { "type": "integer", "minimum": 0, "maximum": 255, "nullable": true }, "cipher_mode": { "$ref": "#/components/schemas/CipherMode" }, "random_iv": { "type": "boolean", "nullable": true }, "iv_length": { "type": "integer", "minimum": 0, "maximum": 255, "nullable": true } } } ] }, "Bip32Options": { "allOf": [ { "type": "object", "properties": { "derivation_path": { "type": "array", "items": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "nullable": true, "description": "The BIP32 path, starting from master. Master key is Some([]).\nEx: m/42/42'/0 -> Some([42, 2**31 + 42, 0])" }, "network": { "$ref": "#/components/schemas/Bip32Network" } } } ] }, "BlsOptions": { "allOf": [ { "type": "object", "properties": { "variant": { "$ref": "#/components/schemas/BlsVariant" } }, "required": [ "variant" ] } ] }, "DesOptions": { "allOf": [ { "type": "object", "properties": { "cipher_mode": { "$ref": "#/components/schemas/CipherMode" }, "random_iv": { "type": "boolean", "nullable": true } } } ] }, "Des3Options": { "allOf": [ { "type": "object", "properties": { "key_sizes": { "type": "array", "items": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "nullable": true }, "cipher_mode": { "$ref": "#/components/schemas/CipherMode" }, "random_iv": { "type": "boolean", "nullable": true }, "iv_length": { "type": "integer", "format": "int32", "nullable": true } } } ] }, "DsaOptions": { "allOf": [ { "type": "object", "properties": { "subgroup_size": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true } } } ] }, "EcKcdsaOptions": { "allOf": [ { "type": "object", "properties": { "hash_alg": { "$ref": "#/components/schemas/DigestAlgorithm" } } } ] }, "EllipticCurve": { "description": "Identifies a standardized elliptic curve.", "type": "string", "enum": [ "X25519", "Ed25519", "Ed448", "X448", "SecP192K1", "SecP224K1", "SecP256K1", "NistP192", "NistP224", "NistP256", "NistP384", "NistP521", "Gost256A" ] }, "SobjectExportPolicy": { "allOf": [ { "type": "object", "properties": { "allow_weakening": { "type": "boolean", "description": "When set to `false`, the `export_policy` for the sobject can never be relaxed,\nit can only be made more strict.\nThis means that\n- If the export policy is set to `Wrapped`, it can never be set back to `Unrestricted`.\n- If the export policy is set to `Wrapped` with a limited set of keys specified,\nit can never bet set back to `Wrapped` with any key. Additionally, no new keys can\nbe added to the set of wrapping keys. Also note that if all the wrapping keys (specified\nby key id) in the export policy have been deleted/destroyed/deactivated, the sobject\nbecomes effectively unexportable.\n\nNote: these rules may change in the future." } }, "required": [ "allow_weakening" ] }, { "$ref": "#/components/schemas/ExportPolicy" } ] }, "ExternalKmsInfo": { "description": "Information about a specific external KMS key object.", "oneOf": [ { "$ref": "#/components/schemas/ExternalKmsInfoVariantAWS" }, { "$ref": "#/components/schemas/ExternalKmsInfoVariantOci" } ], "discriminator": { "propertyName": "type", "mapping": { "AWS": "ExternalKmsInfoVariantAWS", "Oci": "ExternalKmsInfoVariantOci" } } }, "FpeOptions": { "description": "FPE-specific options (for specifying the format of the\ndata to be encrypted)", "oneOf": [ { "$ref": "#/components/schemas/FpeOptionsBasic" }, { "$ref": "#/components/schemas/FpeOptionsAdvanced" }, { "$ref": "#/components/schemas/FpeOptionsV2" } ] }, "RemovableGoogleAccessReasonPolicy": { "oneOf": [ { "type": "string", "enum": [ "remove" ] }, { "$ref": "#/components/schemas/GoogleAccessReasonPolicy" } ] }, "KcdsaOptions": { "allOf": [ { "type": "object", "properties": { "subgroup_size": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true }, "hash_alg": { "$ref": "#/components/schemas/DigestAlgorithm" } } } ] }, "KeyOperations": { "description": "Operations allowed to be performed on a given key.\n\n\n\n SIGN:\n If this is set, the key can be used to for signing.\n\n\n VERIFY:\n If this is set, the key can used for verifying a signature.\n\n\n ENCRYPT:\n If this is set, the key can be used for encryption.\n\n\n DECRYPT:\n If this is set, the key can be used for decryption.\n\n\n WRAPKEY:\n If this is set, the key can be used wrapping other keys.\n The key being wrapped must have the EXPORT operation enabled.\n\n\n UNWRAPKEY:\n If this is set, the key can be used to unwrap a wrapped key.\n\n\n DERIVEKEY:\n If this is set, the key can be used to derive another key.\n\n\n TRANSFORM:\n If this is set, the key can be transformed.\n\n\n MACGENERATE:\n If this is set, the key can be used to compute a cryptographic\n Message Authentication Code (MAC) on a message.\n\n\n MACVERIFY:\n If they is set, the key can be used to verify a MAC.\n\n\n EXPORT:\n If this is set, the value of the key can be retrieved\n with an authenticated request. This shouldn't be set unless\n required. It is more secure to keep the key's value inside DSM only.\n\n\n APPMANAGEABLE:\n Without this operation, management operations like delete, destroy,\n rotate, activate, restore, revoke, revert, update, remove_private, etc.\n cannot be performed by a crypto App.\n A user with access or admin app can still perform these operations.\n This option is only relevant for crypto apps.\n\n\n HIGHVOLUME:\n If this is set, audit logs will not be recorded for the key.\n High volume here tries to signify a key that is being used a lot\n and will produce lots of logs. Setting this operation disables\n audit logs for the key.\n\n\n AGREEKEY:\n If this is set, the key can be used for key agreement.\n Both the private and public key should have this option enabled\n to perform an agree operation.\n\n\n ENCAPSULATE:\n If this is set, the key can be used for key encapsulation. The\n result is a new symmetric key and a ciphertext.\n\n\n DECAPSULATE:\n If this is set, the key can be used for key decapsulation. If\n decapsulation succeeds, the result is a new symmetric key.\n\n", "type": "string", "enum": [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE" ] }, "KeyLinks": { "allOf": [ { "type": "object", "description": "Linked security objects.", "properties": { "replacement": { "type": "string", "format": "uuid", "nullable": true, "description": "key id of the key that replaced this key (i.e., this key was rotated to the `replacement` key)" }, "replaced": { "type": "string", "format": "uuid", "nullable": true, "description": "key id of the key that was replaced by this key (i.e., the `replaced` key was rotated to this key)" }, "copiedFrom": { "type": "string", "format": "uuid", "nullable": true }, "copiedTo": { "type": "array", "items": { "type": "string", "format": "uuid" }, "nullable": true }, "subkeys": { "type": "array", "items": { "type": "string", "format": "uuid" }, "nullable": true }, "parent": { "type": "string", "format": "uuid", "nullable": true }, "wrappingKey": { "type": "string", "format": "uuid", "nullable": true, "description": "Wrapping key used to wrap this security object" } } } ] }, "LmsOptions": { "allOf": [ { "type": "object", "description": "LMS specific options", "properties": { "l1_height": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The height of the top level tree. This field will be deprecated in v2." }, "l2_height": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The height of the secondary tree. This field will be deprecated in v2." }, "digest": { "$ref": "#/components/schemas/DigestAlgorithm" }, "heights": { "type": "array", "items": { "type": "integer" }, "nullable": true, "description": "Heights of the trees in each level." }, "node_size": { "type": "integer", "nullable": true, "description": "Amount of bytes associated to each node (the 'm' parameter)" }, "winternitz_width": { "type": "integer", "nullable": true, "description": "The width of the Winternitz coefficients. The default value is 8." } } } ] }, "MlDsaOptions": { "allOf": [ { "type": "object", "description": "ML-DSA specific options", "properties": { "param_set": { "$ref": "#/components/schemas/MlDsaParamSet" } }, "required": [ "param_set" ] } ] }, "MlKemOptions": { "allOf": [ { "type": "object", "description": "ML-KEM specific options", "properties": { "param_set": { "$ref": "#/components/schemas/MlKemParamSet" } } } ] }, "ObjectType": { "description": "Type of security object.", "type": "string", "enum": [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "SLIP10", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ] }, "PublishPublicKeyConfig": { "description": "If enabled, the public key will be available publicly (without authentication) through the GetPublicKey API.", "oneOf": [ { "$ref": "#/components/schemas/PublishPublicKeyConfigVariantEnabled" }, { "$ref": "#/components/schemas/PublishPublicKeyConfigVariantDisabled" } ], "discriminator": { "propertyName": "state", "mapping": { "enabled": "PublishPublicKeyConfigVariantEnabled", "disabled": "PublishPublicKeyConfigVariantDisabled" } } }, "RotationPolicy": { "allOf": [ { "type": "object", "properties": { "effective_at": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "deactivate_rotated_key": { "type": "boolean", "nullable": true }, "rotate_copied_keys": { "$ref": "#/components/schemas/RotateCopiedKeys" } } }, { "$ref": "#/components/schemas/RotationInterval" } ] }, "RsaOptions": { "allOf": [ { "type": "object", "description": "RSA-specific options.", "properties": { "key_size": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "Size in bits (not bytes) of the RSA key. Specify on Create only. Returned on Get." }, "public_exponent": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "Public exponent to use for generating the RSA key. Specify on Create only." }, "encryption_policy": { "type": "array", "items": { "$ref": "#/components/schemas/RsaEncryptionPolicy" }, "nullable": true, "description": "Encryption policy for an RSA key. When doing an encryption or key wrapping operation, the\npolicies are evaluated against the specified parameters one by one. If one matches, the\noperation is allowed. If none match, including if the policy list is empty, the operation\nis disallowed. Missing optional parameters will have their defaults specified according to\nthe matched policy. The default for new keys is `[{\"padding\":{\"OAEP\":{}}]`.\nIf (part of) a constraint is not specified, anything is allowed for that constraint.\nTo impose no constraints, specify `[{}]`." }, "signature_policy": { "type": "array", "items": { "$ref": "#/components/schemas/RsaSignaturePolicy" }, "nullable": true, "description": "Signature policy for an RSA key. When doing a signature operation, the policies are\nevaluated against the specified parameters one by one. If one matches, the operation is\nallowed. If none match, including if the policy list is empty, the operation is disallowed.\nMissing optional parameters will have their defaults specified according to the matched\npolicy. The default for new keys is `[{}]` (no constraints).\nIf (part of) a constraint is not specified, anything is allowed for that constraint." }, "minimum_key_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The minimum allowed key length. This is only relevant for group or account cryptographic\npolicies (and hence has no effect in an RSA policy on a specific key)." } } } ] }, "SeedOptions": { "allOf": [ { "type": "object", "properties": { "cipher_mode": { "$ref": "#/components/schemas/CipherMode" }, "random_iv": { "type": "boolean", "nullable": true } } } ] }, "Slip10Options": { "allOf": [ { "type": "object", "properties": { "derivation_path": { "type": "array", "items": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "description": "The Slip10 path, starting from master. Master key is [].\n\nEx: m/42/42'/0 -> [42, 2**31 + 42, 0]" } }, "required": [ "derivation_path" ] } ] }, "SobjectState": { "description": "Security object operational state.", "type": "string", "enum": [ "PreActive", "Active", "Deactivated", "Compromised", "Destroyed", "Deleted" ] }, "XmssOptions": { "allOf": [ { "type": "object", "description": "XMSS specific options", "properties": { "height": { "type": "integer", "nullable": true, "description": "The height of the Merkle tree (10, 16 or 20)" }, "digest": { "$ref": "#/components/schemas/DigestAlgorithm" }, "node_size": { "type": "integer", "nullable": true, "description": "Amount of bytes associated to each node (24 or 32)" } } } ] }, "Principal": { "description": "A security principal.", "oneOf": [ { "title": "PrincipalVariantApp", "type": "object", "properties": { "app": { "type": "string", "format": "uuid" } }, "required": [ "app" ] }, { "title": "PrincipalVariantUser", "type": "object", "properties": { "user": { "type": "string", "format": "uuid" } }, "required": [ "user" ] }, { "title": "PrincipalVariantPlugin", "type": "object", "properties": { "plugin": { "type": "string", "format": "uuid" } }, "required": [ "plugin" ] }, { "title": "PrincipalVariantUserViaApp", "type": "object", "properties": { "userviaapp": { "$ref": "#/components/schemas/PrincipalUserViaApp" } }, "required": [ "userviaapp" ] }, { "title": "PrincipalVariantSystem", "type": "string", "enum": [ "system" ] }, { "title": "PrincipalVariantUnregisteredUser", "type": "string", "enum": [ "unregistereduser" ] } ] }, "EffectiveKeyPolicy": { "allOf": [ { "type": "object", "description": "An aggregation of policies and permissions of the session creator for\na security object.", "properties": { "key_ops": { "type": "array", "items": { "$ref": "#/components/schemas/EffectiveKeyOperations" }, "description": "Indicates allowed key operations for the security key." }, "export_policy": { "$ref": "#/components/schemas/ExportPolicy" } }, "required": [ "key_ops" ] } ] }, "ExternalSobjectInfo": { "allOf": [ { "type": "object", "description": "This describes an external object -- specifically, information about its\nsource object.", "properties": { "id": { "$ref": "#/components/schemas/ExternalKeyId" }, "hsm_group_id": { "type": "string", "format": "uuid", "description": "The group which corresponds to the external HSM." }, "external_kms_info": { "$ref": "#/components/schemas/ExternalKmsInfo" } }, "required": [ "id", "hsm_group_id" ] } ] }, "GoogleAccessReasonPolicy": { "allOf": [ { "type": "object", "description": "Policy specifying acceptable access reasons\nby Google Service Account at App or Sobject level.", "properties": { "allow": { "type": "array", "uniqueItems": true, "items": { "$ref": "#/components/schemas/GoogleAccessReason" }, "description": "Set of allowed Google Access reasons." }, "allow_missing_reason": { "type": "boolean", "description": "Accept incoming requests which do not specify any access reasons." } }, "required": [ "allow", "allow_missing_reason" ] } ] }, "HistoryItem": { "allOf": [ { "type": "object", "description": "A particular entry in a security object's history.\nThese entries are maintained as part of the key history\n(aka key undo) policy feature, which allows otherwise-\nirreversible operations on security objects to be reversible.\n\nEach entry represents a particular \"snapshot in time\" to which\na security object can be reverted. Such entries are only\nrecorded when key history is disabled.", "properties": { "id": { "type": "string", "format": "uuid", "description": "The ID identifying this particular entry." }, "state": { "$ref": "#/components/schemas/HistoryItemState" }, "created_at": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "The time when this history entry was created." }, "expiry": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "The time when this entry is no longer available for\nundo purposes." } }, "required": [ "id", "state", "created_at", "expiry" ] } ] }, "KeyCreationMethod": { "description": "Information about the method by which a key was created", "oneOf": [ { "$ref": "#/components/schemas/KeyCreationMethodVariantGenerate" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantAgree" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantTransform" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantDerive" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantUnwrap" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantImport" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantEncapsulate" }, { "$ref": "#/components/schemas/KeyCreationMethodVariantDecapsulate" } ], "discriminator": { "propertyName": "method", "mapping": { "Generate": "KeyCreationMethodVariantGenerate", "Agree": "KeyCreationMethodVariantAgree", "Transform": "KeyCreationMethodVariantTransform", "Derive": "KeyCreationMethodVariantDerive", "Unwrap": "KeyCreationMethodVariantUnwrap", "Import": "KeyCreationMethodVariantImport", "Encapsulate": "KeyCreationMethodVariantEncapsulate", "Decapsulate": "KeyCreationMethodVariantDecapsulate" } } }, "ObjectOrigin": { "description": "The origin of a security object - where it was created / generated.", "type": "string", "enum": [ "FortanixHSM", "Transient", "External" ] }, "RevocationReason": { "allOf": [ { "type": "object", "description": "Reason for revoking a key.", "properties": { "code": { "$ref": "#/components/schemas/RevocationReasonCode" }, "message": { "type": "string", "nullable": true, "description": "Message is used exclusively for audit trail/logging purposes and MAY contain additional\ninformation about why the object was revoked." }, "compromise_occurance_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" } }, "required": [ "code" ] } ] }, "VirtualSobjectInfo": { "allOf": [ { "type": "object", "description": "Information specific to a virtual key. Currently, this is only relevant\nfor virtual keys backed by DSM.", "properties": { "cached_key_material": { "type": "boolean", "description": "Whether or not the source key material is cached within the key." } }, "required": [ "cached_key_material" ] } ] }, "CipherMode": { "description": "Cipher mode used for symmetric key algorithms.", "type": "string", "enum": [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ] }, "Bip32Network": { "description": "The BIP32 network\nThe Testnet network is usually an actual network with nodes and miners, and\nfree cryptocurrency. This provides a testing environment for developers.", "type": "string", "enum": [ "mainnet", "testnet" ] }, "BlsVariant": { "description": "Signature/public-key size trade-off for BLS.", "type": "string", "enum": [ "small_signatures", "small_public_keys" ] }, "DigestAlgorithm": { "description": "A hash algorithm.", "type": "string", "enum": [ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ] }, "ExportPolicy": { "oneOf": [ { "$ref": "#/components/schemas/ExportPolicyVariantWrapped" }, { "$ref": "#/components/schemas/ExportPolicyVariantUnrestricted" } ], "discriminator": { "propertyName": "$type", "mapping": { "Wrapped": "ExportPolicyVariantWrapped", "Unrestricted": "ExportPolicyVariantUnrestricted" } } }, "ExternalKmsInfoVariantAWS": { "allOf": [ { "type": "object", "properties": { "type": { "type": "string", "enum": [ "AWS" ] } }, "required": [ "type" ] }, { "$ref": "#/components/schemas/AwsKmsInfo" } ] }, "ExternalKmsInfoVariantOci": { "allOf": [ { "type": "object", "properties": { "type": { "type": "string", "enum": [ "Oci" ] } }, "required": [ "type" ] }, { "$ref": "#/components/schemas/OciVaultInfo" } ] }, "FpeOptionsBasic": { "allOf": [ { "type": "object", "description": "Basic FPE-specific options. This is suitable for simple datatypes\nthat consist of ASCII digits, or ASCII digits and uppercase letters.", "properties": { "radix": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The FPE base for the input data (i.e., the size of the character\nset of the datatype). This must be an integer from 2 to 36.\n\nThis also implicitly defines the alphabet of the datatype. A base\nfrom 2 to 10 implies ASCII digits (e.g., a radix of 3 can be used\nto represent a ternary string), and a base from 11 to 36 implies\nASCII digits and uppercase letters (e.g., a radix of 16 can be" }, "min_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The minimum allowed length for the input data." }, "max_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The maximum allowed length for the input data." }, "preserve": { "type": "array", "items": { "type": "integer", "format": "int64" }, "description": "The list of indices of characters to be preserved while performing encryption/decryption.\nIndices are Python-like; i.e., nonnegative indices index from the beginning of the input\n(where 0 is the first character), and negative indices index from the end of the input.\n(where -1 is the last character, -2 is second to last, and so on).\n\nAny preserved characters will be concatenated together and used as an FF1 tweak. For example,\nif the input data is \"abcd\", and the first and last characters are to be preserved, the FF1\ntweak will be the ASCII bytes of the string \"ad\"." }, "mask": { "type": "array", "items": { "type": "integer", "format": "int64" }, "nullable": true, "description": "The list of indices of characters to be masked while performing masked decryption.\nIndices are Python-like; i.e., nonnegative indices index from the beginning of the input\n(where 0 is the first character), and negative indices index from the end of the input.\n(where -1 is the last character, -2 is second to last, and so on)." }, "luhn_check": { "type": "boolean", "nullable": true, "description": "Whether the encrypted/decrypted data contains a checksum digit that satisfies the Luhn\nformula. (The output ciphertext/plaintext will also contain a Luhn checksum digit.)" }, "name": { "type": "string", "nullable": true, "description": "The user-provided name for the data type that represents the input data." } }, "required": [ "radix", "min_length", "max_length", "preserve" ] } ] }, "FpeOptionsAdvanced": { "allOf": [ { "type": "object", "description": "Advanced FPE options. It is recommended to use this for\nspecifying any FPE options, as it is more expressive than\nFpeOptionsBasic.", "properties": { "format": { "$ref": "#/components/schemas/FpeDataPart" }, "description": { "type": "string", "nullable": true, "description": "The user-provided name for the data type." } }, "required": [ "format" ] } ] }, "FpeOptionsV2": { "allOf": [ { "type": "object", "properties": { "format_v2": { "$ref": "#/components/schemas/FpeFormatV2" }, "description": { "type": "string", "nullable": true } }, "required": [ "format_v2" ] } ] }, "MlDsaParamSet": { "description": "ML-DSA parameter sets", "type": "string", "enum": [ "MlDsa44", "MlDsa65", "MlDsa87" ] }, "MlKemParamSet": { "description": "ML-KEM parameter sets", "type": "string", "enum": [ "MlKem512", "MlKem768", "MlKem1024" ] }, "PublishPublicKeyConfigVariantEnabled": { "allOf": [ { "type": "object", "properties": { "state": { "type": "string", "enum": [ "enabled" ] } }, "required": [ "state" ] }, { "$ref": "#/components/schemas/PublishPublicKeyConfigEnabled" } ] }, "PublishPublicKeyConfigVariantDisabled": { "allOf": [ { "type": "object", "properties": { "state": { "type": "string", "enum": [ "disabled" ] } }, "required": [ "state" ] }, { "type": "object", "properties": {} } ] }, "RotateCopiedKeys": { "oneOf": [ { "title": "RotateCopiedKeysVariantAllExternal", "type": "string", "enum": [ "all_external" ] }, { "title": "RotateCopiedKeysVariantSelect", "type": "object", "properties": { "select": { "type": "array", "items": { "type": "string", "format": "uuid" } } }, "required": [ "select" ] } ] }, "RotationInterval": { "oneOf": [ { "title": "RotationIntervalVariantIntervalDays", "type": "object", "properties": { "interval_days": { "type": "integer", "minimum": 0, "maximum": 4294967295 } }, "required": [ "interval_days" ] }, { "title": "RotationIntervalVariantIntervalMonths", "type": "object", "properties": { "interval_months": { "type": "integer", "minimum": 0, "maximum": 4294967295 } }, "required": [ "interval_months" ] } ] }, "RsaEncryptionPolicy": { "allOf": [ { "type": "object", "description": "Constraints on RSA encryption parameters. In general, if a constraint is not specified, anything is allowed.", "properties": { "padding": { "$ref": "#/components/schemas/RsaEncryptionPaddingPolicy" } } } ] }, "RsaSignaturePolicy": { "allOf": [ { "type": "object", "description": "Constraints on RSA signature parameters. In general, if a constraint is not specified, anything is allowed.", "properties": { "padding": { "$ref": "#/components/schemas/RsaSignaturePaddingPolicy" } } } ] }, "PrincipalUserViaApp": { "allOf": [ { "type": "object", "description": "UserViaApp signifies a user authorizing some app to act on its behalf through OAuth.", "properties": { "user_id": { "type": "string", "format": "uuid" }, "scopes": { "type": "array", "uniqueItems": true, "items": { "$ref": "#/components/schemas/OauthScope" } } }, "required": [ "user_id", "scopes" ] } ] }, "EffectiveKeyOperations": { "description": "Operations allowed to be performed on a given key by a given User or an app\n\n\n\n SIGN:\n If this is set, the key can be used for signing.\n\n\n VERIFY:\n If this is set, the key can used for verifying a signature.\n\n\n ENCRYPT:\n If this is set, the key can be used for encryption.\n\n\n DECRYPT:\n If this is set, the key can be used for decryption.\n\n\n WRAPKEY:\n If this is set, the key can be used wrapping other keys.\n The key being wrapped must have the EXPORT operation enabled.\n\n\n UNWRAPKEY:\n If this is set, the key can be used to unwrap a wrapped key.\n\n\n DERIVEKEY:\n If this is set, the key can be used to derive another key.\n\n\n TRANSFORM:\n If this is set, the key can be transformed.\n\n\n MACGENERATE:\n If this is set, the key can be used to compute a cryptographic\n Message Authentication Code (MAC) on a message.\n\n\n MACVERIFY:\n If they is set, the key can be used to verify a MAC.\n\n\n EXPORT:\n If this is set, the value of the key can be retrieved\n with an authenticated request. This shouldn't be set unless\n required. It is more secure to keep the key's value inside DSM only.\n\n\n APPMANAGEABLE:\n Without this operation, management operations like delete, destroy,\n rotate, activate, restore, revoke, revert, update, remove_private, etc.\n cannot be performed by a crypto App.\n A user with access or admin app can still perform these operations.\n This option is only relevant for crypto apps.\n\n\n HIGHVOLUME:\n If this is set, audit logs will not be recorded for the key.\n High volume here tries to signify a key that is being used a lot\n and will produce lots of logs. Setting this operation disables\n audit logs for the key.\n\n\n AGREEKEY:\n If this is set, the key can be used for key agreement.\n Both the private and public key should have this option enabled\n to perform an agree operation.\n\n\n ENCAPSULATE:\n If this is set, the key can be used for key encapsulation. The\n result is a new symmetric key and a ciphertext.\n\n\n DECAPSULATE:\n If this is set, the key can be used for key decapsulation. If\n decapsulation succeeds, the result is a new symmetric key.\n\n\n MASKDECRYPT:\n If this is set, the key can be used for masked decryption only.\n\n", "type": "string", "enum": [ "SIGN", "VERIFY", "ENCRYPT", "DECRYPT", "WRAPKEY", "UNWRAPKEY", "DERIVEKEY", "TRANSFORM", "MACGENERATE", "MACVERIFY", "EXPORT", "APPMANAGEABLE", "HIGHVOLUME", "AGREEKEY", "ENCAPSULATE", "DECAPSULATE", "MASKDECRYPT" ] }, "ExternalKeyId": { "description": "Identification information for an external key. There are multiple\nvariants of this type to represent the different kinds of keys DSM\nsupports (e.g., AWS, Azure, etc.).\n\nThis is not to be confused with the UUID assigned to a virtual key\nin DSM, which is most likely different from the ID that the source\nkey (outside of DSM) has.", "oneOf": [ { "$ref": "#/components/schemas/ExternalKeyIdPkcs11" }, { "$ref": "#/components/schemas/ExternalKeyIdFortanix" }, { "$ref": "#/components/schemas/ExternalKeyIdAwsKms" }, { "$ref": "#/components/schemas/ExternalKeyIdAzureKeyVault" }, { "$ref": "#/components/schemas/ExternalKeyIdGcpKeyRing" }, { "$ref": "#/components/schemas/ExternalKeyIdOciVault" }, { "type": "object", "properties": {} } ] }, "GoogleAccessReason": { "description": "An access reason provided by Google when making EKMS API calls.", "type": "string", "enum": [ "REASON_UNSPECIFIED", "CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE", "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW", "CUSTOMER_INITIATED_ACCESS", "GOOGLE_INITIATED_SYSTEM_OPERATION", "REASON_NOT_EXPECTED", "MODIFIED_CUSTOMER_INITIATED_ACCESS", "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION", "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT", "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING" ] }, "HistoryItemState": { "allOf": [ { "type": "object", "description": "The key metadata of the security object for a\ngiven `HistoryItem`. This keeps track of properties\nsuch as allowed key operations, key state, and so on.", "properties": { "activation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "activation_undo_window": { "$ref": "#/components/schemas/Secs" }, "revocation_reason": { "$ref": "#/components/schemas/RevocationReason" }, "compromise_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "deactivation_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "deactivation_undo_window": { "$ref": "#/components/schemas/Secs" }, "destruction_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "deletion_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z" }, "state": { "$ref": "#/components/schemas/SobjectState" }, "key_ops": { "type": "array", "items": { "$ref": "#/components/schemas/KeyOperations" } }, "public_only": { "type": "boolean" }, "has_key": { "type": "boolean" }, "rotation_policy": { "$ref": "#/components/schemas/RotationPolicy" }, "group_id": { "type": "string", "format": "uuid", "nullable": true } }, "required": [ "state", "key_ops", "public_only", "has_key" ] } ] }, "KeyCreationMethodVariantGenerate": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Generate" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantAgree": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Agree" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantTransform": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Transform" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantDerive": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Derive" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantUnwrap": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Unwrap" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantImport": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Import" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantEncapsulate": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Encapsulate" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "KeyCreationMethodVariantDecapsulate": { "allOf": [ { "type": "object", "properties": { "method": { "type": "string", "enum": [ "Decapsulate" ] } }, "required": [ "method" ] }, { "type": "object", "properties": {} } ] }, "RevocationReasonCode": { "description": "Reasons to revoke a security object.", "type": "string", "enum": [ "Unspecified", "KeyCompromise", "CACompromise", "AffiliationChanged", "Superseded", "CessationOfOperation", "PrivilegeWithdrawn" ] }, "ExportPolicyVariantWrapped": { "allOf": [ { "type": "object", "properties": { "$type": { "type": "string", "enum": [ "Wrapped" ] } }, "required": [ "$type" ] }, { "$ref": "#/components/schemas/ExportPolicyWrapped" } ] }, "ExportPolicyVariantUnrestricted": { "allOf": [ { "type": "object", "properties": { "$type": { "type": "string", "enum": [ "Unrestricted" ] } }, "required": [ "$type" ] }, { "type": "object", "properties": {} } ] }, "AwsKmsInfo": { "allOf": [ { "type": "object", "description": "Information and properties of an AWS KMS key.", "properties": { "multi_region": { "$ref": "#/components/schemas/AwsMultiRegionInfo" }, "aws_key_rotation_status": { "$ref": "#/components/schemas/AwsKeyRotationStatus" }, "origin": { "$ref": "#/components/schemas/AwsKeyOrigin" } } } ] }, "OciVaultInfo": { "allOf": [ { "type": "object", "description": "Any key specific metadata that isn't already described\nby an existing security object field.", "properties": { "protection_mode": { "type": "string", "description": "Describes the OCI vault protection mode, usually\nmeaning HSM or SOFTWARE." }, "deletion_date": { "type": "string", "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$", "example": "20170509T070912Z", "description": "The scheduled deletion_date of the OCI key version" }, "display_name": { "type": "string", "maxLength": 4096, "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$", "description": "The name in the OCI Vault (and may differ from\nwhat the DSM virtual key shows)." } }, "required": [ "protection_mode", "display_name" ] } ] }, "FpeDataPart": { "description": "Structure for specifying (part of) a complex tokenization data type.", "oneOf": [ { "$ref": "#/components/schemas/FpeEncryptedPart" }, { "$ref": "#/components/schemas/FpeDataPartLiteral" }, { "$ref": "#/components/schemas/FpeCompoundPart" } ] }, "FpeFormatV2": { "allOf": [ { "type": "object", "description": "The second generation of Fortanix Tokenization scheme.", "properties": { "variants": { "type": "array", "items": { "$ref": "#/components/schemas/FpeVariant" }, "description": "A token is accepted if it is accepted by any of these variants. Note\ntokenization results depend on the order of this list." }, "mode": { "$ref": "#/components/schemas/FpeTokenizeMode" }, "input_processing": { "$ref": "#/components/schemas/FpeInputProcessing" } }, "required": [ "variants" ] } ] }, "PublishPublicKeyConfigEnabled": { "allOf": [ { "type": "object", "properties": { "list_previous_version": { "type": "boolean", "description": "Additionally list the previous version of the key if not compromised." } }, "required": [ "list_previous_version" ] } ] }, "RsaEncryptionPaddingPolicy": { "description": "RSA encryption padding policy.", "oneOf": [ { "title": "RsaEncryptionPaddingPolicyVariantOaep", "type": "object", "properties": { "OAEP": { "$ref": "#/components/schemas/RsaEncryptionPaddingPolicyOaep" } }, "required": [ "OAEP" ] }, { "title": "RsaEncryptionPaddingPolicyVariantPkcs1V15", "type": "object", "properties": { "PKCS1_V15": { "type": "object", "properties": {} } }, "required": [ "PKCS1_V15" ] }, { "title": "RsaEncryptionPaddingPolicyVariantRawDecrypt", "type": "object", "properties": { "RAW_DECRYPT": { "type": "object", "properties": {} } }, "required": [ "RAW_DECRYPT" ] } ] }, "RsaSignaturePaddingPolicy": { "description": "RSA signature padding policy.", "oneOf": [ { "title": "RsaSignaturePaddingPolicyVariantPss", "type": "object", "properties": { "PSS": { "$ref": "#/components/schemas/RsaSignaturePaddingPolicyPss" } }, "required": [ "PSS" ] }, { "title": "RsaSignaturePaddingPolicyVariantPkcs1V15", "type": "object", "properties": { "PKCS1_V15": { "type": "object", "properties": {} } }, "required": [ "PKCS1_V15" ] } ] }, "OauthScope": { "description": "OAuth scope.", "type": "string", "enum": [ "app", "openid", "email", "profile" ] }, "ExternalKeyIdPkcs11": { "allOf": [ { "type": "object", "description": "A key in a legacy HSM. (DSM uses HSM Gateway to interact with\nsuch legacy HSMs using PKCS #11.)", "properties": { "id": { "type": "string", "format": "byte", "description": "The PKCS #11 ID of the key." }, "label": { "type": "string", "format": "byte", "description": "The PKCS #11 label of the key." } }, "required": [ "id", "label" ] } ] }, "ExternalKeyIdFortanix": { "allOf": [ { "type": "object", "description": "An sobject in DSM.", "properties": { "id": { "type": "string", "format": "uuid", "description": "The UUID assigned to the sobject." } }, "required": [ "id" ] } ] }, "ExternalKeyIdAwsKms": { "allOf": [ { "type": "object", "properties": { "key_arn": { "type": "string", "description": "The Amazon Resource Name of the key." }, "key_id": { "type": "string", "description": "The key ID assigned to the key." } }, "required": [ "key_arn", "key_id" ] }, { "$ref": "#/components/schemas/AwsKeyMaterialId" } ] }, "ExternalKeyIdAzureKeyVault": { "allOf": [ { "type": "object", "description": "A key in Azure Key Vault.", "properties": { "version": { "type": "string", "format": "uuid", "description": "The version of the key." }, "label": { "type": "string", "description": "The name of the key." } }, "required": [ "version", "label" ] } ] }, "ExternalKeyIdGcpKeyRing": { "allOf": [ { "type": "object", "description": "A key in a GCP key ring.", "properties": { "version": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The version of the key." }, "label": { "type": "string", "description": "The label for the key." } }, "required": [ "version", "label" ] } ] }, "ExternalKeyIdOciVault": { "allOf": [ { "type": "object", "description": "A key in an OCI key vault.", "properties": { "oci_key_id": { "type": "string", "description": "The OCID of the OciKey" }, "oci_key_version": { "type": "string", "description": "The OCID of the OciKeyVersion" } }, "required": [ "oci_key_id", "oci_key_version" ] } ] }, "Secs": { "allOf": [ { "type": "integer" } ] }, "ExportPolicyWrapped": { "allOf": [ { "type": "object", "description": "The sobject can only be exported wrapped by a key as specified\nby the `WrappingKeys`.", "properties": { "by": { "$ref": "#/components/schemas/WrappingKeys" } }, "required": [ "by" ] } ] }, "AwsMultiRegionInfo": { "allOf": [ { "type": "object", "description": "This structure mentions various properties\nof AWS multi region keys.\nhttps://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html", "properties": { "multi_region_key_type": { "$ref": "#/components/schemas/AwsMultiRegionKeyType" }, "primary_key_arn": { "type": "string", "nullable": true, "description": "Specifies a replica key's primary key ARN." }, "replica_key_arns": { "type": "array", "items": { "type": "string" }, "nullable": true, "description": "Specifies ARNs of a primary key's replicas." } }, "required": [ "multi_region_key_type" ] } ] }, "AwsKeyRotationStatus": { "oneOf": [ { "$ref": "#/components/schemas/AwsKeyRotationStatusVariantKeyRotationDisabled" }, { "$ref": "#/components/schemas/AwsKeyRotationStatusVariantKeyRotationEnabled" } ], "discriminator": { "propertyName": "type", "mapping": { "KeyRotationDisabled": "AwsKeyRotationStatusVariantKeyRotationDisabled", "KeyRotationEnabled": "AwsKeyRotationStatusVariantKeyRotationEnabled" } } }, "AwsKeyOrigin": { "description": "Origin of the AWS KMS key.\n\nSee the [AWS documentation](https://docs.aws.amazon.com/kms/latest/APIReference/API_KeyMetadata.html#KMS-Type-KeyMetadata-Origin)\nfor more information.", "type": "string", "enum": [ "AwsKms", "External", "AwsCloudHsm", "ExternalKeyStore" ] }, "FpeEncryptedPart": { "allOf": [ { "type": "object", "description": "Structure of a tokenized portion of a complex tokenization data type.\n\nImplementation note: the backend parser is locally \"greedy\" and will attempt to match\nas many characters as possible. If this later results in an invalid parse of the rest\nof the input, the backend ***will not backtrack*** and will simply return with an error.", "properties": { "min_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The minimum allowed length for this part (in chars)." }, "max_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The maximum allowed length for this part (in chars)." }, "char_set": { "$ref": "#/components/schemas/FpeCharSet" }, "cipher_char_set": { "$ref": "#/components/schemas/FpeCharSet" }, "constraints": { "$ref": "#/components/schemas/FpeConstraints" }, "preserve": { "$ref": "#/components/schemas/FpePreserveMask" }, "mask": { "$ref": "#/components/schemas/FpePreserveMask" } }, "required": [ "min_length", "max_length", "char_set" ] } ] }, "FpeDataPartLiteral": { "allOf": [ { "type": "object", "description": "A section of the data type that is not to be tokenized (e.g., a delimiter).\n\nUnlike preserved characters, literal characters are not used for FF1 tweaks.", "properties": { "literal": { "type": "array", "items": { "type": "string" }, "description": "The list of possible strings that make up this literal portion of the token.\nFor example, if a delimiter can either be a space or a dash, the list would\nbe `[\" \", \"-\"]`.\n\nImplementation note: the backend will pick the first choice that matches when\nwhen parsing the input. If this results in an invalid parse of the rest of the\ninput, the backend ***will not backtrack*** and will simply return with an error." } }, "required": [ "literal" ] } ] }, "FpeCompoundPart": { "description": "Structure of a compound portion of a complex tokenization data type, itself composed of\nsmaller parts.", "oneOf": [ { "$ref": "#/components/schemas/FpeCompoundPartOr" }, { "$ref": "#/components/schemas/FpeCompoundPartConcat" }, { "$ref": "#/components/schemas/FpeCompoundPartMultiple" } ] }, "FpeVariant": { "allOf": [ { "type": "object", "description": "A concatenation of sections.", "properties": { "sections": { "type": "array", "items": { "$ref": "#/components/schemas/FpeSection" } } }, "required": [ "sections" ] } ] }, "FpeTokenizeMode": { "description": "How to tokenize a given input. The most secure option is \"PreserveFormat\".", "type": "string", "enum": [ "preserve_format", "preserve_variant", "preserve_length" ] }, "FpeInputProcessing": { "description": "Options to apply some pre- and post-processing to the input.", "type": "string", "enum": [ "strip_unknown", "passthrough_unknown" ] }, "RsaEncryptionPaddingPolicyOaep": { "allOf": [ { "type": "object", "description": "The Optional Asymmetric Encryption Padding scheme, as defined\nin RFC 8017 (PKCS #1 version 2.2)", "properties": { "mgf": { "$ref": "#/components/schemas/MgfPolicy" } } } ] }, "RsaSignaturePaddingPolicyPss": { "allOf": [ { "type": "object", "properties": { "mgf": { "$ref": "#/components/schemas/MgfPolicy" } } } ] }, "AwsKeyMaterialId": { "allOf": [ { "type": "object", "properties": { "key_material_id": { "type": "string", "description": "key material ID reported by AWS KMS" }, "key_material_index": { "type": "integer", "description": "The index of the key material in the AWS ListKeyRotations response" } }, "required": [ "key_material_id", "key_material_index" ] } ] }, "WrappingKeys": { "oneOf": [ { "$ref": "#/components/schemas/WrappingKeysVariantOnly" }, { "$ref": "#/components/schemas/WrappingKeysVariantAny" } ], "discriminator": { "propertyName": "$type", "mapping": { "Only": "WrappingKeysVariantOnly", "Any": "WrappingKeysVariantAny" } } }, "AwsMultiRegionKeyType": { "description": "Specifies the type of multi-Region keys.\nhttps://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#multi-region-concepts", "type": "string", "enum": [ "PRIMARY", "REPLICA" ] }, "AwsKeyRotationStatusVariantKeyRotationDisabled": { "allOf": [ { "type": "object", "properties": { "type": { "type": "string", "enum": [ "KeyRotationDisabled" ] } }, "required": [ "type" ] }, { "type": "object", "properties": {} } ] }, "AwsKeyRotationStatusVariantKeyRotationEnabled": { "allOf": [ { "type": "object", "properties": { "type": { "type": "string", "enum": [ "KeyRotationEnabled" ] } }, "required": [ "type" ] }, { "$ref": "#/components/schemas/AwsKeyRotationStatusKeyRotationEnabled" } ] }, "FpeCharSet": { "description": "The alphabet to use for an encrypted portion of a complex tokenization data type.\nCharacters should be specified as a list of pairs, where each pair [a, b] represents the\nrange of Unicode code points from a to b, with both bounds being inclusive. A single\ncode point can be specified as [c, c].\n\nNormally, each character is assigned a numeric value for FF1. The first character is\nassigned a value of 0, and subsequent characters are assigned values of 1, 2, and so on,\nup to the size of the alphabet. Note that the order of the ranges matters; characters\nappearing in later ranges are assigned higher numerical values compared to earlier\ncharacters. For instance, in the FpeCharSet [['a', 'z'], ['0', '9']], the digits '0' to\n'9' are assigned values from 26 to 35, since they are listed after the 'a' to 'z' range.\n\nIn any case, ranges should not overlap with each other, and should not contain surrogate\ncode points.", "allOf": [ { "type": "array", "items": { "type": "array", "minItems": 2, "maxItems": 2, "items": { "type": "string", "minLength": 1, "maxLength": 1 } } } ] }, "FpeConstraints": { "allOf": [ { "type": "object", "description": "Constraints on a portion of a complex tokenization data type.", "properties": { "luhn_check": { "type": "boolean", "nullable": true, "description": "Whether the token part contains a checksum that satisfies the Luhn formula. It is an\nerror to apply this constraint to non-numeric parts, or to have an encrypted part be\nunder more than one Luhn check constraint. Also, if an encrypted part has a Luhn check\nconstraint applied to it and may contain at least one digit that is not preserved, it\nmust not specify any other constraints." }, "num_gt": { "type": "integer", "nullable": true, "description": "Number that the token part should be greater than.\n\nThis constraint can only be specified on (non-compound) numeric encrypted parts\nguaranteed to preserve either everything or nothing at all. (For example, if an\nencrypted part consists of 5 to 10 digits, a `preserve` list that covers only the\nfirst five digits is not guaranteed to preserve everything, because if the input\nhappens to be six or more digits long, there will be at least one digit that\nremains unpreserved.)" }, "num_lt": { "type": "integer", "nullable": true, "description": "Number that the token part should be smaller than.\n\nThis constraint can only be specified on (non-compound) numeric encrypted parts\nguaranteed to preserve either everything or nothing at all. (For example, if an\nencrypted part consists of 5 to 10 digits, a `preserve` list that covers only the\nfirst five digits is not guaranteed to preserve everything, because if the input\nhappens to be six or more digits long, there will be at least one digit that\nremains unpreserved.)" }, "num_ne": { "type": "array", "items": { "type": "integer" }, "nullable": true, "description": "Numbers that the token part should not be equal to. It is an error to apply this\nconstraint to non-numeric parts." }, "date": { "$ref": "#/components/schemas/FpeDateConstraint" }, "applies_to": { "$ref": "#/components/schemas/FpeConstraintsApplicability" } } } ] }, "FpePreserveMask": { "description": "A structure indicating which indices in an encrypted part to mask or preserve.", "oneOf": [ { "$ref": "#/components/schemas/All" }, { "type": "array", "items": { "type": "integer", "format": "int64" }, "description": "Indicates that only certain characters are to be preserved or masked. Indices are\nPython-like; i.e., negative indices index from the end of the token portion, with\nindex -1 denoting the last character. (Indicating that nothing should be preserved\nor masked can be done via an empty list, which is the default value for this enum.)" } ] }, "FpeCompoundPartOr": { "allOf": [ { "type": "object", "description": "Represents an OR of multiple structures.\n\nImplementation note: an OR is _not_ a union of `FpeDataPart`s. Rather, when parsing\nthe input, the backend will simply choose the first subpart that matches the current\nportion of the input, and tokenize/detokenize accordingly. If that choice results in\nan invalid parse of the rest of the input, the backend ***will not backtrack*** and\nwill simply return with an error.", "properties": { "or": { "type": "array", "items": { "$ref": "#/components/schemas/FpeDataPart" }, "description": "The actual subparts that make up this compound part." }, "constraints": { "$ref": "#/components/schemas/FpeConstraints" }, "preserve": { "type": "boolean", "nullable": true, "description": "Whether the entire OR should be preserved as-is (i.e., not tokenized). If this is\nset, any descendant subparts cannot contain any preserve-related fields set." }, "mask": { "type": "boolean", "nullable": true, "description": "Whether the entire OR should be masked when doing masked decryption. If this is set,\nany descendant subparts cannot contain any mask-related fields set." }, "min_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The minimum allowed length for this part (in chars)." }, "max_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The maximum allowed length for this part (in chars)." } }, "required": [ "or" ] } ] }, "FpeCompoundPartConcat": { "allOf": [ { "type": "object", "description": "Represents a concatenation of multiple structures (in a particular order).", "properties": { "concat": { "type": "array", "items": { "$ref": "#/components/schemas/FpeDataPart" }, "description": "The actual subparts that make up this compound part, in order." }, "constraints": { "$ref": "#/components/schemas/FpeConstraints" }, "preserve": { "type": "boolean", "nullable": true, "description": "Whether the entire concat should be preserved as-is (i.e., not tokenized). If this is\nset, any descendant subparts cannot contain any preserve-related fields set." }, "mask": { "type": "boolean", "nullable": true, "description": "Whether the entire concat should be masked when doing masked decryption. If this is\nset, any descendant subparts cannot contain any mask-related fields set." }, "min_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The minimum allowed length for this part (in chars)." }, "max_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The maximum allowed length for this part (in chars)." } }, "required": [ "concat" ] } ] }, "FpeCompoundPartMultiple": { "allOf": [ { "type": "object", "description": "Indicates a part that is possibly repeated multiple times.\n\nImplementation note: the backend parser is locally \"greedy\" and will attempt to match\nas many repetitions as possible. If this later results in an invalid parse of the rest\nof the input, the backend ***will not backtrack*** and will simply return with an error.", "properties": { "multiple": { "$ref": "#/components/schemas/FpeDataPart" }, "min_repetitions": { "type": "integer", "nullable": true, "description": "The minimum number of times the subpart may occur. (A value of 1 marks a single\noccurrence.)" }, "max_repetitions": { "type": "integer", "nullable": true, "description": "The maximum number of times the subpart may occur. (A value of 1 marks a single\noccurrence.)" }, "constraints": { "$ref": "#/components/schemas/FpeConstraints" }, "preserve": { "type": "boolean", "nullable": true, "description": "Whether the entire Multiple should be preserved as-is (i.e., not tokenized). If this\nis set, the `multiple` subpart and its descendants cannot contain any preserve-related\nfields set." }, "mask": { "type": "boolean", "nullable": true, "description": "Whether the entire Multiple should be masked when doing masked decryption. If this is\nset, the `multiple` subpart and its descendants cannot contain any mask-related fields\nset." }, "min_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The minimum allowed length for this part (in chars)." }, "max_length": { "type": "integer", "minimum": 0, "maximum": 4294967295, "nullable": true, "description": "The maximum allowed length for this part (in chars)." } }, "required": [ "multiple" ] } ] }, "FpeSection": { "allOf": [ { "type": "object", "description": "A concatenation of groups, optionally including a checksum.", "properties": { "groups": { "type": "array", "items": { "$ref": "#/components/schemas/FpeGroup" } }, "checksum": { "$ref": "#/components/schemas/FpeChecksum" } }, "required": [ "groups" ] } ] }, "MgfPolicy": { "description": "MGF policy.", "oneOf": [ { "title": "MgfPolicyVariantMgf1", "type": "object", "properties": { "mgf1": { "$ref": "#/components/schemas/MgfPolicyMgf1" } }, "required": [ "mgf1" ] } ] }, "WrappingKeysVariantOnly": { "allOf": [ { "type": "object", "properties": { "$type": { "type": "string", "enum": [ "Only" ] } }, "required": [ "$type" ] }, { "$ref": "#/components/schemas/WrappingKeysOnly" } ] }, "WrappingKeysVariantAny": { "allOf": [ { "type": "object", "properties": { "$type": { "type": "string", "enum": [ "Any" ] } }, "required": [ "$type" ] }, { "type": "object", "properties": {} } ] }, "AwsKeyRotationStatusKeyRotationEnabled": { "allOf": [ { "type": "object", "properties": { "rotation_period_in_days": { "type": "integer", "minimum": 0, "maximum": 65535, "nullable": true } } } ] }, "FpeDateConstraint": { "description": "Possible date-related constraint types for a portion of a complex tokenization data type.", "oneOf": [ { "$ref": "#/components/schemas/FpeDate" }, { "$ref": "#/components/schemas/FpeDatePart" } ] }, "FpeConstraintsApplicability": { "description": "A structure indicating which subparts to which to apply a set of constraints.", "oneOf": [ { "$ref": "#/components/schemas/All" }, { "type": "object", "additionalProperties": { "$ref": "#/components/schemas/FpeConstraintsApplicability" }, "description": "An object representing the individual subparts that the constraints should apply to. This\nis a BTreeMap where for each key-value pair, the key represents the \"index\" of the subpart\n(with the first subpart having index 0), and the value is an FpeConstraintsApplicability\ninstance. Note that a Multiple part only allows for one possible key-value pair, since it\nonly contains one subpart. For Concat parts, the key is the zero-based index of the subpart\nin the `concat` field, and for Multiple parts, this is always 0 (due to a Multiple having\nonly one subpart).\n\nThis cannot be used with OR parts; instead, specify constraints individually on each\nrelevant subpart." } ] }, "All": { "description": "A helper enum with a single variant, All, which indicates that something should apply to an\nentire part. (This is here mainly to allow other untagged enums to work properly.)", "type": "string", "enum": [ "all" ] }, "FpeGroup": { "allOf": [ { "type": "object", "description": "A concatenation of codes, that can be repeated an amount of times. An\namount of leading and trailing characters can be preserved, this is,\nunmodified by tokenization.", "properties": { "codes": { "type": "array", "items": { "$ref": "#/components/schemas/FpeCode" } }, "min_repetitions": { "type": "integer", "nullable": true, "description": "A group cannot be omitted, thus this field must be positive if present." }, "max_repetitions": { "type": "integer", "nullable": true }, "preserve": { "type": "array", "items": { "type": "integer" }, "minItems": 2, "maxItems": 2, "nullable": true, "description": "Amount of leading and trailing characters to preserve in this group.\nPreserved characters are the leading/trailing characters of the whole\ngroup, not individual repetitions." } }, "required": [ "codes" ] } ] }, "FpeChecksum": { "type": "string", "enum": [ "luhn" ] }, "MgfPolicyMgf1": { "allOf": [ { "type": "object", "properties": { "hash": { "$ref": "#/components/schemas/DigestAlgorithm" } } } ] }, "WrappingKeysOnly": { "allOf": [ { "type": "object", "description": "Only keys in this list can be used to wrap the sobject", "properties": { "keys": { "type": "array", "uniqueItems": true, "items": { "$ref": "#/components/schemas/SobjectDescriptorPersisted" } } }, "required": [ "keys" ] } ] }, "FpeDate": { "description": "A structure for specifying a token part representing a date that occurs after a specified date\nand/or occurs before a specified date. Depending on the subparts that make up the date, one of\nthe three options is used.", "oneOf": [ { "title": "FpeDateVariantDayMonthYear", "type": "object", "properties": { "dmy_date": { "$ref": "#/components/schemas/FpeDateDayMonthYear" } }, "required": [ "dmy_date" ] }, { "title": "FpeDateVariantMonthDay", "type": "object", "properties": { "month_day_date": { "$ref": "#/components/schemas/FpeDateMonthDay" } }, "required": [ "month_day_date" ] }, { "title": "FpeDateVariantMonthYear", "type": "object", "properties": { "month_year_date": { "$ref": "#/components/schemas/FpeDateMonthYear" } }, "required": [ "month_year_date" ] } ] }, "FpeDatePart": { "description": "Possible date-related constraint types that do not form a complete date (by themselves) for a\ncomplex tokenization data type.", "type": "string", "enum": [ "month", "day", "year" ] }, "FpeCode": { "allOf": [ { "type": "object", "description": "A set of words, repeated an amount of times.", "properties": { "words": { "$ref": "#/components/schemas/FpeWords" }, "min_repetitions": { "type": "integer", "nullable": true }, "max_repetitions": { "type": "integer", "nullable": true } }, "required": [ "words" ] } ] }, "SobjectDescriptorPersisted": { "description": "Uniquely identifies a persisted sobject.", "oneOf": [ { "title": "SobjectDescriptorPersistedVariantKid", "type": "object", "properties": { "kid": { "type": "string", "format": "uuid" } }, "required": [ "kid" ] }, { "title": "SobjectDescriptorPersistedVariantName", "type": "object", "properties": { "name": { "type": "string", "maxLength": 4096, "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$" } }, "required": [ "name" ] } ] }, "FpeDateDayMonthYear": { "allOf": [ { "type": "object", "description": "Represents a date that consists of a Month subpart, a Day subpart, and a Year subpart. The\nYear part is allowed to be preserved, and the Day and Month parts are allowed to be\npreserved together. (The Day part cannot be preserved if the Month part is not, and vice\nversa.)", "properties": { "before": { "$ref": "#/components/schemas/FpeDayMonthYearDate" }, "after": { "$ref": "#/components/schemas/FpeDayMonthYearDate" } } } ] }, "FpeDateMonthDay": { "allOf": [ { "type": "object", "description": "Represents a date that consists of a Month subpart and a Day subpart. It is an error to\npreserve only the Month part or the Day part.", "properties": { "before": { "$ref": "#/components/schemas/FpeDayMonthDate" }, "after": { "$ref": "#/components/schemas/FpeDayMonthDate" } } } ] }, "FpeDateMonthYear": { "allOf": [ { "type": "object", "description": "Represents a date that consists of a Month subpart and a Year subpart. The Year part is\nallowed to be preserved; however, the Month part cannot be preserved by itself.", "properties": { "before": { "$ref": "#/components/schemas/FpeMonthYearDate" }, "after": { "$ref": "#/components/schemas/FpeMonthYearDate" } } } ] }, "FpeWords": { "description": "A set of fixed-length strings.", "oneOf": [ { "title": "FpeWordsVariantIntegerRanges", "type": "object", "properties": { "integer_ranges": { "$ref": "#/components/schemas/FpeWordsIntegerRanges" } }, "required": [ "integer_ranges" ] }, { "title": "FpeWordsVariantAlphabet", "type": "object", "properties": { "alphabet": { "$ref": "#/components/schemas/FpeCharSet" } }, "required": [ "alphabet" ] }, { "title": "FpeWordsVariantCustom", "type": "object", "properties": { "custom": { "$ref": "#/components/schemas/FpeWordsCustom" } }, "required": [ "custom" ] } ] }, "FpeDayMonthYearDate": { "allOf": [ { "type": "object", "description": "A structure for specifying a particular date consisting of a day, month, and year, for use in\nan FpeDate structure.", "properties": { "year": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The year, which should be an integer less than 100000. Zero is treated as a leap year." }, "month": { "type": "integer", "minimum": 0, "maximum": 255, "description": "The month, which should be an integer from 1 to 12." }, "day": { "type": "integer", "minimum": 0, "maximum": 255, "description": "The day, which should be an integer from 1 to either 28, 29, 30, or 31, depending on the\nmonth and year." } }, "required": [ "year", "month", "day" ] } ] }, "FpeDayMonthDate": { "allOf": [ { "type": "object", "description": "A structure for specifying a particular date consisting of a day and a month, for use in an\nFpeDate structure.", "properties": { "month": { "type": "integer", "minimum": 0, "maximum": 255, "description": "The month, which should be an integer from 1 to 12." }, "day": { "type": "integer", "minimum": 0, "maximum": 255, "description": "The day, which should be an integer from 1 to either 29, 30, or 31, depending on the month\nand year. Here, February is treated as having 29 days." } }, "required": [ "month", "day" ] } ] }, "FpeMonthYearDate": { "allOf": [ { "type": "object", "description": "A structure for specifying a particular date consisting of a month and a year, for use in an\nFpeDate structure.", "properties": { "year": { "type": "integer", "minimum": 0, "maximum": 4294967295, "description": "The year, which should be an integer less than 100000. Zero is treated as a leap year." }, "month": { "type": "integer", "minimum": 0, "maximum": 255, "description": "The month, which should be an integer from 1 to 12." } }, "required": [ "year", "month" ] } ] }, "FpeWordsIntegerRanges": { "allOf": [ { "type": "object", "description": "A union of positive integer ranges.\n\n```plain\nExamples: [[0, 400], [402, 1000]]\n= {0000, 0001, ..., 0400, 0402, ..., 1000}\n\n[[1,3], [49, 50]] with optional padding of length 8\n= {00000001, 00000002, 00000003, 00000049, 00000050}\n(accepts 1, 01, 00002, 49, 000050, etc)\n```", "properties": { "ranges": { "type": "array", "items": { "type": "array", "items": { "type": "integer" }, "minItems": 2, "maxItems": 2 } }, "padding_required": { "type": "boolean", "description": "If this field is true, this set accepts only numeric strings\npadded to the length given by the maximum integer in the range\nset." } }, "required": [ "ranges", "padding_required" ] } ] }, "FpeWordsCustom": { "allOf": [ { "type": "object", "properties": { "list": { "type": "array", "items": { "type": "string" }, "description": "Examples: {\"john\", \"jane\"}, {\".\", \"-\", \"_\", \"@\", \" \"}" } }, "required": [ "list" ] } ] } } } } ````