diff --git a/website/content/api-docs/secret/transit.mdx b/website/content/api-docs/secret/transit.mdx
index 485a42e5779e..d669821774b7 100644
--- a/website/content/api-docs/secret/transit.mdx
+++ b/website/content/api-docs/secret/transit.mdx
@@ -65,6 +65,8 @@ values set here cannot be changed after key creation.
- `rsa-4096` - RSA with bit size of 4096 (asymmetric)
- `hmac` - HMAC (HMAC generation, verification)
- `managed_key` - External key configured via the [Managed Keys](/vault/docs/enterprise/managed-keys) feature (enterprise only)
+ - `aes128-cmac` - AES-128 CMAC (CMAC generation, verification)
+ - `aes256-cmac` - AES-256 CMAC (CMAC generation, verification)
~> **Note**: In FIPS 140-2 mode, the following algorithms are not certified
and thus should not be used: `chacha20-poly1305` and `ed25519`.
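Review bot: the two new entries at the end of this list are symmetric key types whose closest analog is `hmac`, yet they are appended after `managed_key` (enterprise only) and, unlike the RSA entries marked "(asymmetric)", never say they are symmetric or which endpoints accept them. Consider moving them directly after `hmac` and stating that keys of these types are usable only with the CMAC endpoint, not with `encrypt`/`decrypt` or `sign`/`verify`, so a reader does not infer that from the parenthetical alone.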
@@ -162,6 +164,8 @@ the hash function defaults to SHA256.
- `rsa-2048` - RSA with bit size of 2048 (asymmetric)
- `rsa-3072` - RSA with bit size of 3072 (asymmetric)
- `rsa-4096` - RSA with bit size of 4096 (asymmetric)
+ - `aes128-cmac` - AES-128 CMAC (CMAC generation, verification)
+ - `aes256-cmac` - AES-256 CMAC (CMAC generation, verification)
- `public_key` `(string: "", optional)` - A plaintext PEM public key to be
imported. This limits the operations available under this key to verification
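Review bot: the added import types are symmetric, but the parameter text that follows (`public_key`) only covers the asymmetric import path, so it is unclear how an `aes128-cmac` or `aes256-cmac` key is supplied. Add a sentence saying these keys must be imported as wrapped key material, that the unwrapped key must be exactly 16 or 32 bytes for the respective type, and what the endpoint does when the length does not match (the import should be rejected rather than silently accepted).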
@@ -573,7 +577,7 @@ the chain as it will overwrite any previously set certificate chain.
chain against. If the version is set to `latest` or is not set, the current
key will be returned.
- - `certificate_chain` `(string: )` - A PEM encoded certificate chain. It should be composed
+ - `certificate_chain` `(string: )` - A PEM encoded certificate chain. It should be composed
by one or more concatenated PEM blocks and ordered starting from the end-entity certificate.
### Sample request
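Review bot: this hunk is a whitespace-only change to the `certificate_chain` line (the `-` and `+` lines are otherwise identical) and is unrelated to the CMAC feature; either drop it from this change or mention the cleanup in the commit message so reviewers are not left looking for a content difference.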
@@ -662,6 +666,7 @@ be valid.
asymmetric keys (EC with NIST P-curves or Ed25519 and RSA).
- `certificate-chain`, to return the imported certificate chain (via
`set-certificate`) corresponding to this key and version.
+ - `cmac-key`
- `name` `(string: )` – Specifies the name of the key to read
information about. This is specified as part of the URL.
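Review bot: `cmac-key` is added to the export type list without a description, while the neighbouring entries (`certificate-chain`, for example) each explain what is returned. Add the same form of description, e.g. "`cmac-key`, to return the raw key material of `aes128-cmac` and `aes256-cmac` keys", and state whether export honours the key's `exportable` setting the way the other types do.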
@@ -1759,6 +1764,117 @@ $ curl \
}
```
+## Generate CMAC
+
+This endpoint returns the CMAC of given data using the specified key.
+
+| Method | Path |
+| :----- | :-------------------------------------- |
+| `POST` | `/transit/cmac/:name(/:url_mac_length)` |
+
+### Parameters
+
+- `name` `(string: )` – Specifies the name of the key to use for the
+ CMAC function. This is specified as part of the URL.
+
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+ operation. If not set, uses the latest version. Must be greater than or equal
+ to the key's `min_encryption_version`, if set.
+
+- `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
+ `input` or `batch_input` must be supplied.
+
+- `mac_length` (int: 0) - Specifies the MAC length to use (POST body parameter).
+ The `mac_length` cannot be larger than the cipher's block size.
+
+- `url_mac_length` (int: 0): Specifies the MAC length to use (URL parameter).
+ If provided, this value overrides `mac_length`. The `url_mac_length` cannot
+ be larger than the cipher's block size.
+
+- `batch_input` `(array
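Review bot: `mac_length` and `url_mac_length` never say whether the length is in bytes or bits, nor what `0` means, so a caller cannot tell what `/transit/cmac/:name/8` actually produces; state the unit and the default explicitly (AES has a 16-byte block regardless of key size, so "in bytes; 0 or unset returns the full 16-byte MAC" if that is the behaviour), and add the caveat that a truncated CMAC is correspondingly weaker against forgery, so callers should keep the full block unless a protocol requires a shorter tag. The two parameters are also formatted differently from `name`, `key_version` and `input`: the type annotation is not in backticks and one uses a trailing colon instead of the en dash; make them `` `(int: 0)` – `` for consistency.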