resources.proto 58 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120
  1. // Copyright 2021 Google LLC
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.security.privateca.v1;
  16. import "google/api/field_behavior.proto";
  17. import "google/api/resource.proto";
  18. import "google/protobuf/duration.proto";
  19. import "google/protobuf/timestamp.proto";
  20. import "google/type/expr.proto";
  21. import "google/api/annotations.proto";
  22. option cc_enable_arenas = true;
  23. option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1";
  24. option go_package = "google.golang.org/genproto/googleapis/cloud/security/privateca/v1;privateca";
  25. option java_multiple_files = true;
  26. option java_outer_classname = "PrivateCaResourcesProto";
  27. option java_package = "com.google.cloud.security.privateca.v1";
  28. option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1";
  29. option ruby_package = "Google::Cloud::Security::PrivateCA::V1";
  30. // A [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] represents an individual Certificate Authority.
  31. // A [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] can be used to create [Certificates][google.cloud.security.privateca.v1.Certificate].
  32. message CertificateAuthority {
  33. option (google.api.resource) = {
  34. type: "privateca.googleapis.com/CertificateAuthority"
  35. pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificateAuthorities/{certificate_authority}"
  36. };
  37. // URLs where a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] will publish content.
  38. message AccessUrls {
  39. // The URL where this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA certificate is
  40. // published. This will only be set for CAs that have been activated.
  41. string ca_certificate_access_url = 1;
  42. // The URLs where this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CRLs are published. This
  43. // will only be set for CAs that have been activated.
  44. repeated string crl_access_urls = 2;
  45. }
  46. // A Cloud KMS key configuration that a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] will use.
  47. message KeyVersionSpec {
  48. oneof KeyVersion {
  49. // The resource name for an existing Cloud KMS CryptoKeyVersion in the
  50. // format
  51. // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  52. // This option enables full flexibility in the key's capabilities and
  53. // properties.
  54. string cloud_kms_key_version = 1;
  55. // The algorithm to use for creating a managed Cloud KMS key for a for a
  56. // simplified experience. All managed keys will be have their
  57. // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
  58. SignHashAlgorithm algorithm = 2;
  59. }
  60. }
  61. // The type of a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], indicating its issuing chain.
  62. enum Type {
  63. // Not specified.
  64. TYPE_UNSPECIFIED = 0;
  65. // Self-signed CA.
  66. SELF_SIGNED = 1;
  67. // Subordinate CA. Could be issued by a Private CA [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
  68. // or an unmanaged CA.
  69. SUBORDINATE = 2;
  70. }
  71. // The state of a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], indicating if it can be used.
  72. enum State {
  73. // Not specified.
  74. STATE_UNSPECIFIED = 0;
  75. // Certificates can be issued from this CA. CRLs will be generated for this
  76. // CA. The CA will be part of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and will be
  77. // used to issue certificates from the [CaPool][google.cloud.security.privateca.v1.CaPool].
  78. ENABLED = 1;
  79. // Certificates cannot be issued from this CA. CRLs will still be generated.
  80. // The CA will be part of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, but will not be
  81. // used to issue certificates from the [CaPool][google.cloud.security.privateca.v1.CaPool].
  82. DISABLED = 2;
  83. // Certificates can be issued from this CA. CRLs will be generated for this
  84. // CA. The CA will be part of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, but will not
  85. // be used to issue certificates from the [CaPool][google.cloud.security.privateca.v1.CaPool].
  86. STAGED = 3;
  87. // Certificates cannot be issued from this CA. CRLs will not be generated.
  88. // The CA will not be part of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and will not be
  89. // used to issue certificates from the [CaPool][google.cloud.security.privateca.v1.CaPool].
  90. AWAITING_USER_ACTIVATION = 4;
  91. // Certificates cannot be issued from this CA. CRLs will not be generated.
  92. // The CA may still be recovered by calling
  93. // [CertificateAuthorityService.UndeleteCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.UndeleteCertificateAuthority] before
  94. // [expire_time][google.cloud.security.privateca.v1.CertificateAuthority.expire_time].
  95. // The CA will not be part of the [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and will not be
  96. // used to issue certificates from the [CaPool][google.cloud.security.privateca.v1.CaPool].
  97. DELETED = 5;
  98. }
  99. // The algorithm of a Cloud KMS CryptoKeyVersion of a
  100. // [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  101. // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  102. // `ASYMMETRIC_SIGN`. These values correspond to the
  103. // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  104. // values. For RSA signing algorithms, the PSS algorithms should be preferred,
  105. // use PKCS1 algorithms if required for compatibility. For further
  106. // recommandations, see
  107. // https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  108. enum SignHashAlgorithm {
  109. // Not specified.
  110. SIGN_HASH_ALGORITHM_UNSPECIFIED = 0;
  111. // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
  112. RSA_PSS_2048_SHA256 = 1;
  113. // maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
  114. RSA_PSS_3072_SHA256 = 2;
  115. // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
  116. RSA_PSS_4096_SHA256 = 3;
  117. // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
  118. RSA_PKCS1_2048_SHA256 = 6;
  119. // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
  120. RSA_PKCS1_3072_SHA256 = 7;
  121. // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
  122. RSA_PKCS1_4096_SHA256 = 8;
  123. // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
  124. EC_P256_SHA256 = 4;
  125. // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
  126. EC_P384_SHA384 = 5;
  127. }
  128. // Output only. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the
  129. // format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  130. string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
  131. // Required. Immutable. The [Type][google.cloud.security.privateca.v1.CertificateAuthority.Type] of this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  132. Type type = 2 [
  133. (google.api.field_behavior) = REQUIRED,
  134. (google.api.field_behavior) = IMMUTABLE
  135. ];
  136. // Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
  137. CertificateConfig config = 3 [
  138. (google.api.field_behavior) = REQUIRED,
  139. (google.api.field_behavior) = IMMUTABLE
  140. ];
  141. // Required. The desired lifetime of the CA certificate. Used to create the
  142. // "not_before_time" and "not_after_time" fields inside an X.509
  143. // certificate.
  144. google.protobuf.Duration lifetime = 4 [(google.api.field_behavior) = REQUIRED];
  145. // Required. Immutable. Used when issuing certificates for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. If this
  146. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] is a self-signed CertificateAuthority, this key
  147. // is also used to sign the self-signed CA certificate. Otherwise, it
  148. // is used to sign a CSR.
  149. KeyVersionSpec key_spec = 5 [
  150. (google.api.field_behavior) = REQUIRED,
  151. (google.api.field_behavior) = IMMUTABLE
  152. ];
  153. // Optional. If this is a subordinate [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], this field will be set
  154. // with the subordinate configuration, which describes its issuers. This may
  155. // be updated, but this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] must continue to validate.
  156. SubordinateConfig subordinate_config = 6 [(google.api.field_behavior) = OPTIONAL];
  157. // Output only. The [CaPool.Tier][google.cloud.security.privateca.v1.CaPool.Tier] of the [CaPool][google.cloud.security.privateca.v1.CaPool] that includes this
  158. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  159. CaPool.Tier tier = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
  160. // Output only. The [State][google.cloud.security.privateca.v1.CertificateAuthority.State] for this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  161. State state = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
  162. // Output only. This [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s certificate chain, including the current
  163. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s certificate. Ordered such that the root issuer
  164. // is the final element (consistent with RFC 5246). For a self-signed CA, this
  165. // will only list the current [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s certificate.
  166. repeated string pem_ca_certificates = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
  167. // Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA certificate
  168. // and its issuers. Ordered as self-to-root.
  169. repeated CertificateDescription ca_certificate_descriptions = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
  170. // Immutable. The name of a Cloud Storage bucket where this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] will
  171. // publish content, such as the CA certificate and CRLs. This must be a bucket
  172. // name, without any prefixes (such as `gs://`) or suffixes (such as
  173. // `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
  174. // would simply specify `my-bucket`. If not specified, a managed bucket will
  175. // be created.
  176. string gcs_bucket = 11 [(google.api.field_behavior) = IMMUTABLE];
  177. // Output only. URLs for accessing content published by this CA, such as the CA certificate
  178. // and CRLs.
  179. AccessUrls access_urls = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
  180. // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] was created.
  181. google.protobuf.Timestamp create_time = 13 [(google.api.field_behavior) = OUTPUT_ONLY];
  182. // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] was last updated.
  183. google.protobuf.Timestamp update_time = 14 [(google.api.field_behavior) = OUTPUT_ONLY];
  184. // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] was soft deleted, if
  185. // it is in the [DELETED][google.cloud.security.privateca.v1.CertificateAuthority.State.DELETED] state.
  186. google.protobuf.Timestamp delete_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];
  187. // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] will be permanently purged,
  188. // if it is in the [DELETED][google.cloud.security.privateca.v1.CertificateAuthority.State.DELETED] state.
  189. google.protobuf.Timestamp expire_time = 16 [(google.api.field_behavior) = OUTPUT_ONLY];
  190. // Optional. Labels with user-defined metadata.
  191. map<string, string> labels = 17 [(google.api.field_behavior) = OPTIONAL];
  192. }
  193. // A [CaPool][google.cloud.security.privateca.v1.CaPool] represents a group of
  194. // [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority] that form a trust anchor. A
  195. // [CaPool][google.cloud.security.privateca.v1.CaPool] can be used to manage issuance policies for one or more
  196. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] resources and to rotate CA certificates in and out
  197. // of the trust anchor.
  198. message CaPool {
  199. option (google.api.resource) = {
  200. type: "privateca.googleapis.com/CaPool"
  201. pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}"
  202. };
  203. // Options relating to the publication of each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA
  204. // certificate and CRLs and their inclusion as extensions in issued
  205. // [Certificates][google.cloud.security.privateca.v1.Certificate]. The options set here apply to certificates
  206. // issued by any [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the [CaPool][google.cloud.security.privateca.v1.CaPool].
  207. message PublishingOptions {
  208. // Optional. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CA certificate and
  209. // includes its URL in the "Authority Information Access" X.509 extension
  210. // in all issued [Certificates][google.cloud.security.privateca.v1.Certificate]. If this is false, the CA
  211. // certificate will not be published and the corresponding X.509 extension
  212. // will not be written in issued certificates.
  213. bool publish_ca_cert = 1 [(google.api.field_behavior) = OPTIONAL];
  214. // Optional. When true, publishes each [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s CRL and includes its
  215. // URL in the "CRL Distribution Points" X.509 extension in all issued
  216. // [Certificates][google.cloud.security.privateca.v1.Certificate]. If this is false, CRLs will not be published
  217. // and the corresponding X.509 extension will not be written in issued
  218. // certificates.
  219. // CRLs will expire 7 days from their creation. However, we will rebuild
  220. // daily. CRLs are also rebuilt shortly after a certificate is revoked.
  221. bool publish_crl = 2 [(google.api.field_behavior) = OPTIONAL];
  222. }
  223. // Defines controls over all certificate issuance within a [CaPool][google.cloud.security.privateca.v1.CaPool].
  224. message IssuancePolicy {
  225. // Describes a "type" of key that may be used in a [Certificate][google.cloud.security.privateca.v1.Certificate] issued
  226. // from a [CaPool][google.cloud.security.privateca.v1.CaPool].
  227. // Note that a single [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] may refer to either a
  228. // fully-qualified key algorithm, such as RSA 4096, or a family of key
  229. // algorithms, such as any RSA key.
  230. message AllowedKeyType {
  231. // Describes an RSA key that may be used in a [Certificate][google.cloud.security.privateca.v1.Certificate] issued from
  232. // a [CaPool][google.cloud.security.privateca.v1.CaPool].
  233. message RsaKeyType {
  234. // Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
  235. // or if set to zero, the service-level min RSA modulus size will
  236. // continue to apply.
  237. int64 min_modulus_size = 1 [(google.api.field_behavior) = OPTIONAL];
  238. // Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
  239. // or if set to zero, the service will not enforce an explicit upper
  240. // bound on RSA modulus sizes.
  241. int64 max_modulus_size = 2 [(google.api.field_behavior) = OPTIONAL];
  242. }
  243. // Describes an Elliptic Curve key that may be used in a [Certificate][google.cloud.security.privateca.v1.Certificate]
  244. // issued from a [CaPool][google.cloud.security.privateca.v1.CaPool].
  245. message EcKeyType {
  246. // Describes an elliptic curve-based signature algorithm that may be
  247. // used in a [Certificate][google.cloud.security.privateca.v1.Certificate] issued from a [CaPool][google.cloud.security.privateca.v1.CaPool].
  248. enum EcSignatureAlgorithm {
  249. // Not specified. Signifies that any signature algorithm may be used.
  250. EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0;
  251. // Refers to the Elliptic Curve Digital Signature Algorithm over the
  252. // NIST P-256 curve.
  253. ECDSA_P256 = 1;
  254. // Refers to the Elliptic Curve Digital Signature Algorithm over the
  255. // NIST P-384 curve.
  256. ECDSA_P384 = 2;
  257. // Refers to the Edwards-curve Digital Signature Algorithm over curve
  258. // 25519, as described in RFC 8410.
  259. EDDSA_25519 = 3;
  260. }
  261. // Optional. A signature algorithm that must be used. If this is omitted, any
  262. // EC-based signature algorithm will be allowed.
  263. EcSignatureAlgorithm signature_algorithm = 1 [(google.api.field_behavior) = OPTIONAL];
  264. }
  265. oneof key_type {
  266. // Represents an allowed RSA key type.
  267. RsaKeyType rsa = 1;
  268. // Represents an allowed Elliptic Curve key type.
  269. EcKeyType elliptic_curve = 2;
  270. }
  271. }
  272. // [IssuanceModes][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.IssuanceModes] specifies the allowed ways in which
  273. // [Certificates][google.cloud.security.privateca.v1.Certificate] may be requested from this
  274. // [CaPool][google.cloud.security.privateca.v1.CaPool].
  275. message IssuanceModes {
  276. // Optional. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
  277. // specifying a CSR.
  278. bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = OPTIONAL];
  279. // Optional. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1.Certificate] by
  280. // specifying a [CertificateConfig][google.cloud.security.privateca.v1.CertificateConfig].
  281. bool allow_config_based_issuance = 2 [(google.api.field_behavior) = OPTIONAL];
  282. }
  283. // Optional. If any [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] is specified, then the certificate request's
  284. // public key must match one of the key types listed here. Otherwise,
  285. // any key may be used.
  286. repeated AllowedKeyType allowed_key_types = 1 [(google.api.field_behavior) = OPTIONAL];
  287. // Optional. The maximum lifetime allowed for issued [Certificates][google.cloud.security.privateca.v1.Certificate]. Note
  288. // that if the issuing [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] expires before a
  289. // [Certificate][google.cloud.security.privateca.v1.Certificate]'s requested maximum_lifetime, the effective lifetime will
  290. // be explicitly truncated to match it.
  291. google.protobuf.Duration maximum_lifetime = 2 [(google.api.field_behavior) = OPTIONAL];
  292. // Optional. If specified, then only methods allowed in the [IssuanceModes][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.IssuanceModes] may be
  293. // used to issue [Certificates][google.cloud.security.privateca.v1.Certificate].
  294. IssuanceModes allowed_issuance_modes = 3 [(google.api.field_behavior) = OPTIONAL];
  295. // Optional. A set of X.509 values that will be applied to all certificates issued
  296. // through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If a certificate request includes conflicting
  297. // values for the same properties, they will be overwritten by the values
  298. // defined here. If a certificate request uses a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]
  299. // that defines conflicting
  300. // [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] for the same
  301. // properties, the certificate issuance request will fail.
  302. X509Parameters baseline_values = 4 [(google.api.field_behavior) = OPTIONAL];
  303. // Optional. Describes constraints on identities that may appear in
  304. // [Certificates][google.cloud.security.privateca.v1.Certificate] issued through this [CaPool][google.cloud.security.privateca.v1.CaPool].
  305. // If this is omitted, then this [CaPool][google.cloud.security.privateca.v1.CaPool] will not add restrictions on a
  306. // certificate's identity.
  307. CertificateIdentityConstraints identity_constraints = 5 [(google.api.field_behavior) = OPTIONAL];
  308. // Optional. Describes the set of X.509 extensions that may appear in a
  309. // [Certificate][google.cloud.security.privateca.v1.Certificate] issued through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If a certificate request
  310. // sets extensions that don't appear in the [passthrough_extensions][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.passthrough_extensions],
  311. // those extensions will be dropped. If a certificate request uses a
  312. // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] with
  313. // [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] that don't
  314. // appear here, the certificate issuance request will fail. If this is
  315. // omitted, then this [CaPool][google.cloud.security.privateca.v1.CaPool] will not add restrictions on a
  316. // certificate's X.509 extensions. These constraints do not apply to X.509
  317. // extensions set in this [CaPool][google.cloud.security.privateca.v1.CaPool]'s [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values].
  318. CertificateExtensionConstraints passthrough_extensions = 6 [(google.api.field_behavior) = OPTIONAL];
  319. }
  320. // The tier of a [CaPool][google.cloud.security.privateca.v1.CaPool], indicating its supported functionality and/or
  321. // billing SKU.
  322. enum Tier {
  323. // Not specified.
  324. TIER_UNSPECIFIED = 0;
  325. // Enterprise tier.
  326. ENTERPRISE = 1;
  327. // DevOps tier.
  328. DEVOPS = 2;
  329. }
  330. // Output only. The resource name for this [CaPool][google.cloud.security.privateca.v1.CaPool] in the
  331. // format `projects/*/locations/*/caPools/*`.
  332. string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
  333. // Required. Immutable. The [Tier][google.cloud.security.privateca.v1.CaPool.Tier] of this [CaPool][google.cloud.security.privateca.v1.CaPool].
  334. Tier tier = 2 [
  335. (google.api.field_behavior) = REQUIRED,
  336. (google.api.field_behavior) = IMMUTABLE
  337. ];
  338. // Optional. The [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] to control how [Certificates][google.cloud.security.privateca.v1.Certificate]
  339. // will be issued from this [CaPool][google.cloud.security.privateca.v1.CaPool].
  340. IssuancePolicy issuance_policy = 3 [(google.api.field_behavior) = OPTIONAL];
  341. // Optional. The [PublishingOptions][google.cloud.security.privateca.v1.CaPool.PublishingOptions] to follow when issuing
  342. // [Certificates][google.cloud.security.privateca.v1.Certificate] from any [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in this
  343. // [CaPool][google.cloud.security.privateca.v1.CaPool].
  344. PublishingOptions publishing_options = 4 [(google.api.field_behavior) = OPTIONAL];
  345. // Optional. Labels with user-defined metadata.
  346. map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];
  347. }
  348. // A [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] corresponds to a signed X.509 certificate
  349. // Revocation List (CRL). A CRL contains the serial numbers of certificates that
  350. // should no longer be trusted.
  351. message CertificateRevocationList {
  352. option (google.api.resource) = {
  353. type: "privateca.googleapis.com/CertificateRevocationList"
  354. pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificateAuthorities/{certificate_authority}/certificateRevocationLists/{certificate_revocation_list}"
  355. };
  356. // Describes a revoked [Certificate][google.cloud.security.privateca.v1.Certificate].
  357. message RevokedCertificate {
  358. // The resource name for the [Certificate][google.cloud.security.privateca.v1.Certificate] in the format
  359. // `projects/*/locations/*/caPools/*/certificates/*`.
  360. string certificate = 1 [(google.api.resource_reference) = {
  361. type: "privateca.googleapis.com/Certificate"
  362. }];
  363. // The serial number of the [Certificate][google.cloud.security.privateca.v1.Certificate].
  364. string hex_serial_number = 2;
  365. // The reason the [Certificate][google.cloud.security.privateca.v1.Certificate] was revoked.
  366. RevocationReason revocation_reason = 3;
  367. }
  368. // The state of a [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList], indicating if it is current.
  369. enum State {
  370. // Not specified.
  371. STATE_UNSPECIFIED = 0;
  372. // The [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] is up to date.
  373. ACTIVE = 1;
  374. // The [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] is no longer current.
  375. SUPERSEDED = 2;
  376. }
  377. // Output only. The resource name for this [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] in
  378. // the format
  379. // `projects/*/locations/*/caPools/*certificateAuthorities/*/
  380. // certificateRevocationLists/*`.
  381. string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
  382. // Output only. The CRL sequence number that appears in pem_crl.
  383. int64 sequence_number = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
  384. // Output only. The revoked serial numbers that appear in pem_crl.
  385. repeated RevokedCertificate revoked_certificates = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
  386. // Output only. The PEM-encoded X.509 CRL.
  387. string pem_crl = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
  388. // Output only. The location where 'pem_crl' can be accessed.
  389. string access_url = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
  390. // Output only. The [State][google.cloud.security.privateca.v1.CertificateRevocationList.State] for this [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList].
  391. State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
  392. // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] was created.
  393. google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
  394. // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] was updated.
  395. google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
  396. // Output only. The revision ID of this [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList]. A new revision is
  397. // committed whenever a new CRL is published. The format is an 8-character
  398. // hexadecimal string.
  399. string revision_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
  400. // Optional. Labels with user-defined metadata.
  401. map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];
  402. }
  403. // A [Certificate][google.cloud.security.privateca.v1.Certificate] corresponds to a signed X.509 certificate issued by a
  404. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
  405. message Certificate {
  406. option (google.api.resource) = {
  407. type: "privateca.googleapis.com/Certificate"
  408. pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificates/{certificate}"
  409. };
  410. // Describes fields that are relavent to the revocation of a [Certificate][google.cloud.security.privateca.v1.Certificate].
  411. message RevocationDetails {
  412. // Indicates why a [Certificate][google.cloud.security.privateca.v1.Certificate] was revoked.
  413. RevocationReason revocation_state = 1;
  414. // The time at which this [Certificate][google.cloud.security.privateca.v1.Certificate] was revoked.
  415. google.protobuf.Timestamp revocation_time = 2;
  416. }
  417. // Output only. The resource name for this [Certificate][google.cloud.security.privateca.v1.Certificate] in the format
  418. // `projects/*/locations/*/caPools/*/certificates/*`.
  419. string name = 1 [
  420. (google.api.field_behavior) = OUTPUT_ONLY,
  421. (google.api.resource_reference) = {
  422. type: "privateca.googleapis.com/Certificate"
  423. }
  424. ];
  425. // The config used to create a signed X.509 certificate.
  426. oneof certificate_config {
  427. // Immutable. A pem-encoded X.509 certificate signing request (CSR).
  428. string pem_csr = 2 [(google.api.field_behavior) = IMMUTABLE];
  429. // Immutable. A description of the certificate and key that does not require X.509 or
  430. // ASN.1.
  431. CertificateConfig config = 3 [(google.api.field_behavior) = IMMUTABLE];
  432. }
  433. // Output only. The resource name of the issuing [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the format
  434. // `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  435. string issuer_certificate_authority = 4 [
  436. (google.api.field_behavior) = OUTPUT_ONLY,
  437. (google.api.resource_reference) = {
  438. type: "privateca.googleapis.com/CertificateAuthority"
  439. }
  440. ];
  441. // Required. Immutable. The desired lifetime of a certificate. Used to create the
  442. // "not_before_time" and "not_after_time" fields inside an X.509
  443. // certificate. Note that the lifetime may be truncated if it would extend
  444. // past the life of any certificate authority in the issuing chain.
  445. google.protobuf.Duration lifetime = 5 [
  446. (google.api.field_behavior) = REQUIRED,
  447. (google.api.field_behavior) = IMMUTABLE
  448. ];
  449. // Immutable. The resource name for a [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] used to issue this
  450. // certificate, in the format
  451. // `projects/*/locations/*/certificateTemplates/*`.
  452. // If this is specified, the caller must have the necessary permission to
  453. // use this template. If this is omitted, no template will be used.
  454. // This template must be in the same location as the [Certificate][google.cloud.security.privateca.v1.Certificate].
  455. string certificate_template = 6 [
  456. (google.api.field_behavior) = IMMUTABLE,
  457. (google.api.resource_reference) = {
  458. type: "privateca.googleapis.com/CertificateTemplate"
  459. }
  460. ];
  461. // Immutable. Specifies how the [Certificate][google.cloud.security.privateca.v1.Certificate]'s identity fields are to be decided.
  462. // If this is omitted, the `DEFAULT` subject mode will be used.
  463. SubjectRequestMode subject_mode = 7 [(google.api.field_behavior) = IMMUTABLE];
  464. // Output only. Details regarding the revocation of this [Certificate][google.cloud.security.privateca.v1.Certificate]. This
  465. // [Certificate][google.cloud.security.privateca.v1.Certificate] is considered revoked if and only if this field is present.
  466. RevocationDetails revocation_details = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
  467. // Output only. The pem-encoded, signed X.509 certificate.
  468. string pem_certificate = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
  469. // Output only. A structured description of the issued X.509 certificate.
  470. CertificateDescription certificate_description = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
  471. // Output only. The chain that may be used to verify the X.509 certificate. Expected to be
  472. // in issuer-to-root order according to RFC 5246.
  473. repeated string pem_certificate_chain = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
  474. // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1.Certificate] was created.
  475. google.protobuf.Timestamp create_time = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
  476. // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1.Certificate] was updated.
  477. google.protobuf.Timestamp update_time = 13 [(google.api.field_behavior) = OUTPUT_ONLY];
  478. // Optional. Labels with user-defined metadata.
  479. map<string, string> labels = 14 [(google.api.field_behavior) = OPTIONAL];
  480. }
  481. // A [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] refers to a managed template for certificate
  482. // issuance.
  483. message CertificateTemplate {
  484. option (google.api.resource) = {
  485. type: "privateca.googleapis.com/CertificateTemplate"
  486. pattern: "projects/{project}/locations/{location}/certificateTemplates/{certificate_template}"
  487. };
  488. // Output only. The resource name for this [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] in the format
  489. // `projects/*/locations/*/certificateTemplates/*`.
  490. string name = 1 [
  491. (google.api.field_behavior) = OUTPUT_ONLY,
  492. (google.api.resource_reference) = {
  493. type: "privateca.googleapis.com/CertificateTemplate"
  494. }
  495. ];
  496. // Optional. A set of X.509 values that will be applied to all issued certificates that
  497. // use this template. If the certificate request includes conflicting values
  498. // for the same properties, they will be overwritten by the values defined
  499. // here. If the issuing [CaPool][google.cloud.security.privateca.v1.CaPool]'s [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy]
  500. // defines conflicting
  501. // [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values] for the same
  502. // properties, the certificate issuance request will fail.
  503. X509Parameters predefined_values = 2 [(google.api.field_behavior) = OPTIONAL];
  504. // Optional. Describes constraints on identities that may be appear in
  505. // [Certificates][google.cloud.security.privateca.v1.Certificate] issued using this template. If this is omitted,
  506. // then this template will not add restrictions on a certificate's identity.
  507. CertificateIdentityConstraints identity_constraints = 3 [(google.api.field_behavior) = OPTIONAL];
  508. // Optional. Describes the set of X.509 extensions that may appear in a
  509. // [Certificate][google.cloud.security.privateca.v1.Certificate] issued using this [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]. If a certificate
  510. // request sets extensions that don't appear in the
  511. // [passthrough_extensions][google.cloud.security.privateca.v1.CertificateTemplate.passthrough_extensions], those extensions will be dropped. If the
  512. // issuing [CaPool][google.cloud.security.privateca.v1.CaPool]'s [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] defines
  513. // [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values] that don't appear
  514. // here, the certificate issuance request will fail. If this is omitted, then
  515. // this template will not add restrictions on a certificate's X.509
  516. // extensions. These constraints do not apply to X.509 extensions set in this
  517. // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]'s [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values].
  518. CertificateExtensionConstraints passthrough_extensions = 4 [(google.api.field_behavior) = OPTIONAL];
  519. // Optional. A human-readable description of scenarios this template is intended for.
  520. string description = 5 [(google.api.field_behavior) = OPTIONAL];
  521. // Output only. The time at which this [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] was created.
  522. google.protobuf.Timestamp create_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
  523. // Output only. The time at which this [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] was updated.
  524. google.protobuf.Timestamp update_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
  525. // Optional. Labels with user-defined metadata.
  526. map<string, string> labels = 8 [(google.api.field_behavior) = OPTIONAL];
  527. }
  528. // An [X509Parameters][google.cloud.security.privateca.v1.X509Parameters] is used to describe certain fields of an
  529. // X.509 certificate, such as the key usage fields, fields specific to CA
  530. // certificates, certificate policy extensions and custom extensions.
  531. message X509Parameters {
  532. // Describes values that are relevant in a CA certificate.
  533. message CaOptions {
  534. // Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
  535. // value is missing, the extension will be omitted from the CA certificate.
  536. optional bool is_ca = 1 [(google.api.field_behavior) = OPTIONAL];
  537. // Optional. Refers to the path length restriction X.509 extension. For a CA
  538. // certificate, this value describes the depth of subordinate CA
  539. // certificates that are allowed.
  540. // If this value is less than 0, the request will fail.
  541. // If this value is missing, the max path length will be omitted from the
  542. // CA certificate.
  543. optional int32 max_issuer_path_length = 2 [(google.api.field_behavior) = OPTIONAL];
  544. }
  545. // Optional. Indicates the intended use for keys that correspond to a certificate.
  546. KeyUsage key_usage = 1 [(google.api.field_behavior) = OPTIONAL];
  547. // Optional. Describes options in this [X509Parameters][google.cloud.security.privateca.v1.X509Parameters] that are relevant in a CA
  548. // certificate.
  549. CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL];
  550. // Optional. Describes the X.509 certificate policy object identifiers, per
  551. // https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
  552. repeated ObjectId policy_ids = 3 [(google.api.field_behavior) = OPTIONAL];
  553. // Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
  554. // that appear in the "Authority Information Access" extension in the
  555. // certificate.
  556. repeated string aia_ocsp_servers = 4 [(google.api.field_behavior) = OPTIONAL];
  557. // Optional. Describes custom X.509 extensions.
  558. repeated X509Extension additional_extensions = 5 [(google.api.field_behavior) = OPTIONAL];
  559. }
  560. // Describes a subordinate CA's issuers. This is either a resource name to a
  561. // known issuing [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], or a PEM issuer certificate chain.
  562. message SubordinateConfig {
  563. // This message describes a subordinate CA's issuer certificate chain. This
  564. // wrapper exists for compatibility reasons.
  565. message SubordinateConfigChain {
  566. // Required. Expected to be in leaf-to-root order according to RFC 5246.
  567. repeated string pem_certificates = 1 [(google.api.field_behavior) = REQUIRED];
  568. }
  569. oneof subordinate_config {
  570. // Required. This can refer to a [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] in the same project that
  571. // was used to create a subordinate [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. This field
  572. // is used for information and usability purposes only. The resource name
  573. // is in the format
  574. // `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
  575. string certificate_authority = 1 [
  576. (google.api.field_behavior) = REQUIRED,
  577. (google.api.resource_reference) = {
  578. type: "privateca.googleapis.com/CertificateAuthority"
  579. }
  580. ];
  581. // Required. Contains the PEM certificate chain for the issuers of this
  582. // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], but not pem certificate for this CA itself.
  583. SubordinateConfigChain pem_issuer_chain = 2 [(google.api.field_behavior) = REQUIRED];
  584. }
  585. }
  586. // A [PublicKey][google.cloud.security.privateca.v1.PublicKey] describes a public key.
  587. message PublicKey {
  588. // Types of public keys formats that are supported. Currently, only `PEM`
  589. // format is supported.
  590. enum KeyFormat {
  591. // Default unspecified value.
  592. KEY_FORMAT_UNSPECIFIED = 0;
  593. // The key is PEM-encoded as defined in [RFC
  594. // 7468](https://tools.ietf.org/html/rfc7468). It can be any of the
  595. // following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey
  596. // structure, an RFC 5280
  597. // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
  598. // or a PEM-encoded X.509 certificate signing request (CSR). If a
  599. // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
  600. // is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey
  601. // or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified,
  602. // it will used solely for the purpose of extracting the public key. When
  603. // generated by the service, it will always be an RFC 5280
  604. // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1)
  605. // structure containing an algorithm identifier and a key.
  606. PEM = 1;
  607. }
  608. // Required. A public key. The padding and encoding
  609. // must match with the `KeyFormat` value specified for the `format` field.
  610. bytes key = 1 [(google.api.field_behavior) = REQUIRED];
  611. // Required. The format of the public key.
  612. KeyFormat format = 2 [(google.api.field_behavior) = REQUIRED];
  613. }
  614. // A [CertificateConfig][google.cloud.security.privateca.v1.CertificateConfig] describes an X.509 certificate or CSR that is to be
  615. // created, as an alternative to using ASN.1.
  616. message CertificateConfig {
  617. // These values are used to create the distinguished name and subject
  618. // alternative name fields in an X.509 certificate.
  619. message SubjectConfig {
  620. // Required. Contains distinguished name fields such as the common name, location and
  621. // organization.
  622. Subject subject = 1 [(google.api.field_behavior) = REQUIRED];
  623. // Optional. The subject alternative name fields.
  624. SubjectAltNames subject_alt_name = 2 [(google.api.field_behavior) = OPTIONAL];
  625. }
  626. // Required. Specifies some of the values in a certificate that are related to the
  627. // subject.
  628. SubjectConfig subject_config = 1 [(google.api.field_behavior) = REQUIRED];
  629. // Required. Describes how some of the technical X.509 fields in a certificate should be
  630. // populated.
  631. X509Parameters x509_config = 2 [(google.api.field_behavior) = REQUIRED];
  632. // Optional. The public key that corresponds to this config. This is, for example, used
  633. // when issuing [Certificates][google.cloud.security.privateca.v1.Certificate], but not when creating a
  634. // self-signed [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] or [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] CSR.
  635. PublicKey public_key = 3 [(google.api.field_behavior) = OPTIONAL];
  636. }
  637. // A [CertificateDescription][google.cloud.security.privateca.v1.CertificateDescription] describes an X.509 certificate or CSR that has
  638. // been issued, as an alternative to using ASN.1 / X.509.
  639. message CertificateDescription {
  640. // These values describe fields in an issued X.509 certificate such as the
  641. // distinguished name, subject alternative names, serial number, and lifetime.
  642. message SubjectDescription {
  643. // Contains distinguished name fields such as the common name, location and
  644. // / organization.
  645. Subject subject = 1;
  646. // The subject alternative name fields.
  647. SubjectAltNames subject_alt_name = 2;
  648. // The serial number encoded in lowercase hexadecimal.
  649. string hex_serial_number = 3;
  650. // For convenience, the actual lifetime of an issued certificate.
  651. google.protobuf.Duration lifetime = 4;
  652. // The time at which the certificate becomes valid.
  653. google.protobuf.Timestamp not_before_time = 5;
  654. // The time after which the certificate is expired.
  655. // Per RFC 5280, the validity period for a certificate is the period of time
  656. // from not_before_time through not_after_time, inclusive.
  657. // Corresponds to 'not_before_time' + 'lifetime' - 1 second.
  658. google.protobuf.Timestamp not_after_time = 6;
  659. }
  660. // A KeyId identifies a specific public key, usually by hashing the public
  661. // key.
  662. message KeyId {
  663. // Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most
  664. // likely the 160 bit SHA-1 hash of the public key.
  665. string key_id = 1 [(google.api.field_behavior) = OPTIONAL];
  666. }
  667. // A group of fingerprints for the x509 certificate.
  668. message CertificateFingerprint {
  669. // The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
  670. string sha256_hash = 1;
  671. }
  672. // Describes some of the values in a certificate that are related to the
  673. // subject and lifetime.
  674. SubjectDescription subject_description = 1;
  675. // Describes some of the technical X.509 fields in a certificate.
  676. X509Parameters x509_description = 2;
  677. // The public key that corresponds to an issued certificate.
  678. PublicKey public_key = 3;
  679. // Provides a means of identifiying certificates that contain a particular
  680. // public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
  681. KeyId subject_key_id = 4;
  682. // Identifies the subject_key_id of the parent certificate, per
  683. // https://tools.ietf.org/html/rfc5280#section-4.2.1.1
  684. KeyId authority_key_id = 5;
  685. // Describes a list of locations to obtain CRL information, i.e.
  686. // the DistributionPoint.fullName described by
  687. // https://tools.ietf.org/html/rfc5280#section-4.2.1.13
  688. repeated string crl_distribution_points = 6;
  689. // Describes lists of issuer CA certificate URLs that appear in the
  690. // "Authority Information Access" extension in the certificate.
  691. repeated string aia_issuing_certificate_urls = 7;
  692. // The hash of the x.509 certificate.
  693. CertificateFingerprint cert_fingerprint = 8;
  694. }
  695. // An [ObjectId][google.cloud.security.privateca.v1.ObjectId] specifies an object identifier (OID). These provide context
  696. // and describe types in ASN.1 messages.
  697. message ObjectId {
  698. // Required. The parts of an OID path. The most significant parts of the path come
  699. // first.
  700. repeated int32 object_id_path = 1 [(google.api.field_behavior) = REQUIRED];
  701. }
  702. // An [X509Extension][google.cloud.security.privateca.v1.X509Extension] specifies an X.509 extension, which may be used in
  703. // different parts of X.509 objects like certificates, CSRs, and CRLs.
  704. message X509Extension {
  705. // Required. The OID for this X.509 extension.
  706. ObjectId object_id = 1 [(google.api.field_behavior) = REQUIRED];
  707. // Optional. Indicates whether or not this extension is critical (i.e., if the client
  708. // does not know how to handle this extension, the client should consider this
  709. // to be an error).
  710. bool critical = 2 [(google.api.field_behavior) = OPTIONAL];
  711. // Required. The value of this X.509 extension.
  712. bytes value = 3 [(google.api.field_behavior) = REQUIRED];
  713. }
  714. // A [KeyUsage][google.cloud.security.privateca.v1.KeyUsage] describes key usage values that may appear in an X.509
  715. // certificate.
  716. message KeyUsage {
  717. // [KeyUsage.KeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions] corresponds to the key usage values
  718. // described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
  719. message KeyUsageOptions {
  720. // The key may be used for digital signatures.
  721. bool digital_signature = 1;
  722. // The key may be used for cryptographic commitments. Note that this may
  723. // also be referred to as "non-repudiation".
  724. bool content_commitment = 2;
  725. // The key may be used to encipher other keys.
  726. bool key_encipherment = 3;
  727. // The key may be used to encipher data.
  728. bool data_encipherment = 4;
  729. // The key may be used in a key agreement protocol.
  730. bool key_agreement = 5;
  731. // The key may be used to sign certificates.
  732. bool cert_sign = 6;
  733. // The key may be used sign certificate revocation lists.
  734. bool crl_sign = 7;
  735. // The key may be used to encipher only.
  736. bool encipher_only = 8;
  737. // The key may be used to decipher only.
  738. bool decipher_only = 9;
  739. }
  740. // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions] has fields that correspond to
  741. // certain common OIDs that could be specified as an extended key usage value.
  742. message ExtendedKeyUsageOptions {
  743. // Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
  744. // server authentication", though regularly used for non-WWW TLS.
  745. bool server_auth = 1;
  746. // Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW
  747. // client authentication", though regularly used for non-WWW TLS.
  748. bool client_auth = 2;
  749. // Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of
  750. // downloadable executable code client authentication".
  751. bool code_signing = 3;
  752. // Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email
  753. // protection".
  754. bool email_protection = 4;
  755. // Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding
  756. // the hash of an object to a time".
  757. bool time_stamping = 5;
  758. // Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing
  759. // OCSP responses".
  760. bool ocsp_signing = 6;
  761. }
  762. // Describes high-level ways in which a key may be used.
  763. KeyUsageOptions base_key_usage = 1;
  764. // Detailed scenarios in which a key may be used.
  765. ExtendedKeyUsageOptions extended_key_usage = 2;
  766. // Used to describe extended key usages that are not listed in the
  767. // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions] message.
  768. repeated ObjectId unknown_extended_key_usages = 3;
  769. }
  770. // [Subject][google.cloud.security.privateca.v1.Subject] describes parts of a distinguished name that, in turn,
  771. // describes the subject of the certificate.
  772. message Subject {
  773. // The "common name" of the subject.
  774. string common_name = 1;
  775. // The country code of the subject.
  776. string country_code = 2;
  777. // The organization of the subject.
  778. string organization = 3;
  779. // The organizational_unit of the subject.
  780. string organizational_unit = 4;
  781. // The locality or city of the subject.
  782. string locality = 5;
  783. // The province, territory, or regional state of the subject.
  784. string province = 6;
  785. // The street address of the subject.
  786. string street_address = 7;
  787. // The postal code of the subject.
  788. string postal_code = 8;
  789. }
  790. // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] corresponds to a more modern way of listing what
  791. // the asserted identity is in a certificate (i.e., compared to the "common
  792. // name" in the distinguished name).
  793. message SubjectAltNames {
  794. // Contains only valid, fully-qualified host names.
  795. repeated string dns_names = 1;
  796. // Contains only valid RFC 3986 URIs.
  797. repeated string uris = 2;
  798. // Contains only valid RFC 2822 E-mail addresses.
  799. repeated string email_addresses = 3;
  800. // Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
  801. repeated string ip_addresses = 4;
  802. // Contains additional subject alternative name values.
  803. repeated X509Extension custom_sans = 5;
  804. }
  805. // Describes constraints on a [Certificate][google.cloud.security.privateca.v1.Certificate]'s [Subject][google.cloud.security.privateca.v1.Subject] and
  806. // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames].
  807. message CertificateIdentityConstraints {
  808. // Optional. A CEL expression that may be used to validate the resolved X.509 Subject
  809. // and/or Subject Alternative Name before a certificate is signed.
  810. // To see the full allowed syntax and some examples, see
  811. // https://cloud.google.com/certificate-authority-service/docs/using-cel
  812. google.type.Expr cel_expression = 1 [(google.api.field_behavior) = OPTIONAL];
  813. // Required. If this is true, the [Subject][google.cloud.security.privateca.v1.Subject] field may be copied from a certificate
  814. // request into the signed certificate. Otherwise, the requested [Subject][google.cloud.security.privateca.v1.Subject]
  815. // will be discarded.
  816. optional bool allow_subject_passthrough = 2 [(google.api.field_behavior) = REQUIRED];
  817. // Required. If this is true, the [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] extension may be copied from a
  818. // certificate request into the signed certificate. Otherwise, the requested
  819. // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will be discarded.
  820. optional bool allow_subject_alt_names_passthrough = 3 [(google.api.field_behavior) = REQUIRED];
  821. }
  822. // Describes a set of X.509 extensions that may be part of some certificate
  823. // issuance controls.
  824. message CertificateExtensionConstraints {
  825. // Describes well-known X.509 extensions that can appear in a [Certificate][google.cloud.security.privateca.v1.Certificate],
  826. // not including the [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] extension.
  827. enum KnownCertificateExtension {
  828. // Not specified.
  829. KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0;
  830. // Refers to a certificate's Key Usage extension, as described in [RFC 5280
  831. // section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3).
  832. // This corresponds to the [KeyUsage.base_key_usage][google.cloud.security.privateca.v1.KeyUsage.base_key_usage] field.
  833. BASE_KEY_USAGE = 1;
  834. // Refers to a certificate's Extended Key Usage extension, as described in
  835. // [RFC 5280
  836. // section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12).
  837. // This corresponds to the [KeyUsage.extended_key_usage][google.cloud.security.privateca.v1.KeyUsage.extended_key_usage] message.
  838. EXTENDED_KEY_USAGE = 2;
  839. // Refers to a certificate's Basic Constraints extension, as described in
  840. // [RFC 5280
  841. // section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9).
  842. // This corresponds to the [X509Parameters.ca_options][google.cloud.security.privateca.v1.X509Parameters.ca_options] field.
  843. CA_OPTIONS = 3;
  844. // Refers to a certificate's Policy object identifiers, as described in
  845. // [RFC 5280
  846. // section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
  847. // This corresponds to the [X509Parameters.policy_ids][google.cloud.security.privateca.v1.X509Parameters.policy_ids] field.
  848. POLICY_IDS = 4;
  849. // Refers to OCSP servers in a certificate's Authority Information Access
  850. // extension, as described in
  851. // [RFC 5280
  852. // section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1),
  853. // This corresponds to the [X509Parameters.aia_ocsp_servers][google.cloud.security.privateca.v1.X509Parameters.aia_ocsp_servers] field.
  854. AIA_OCSP_SERVERS = 5;
  855. }
  856. // Optional. A set of named X.509 extensions. Will be combined with
  857. // [additional_extensions][google.cloud.security.privateca.v1.CertificateExtensionConstraints.additional_extensions] to determine the full set of X.509 extensions.
  858. repeated KnownCertificateExtension known_extensions = 1 [(google.api.field_behavior) = OPTIONAL];
  859. // Optional. A set of [ObjectIds][google.cloud.security.privateca.v1.ObjectId] identifying custom X.509 extensions.
  860. // Will be combined with [known_extensions][google.cloud.security.privateca.v1.CertificateExtensionConstraints.known_extensions] to determine the full set of
  861. // X.509 extensions.
  862. repeated ObjectId additional_extensions = 2 [(google.api.field_behavior) = OPTIONAL];
  863. }
  864. // A [RevocationReason][google.cloud.security.privateca.v1.RevocationReason] indicates whether a [Certificate][google.cloud.security.privateca.v1.Certificate] has been revoked,
  865. // and the reason for revocation. These correspond to standard revocation
  866. // reasons from RFC 5280. Note that the enum labels and values in this
  867. // definition are not the same ASN.1 values defined in RFC 5280. These values
  868. // will be translated to the correct ASN.1 values when a CRL is created.
  869. enum RevocationReason {
  870. // Default unspecified value. This value does indicate that a [Certificate][google.cloud.security.privateca.v1.Certificate]
  871. // has been revoked, but that a reason has not been recorded.
  872. REVOCATION_REASON_UNSPECIFIED = 0;
  873. // Key material for this [Certificate][google.cloud.security.privateca.v1.Certificate] may have leaked.
  874. KEY_COMPROMISE = 1;
  875. // The key material for a certificate authority in the issuing path may have
  876. // leaked.
  877. CERTIFICATE_AUTHORITY_COMPROMISE = 2;
  878. // The subject or other attributes in this [Certificate][google.cloud.security.privateca.v1.Certificate] have changed.
  879. AFFILIATION_CHANGED = 3;
  880. // This [Certificate][google.cloud.security.privateca.v1.Certificate] has been superseded.
  881. SUPERSEDED = 4;
  882. // This [Certificate][google.cloud.security.privateca.v1.Certificate] or entities in the issuing path have ceased to
  883. // operate.
  884. CESSATION_OF_OPERATION = 5;
  885. // This [Certificate][google.cloud.security.privateca.v1.Certificate] should not be considered valid, it is expected that it
  886. // may become valid in the future.
  887. CERTIFICATE_HOLD = 6;
  888. // This [Certificate][google.cloud.security.privateca.v1.Certificate] no longer has permission to assert the listed
  889. // attributes.
  890. PRIVILEGE_WITHDRAWN = 7;
  891. // The authority which determines appropriate attributes for a [Certificate][google.cloud.security.privateca.v1.Certificate]
  892. // may have been compromised.
  893. ATTRIBUTE_AUTHORITY_COMPROMISE = 8;
  894. }
  895. // Describes the way in which a [Certificate][google.cloud.security.privateca.v1.Certificate]'s [Subject][google.cloud.security.privateca.v1.Subject] and/or
  896. // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will be resolved.
  897. enum SubjectRequestMode {
  898. // Not specified.
  899. SUBJECT_REQUEST_MODE_UNSPECIFIED = 0;
  900. // The default mode used in most cases. Indicates that the certificate's
  901. // [Subject][google.cloud.security.privateca.v1.Subject] and/or [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] are specified in the certificate
  902. // request. This mode requires the caller to have the
  903. // `privateca.certificates.create` permission.
  904. DEFAULT = 1;
  905. // A mode reserved for special cases. Indicates that the certificate should
  906. // have one or more SPIFFE [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] set by the service based
  907. // on the caller's identity. This mode will ignore any explicitly specified
  908. // [Subject][google.cloud.security.privateca.v1.Subject] and/or [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] in the certificate request.
  909. // This mode requires the caller to have the
  910. // `privateca.certificates.createForSelf` permission.
  911. REFLECTED_SPIFFE = 2;
  912. }