
  1. // Copyright 2020 Google LLC
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.security.privateca.v1beta1;
  16. import "google/api/field_behavior.proto";
  17. import "google/api/resource.proto";
  18. import "google/protobuf/duration.proto";
  19. import "google/protobuf/timestamp.proto";
  20. import "google/protobuf/wrappers.proto";
  21. import "google/api/annotations.proto";
  22. option cc_enable_arenas = true;
  23. option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1Beta1";
  24. option go_package = "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1;privateca";
  25. option java_multiple_files = true;
  26. option java_outer_classname = "PrivateCaResourcesProto";
  27. option java_package = "com.google.cloud.security.privateca.v1beta1";
  28. option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1beta1";
  29. option ruby_package = "Google::Cloud::Security::PrivateCA::V1beta1";
// A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] represents an individual Certificate Authority.
// A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] can be used to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
//
// Security overview: the CA signs with a Cloud KMS key version chosen through
// `key_spec`; what the CA is willing to sign is bounded only by
// `certificate_policy`, and what it publishes (CA certificate, CRLs) goes to
// `gcs_bucket` / `access_urls`. Review those three fields together when
// auditing a CA.
message CertificateAuthority {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/CertificateAuthority"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}"
  };

  // Options that affect all certificates issued by a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  message IssuingOptions {
    // Required. When true, includes a URL to the issuing CA certificate in the
    // "authority information access" X.509 extension, so relying parties can
    // fetch the issuer certificate when building a chain.
    bool include_ca_cert_url = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. When true, includes a URL to the CRL corresponding to certificates
    // issued from a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
    // (presumably via the X.509 CRL Distribution Points extension — confirm).
    // CRLs will expire 7 days from their creation. However, we will rebuild
    // daily. CRLs are also rebuilt shortly after a certificate is revoked.
    // Security note: if this is false, CRL-checking clients have no in-band way
    // to discover revocations; only set it to false when relying parties obtain
    // revocation data through another channel.
    bool include_crl_access_url = 2 [(google.api.field_behavior) = REQUIRED];
  }

  // The issuing policy for a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] will not be successfully issued from this
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] if they violate the policy.
  // Most constraints below are opt-in: per their own descriptions, a constraint
  // that is left unset imposes no restriction on the corresponding part of an
  // issued certificate, so an empty policy is a permissive CA.
  message CertificateAuthorityPolicy {
    // An allow-list of certificate configurations; an issued certificate must
    // match at least one entry.
    message AllowedConfigList {
      // Required. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // must match at least one listed [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper]. If a
      // [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] has an empty field, any value will be
      // allowed for that field (an empty field is a wildcard, not a denial).
      repeated ReusableConfigWrapper allowed_config_values = 1 [(google.api.field_behavior) = REQUIRED];
    }

    // [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] specifies the allowed values for
    // [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames] by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] when issuing
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
    message AllowedSubjectAltNames {
      // Optional. Contains valid, fully-qualified host names. Glob patterns are also
      // supported. To allow an explicit wildcard certificate, escape with
      // backslash (i.e. "\*").
      // E.g. for globbed entries: '*bar.com' will allow foo.bar.com, but not
      // *.bar.com, unless the [allow_globbing_dns_wildcards][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allow_globbing_dns_wildcards] field is set.
      // E.g. for wildcard entries: '\*.bar.com' will allow '*.bar.com', but not
      // 'foo.bar.com'.
      // Security note: as with ordinary glob matching, '*bar.com' would
      // presumably also admit unrelated names such as 'notbar.com' — confirm
      // against the service's matcher; use '*.bar.com' when the intent is
      // "subdomains of bar.com only".
      repeated string allowed_dns_names = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
      // match across path separators (i.e. '/') use the double star glob
      // pattern (i.e. '**'); a single '*' does not cross a '/'.
      repeated string allowed_uris = 2 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
      // supported.
      repeated string allowed_email_addresses = 3 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
      // addresses and subnet ranges. Subnet ranges are specified using the
      // '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
      // are supported only for ip address entries (i.e. not for subnet ranges).
      repeated string allowed_ips = 4 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Specifies if glob patterns used for [allowed_dns_names][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allowed_dns_names] allows
      // wildcard certificates, i.e. whether a glob such as '*.bar.com' also
      // permits issuing the wildcard name '*.bar.com' itself.
      // Security note: a wildcard certificate is valid for every host under the
      // domain; keep this false unless wildcard issuance is deliberately wanted.
      bool allow_globbing_dns_wildcards = 5 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Specifies if to allow custom X509Extension values.
      // NOTE(review): the field name suggests this governs custom SubjectAltName
      // entries (outside the DNS/URI/e-mail/IP lists above) rather than
      // arbitrary extensions — confirm the exact scope against the service
      // documentation before relying on it as a control.
      bool allow_custom_sans = 6 [(google.api.field_behavior) = OPTIONAL];
    }

    // [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] specifies the allowed ways in which
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] may be requested from this
    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
    message IssuanceModes {
      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
      // specifying a CSR. The requested subject, SANs and extensions then come
      // from caller-supplied ASN.1 and are checked only against this policy.
      bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
      // specifying a [CertificateConfig][google.cloud.security.privateca.v1beta1.CertificateConfig].
      bool allow_config_based_issuance = 2 [(google.api.field_behavior) = REQUIRED];
    }

    // Allowed configurations or a single configuration for all issued
    // certificates. At most one of the two may be set.
    oneof config_policy {
      // Optional. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // must match at least one listed [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] in the list.
      AllowedConfigList allowed_config_list = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // will use the provided configuration values, overwriting any requested
      // configuration values. This is the stricter option: the requester cannot
      // influence the overwritten fields at all.
      ReusableConfigWrapper overwrite_config_values = 2 [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. If any [Subject][google.cloud.security.privateca.v1beta1.Subject] is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match at least one listed [Subject][google.cloud.security.privateca.v1beta1.Subject]. If a [Subject][google.cloud.security.privateca.v1beta1.Subject] has an empty
    // field, any value will be allowed for that field.
    repeated Subject allowed_locations_and_organizations = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If any value is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match at least one listed value. If no value is specified, all values
    // will be allowed for this field. Glob patterns are also supported.
    repeated string allowed_common_names = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If a [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames]. If no value or an empty value
    // is specified, any value will be allowed for the [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames]
    // field.
    AllowedSubjectAltNames allowed_sans = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. The maximum lifetime allowed by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. Note that
    // if any part of the issuing chain expires before a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]'s
    // requested maximum_lifetime, the effective lifetime will be explicitly
    // truncated.
    google.protobuf.Duration maximum_lifetime = 6 [(google.api.field_behavior) = OPTIONAL];

    // NOTE(review): field number 7 is unused in this message; if it was ever
    // assigned, add `reserved 7;` so it cannot be reused with a new meaning.

    // Optional. If specified, then only methods allowed in the [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] may be
    // used to issue [Certificates][google.cloud.security.privateca.v1beta1.Certificate]. When unset, this
    // policy places no restriction on the issuance method.
    IssuanceModes allowed_issuance_modes = 8 [(google.api.field_behavior) = OPTIONAL];
  }

  // URLs where a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will publish content.
  message AccessUrls {
    // The URL where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate is
    // published. This will only be set for CAs that have been activated.
    string ca_certificate_access_url = 1;

    // The URL where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CRLs are published. This
    // will only be set for CAs that have been activated.
    string crl_access_url = 2;
  }

  // A Cloud KMS key configuration that a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will use.
  // Exactly one of the two alternatives is chosen: bring an existing key
  // version, or let the service create a managed HSM key of a given algorithm.
  message KeyVersionSpec {
    // NOTE: the oneof name is PascalCase rather than the conventional
    // lower_snake_case; it is kept as-is because renaming it would change the
    // generated accessors.
    oneof KeyVersion {
      // Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
      // format
      // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
      // This option enables full flexibility in the key's capabilities and
      // properties. The key is expected to be an `ASYMMETRIC_SIGN` key whose
      // algorithm is one of the [SignHashAlgorithm][google.cloud.security.privateca.v1beta1.CertificateAuthority.SignHashAlgorithm] values.
      // Security note: with a caller-supplied key, the key's protection level,
      // rotation, disabling and destruction are controlled in KMS, outside this
      // resource — presumably the service also needs IAM permission to sign
      // with it (confirm against the KMS / Private CA documentation).
      string cloud_kms_key_version = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. The algorithm to use for creating a managed Cloud KMS key for a
      // simplified experience. All managed keys will have their
      // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
      SignHashAlgorithm algorithm = 2 [(google.api.field_behavior) = REQUIRED];
    }
  }

  // The type of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating its issuing chain.
  enum Type {
    // Not specified.
    TYPE_UNSPECIFIED = 0;

    // Self-signed CA.
    SELF_SIGNED = 1;

    // Subordinate CA. Could be issued by a Private CA [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
    // or an unmanaged CA.
    SUBORDINATE = 2;
  }

  // The tier of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating its supported
  // functionality and/or billing SKU.
  enum Tier {
    // Not specified.
    TIER_UNSPECIFIED = 0;

    // Enterprise tier.
    ENTERPRISE = 1;

    // DevOps tier.
    DEVOPS = 2;
  }

  // The state of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating if it can be used.
  enum State {
    // Not specified.
    STATE_UNSPECIFIED = 0;

    // Certificates can be issued from this CA. CRLs will be generated for this
    // CA.
    ENABLED = 1;

    // Certificates cannot be issued from this CA. CRLs will still be generated,
    // so previously issued certificates can still be revoked and checked.
    DISABLED = 2;

    // Certificates cannot be issued from this CA. CRLs will not be generated.
    // (Presumably a CA whose certificate has not yet been installed/activated —
    // confirm.)
    PENDING_ACTIVATION = 3;

    // Certificates cannot be issued from this CA. CRLs will not be generated.
    // Security note: because CRLs stop being generated, revocation status of
    // certificates issued by a CA in this state can no longer be refreshed.
    PENDING_DELETION = 4;
  }

  // The algorithm of a Cloud KMS CryptoKeyVersion of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  // `ASYMMETRIC_SIGN`. These values correspond to the
  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // values. For RSA signing algorithms, the PSS algorithms should be preferred,
  // use PKCS1 algorithms if required for compatibility. For further
  // recommendations, see
  // https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  // Numeric values are not in declaration order; they are wire values and must
  // not be renumbered.
  enum SignHashAlgorithm {
    // Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    // (PKCS#1 v1.5 padding; prefer the PSS variants unless compatibility
    // requires this.)
    RSA_PKCS1_2048_SHA256 = 6;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7;

    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8;

    // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4;

    // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5;
  }

  // Output only. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The [Type][google.cloud.security.privateca.v1beta1.CertificateAuthority.Type] of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  Type type = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The [Tier][google.cloud.security.privateca.v1beta1.CertificateAuthority.Tier] of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  Tier tier = 3 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
  // Immutable because it describes the CA's own certificate; changing it would
  // require re-issuing the CA certificate.
  CertificateConfig config = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. The desired lifetime of the CA certificate. Used to create the
  // "not_before_time" and "not_after_time" fields inside an X.509
  // certificate.
  google.protobuf.Duration lifetime = 5 [(google.api.field_behavior) = REQUIRED];

  // Required. Immutable. Used when issuing certificates for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. If this
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] is a self-signed CertificateAuthority, this key
  // is also used to sign the self-signed CA certificate. Otherwise, it
  // is used to sign a CSR.
  KeyVersionSpec key_spec = 6 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Optional. The [CertificateAuthorityPolicy][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy] to enforce when issuing
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] from this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  // Security note: this is the only issuance-time guard; with no policy set,
  // any caller permitted to create certificates can request any subject, SAN
  // or lifetime the issuing chain allows.
  CertificateAuthorityPolicy certificate_policy = 7 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The [IssuingOptions][google.cloud.security.privateca.v1beta1.CertificateAuthority.IssuingOptions] to follow when issuing [Certificates][google.cloud.security.privateca.v1beta1.Certificate]
  // from this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  IssuingOptions issuing_options = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If this is a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], this field will be set
  // with the subordinate configuration, which describes its issuers. This may
  // be updated, but this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must continue to validate.
  SubordinateConfig subordinate_config = 19 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The [State][google.cloud.security.privateca.v1beta1.CertificateAuthority.State] for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  State state = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. This [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate chain, including the current
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate. Ordered such that the root issuer
  // is the final element (consistent with RFC 5246). For a self-signed CA, this
  // will only list the current [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate.
  repeated string pem_ca_certificates = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // NOTE(review): field number 11 is unused in this message; if it was ever
  // assigned, add `reserved 11;` so it cannot be reused with a new meaning.

  // Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate
  // and its issuers. Ordered as self-to-root, i.e. parallel to
  // `pem_ca_certificates`.
  repeated CertificateDescription ca_certificate_descriptions = 12 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The name of a Cloud Storage bucket where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will
  // publish content, such as the CA certificate and CRLs. This must be a bucket
  // name, without any prefixes (such as `gs://`) or suffixes (such as
  // `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
  // would simply specify `my-bucket`. If not specified, a managed bucket will
  // be created.
  // NOTE(review): when supplying your own bucket, its IAM policy presumably
  // has to allow the service to write and relying parties to read the
  // published CA certificate and CRLs, while denying writes to anyone else —
  // a world-writable bucket would let an attacker replace the published CRL.
  // Confirm the required bucket permissions against the product documentation.
  string gcs_bucket = 13 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. URLs for accessing content published by this CA, such as the CA certificate
  // and CRLs.
  AccessUrls access_urls = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] was created.
  google.protobuf.Timestamp create_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] was updated.
  google.protobuf.Timestamp update_time = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will be deleted, if
  // scheduled for deletion.
  google.protobuf.Timestamp delete_time = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 18 [(google.api.field_behavior) = OPTIONAL];
}
// A [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] corresponds to a signed X.509 certificate
// Revocation List (CRL). A CRL contains the serial numbers of certificates that
// should no longer be trusted.
//
// The structured fields below (`revoked_certificates`, `sequence_number`) mirror
// the content of `pem_crl`. Relying parties should verify the CRL signature in
// `pem_crl` against the issuing CA's certificate rather than trusting the
// structured view alone.
message CertificateRevocationList {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/CertificateRevocationList"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}/certificateRevocationLists/{certificate_revocation_list}"
  };

  // Describes a revoked [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  message RevokedCertificate {
    // The resource path for the [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in the format
    // `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
    string certificate = 1;

    // The serial number of the [Certificate][google.cloud.security.privateca.v1beta1.Certificate],
    // as a hex string (this is the value a CRL consumer matches on).
    string hex_serial_number = 2;

    // The reason the [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    RevocationReason revocation_reason = 3;
  }

  // The state of a [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList], indicating if it is current.
  enum State {
    // Not specified.
    STATE_UNSPECIFIED = 0;

    // The [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] is up to date.
    ACTIVE = 1;

    // The [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] is no longer current
    // (presumably a newer CRL has been published — confirm). A superseded CRL
    // may be missing revocations recorded after it was built.
    SUPERSEDED = 2;
  }

  // Output only. The resource path for this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] in
  // the format
  // `projects/*/locations/*/certificateAuthorities/*/
  // certificateRevocationLists/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The CRL sequence number that appears in pem_crl.
  int64 sequence_number = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The revoked serial numbers that appear in pem_crl.
  repeated RevokedCertificate revoked_certificates = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The PEM-encoded X.509 CRL. This is the authoritative, signed
  // artifact.
  string pem_crl = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The location where 'pem_crl' can be accessed.
  string access_url = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The [State][google.cloud.security.privateca.v1beta1.CertificateRevocationList.State] for this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] was created.
  google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] was updated.
  google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 9 [(google.api.field_behavior) = OPTIONAL];
}
// A [Certificate][google.cloud.security.privateca.v1beta1.Certificate] corresponds to a signed X.509 certificate issued by a
// [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
message Certificate {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/Certificate"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}/certificates/{certificate}"
  };

  // Describes fields that are relevant to the revocation of a [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  message RevocationDetails {
    // Indicates why a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    // NOTE: the field is named `revocation_state` but holds a
    // [RevocationReason][google.cloud.security.privateca.v1beta1.RevocationReason]; the name is kept for
    // wire/JSON compatibility.
    RevocationReason revocation_state = 1;

    // The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    google.protobuf.Timestamp revocation_time = 2;
  }

  // Output only. The resource path for this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in the format
  // `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The config used to create a signed X.509 certificate. Exactly one of the
  // two request forms is given; either form is still subject to the issuing
  // CA's [CertificateAuthorityPolicy][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy].
  oneof certificate_config {
    // Immutable. A pem-encoded X.509 certificate signing request (CSR).
    // Security note: the subject, SANs and requested extensions are taken from
    // caller-supplied ASN.1; the CA policy is the only filter on them.
    string pem_csr = 2 [(google.api.field_behavior) = IMMUTABLE];

    // Immutable. A description of the certificate and key that does not require X.509 or
    // ASN.1.
    CertificateConfig config = 3 [(google.api.field_behavior) = IMMUTABLE];
  }

  // Required. Immutable. The desired lifetime of a certificate. Used to create the
  // "not_before_time" and "not_after_time" fields inside an X.509
  // certificate. Note that the lifetime may be truncated if it would extend
  // past the life of any certificate authority in the issuing chain.
  google.protobuf.Duration lifetime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Details regarding the revocation of this [Certificate][google.cloud.security.privateca.v1beta1.Certificate]. This
  // [Certificate][google.cloud.security.privateca.v1beta1.Certificate] is considered revoked if and only if this field is present.
  // Callers must therefore test message presence, not the values inside it.
  RevocationDetails revocation_details = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The pem-encoded, signed X.509 certificate.
  string pem_certificate = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A structured description of the issued X.509 certificate.
  CertificateDescription certificate_description = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The chain that may be used to verify the X.509 certificate. Expected to be
  // in issuer-to-root order according to RFC 5246, i.e. it starts with the
  // issuing CA's certificate and does not repeat `pem_certificate`.
  repeated string pem_certificate_chain = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was created.
  google.protobuf.Timestamp create_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was updated.
  google.protobuf.Timestamp update_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 11 [(google.api.field_behavior) = OPTIONAL];
}
// A [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] refers to a managed [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues]. Those, in
// turn, are used to describe certain fields of an X.509 certificate, such as
// the key usage fields, fields specific to CA certificates, certificate policy
// extensions and custom extensions.
//
// A ReusableConfig is a named, server-managed resource; other messages refer
// to it by its resource path rather than embedding the values.
message ReusableConfig {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/ReusableConfig"
    pattern: "projects/{project}/locations/{location}/reusableConfigs/{reusable_config}"
  };

  // Output only. The resource path for this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in the format
  // `projects/*/locations/*/reusableConfigs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. The config values.
  ReusableConfigValues values = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. A human-readable description of scenarios these ReusableConfigValues may be
  // compatible with.
  string description = 3 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] was created.
  google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] was updated.
  google.protobuf.Timestamp update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 6 [(google.api.field_behavior) = OPTIONAL];
}
// A [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues] is used to describe certain fields of an
// X.509 certificate, such as the key usage fields, fields specific to CA
// certificates, certificate policy extensions and custom extensions.
message ReusableConfigValues {
  // Describes values that are relevant in a CA certificate.
  //
  // Both fields use wrapper types so that "unset" can be told apart from
  // false / 0; per the field comments, an unset field is omitted from the
  // certificate rather than written with a default value.
  message CaOptions {
    // Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
    // value is missing, the extension will be omitted from the CA certificate.
    google.protobuf.BoolValue is_ca = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Refers to the path length restriction X.509 extension. For a CA
    // certificate, this value describes the depth of subordinate CA
    // certificates that are allowed.
    // If this value is less than 0, the request will fail.
    // If this value is missing, the max path length will be omitted from the
    // CA certificate.
    google.protobuf.Int32Value max_issuer_path_length = 2 [(google.api.field_behavior) = OPTIONAL];
  }

  // Optional. Indicates the intended use for keys that correspond to a certificate.
  KeyUsage key_usage = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes options in this [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues] that are
  // relevant in a CA certificate.
  CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes the X.509 certificate policy object identifiers, per
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
  repeated ObjectId policy_ids = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
  // that appear in the "Authority Information Access" extension in the
  // certificate.
  repeated string aia_ocsp_servers = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes custom X.509 extensions.
  // Each entry carries its own OID, criticality flag and raw value; see
  // X509Extension for the meaning of the criticality flag.
  repeated X509Extension additional_extensions = 5 [(google.api.field_behavior) = OPTIONAL];
}
// A [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] describes values that may assist in creating an
// X.509 certificate, or a reference to a pre-defined set of values.
message ReusableConfigWrapper {
  // Reusable or inline config values.
  // The two members are mutually exclusive; both are marked REQUIRED, which
  // presumably means exactly one of them must be set (confirm against the
  // service's validation).
  oneof config_values {
    // Required. A resource path to a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in the format
    // `projects/*/locations/*/reusableConfigs/*`.
    string reusable_config = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. A user-specified inline [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues].
    ReusableConfigValues reusable_config_values = 2 [(google.api.field_behavior) = REQUIRED];
  }
}
// Describes a subordinate CA's issuers. This is either a resource path to a
// known issuing [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], or a PEM issuer certificate chain.
message SubordinateConfig {
  // This message describes a subordinate CA's issuer certificate chain. This
  // wrapper exists for compatibility reasons.
  message SubordinateConfigChain {
    // Required. Expected to be in leaf-to-root order according to RFC 5246.
    repeated string pem_certificates = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Exactly one of the two forms is expected; they are oneof members and
  // both are marked REQUIRED.
  oneof subordinate_config {
    // Required. This can refer to a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the same project that
    // was used to create a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. This field
    // is used for information and usability purposes only. The resource name
    // is in the format `projects/*/locations/*/certificateAuthorities/*`.
    string certificate_authority = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. Contains the PEM certificate chain for the issuers of this
    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], but not pem certificate for this CA itself.
    SubordinateConfigChain pem_issuer_chain = 2 [(google.api.field_behavior) = REQUIRED];
  }
}
// A [PublicKey][google.cloud.security.privateca.v1beta1.PublicKey] describes a public key.
message PublicKey {
  // Types of public keys that are supported.
  // At a minimum, we support RSA and ECDSA, for the key sizes or curves listed:
  // https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
  //
  // NOTE(review): only the zero value carries the KEY_TYPE_ prefix; the
  // remaining values are unprefixed. Renaming them now would break generated
  // code, so this is recorded rather than changed.
  enum KeyType {
    // Default unspecified value.
    KEY_TYPE_UNSPECIFIED = 0;

    // A PEM-encoded PKCS#1/RFC 3447 RSAPrivateKey structure.
    // NOTE(review): this message carries a public key, so "RSAPrivateKey" is
    // presumably a documentation slip for the RSAPublicKey structure; confirm
    // against the service. Only the public half of the key belongs here.
    PEM_RSA_KEY = 1;

    // A PEM-encoded compressed NIST P-256/secp256r1/prime256v1 or P-384 key.
    PEM_EC_KEY = 2;
  }

  // Required. The type of public key.
  KeyType type = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A public key. Padding and encoding varies by 'KeyType' and is described
  // along with the KeyType values.
  bytes key = 2 [(google.api.field_behavior) = REQUIRED];
}
// A [CertificateConfig][google.cloud.security.privateca.v1beta1.CertificateConfig] describes an X.509 certificate or CSR that is to be
// created, as an alternative to using ASN.1.
message CertificateConfig {
  // These values are used to create the distinguished name and subject
  // alternative name fields in an X.509 certificate.
  message SubjectConfig {
    // Required. Contains distinguished name fields such as the location and organization.
    Subject subject = 1 [(google.api.field_behavior) = REQUIRED];

    // Optional. The "common name" of the distinguished name.
    string common_name = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. The subject alternative name fields.
    SubjectAltNames subject_alt_name = 3 [(google.api.field_behavior) = OPTIONAL];
  }

  // Required. Specifies some of the values in a certificate that are related to the
  // subject.
  SubjectConfig subject_config = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Describes how some of the technical fields in a certificate should be
  // populated.
  ReusableConfigWrapper reusable_config = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. The public key that corresponds to this config. This is, for example, used
  // when issuing [Certificates][google.cloud.security.privateca.v1beta1.Certificate], but not when creating a
  // self-signed [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] or [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] CSR.
  PublicKey public_key = 3 [(google.api.field_behavior) = OPTIONAL];
}
// A [CertificateDescription][google.cloud.security.privateca.v1beta1.CertificateDescription] describes an X.509 certificate or CSR that has
// been issued, as an alternative to using ASN.1 / X.509.
//
// This is a read-back view of an issued certificate; none of its fields carry
// a field_behavior annotation, unlike the request-side CertificateConfig.
message CertificateDescription {
  // These values describe fields in an issued X.509 certificate such as the
  // distinguished name, subject alternative names, serial number, and lifetime.
  message SubjectDescription {
    // Contains distinguished name fields such as the location and organization.
    Subject subject = 1;

    // The "common name" of the distinguished name.
    string common_name = 2;

    // The subject alternative name fields.
    SubjectAltNames subject_alt_name = 3;

    // The serial number encoded in lowercase hexadecimal.
    string hex_serial_number = 4;

    // For convenience, the actual lifetime of an issued certificate.
    // Corresponds to 'not_after_time' - 'not_before_time'.
    google.protobuf.Duration lifetime = 5;

    // The time at which the certificate becomes valid.
    google.protobuf.Timestamp not_before_time = 6;

    // The time at which the certificate expires.
    google.protobuf.Timestamp not_after_time = 7;
  }

  // A KeyId identifies a specific public key, usually by hashing the public
  // key.
  message KeyId {
    // Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most
    // likely the 160 bit SHA-1 hash of the public key.
    // The hash here is an identifier, not a security guarantee.
    string key_id = 1 [(google.api.field_behavior) = OPTIONAL];
  }

  // A group of fingerprints for the x509 certificate.
  message CertificateFingerprint {
    // The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
    string sha256_hash = 1;
  }

  // Describes some of the values in a certificate that are related to the
  // subject and lifetime.
  SubjectDescription subject_description = 1;

  // Describes some of the technical fields in a certificate.
  ReusableConfigValues config_values = 2;

  // The public key that corresponds to an issued certificate.
  PublicKey public_key = 3;

  // Provides a means of identifying certificates that contain a particular
  // public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
  KeyId subject_key_id = 4;

  // Identifies the subject_key_id of the parent certificate, per
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.1
  KeyId authority_key_id = 5;

  // Describes a list of locations to obtain CRL information, i.e.
  // the DistributionPoint.fullName described by
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.13
  repeated string crl_distribution_points = 6;

  // Describes lists of issuer CA certificate URLs that appear in the
  // "Authority Information Access" extension in the certificate.
  repeated string aia_issuing_certificate_urls = 7;

  // The hash of the x.509 certificate.
  CertificateFingerprint cert_fingerprint = 8;
}
// An [ObjectId][google.cloud.security.privateca.v1beta1.ObjectId] specifies an object identifier (OID). These provide context
// and describe types in ASN.1 messages.
message ObjectId {
  // Required. The parts of an OID path. The most significant parts of the path come
  // first.
  // For example, the dotted OID 1.3.6.1.5.5.7.3.1 is represented as the path
  // [1, 3, 6, 1, 5, 5, 7, 3, 1].
  repeated int32 object_id_path = 1 [(google.api.field_behavior) = REQUIRED];
}
// An [X509Extension][google.cloud.security.privateca.v1beta1.X509Extension] specifies an X.509 extension, which may be used in
// different parts of X.509 objects like certificates, CSRs, and CRLs.
message X509Extension {
  // Required. The OID for this X.509 extension.
  ObjectId object_id = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Indicates whether or not this extension is critical (i.e., if the client
  // does not know how to handle this extension, the client should consider this
  // to be an error).
  // Because the field has implicit presence, an omitted value is
  // indistinguishable from an explicit false (non-critical).
  bool critical = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The value of this X.509 extension.
  // NOTE(review): presumably the encoded extension value as it appears in
  // the certificate; the exact encoding expected is not stated here —
  // confirm against the service.
  bytes value = 3 [(google.api.field_behavior) = REQUIRED];
}
// A [KeyUsage][google.cloud.security.privateca.v1beta1.KeyUsage] describes key usage values that may appear in an X.509
// certificate.
message KeyUsage {
  // [KeyUsage.KeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.KeyUsageOptions] corresponds to the key usage values
  // described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3.
  // Each bool is a flag; an omitted flag reads as false.
  message KeyUsageOptions {
    // The key may be used for digital signatures.
    bool digital_signature = 1;

    // The key may be used for cryptographic commitments. Note that this may
    // also be referred to as "non-repudiation".
    bool content_commitment = 2;

    // The key may be used to encipher other keys.
    bool key_encipherment = 3;

    // The key may be used to encipher data.
    bool data_encipherment = 4;

    // The key may be used in a key agreement protocol.
    bool key_agreement = 5;

    // The key may be used to sign certificates.
    bool cert_sign = 6;

    // The key may be used to sign certificate revocation lists.
    bool crl_sign = 7;

    // The key may be used to encipher only.
    bool encipher_only = 8;

    // The key may be used to decipher only.
    bool decipher_only = 9;
  }

  // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.ExtendedKeyUsageOptions] has fields that correspond to
  // certain common OIDs that could be specified as an extended key usage value.
  message ExtendedKeyUsageOptions {
    // Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW
    // server authentication", though regularly used for non-WWW TLS.
    bool server_auth = 1;

    // Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW
    // client authentication", though regularly used for non-WWW TLS.
    bool client_auth = 2;

    // Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of
    // downloadable executable code client authentication".
    bool code_signing = 3;

    // Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email
    // protection".
    bool email_protection = 4;

    // Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding
    // the hash of an object to a time".
    bool time_stamping = 5;

    // Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing
    // OCSP responses".
    bool ocsp_signing = 6;
  }

  // Describes high-level ways in which a key may be used.
  KeyUsageOptions base_key_usage = 1;

  // Detailed scenarios in which a key may be used.
  ExtendedKeyUsageOptions extended_key_usage = 2;

  // Used to describe extended key usages that are not listed in the
  // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.ExtendedKeyUsageOptions] message.
  // Each entry is an OID given as an ObjectId path.
  repeated ObjectId unknown_extended_key_usages = 3;
}
// [Subject][google.cloud.security.privateca.v1beta1.Subject] describes parts of a distinguished name that, in turn,
// describes the subject of the certificate.
// All fields are plain strings with implicit presence; an empty string and
// an omitted attribute are not distinguishable on the wire.
message Subject {
  // The country code of the subject.
  string country_code = 1;

  // The organization of the subject.
  string organization = 2;

  // The organizational_unit of the subject.
  string organizational_unit = 3;

  // The locality or city of the subject.
  string locality = 4;

  // The province, territory, or regional state of the subject.
  string province = 5;

  // The street address of the subject.
  string street_address = 6;

  // The postal code of the subject.
  string postal_code = 7;
}
// [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames] corresponds to a more modern way of listing what
// the asserted identity is in a certificate (i.e., compared to the "common
// name" in the distinguished name).
//
// The "contains only valid ..." statements below describe what each list is
// expected to hold; the schema itself does not enforce them.
message SubjectAltNames {
  // Contains only valid, fully-qualified host names.
  repeated string dns_names = 1;

  // Contains only valid RFC 3986 URIs.
  repeated string uris = 2;

  // Contains only valid RFC 2822 E-mail addresses.
  repeated string email_addresses = 3;

  // Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
  repeated string ip_addresses = 4;

  // Contains additional subject alternative name values.
  // Each entry carries its own OID, criticality flag and raw value.
  repeated X509Extension custom_sans = 5;
}
// A [RevocationReason][google.cloud.security.privateca.v1beta1.RevocationReason] indicates whether a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] has been revoked,
// and the reason for revocation. These correspond to standard revocation
// reasons from RFC 5280. Note that the enum labels and values in this
// definition are not the same ASN.1 values defined in RFC 5280. These values
// will be translated to the correct ASN.1 values when a CRL is created.
// Consumers must therefore not pass these integers through as an ASN.1
// reasonCode; map them by name instead.
//
// NOTE(review): only the zero value carries the REVOCATION_REASON_ prefix;
// the remaining values are unprefixed. Renaming them now would break
// generated code, so this is recorded rather than changed.
enum RevocationReason {
  // Default unspecified value. This value does indicate that a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]
  // has been revoked, but that a reason has not been recorded.
  // Unlike most *_UNSPECIFIED values, this one carries meaning ("revoked,
  // reason unknown") when it appears in RevocationDetails.
  REVOCATION_REASON_UNSPECIFIED = 0;

  // Key material for this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] may have leaked.
  KEY_COMPROMISE = 1;

  // The key material for a certificate authority in the issuing path may have
  // leaked.
  CERTIFICATE_AUTHORITY_COMPROMISE = 2;

  // The subject or other attributes in this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] have changed.
  AFFILIATION_CHANGED = 3;

  // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] has been superseded.
  SUPERSEDED = 4;

  // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] or entities in the issuing path have ceased to
  // operate.
  CESSATION_OF_OPERATION = 5;

  // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] should not be considered valid, it is expected that it
  // may become valid in the future.
  CERTIFICATE_HOLD = 6;

  // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] no longer has permission to assert the listed
  // attributes.
  PRIVILEGE_WITHDRAWN = 7;

  // The authority which determines appropriate attributes for a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]
  // may have been compromised.
  ATTRIBUTE_AUTHORITY_COMPROMISE = 8;
}