1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.security.privateca.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/protobuf/duration.proto"; 22import "google/protobuf/timestamp.proto"; 23import "google/type/expr.proto"; 24 25option cc_enable_arenas = true; 26option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1"; 27option go_package = "cloud.google.com/go/security/privateca/apiv1/privatecapb;privatecapb"; 28option java_multiple_files = true; 29option java_outer_classname = "PrivateCaResourcesProto"; 30option java_package = "com.google.cloud.security.privateca.v1"; 31option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1"; 32option ruby_package = "Google::Cloud::Security::PrivateCA::V1"; 33 34// A 35// [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 36// represents an individual Certificate Authority. A 37// [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 38// can be used to create 39// [Certificates][google.cloud.security.privateca.v1.Certificate]. 
40message CertificateAuthority { 41 option (google.api.resource) = { 42 type: "privateca.googleapis.com/CertificateAuthority" 43 pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificateAuthorities/{certificate_authority}" 44 }; 45 46 // The type of a 47 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], 48 // indicating its issuing chain. 49 enum Type { 50 // Not specified. 51 TYPE_UNSPECIFIED = 0; 52 53 // Self-signed CA. 54 SELF_SIGNED = 1; 55 56 // Subordinate CA. Could be issued by a Private CA 57 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 58 // or an unmanaged CA. 59 SUBORDINATE = 2; 60 } 61 62 // The state of a 63 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], 64 // indicating if it can be used. 65 enum State { 66 // Not specified. 67 STATE_UNSPECIFIED = 0; 68 69 // Certificates can be issued from this CA. CRLs will be generated for this 70 // CA. The CA will be part of the 71 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and 72 // will be used to issue certificates from the 73 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 74 ENABLED = 1; 75 76 // Certificates cannot be issued from this CA. CRLs will still be generated. 77 // The CA will be part of the 78 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, but 79 // will not be used to issue certificates from the 80 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 81 DISABLED = 2; 82 83 // Certificates can be issued from this CA. CRLs will be generated for this 84 // CA. The CA will be part of the 85 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, but 86 // will not be used to issue certificates from the 87 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 88 STAGED = 3; 89 90 // Certificates cannot be issued from this CA. CRLs will not be generated. 
91 // The CA will not be part of the 92 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and 93 // will not be used to issue certificates from the 94 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 95 AWAITING_USER_ACTIVATION = 4; 96 97 // Certificates cannot be issued from this CA. CRLs will not be generated. 98 // The CA may still be recovered by calling 99 // [CertificateAuthorityService.UndeleteCertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthorityService.UndeleteCertificateAuthority] 100 // before 101 // [expire_time][google.cloud.security.privateca.v1.CertificateAuthority.expire_time]. 102 // The CA will not be part of the 103 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s trust anchor, and 104 // will not be used to issue certificates from the 105 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 106 DELETED = 5; 107 } 108 109 // URLs where a 110 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 111 // will publish content. 112 message AccessUrls { 113 // The URL where this 114 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 115 // CA certificate is published. This will only be set for CAs that have been 116 // activated. 117 string ca_certificate_access_url = 1; 118 119 // The URLs where this 120 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 121 // CRLs are published. This will only be set for CAs that have been 122 // activated. 123 repeated string crl_access_urls = 2; 124 } 125 126 // A Cloud KMS key configuration that a 127 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 128 // will use. 129 message KeyVersionSpec { 130 oneof KeyVersion { 131 // The resource name for an existing Cloud KMS CryptoKeyVersion in the 132 // format 133 // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`. 
134 // This option enables full flexibility in the key's capabilities and 135 // properties. 136 string cloud_kms_key_version = 1; 137 138 // The algorithm to use for creating a managed Cloud KMS key for a 139 // simplified experience. All managed keys will have their 140 // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`. 141 SignHashAlgorithm algorithm = 2; 142 } 143 } 144 145 // The algorithm of a Cloud KMS CryptoKeyVersion of a 146 // [CryptoKey][google.cloud.kms.v1.CryptoKey] with the 147 // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value 148 // `ASYMMETRIC_SIGN`. These values correspond to the 149 // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] 150 // values. For RSA signing algorithms, the PSS algorithms should be preferred; 151 // use PKCS1 algorithms if required for compatibility. For further 152 // recommendations, see 153 // https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations. 154 enum SignHashAlgorithm { 155 // Not specified. 156 SIGN_HASH_ALGORITHM_UNSPECIFIED = 0; 157 158 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256 159 RSA_PSS_2048_SHA256 = 1; 160 161 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256 162 RSA_PSS_3072_SHA256 = 2; 163 164 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256 165 RSA_PSS_4096_SHA256 = 3; 166 167 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 168 RSA_PKCS1_2048_SHA256 = 6; 169 170 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256 171 RSA_PKCS1_3072_SHA256 = 7; 172 173 // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256 174 RSA_PKCS1_4096_SHA256 = 8; 175 176 // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256 177 EC_P256_SHA256 = 4; 178 179 // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384 180 EC_P384_SHA384 = 5; 181 } 182 183 // Output only. 
The resource name for this 184 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 185 // in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. 186 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 187 188 // Required. Immutable. The 189 // [Type][google.cloud.security.privateca.v1.CertificateAuthority.Type] of 190 // this 191 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 192 Type type = 2 [ 193 (google.api.field_behavior) = REQUIRED, 194 (google.api.field_behavior) = IMMUTABLE 195 ]; 196 197 // Required. Immutable. The config used to create a self-signed X.509 198 // certificate or CSR. 199 CertificateConfig config = 3 [ 200 (google.api.field_behavior) = REQUIRED, 201 (google.api.field_behavior) = IMMUTABLE 202 ]; 203 204 // Required. Immutable. The desired lifetime of the CA certificate. Used to 205 // create the "not_before_time" and "not_after_time" fields inside an X.509 206 // certificate. 207 google.protobuf.Duration lifetime = 4 [ 208 (google.api.field_behavior) = REQUIRED, 209 (google.api.field_behavior) = IMMUTABLE 210 ]; 211 212 // Required. Immutable. Used when issuing certificates for this 213 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 214 // If this 215 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 216 // is a self-signed CertificateAuthority, this key is also used to sign the 217 // self-signed CA certificate. Otherwise, it is used to sign a CSR. 218 KeyVersionSpec key_spec = 5 [ 219 (google.api.field_behavior) = REQUIRED, 220 (google.api.field_behavior) = IMMUTABLE 221 ]; 222 223 // Optional. If this is a subordinate 224 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], 225 // this field will be set with the subordinate configuration, which describes 226 // its issuers. 
This may be updated, but this 227 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 228 // must continue to validate. 229 SubordinateConfig subordinate_config = 6 230 [(google.api.field_behavior) = OPTIONAL]; 231 232 // Output only. The 233 // [CaPool.Tier][google.cloud.security.privateca.v1.CaPool.Tier] of the 234 // [CaPool][google.cloud.security.privateca.v1.CaPool] that includes this 235 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 236 CaPool.Tier tier = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; 237 238 // Output only. The 239 // [State][google.cloud.security.privateca.v1.CertificateAuthority.State] for 240 // this 241 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 242 State state = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; 243 244 // Output only. This 245 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 246 // certificate chain, including the current 247 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 248 // certificate. Ordered such that the root issuer is the final element 249 // (consistent with RFC 5246). For a self-signed CA, this will only list the 250 // current 251 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 252 // certificate. 253 repeated string pem_ca_certificates = 9 254 [(google.api.field_behavior) = OUTPUT_ONLY]; 255 256 // Output only. A structured description of this 257 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 258 // CA certificate and its issuers. Ordered as self-to-root. 259 repeated CertificateDescription ca_certificate_descriptions = 10 260 [(google.api.field_behavior) = OUTPUT_ONLY]; 261 262 // Immutable. 
The name of a Cloud Storage bucket where this 263 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 264 // will publish content, such as the CA certificate and CRLs. This must be a 265 // bucket name, without any prefixes (such as `gs://`) or suffixes (such as 266 // `.googleapis.com`). For example, to use a bucket named `my-bucket`, you 267 // would simply specify `my-bucket`. If not specified, a managed bucket will 268 // be created. 269 string gcs_bucket = 11 [(google.api.field_behavior) = IMMUTABLE]; 270 271 // Output only. URLs for accessing content published by this CA, such as the 272 // CA certificate and CRLs. 273 AccessUrls access_urls = 12 [(google.api.field_behavior) = OUTPUT_ONLY]; 274 275 // Output only. The time at which this 276 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 277 // was created. 278 google.protobuf.Timestamp create_time = 13 279 [(google.api.field_behavior) = OUTPUT_ONLY]; 280 281 // Output only. The time at which this 282 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 283 // was last updated. 284 google.protobuf.Timestamp update_time = 14 285 [(google.api.field_behavior) = OUTPUT_ONLY]; 286 287 // Output only. The time at which this 288 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 289 // was soft deleted, if it is in the 290 // [DELETED][google.cloud.security.privateca.v1.CertificateAuthority.State.DELETED] 291 // state. 292 google.protobuf.Timestamp delete_time = 15 293 [(google.api.field_behavior) = OUTPUT_ONLY]; 294 295 // Output only. The time at which this 296 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 297 // will be permanently purged, if it is in the 298 // [DELETED][google.cloud.security.privateca.v1.CertificateAuthority.State.DELETED] 299 // state. 
300 google.protobuf.Timestamp expire_time = 16 301 [(google.api.field_behavior) = OUTPUT_ONLY]; 302 303 // Optional. Labels with user-defined metadata. 304 map<string, string> labels = 17 [(google.api.field_behavior) = OPTIONAL]; 305} 306 307// A [CaPool][google.cloud.security.privateca.v1.CaPool] represents a group of 308// [CertificateAuthorities][google.cloud.security.privateca.v1.CertificateAuthority] 309// that form a trust anchor. A 310// [CaPool][google.cloud.security.privateca.v1.CaPool] can be used to manage 311// issuance policies for one or more 312// [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 313// resources and to rotate CA certificates in and out of the trust anchor. 314message CaPool { 315 option (google.api.resource) = { 316 type: "privateca.googleapis.com/CaPool" 317 pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}" 318 }; 319 320 // The tier of a [CaPool][google.cloud.security.privateca.v1.CaPool], 321 // indicating its supported functionality and/or billing SKU. 322 enum Tier { 323 // Not specified. 324 TIER_UNSPECIFIED = 0; 325 326 // Enterprise tier. 327 ENTERPRISE = 1; 328 329 // DevOps tier. 330 DEVOPS = 2; 331 } 332 333 // Options relating to the publication of each 334 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 335 // CA certificate and CRLs and their inclusion as extensions in issued 336 // [Certificates][google.cloud.security.privateca.v1.Certificate]. The options 337 // set here apply to certificates issued by any 338 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 339 // in the [CaPool][google.cloud.security.privateca.v1.CaPool]. 340 message PublishingOptions { 341 // Supported encoding formats for publishing. 342 enum EncodingFormat { 343 // Not specified. By default, PEM format will be used. 
344 ENCODING_FORMAT_UNSPECIFIED = 0; 345 346 // The 347 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 348 // CA certificate and CRLs will be published in PEM format. 349 PEM = 1; 350 351 // The 352 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 353 // CA certificate and CRLs will be published in DER format. 354 DER = 2; 355 } 356 357 // Optional. When true, publishes each 358 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 359 // CA certificate and includes its URL in the "Authority Information Access" 360 // X.509 extension in all issued 361 // [Certificates][google.cloud.security.privateca.v1.Certificate]. If this 362 // is false, the CA certificate will not be published and the corresponding 363 // X.509 extension will not be written in issued certificates. 364 bool publish_ca_cert = 1 [(google.api.field_behavior) = OPTIONAL]; 365 366 // Optional. When true, publishes each 367 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s 368 // CRL and includes its URL in the "CRL Distribution Points" X.509 extension 369 // in all issued 370 // [Certificates][google.cloud.security.privateca.v1.Certificate]. If this 371 // is false, CRLs will not be published and the corresponding X.509 372 // extension will not be written in issued certificates. CRLs will expire 7 373 // days from their creation. However, we will rebuild daily. CRLs are also 374 // rebuilt shortly after a certificate is revoked. 375 bool publish_crl = 2 [(google.api.field_behavior) = OPTIONAL]; 376 377 // Optional. Specifies the encoding format of each 378 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 379 // resource's CA certificate and CRLs. If this is omitted, CA certificates 380 // and CRLs will be published in PEM. 
381 EncodingFormat encoding_format = 3 [(google.api.field_behavior) = OPTIONAL]; 382 } 383 384 // Defines controls over all certificate issuance within a 385 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 386 message IssuancePolicy { 387 // Describes a "type" of key that may be used in a 388 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued from 389 // a [CaPool][google.cloud.security.privateca.v1.CaPool]. Note that a single 390 // [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] 391 // may refer to either a fully-qualified key algorithm, such as RSA 4096, or 392 // a family of key algorithms, such as any RSA key. 393 message AllowedKeyType { 394 // Describes an RSA key that may be used in a 395 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued 396 // from a [CaPool][google.cloud.security.privateca.v1.CaPool]. 397 message RsaKeyType { 398 // Optional. The minimum allowed RSA modulus size (inclusive), in bits. 399 // If this is not set, or if set to zero, the service-level min RSA 400 // modulus size will continue to apply. 401 int64 min_modulus_size = 1 [(google.api.field_behavior) = OPTIONAL]; 402 403 // Optional. The maximum allowed RSA modulus size (inclusive), in bits. 404 // If this is not set, or if set to zero, the service will not enforce 405 // an explicit upper bound on RSA modulus sizes. 406 int64 max_modulus_size = 2 [(google.api.field_behavior) = OPTIONAL]; 407 } 408 409 // Describes an Elliptic Curve key that may be used in a 410 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued 411 // from a [CaPool][google.cloud.security.privateca.v1.CaPool]. 412 message EcKeyType { 413 // Describes an elliptic curve-based signature algorithm that may be 414 // used in a 415 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued 416 // from a [CaPool][google.cloud.security.privateca.v1.CaPool]. 
417 enum EcSignatureAlgorithm { 418 // Not specified. Signifies that any signature algorithm may be used. 419 EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0; 420 421 // Refers to the Elliptic Curve Digital Signature Algorithm over the 422 // NIST P-256 curve. 423 ECDSA_P256 = 1; 424 425 // Refers to the Elliptic Curve Digital Signature Algorithm over the 426 // NIST P-384 curve. 427 ECDSA_P384 = 2; 428 429 // Refers to the Edwards-curve Digital Signature Algorithm over curve 430 // 25519, as described in RFC 8410. 431 EDDSA_25519 = 3; 432 } 433 434 // Optional. A signature algorithm that must be used. If this is 435 // omitted, any EC-based signature algorithm will be allowed. 436 EcSignatureAlgorithm signature_algorithm = 1 437 [(google.api.field_behavior) = OPTIONAL]; 438 } 439 440 oneof key_type { 441 // Represents an allowed RSA key type. 442 RsaKeyType rsa = 1; 443 444 // Represents an allowed Elliptic Curve key type. 445 EcKeyType elliptic_curve = 2; 446 } 447 } 448 449 // [IssuanceModes][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.IssuanceModes] 450 // specifies the allowed ways in which 451 // [Certificates][google.cloud.security.privateca.v1.Certificate] may be 452 // requested from this [CaPool][google.cloud.security.privateca.v1.CaPool]. 453 message IssuanceModes { 454 // Optional. When true, allows callers to create 455 // [Certificates][google.cloud.security.privateca.v1.Certificate] by 456 // specifying a CSR. 457 bool allow_csr_based_issuance = 1 458 [(google.api.field_behavior) = OPTIONAL]; 459 460 // Optional. When true, allows callers to create 461 // [Certificates][google.cloud.security.privateca.v1.Certificate] by 462 // specifying a 463 // [CertificateConfig][google.cloud.security.privateca.v1.CertificateConfig]. 464 bool allow_config_based_issuance = 2 465 [(google.api.field_behavior) = OPTIONAL]; 466 } 467 468 // Optional. 
If any 469 // [AllowedKeyType][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.AllowedKeyType] 470 // is specified, then the certificate request's public key must match one of 471 // the key types listed here. Otherwise, any key may be used. 472 repeated AllowedKeyType allowed_key_types = 1 473 [(google.api.field_behavior) = OPTIONAL]; 474 475 // Optional. The maximum lifetime allowed for issued 476 // [Certificates][google.cloud.security.privateca.v1.Certificate]. Note that 477 // if the issuing 478 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 479 // expires before a 480 // [Certificate][google.cloud.security.privateca.v1.Certificate] resource's 481 // requested maximum_lifetime, the effective lifetime will be explicitly 482 // truncated to match it. 483 google.protobuf.Duration maximum_lifetime = 2 484 [(google.api.field_behavior) = OPTIONAL]; 485 486 // Optional. If specified, then only methods allowed in the 487 // [IssuanceModes][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.IssuanceModes] 488 // may be used to issue 489 // [Certificates][google.cloud.security.privateca.v1.Certificate]. 490 IssuanceModes allowed_issuance_modes = 3 491 [(google.api.field_behavior) = OPTIONAL]; 492 493 // Optional. A set of X.509 values that will be applied to all certificates 494 // issued through this [CaPool][google.cloud.security.privateca.v1.CaPool]. 495 // If a certificate request includes conflicting values for the same 496 // properties, they will be overwritten by the values defined here. If a 497 // certificate request uses a 498 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 499 // that defines conflicting 500 // [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] 501 // for the same properties, the certificate issuance request will fail. 
502 X509Parameters baseline_values = 4 [(google.api.field_behavior) = OPTIONAL]; 503 504 // Optional. Describes constraints on identities that may appear in 505 // [Certificates][google.cloud.security.privateca.v1.Certificate] issued 506 // through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If this 507 // is omitted, then this [CaPool][google.cloud.security.privateca.v1.CaPool] 508 // will not add restrictions on a certificate's identity. 509 CertificateIdentityConstraints identity_constraints = 5 510 [(google.api.field_behavior) = OPTIONAL]; 511 512 // Optional. Describes the set of X.509 extensions that may appear in a 513 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued 514 // through this [CaPool][google.cloud.security.privateca.v1.CaPool]. If a 515 // certificate request sets extensions that don't appear in the 516 // [passthrough_extensions][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.passthrough_extensions], 517 // those extensions will be dropped. If a certificate request uses a 518 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 519 // with 520 // [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values] 521 // that don't appear here, the certificate issuance request will fail. If 522 // this is omitted, then this 523 // [CaPool][google.cloud.security.privateca.v1.CaPool] will not add 524 // restrictions on a certificate's X.509 extensions. These constraints do 525 // not apply to X.509 extensions set in this 526 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s 527 // [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values]. 528 CertificateExtensionConstraints passthrough_extensions = 6 529 [(google.api.field_behavior) = OPTIONAL]; 530 } 531 532 // Output only. 
The resource name for this 533 // [CaPool][google.cloud.security.privateca.v1.CaPool] in the format 534 // `projects/*/locations/*/caPools/*`. 535 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 536 537 // Required. Immutable. The 538 // [Tier][google.cloud.security.privateca.v1.CaPool.Tier] of this 539 // [CaPool][google.cloud.security.privateca.v1.CaPool]. 540 Tier tier = 2 [ 541 (google.api.field_behavior) = REQUIRED, 542 (google.api.field_behavior) = IMMUTABLE 543 ]; 544 545 // Optional. The 546 // [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] 547 // to control how 548 // [Certificates][google.cloud.security.privateca.v1.Certificate] will be 549 // issued from this [CaPool][google.cloud.security.privateca.v1.CaPool]. 550 IssuancePolicy issuance_policy = 3 [(google.api.field_behavior) = OPTIONAL]; 551 552 // Optional. The 553 // [PublishingOptions][google.cloud.security.privateca.v1.CaPool.PublishingOptions] 554 // to follow when issuing 555 // [Certificates][google.cloud.security.privateca.v1.Certificate] from any 556 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 557 // in this [CaPool][google.cloud.security.privateca.v1.CaPool]. 558 PublishingOptions publishing_options = 4 559 [(google.api.field_behavior) = OPTIONAL]; 560 561 // Optional. Labels with user-defined metadata. 562 map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL]; 563} 564 565// A 566// [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 567// corresponds to a signed X.509 certificate Revocation List (CRL). A CRL 568// contains the serial numbers of certificates that should no longer be trusted. 
569message CertificateRevocationList { 570 option (google.api.resource) = { 571 type: "privateca.googleapis.com/CertificateRevocationList" 572 pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificateAuthorities/{certificate_authority}/certificateRevocationLists/{certificate_revocation_list}" 573 }; 574 575 // Describes a revoked 576 // [Certificate][google.cloud.security.privateca.v1.Certificate]. 577 message RevokedCertificate { 578 // The resource name for the 579 // [Certificate][google.cloud.security.privateca.v1.Certificate] in the 580 // format `projects/*/locations/*/caPools/*/certificates/*`. 581 string certificate = 1 [(google.api.resource_reference) = { 582 type: "privateca.googleapis.com/Certificate" 583 }]; 584 585 // The serial number of the 586 // [Certificate][google.cloud.security.privateca.v1.Certificate]. 587 string hex_serial_number = 2; 588 589 // The reason the 590 // [Certificate][google.cloud.security.privateca.v1.Certificate] was 591 // revoked. 592 RevocationReason revocation_reason = 3; 593 } 594 595 // The state of a 596 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList], 597 // indicating if it is current. 598 enum State { 599 // Not specified. 600 STATE_UNSPECIFIED = 0; 601 602 // The 603 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 604 // is up to date. 605 ACTIVE = 1; 606 607 // The 608 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 609 // is no longer current. 610 SUPERSEDED = 2; 611 } 612 613 // Output only. The resource name for this 614 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 615 // in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*/ 616 // certificateRevocationLists/*`. 617 string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; 618 619 // Output only. 
The CRL sequence number that appears in pem_crl. 620 int64 sequence_number = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; 621 622 // Output only. The revoked serial numbers that appear in pem_crl. 623 repeated RevokedCertificate revoked_certificates = 3 624 [(google.api.field_behavior) = OUTPUT_ONLY]; 625 626 // Output only. The PEM-encoded X.509 CRL. 627 string pem_crl = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; 628 629 // Output only. The location where 'pem_crl' can be accessed. 630 string access_url = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; 631 632 // Output only. The 633 // [State][google.cloud.security.privateca.v1.CertificateRevocationList.State] 634 // for this 635 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList]. 636 State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY]; 637 638 // Output only. The time at which this 639 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 640 // was created. 641 google.protobuf.Timestamp create_time = 7 642 [(google.api.field_behavior) = OUTPUT_ONLY]; 643 644 // Output only. The time at which this 645 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList] 646 // was updated. 647 google.protobuf.Timestamp update_time = 8 648 [(google.api.field_behavior) = OUTPUT_ONLY]; 649 650 // Output only. The revision ID of this 651 // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList]. 652 // A new revision is committed whenever a new CRL is published. The format is 653 // an 8-character hexadecimal string. 654 string revision_id = 9 [(google.api.field_behavior) = OUTPUT_ONLY]; 655 656 // Optional. Labels with user-defined metadata. 
657 map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL]; 658} 659 660// A [Certificate][google.cloud.security.privateca.v1.Certificate] corresponds 661// to a signed X.509 certificate issued by a 662// [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 663message Certificate { 664 option (google.api.resource) = { 665 type: "privateca.googleapis.com/Certificate" 666 pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}/certificates/{certificate}" 667 }; 668 669 // Describes fields that are relevant to the revocation of a 670 // [Certificate][google.cloud.security.privateca.v1.Certificate]. 671 message RevocationDetails { 672 // Indicates why a 673 // [Certificate][google.cloud.security.privateca.v1.Certificate] was 674 // revoked. 675 RevocationReason revocation_state = 1; 676 677 // The time at which this 678 // [Certificate][google.cloud.security.privateca.v1.Certificate] was 679 // revoked. 680 google.protobuf.Timestamp revocation_time = 2; 681 } 682 683 // Output only. The resource name for this 684 // [Certificate][google.cloud.security.privateca.v1.Certificate] in the format 685 // `projects/*/locations/*/caPools/*/certificates/*`. 686 string name = 1 [ 687 (google.api.field_behavior) = OUTPUT_ONLY, 688 (google.api.resource_reference) = { 689 type: "privateca.googleapis.com/Certificate" 690 } 691 ]; 692 693 // The config used to create a signed X.509 certificate. 694 oneof certificate_config { 695 // Immutable. A pem-encoded X.509 certificate signing request (CSR). 696 string pem_csr = 2 [(google.api.field_behavior) = IMMUTABLE]; 697 698 // Immutable. A description of the certificate and key that does not require 699 // X.509 or ASN.1. 700 CertificateConfig config = 3 [(google.api.field_behavior) = IMMUTABLE]; 701 } 702 703 // Output only. 
The resource name of the issuing 704 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 705 // in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. 706 string issuer_certificate_authority = 4 [ 707 (google.api.field_behavior) = OUTPUT_ONLY, 708 (google.api.resource_reference) = { 709 type: "privateca.googleapis.com/CertificateAuthority" 710 } 711 ]; 712 713 // Required. Immutable. The desired lifetime of a certificate. Used to create 714 // the "not_before_time" and "not_after_time" fields inside an X.509 715 // certificate. Note that the lifetime may be truncated if it would extend 716 // past the life of any certificate authority in the issuing chain. 717 google.protobuf.Duration lifetime = 5 [ 718 (google.api.field_behavior) = REQUIRED, 719 (google.api.field_behavior) = IMMUTABLE 720 ]; 721 722 // Immutable. The resource name for a 723 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 724 // used to issue this certificate, in the format 725 // `projects/*/locations/*/certificateTemplates/*`. 726 // If this is specified, the caller must have the necessary permission to 727 // use this template. If this is omitted, no template will be used. 728 // This template must be in the same location as the 729 // [Certificate][google.cloud.security.privateca.v1.Certificate]. 730 string certificate_template = 6 [ 731 (google.api.field_behavior) = IMMUTABLE, 732 (google.api.resource_reference) = { 733 type: "privateca.googleapis.com/CertificateTemplate" 734 } 735 ]; 736 737 // Immutable. Specifies how the 738 // [Certificate][google.cloud.security.privateca.v1.Certificate]'s identity 739 // fields are to be decided. If this is omitted, the `DEFAULT` subject mode 740 // will be used. 741 SubjectRequestMode subject_mode = 7 [(google.api.field_behavior) = IMMUTABLE]; 742 743 // Output only. 
Details regarding the revocation of this 744 // [Certificate][google.cloud.security.privateca.v1.Certificate]. This 745 // [Certificate][google.cloud.security.privateca.v1.Certificate] is considered 746 // revoked if and only if this field is present. 747 RevocationDetails revocation_details = 8 748 [(google.api.field_behavior) = OUTPUT_ONLY]; 749 750 // Output only. The pem-encoded, signed X.509 certificate. 751 string pem_certificate = 9 [(google.api.field_behavior) = OUTPUT_ONLY]; 752 753 // Output only. A structured description of the issued X.509 certificate. 754 CertificateDescription certificate_description = 10 755 [(google.api.field_behavior) = OUTPUT_ONLY]; 756 757 // Output only. The chain that may be used to verify the X.509 certificate. 758 // Expected to be in issuer-to-root order according to RFC 5246. 759 repeated string pem_certificate_chain = 11 760 [(google.api.field_behavior) = OUTPUT_ONLY]; 761 762 // Output only. The time at which this 763 // [Certificate][google.cloud.security.privateca.v1.Certificate] was created. 764 google.protobuf.Timestamp create_time = 12 765 [(google.api.field_behavior) = OUTPUT_ONLY]; 766 767 // Output only. The time at which this 768 // [Certificate][google.cloud.security.privateca.v1.Certificate] was updated. 769 google.protobuf.Timestamp update_time = 13 770 [(google.api.field_behavior) = OUTPUT_ONLY]; 771 772 // Optional. Labels with user-defined metadata. 773 map<string, string> labels = 14 [(google.api.field_behavior) = OPTIONAL]; 774} 775 776// A 777// [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 778// refers to a managed template for certificate issuance. 779message CertificateTemplate { 780 option (google.api.resource) = { 781 type: "privateca.googleapis.com/CertificateTemplate" 782 pattern: "projects/{project}/locations/{location}/certificateTemplates/{certificate_template}" 783 }; 784 785 // Output only. 
The resource name for this 786 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 787 // in the format `projects/*/locations/*/certificateTemplates/*`. 788 string name = 1 [ 789 (google.api.field_behavior) = OUTPUT_ONLY, 790 (google.api.resource_reference) = { 791 type: "privateca.googleapis.com/CertificateTemplate" 792 } 793 ]; 794 795 // Optional. The maximum lifetime allowed for issued 796 // [Certificates][google.cloud.security.privateca.v1.Certificate] that use 797 // this template. If the issuing 798 // [CaPool][google.cloud.security.privateca.v1.CaPool] resource's 799 // [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] 800 // specifies a 801 // [maximum_lifetime][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.maximum_lifetime] 802 // the minimum of the two durations will be the maximum lifetime for issued 803 // [Certificates][google.cloud.security.privateca.v1.Certificate]. Note that 804 // if the issuing 805 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 806 // expires before a 807 // [Certificate][google.cloud.security.privateca.v1.Certificate]'s requested 808 // maximum_lifetime, the effective lifetime will be explicitly truncated 809 // to match it. 810 google.protobuf.Duration maximum_lifetime = 9 811 [(google.api.field_behavior) = OPTIONAL]; 812 813 // Optional. A set of X.509 values that will be applied to all issued 814 // certificates that use this template. If the certificate request includes 815 // conflicting values for the same properties, they will be overwritten by the 816 // values defined here. 
If the issuing 817 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s 818 // [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] 819 // defines conflicting 820 // [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values] 821 // for the same properties, the certificate issuance request will fail. 822 X509Parameters predefined_values = 2 [(google.api.field_behavior) = OPTIONAL]; 823 824 // Optional. Describes constraints on identities that may be appear in 825 // [Certificates][google.cloud.security.privateca.v1.Certificate] issued using 826 // this template. If this is omitted, then this template will not add 827 // restrictions on a certificate's identity. 828 CertificateIdentityConstraints identity_constraints = 3 829 [(google.api.field_behavior) = OPTIONAL]; 830 831 // Optional. Describes the set of X.509 extensions that may appear in a 832 // [Certificate][google.cloud.security.privateca.v1.Certificate] issued using 833 // this 834 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]. 835 // If a certificate request sets extensions that don't appear in the 836 // [passthrough_extensions][google.cloud.security.privateca.v1.CertificateTemplate.passthrough_extensions], 837 // those extensions will be dropped. If the issuing 838 // [CaPool][google.cloud.security.privateca.v1.CaPool]'s 839 // [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy] 840 // defines 841 // [baseline_values][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.baseline_values] 842 // that don't appear here, the certificate issuance request will fail. If this 843 // is omitted, then this template will not add restrictions on a certificate's 844 // X.509 extensions. 
These constraints do not apply to X.509 extensions set in 845 // this 846 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]'s 847 // [predefined_values][google.cloud.security.privateca.v1.CertificateTemplate.predefined_values]. 848 CertificateExtensionConstraints passthrough_extensions = 4 849 [(google.api.field_behavior) = OPTIONAL]; 850 851 // Optional. A human-readable description of scenarios this template is 852 // intended for. 853 string description = 5 [(google.api.field_behavior) = OPTIONAL]; 854 855 // Output only. The time at which this 856 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 857 // was created. 858 google.protobuf.Timestamp create_time = 6 859 [(google.api.field_behavior) = OUTPUT_ONLY]; 860 861 // Output only. The time at which this 862 // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate] 863 // was updated. 864 google.protobuf.Timestamp update_time = 7 865 [(google.api.field_behavior) = OUTPUT_ONLY]; 866 867 // Optional. Labels with user-defined metadata. 868 map<string, string> labels = 8 [(google.api.field_behavior) = OPTIONAL]; 869} 870 871// An [X509Parameters][google.cloud.security.privateca.v1.X509Parameters] is 872// used to describe certain fields of an X.509 certificate, such as the key 873// usage fields, fields specific to CA certificates, certificate policy 874// extensions and custom extensions. 875message X509Parameters { 876 // Describes values that are relevant in a CA certificate. 877 message CaOptions { 878 // Optional. Refers to the "CA" X.509 extension, which is a boolean value. 879 // When this value is missing, the extension will be omitted from the CA 880 // certificate. 881 optional bool is_ca = 1 [(google.api.field_behavior) = OPTIONAL]; 882 883 // Optional. Refers to the path length restriction X.509 extension. 
For a CA 884 // certificate, this value describes the depth of subordinate CA 885 // certificates that are allowed. 886 // If this value is less than 0, the request will fail. 887 // If this value is missing, the max path length will be omitted from the 888 // CA certificate. 889 optional int32 max_issuer_path_length = 2 890 [(google.api.field_behavior) = OPTIONAL]; 891 } 892 893 // Describes the X.509 name constraints extension, per 894 // https://tools.ietf.org/html/rfc5280#section-4.2.1.10 895 message NameConstraints { 896 // Indicates whether or not the name constraints are marked critical. 897 bool critical = 1; 898 899 // Contains permitted DNS names. Any DNS name that can be 900 // constructed by simply adding zero or more labels to 901 // the left-hand side of the name satisfies the name constraint. 902 // For example, `example.com`, `www.example.com`, `www.sub.example.com` 903 // would satisfy `example.com` while `example1.com` does not. 904 repeated string permitted_dns_names = 2; 905 906 // Contains excluded DNS names. Any DNS name that can be 907 // constructed by simply adding zero or more labels to 908 // the left-hand side of the name satisfies the name constraint. 909 // For example, `example.com`, `www.example.com`, `www.sub.example.com` 910 // would satisfy `example.com` while `example1.com` does not. 911 repeated string excluded_dns_names = 3; 912 913 // Contains the permitted IP ranges. For IPv4 addresses, the ranges 914 // are expressed using CIDR notation as specified in RFC 4632. 915 // For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 916 // addresses. 917 repeated string permitted_ip_ranges = 4; 918 919 // Contains the excluded IP ranges. For IPv4 addresses, the ranges 920 // are expressed using CIDR notation as specified in RFC 4632. 921 // For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 922 // addresses. 
923 repeated string excluded_ip_ranges = 5; 924 925 // Contains the permitted email addresses. The value can be a particular 926 // email address, a hostname to indicate all email addresses on that host or 927 // a domain with a leading period (e.g. `.example.com`) to indicate 928 // all email addresses in that domain. 929 repeated string permitted_email_addresses = 6; 930 931 // Contains the excluded email addresses. The value can be a particular 932 // email address, a hostname to indicate all email addresses on that host or 933 // a domain with a leading period (e.g. `.example.com`) to indicate 934 // all email addresses in that domain. 935 repeated string excluded_email_addresses = 7; 936 937 // Contains the permitted URIs that apply to the host part of the name. 938 // The value can be a hostname or a domain with a 939 // leading period (like `.example.com`) 940 repeated string permitted_uris = 8; 941 942 // Contains the excluded URIs that apply to the host part of the name. 943 // The value can be a hostname or a domain with a 944 // leading period (like `.example.com`) 945 repeated string excluded_uris = 9; 946 } 947 948 // Optional. Indicates the intended use for keys that correspond to a 949 // certificate. 950 KeyUsage key_usage = 1 [(google.api.field_behavior) = OPTIONAL]; 951 952 // Optional. Describes options in this 953 // [X509Parameters][google.cloud.security.privateca.v1.X509Parameters] that 954 // are relevant in a CA certificate. 955 CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL]; 956 957 // Optional. Describes the X.509 certificate policy object identifiers, per 958 // https://tools.ietf.org/html/rfc5280#section-4.2.1.4. 959 repeated ObjectId policy_ids = 3 [(google.api.field_behavior) = OPTIONAL]; 960 961 // Optional. Describes Online Certificate Status Protocol (OCSP) endpoint 962 // addresses that appear in the "Authority Information Access" extension in 963 // the certificate. 
964 repeated string aia_ocsp_servers = 4 [(google.api.field_behavior) = OPTIONAL]; 965 966 // Optional. Describes the X.509 name constraints extension. 967 NameConstraints name_constraints = 6 [(google.api.field_behavior) = OPTIONAL]; 968 969 // Optional. Describes custom X.509 extensions. 970 repeated X509Extension additional_extensions = 5 971 [(google.api.field_behavior) = OPTIONAL]; 972} 973 974// Describes a subordinate CA's issuers. This is either a resource name to a 975// known issuing 976// [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], 977// or a PEM issuer certificate chain. 978message SubordinateConfig { 979 // This message describes a subordinate CA's issuer certificate chain. This 980 // wrapper exists for compatibility reasons. 981 message SubordinateConfigChain { 982 // Required. Expected to be in leaf-to-root order according to RFC 5246. 983 repeated string pem_certificates = 1 984 [(google.api.field_behavior) = REQUIRED]; 985 } 986 987 oneof subordinate_config { 988 // Required. This can refer to a 989 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 990 // that was used to create a subordinate 991 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]. 992 // This field is used for information and usability purposes only. The 993 // resource name is in the format 994 // `projects/*/locations/*/caPools/*/certificateAuthorities/*`. 995 string certificate_authority = 1 [ 996 (google.api.field_behavior) = REQUIRED, 997 (google.api.resource_reference) = { 998 type: "privateca.googleapis.com/CertificateAuthority" 999 } 1000 ]; 1001 1002 // Required. Contains the PEM certificate chain for the issuers of this 1003 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority], 1004 // but not pem certificate for this CA itself. 
1005 SubordinateConfigChain pem_issuer_chain = 2 1006 [(google.api.field_behavior) = REQUIRED]; 1007 } 1008} 1009 1010// A [PublicKey][google.cloud.security.privateca.v1.PublicKey] describes a 1011// public key. 1012message PublicKey { 1013 // Types of public keys formats that are supported. Currently, only `PEM` 1014 // format is supported. 1015 enum KeyFormat { 1016 // Default unspecified value. 1017 KEY_FORMAT_UNSPECIFIED = 0; 1018 1019 // The key is PEM-encoded as defined in [RFC 1020 // 7468](https://tools.ietf.org/html/rfc7468). It can be any of the 1021 // following: a PEM-encoded PKCS#1/RFC 3447 RSAPublicKey 1022 // structure, an RFC 5280 1023 // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1) 1024 // or a PEM-encoded X.509 certificate signing request (CSR). If a 1025 // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1) 1026 // is specified, it can contain a A PEM-encoded PKCS#1/RFC 3447 RSAPublicKey 1027 // or a NIST P-256/secp256r1/prime256v1 or P-384 key. If a CSR is specified, 1028 // it will used solely for the purpose of extracting the public key. When 1029 // generated by the service, it will always be an RFC 5280 1030 // [SubjectPublicKeyInfo](https://tools.ietf.org/html/rfc5280#section-4.1) 1031 // structure containing an algorithm identifier and a key. 1032 PEM = 1; 1033 } 1034 1035 // Required. A public key. The padding and encoding 1036 // must match with the `KeyFormat` value specified for the `format` field. 1037 bytes key = 1 [(google.api.field_behavior) = REQUIRED]; 1038 1039 // Required. The format of the public key. 1040 KeyFormat format = 2 [(google.api.field_behavior) = REQUIRED]; 1041} 1042 1043// A [CertificateConfig][google.cloud.security.privateca.v1.CertificateConfig] 1044// describes an X.509 certificate or CSR that is to be created, as an 1045// alternative to using ASN.1. 
1046message CertificateConfig { 1047 // These values are used to create the distinguished name and subject 1048 // alternative name fields in an X.509 certificate. 1049 message SubjectConfig { 1050 // Optional. Contains distinguished name fields such as the common name, 1051 // location and organization. 1052 Subject subject = 1 [(google.api.field_behavior) = OPTIONAL]; 1053 1054 // Optional. The subject alternative name fields. 1055 SubjectAltNames subject_alt_name = 2 1056 [(google.api.field_behavior) = OPTIONAL]; 1057 } 1058 1059 // A KeyId identifies a specific public key, usually by hashing the public 1060 // key. 1061 message KeyId { 1062 // Required. The value of this KeyId encoded in lowercase hexadecimal. This 1063 // is most likely the 160 bit SHA-1 hash of the public key. 1064 string key_id = 1 [(google.api.field_behavior) = REQUIRED]; 1065 } 1066 1067 // Required. Specifies some of the values in a certificate that are related to 1068 // the subject. 1069 SubjectConfig subject_config = 1 [(google.api.field_behavior) = REQUIRED]; 1070 1071 // Required. Describes how some of the technical X.509 fields in a certificate 1072 // should be populated. 1073 X509Parameters x509_config = 2 [(google.api.field_behavior) = REQUIRED]; 1074 1075 // Optional. The public key that corresponds to this config. This is, for 1076 // example, used when issuing 1077 // [Certificates][google.cloud.security.privateca.v1.Certificate], but not 1078 // when creating a self-signed 1079 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 1080 // or 1081 // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority] 1082 // CSR. 1083 PublicKey public_key = 3 [(google.api.field_behavior) = OPTIONAL]; 1084 1085 // Optional. When specified this provides a custom SKI to be used in the 1086 // certificate. 
This should only be used to maintain a SKI of an existing CA 1087 // originally created outside CA service, which was not generated using method 1088 // (1) described in RFC 5280 section 4.2.1.2. 1089 KeyId subject_key_id = 4 [(google.api.field_behavior) = OPTIONAL]; 1090} 1091 1092// A 1093// [CertificateDescription][google.cloud.security.privateca.v1.CertificateDescription] 1094// describes an X.509 certificate or CSR that has been issued, as an alternative 1095// to using ASN.1 / X.509. 1096message CertificateDescription { 1097 // These values describe fields in an issued X.509 certificate such as the 1098 // distinguished name, subject alternative names, serial number, and lifetime. 1099 message SubjectDescription { 1100 // Contains distinguished name fields such as the common name, location and 1101 // / organization. 1102 Subject subject = 1; 1103 1104 // The subject alternative name fields. 1105 SubjectAltNames subject_alt_name = 2; 1106 1107 // The serial number encoded in lowercase hexadecimal. 1108 string hex_serial_number = 3; 1109 1110 // For convenience, the actual lifetime of an issued certificate. 1111 google.protobuf.Duration lifetime = 4; 1112 1113 // The time at which the certificate becomes valid. 1114 google.protobuf.Timestamp not_before_time = 5; 1115 1116 // The time after which the certificate is expired. 1117 // Per RFC 5280, the validity period for a certificate is the period of time 1118 // from not_before_time through not_after_time, inclusive. 1119 // Corresponds to 'not_before_time' + 'lifetime' - 1 second. 1120 google.protobuf.Timestamp not_after_time = 6; 1121 } 1122 1123 // A KeyId identifies a specific public key, usually by hashing the public 1124 // key. 1125 message KeyId { 1126 // Optional. The value of this KeyId encoded in lowercase hexadecimal. This 1127 // is most likely the 160 bit SHA-1 hash of the public key. 
1128 string key_id = 1 [(google.api.field_behavior) = OPTIONAL]; 1129 } 1130 1131 // A group of fingerprints for the x509 certificate. 1132 message CertificateFingerprint { 1133 // The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. 1134 string sha256_hash = 1; 1135 } 1136 1137 // Describes some of the values in a certificate that are related to the 1138 // subject and lifetime. 1139 SubjectDescription subject_description = 1; 1140 1141 // Describes some of the technical X.509 fields in a certificate. 1142 X509Parameters x509_description = 2; 1143 1144 // The public key that corresponds to an issued certificate. 1145 PublicKey public_key = 3; 1146 1147 // Provides a means of identifiying certificates that contain a particular 1148 // public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. 1149 KeyId subject_key_id = 4; 1150 1151 // Identifies the subject_key_id of the parent certificate, per 1152 // https://tools.ietf.org/html/rfc5280#section-4.2.1.1 1153 KeyId authority_key_id = 5; 1154 1155 // Describes a list of locations to obtain CRL information, i.e. 1156 // the DistributionPoint.fullName described by 1157 // https://tools.ietf.org/html/rfc5280#section-4.2.1.13 1158 repeated string crl_distribution_points = 6; 1159 1160 // Describes lists of issuer CA certificate URLs that appear in the 1161 // "Authority Information Access" extension in the certificate. 1162 repeated string aia_issuing_certificate_urls = 7; 1163 1164 // The hash of the x.509 certificate. 1165 CertificateFingerprint cert_fingerprint = 8; 1166} 1167 1168// An [ObjectId][google.cloud.security.privateca.v1.ObjectId] specifies an 1169// object identifier (OID). These provide context and describe types in ASN.1 1170// messages. 1171message ObjectId { 1172 // Required. The parts of an OID path. The most significant parts of the path 1173 // come first. 
1174 repeated int32 object_id_path = 1 [(google.api.field_behavior) = REQUIRED]; 1175} 1176 1177// An [X509Extension][google.cloud.security.privateca.v1.X509Extension] 1178// specifies an X.509 extension, which may be used in different parts of X.509 1179// objects like certificates, CSRs, and CRLs. 1180message X509Extension { 1181 // Required. The OID for this X.509 extension. 1182 ObjectId object_id = 1 [(google.api.field_behavior) = REQUIRED]; 1183 1184 // Optional. Indicates whether or not this extension is critical (i.e., if the 1185 // client does not know how to handle this extension, the client should 1186 // consider this to be an error). 1187 bool critical = 2 [(google.api.field_behavior) = OPTIONAL]; 1188 1189 // Required. The value of this X.509 extension. 1190 bytes value = 3 [(google.api.field_behavior) = REQUIRED]; 1191} 1192 1193// A [KeyUsage][google.cloud.security.privateca.v1.KeyUsage] describes key usage 1194// values that may appear in an X.509 certificate. 1195message KeyUsage { 1196 // [KeyUsage.KeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions] 1197 // corresponds to the key usage values described in 1198 // https://tools.ietf.org/html/rfc5280#section-4.2.1.3. 1199 message KeyUsageOptions { 1200 // The key may be used for digital signatures. 1201 bool digital_signature = 1; 1202 1203 // The key may be used for cryptographic commitments. Note that this may 1204 // also be referred to as "non-repudiation". 1205 bool content_commitment = 2; 1206 1207 // The key may be used to encipher other keys. 1208 bool key_encipherment = 3; 1209 1210 // The key may be used to encipher data. 1211 bool data_encipherment = 4; 1212 1213 // The key may be used in a key agreement protocol. 1214 bool key_agreement = 5; 1215 1216 // The key may be used to sign certificates. 1217 bool cert_sign = 6; 1218 1219 // The key may be used sign certificate revocation lists. 1220 bool crl_sign = 7; 1221 1222 // The key may be used to encipher only. 
1223 bool encipher_only = 8; 1224 1225 // The key may be used to decipher only. 1226 bool decipher_only = 9; 1227 } 1228 1229 // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions] 1230 // has fields that correspond to certain common OIDs that could be specified 1231 // as an extended key usage value. 1232 message ExtendedKeyUsageOptions { 1233 // Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW 1234 // server authentication", though regularly used for non-WWW TLS. 1235 bool server_auth = 1; 1236 1237 // Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW 1238 // client authentication", though regularly used for non-WWW TLS. 1239 bool client_auth = 2; 1240 1241 // Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of 1242 // downloadable executable code client authentication". 1243 bool code_signing = 3; 1244 1245 // Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email 1246 // protection". 1247 bool email_protection = 4; 1248 1249 // Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding 1250 // the hash of an object to a time". 1251 bool time_stamping = 5; 1252 1253 // Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing 1254 // OCSP responses". 1255 bool ocsp_signing = 6; 1256 } 1257 1258 // Describes high-level ways in which a key may be used. 1259 KeyUsageOptions base_key_usage = 1; 1260 1261 // Detailed scenarios in which a key may be used. 1262 ExtendedKeyUsageOptions extended_key_usage = 2; 1263 1264 // Used to describe extended key usages that are not listed in the 1265 // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions] 1266 // message. 
1267 repeated ObjectId unknown_extended_key_usages = 3; 1268} 1269 1270// [Subject][google.cloud.security.privateca.v1.Subject] describes parts of a 1271// distinguished name that, in turn, describes the subject of the certificate. 1272message Subject { 1273 // The "common name" of the subject. 1274 string common_name = 1; 1275 1276 // The country code of the subject. 1277 string country_code = 2; 1278 1279 // The organization of the subject. 1280 string organization = 3; 1281 1282 // The organizational_unit of the subject. 1283 string organizational_unit = 4; 1284 1285 // The locality or city of the subject. 1286 string locality = 5; 1287 1288 // The province, territory, or regional state of the subject. 1289 string province = 6; 1290 1291 // The street address of the subject. 1292 string street_address = 7; 1293 1294 // The postal code of the subject. 1295 string postal_code = 8; 1296} 1297 1298// [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] 1299// corresponds to a more modern way of listing what the asserted identity is in 1300// a certificate (i.e., compared to the "common name" in the distinguished 1301// name). 1302message SubjectAltNames { 1303 // Contains only valid, fully-qualified host names. 1304 repeated string dns_names = 1; 1305 1306 // Contains only valid RFC 3986 URIs. 1307 repeated string uris = 2; 1308 1309 // Contains only valid RFC 2822 E-mail addresses. 1310 repeated string email_addresses = 3; 1311 1312 // Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. 1313 repeated string ip_addresses = 4; 1314 1315 // Contains additional subject alternative name values. 1316 // For each custom_san, the `value` field must contain an ASN.1 encoded 1317 // UTF8String. 
1318 repeated X509Extension custom_sans = 5; 1319} 1320 1321// Describes constraints on a 1322// [Certificate][google.cloud.security.privateca.v1.Certificate]'s 1323// [Subject][google.cloud.security.privateca.v1.Subject] and 1324// [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames]. 1325message CertificateIdentityConstraints { 1326 // Optional. A CEL expression that may be used to validate the resolved X.509 1327 // Subject and/or Subject Alternative Name before a certificate is signed. To 1328 // see the full allowed syntax and some examples, see 1329 // https://cloud.google.com/certificate-authority-service/docs/using-cel 1330 google.type.Expr cel_expression = 1 [(google.api.field_behavior) = OPTIONAL]; 1331 1332 // Required. If this is true, the 1333 // [Subject][google.cloud.security.privateca.v1.Subject] field may be copied 1334 // from a certificate request into the signed certificate. Otherwise, the 1335 // requested [Subject][google.cloud.security.privateca.v1.Subject] will be 1336 // discarded. 1337 optional bool allow_subject_passthrough = 2 1338 [(google.api.field_behavior) = REQUIRED]; 1339 1340 // Required. If this is true, the 1341 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] 1342 // extension may be copied from a certificate request into the signed 1343 // certificate. Otherwise, the requested 1344 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will 1345 // be discarded. 1346 optional bool allow_subject_alt_names_passthrough = 3 1347 [(google.api.field_behavior) = REQUIRED]; 1348} 1349 1350// Describes a set of X.509 extensions that may be part of some certificate 1351// issuance controls. 
1352message CertificateExtensionConstraints { 1353 // Describes well-known X.509 extensions that can appear in a 1354 // [Certificate][google.cloud.security.privateca.v1.Certificate], not 1355 // including the 1356 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] 1357 // extension. 1358 enum KnownCertificateExtension { 1359 // Not specified. 1360 KNOWN_CERTIFICATE_EXTENSION_UNSPECIFIED = 0; 1361 1362 // Refers to a certificate's Key Usage extension, as described in [RFC 5280 1363 // section 4.2.1.3](https://tools.ietf.org/html/rfc5280#section-4.2.1.3). 1364 // This corresponds to the 1365 // [KeyUsage.base_key_usage][google.cloud.security.privateca.v1.KeyUsage.base_key_usage] 1366 // field. 1367 BASE_KEY_USAGE = 1; 1368 1369 // Refers to a certificate's Extended Key Usage extension, as described in 1370 // [RFC 5280 1371 // section 4.2.1.12](https://tools.ietf.org/html/rfc5280#section-4.2.1.12). 1372 // This corresponds to the 1373 // [KeyUsage.extended_key_usage][google.cloud.security.privateca.v1.KeyUsage.extended_key_usage] 1374 // message. 1375 EXTENDED_KEY_USAGE = 2; 1376 1377 // Refers to a certificate's Basic Constraints extension, as described in 1378 // [RFC 5280 1379 // section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9). 1380 // This corresponds to the 1381 // [X509Parameters.ca_options][google.cloud.security.privateca.v1.X509Parameters.ca_options] 1382 // field. 1383 CA_OPTIONS = 3; 1384 1385 // Refers to a certificate's Policy object identifiers, as described in 1386 // [RFC 5280 1387 // section 4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4). 1388 // This corresponds to the 1389 // [X509Parameters.policy_ids][google.cloud.security.privateca.v1.X509Parameters.policy_ids] 1390 // field. 
1391 POLICY_IDS = 4; 1392 1393 // Refers to OCSP servers in a certificate's Authority Information Access 1394 // extension, as described in 1395 // [RFC 5280 1396 // section 4.2.2.1](https://tools.ietf.org/html/rfc5280#section-4.2.2.1), 1397 // This corresponds to the 1398 // [X509Parameters.aia_ocsp_servers][google.cloud.security.privateca.v1.X509Parameters.aia_ocsp_servers] 1399 // field. 1400 AIA_OCSP_SERVERS = 5; 1401 1402 // Refers to Name Constraints extension as described in 1403 // [RFC 5280 1404 // section 4.2.1.10](https://tools.ietf.org/html/rfc5280#section-4.2.1.10) 1405 NAME_CONSTRAINTS = 6; 1406 } 1407 1408 // Optional. A set of named X.509 extensions. Will be combined with 1409 // [additional_extensions][google.cloud.security.privateca.v1.CertificateExtensionConstraints.additional_extensions] 1410 // to determine the full set of X.509 extensions. 1411 repeated KnownCertificateExtension known_extensions = 1 1412 [(google.api.field_behavior) = OPTIONAL]; 1413 1414 // Optional. A set of [ObjectIds][google.cloud.security.privateca.v1.ObjectId] 1415 // identifying custom X.509 extensions. Will be combined with 1416 // [known_extensions][google.cloud.security.privateca.v1.CertificateExtensionConstraints.known_extensions] 1417 // to determine the full set of X.509 extensions. 1418 repeated ObjectId additional_extensions = 2 1419 [(google.api.field_behavior) = OPTIONAL]; 1420} 1421 1422// A [RevocationReason][google.cloud.security.privateca.v1.RevocationReason] 1423// indicates whether a 1424// [Certificate][google.cloud.security.privateca.v1.Certificate] has been 1425// revoked, and the reason for revocation. These correspond to standard 1426// revocation reasons from RFC 5280. Note that the enum labels and values in 1427// this definition are not the same ASN.1 values defined in RFC 5280. These 1428// values will be translated to the correct ASN.1 values when a CRL is created. 1429enum RevocationReason { 1430 // Default unspecified value. 
This value does indicate that a 1431 // [Certificate][google.cloud.security.privateca.v1.Certificate] has been 1432 // revoked, but that a reason has not been recorded. 1433 REVOCATION_REASON_UNSPECIFIED = 0; 1434 1435 // Key material for this 1436 // [Certificate][google.cloud.security.privateca.v1.Certificate] may have 1437 // leaked. 1438 KEY_COMPROMISE = 1; 1439 1440 // The key material for a certificate authority in the issuing path may have 1441 // leaked. 1442 CERTIFICATE_AUTHORITY_COMPROMISE = 2; 1443 1444 // The subject or other attributes in this 1445 // [Certificate][google.cloud.security.privateca.v1.Certificate] have changed. 1446 AFFILIATION_CHANGED = 3; 1447 1448 // This [Certificate][google.cloud.security.privateca.v1.Certificate] has been 1449 // superseded. 1450 SUPERSEDED = 4; 1451 1452 // This [Certificate][google.cloud.security.privateca.v1.Certificate] or 1453 // entities in the issuing path have ceased to operate. 1454 CESSATION_OF_OPERATION = 5; 1455 1456 // This [Certificate][google.cloud.security.privateca.v1.Certificate] should 1457 // not be considered valid, it is expected that it may become valid in the 1458 // future. 1459 CERTIFICATE_HOLD = 6; 1460 1461 // This [Certificate][google.cloud.security.privateca.v1.Certificate] no 1462 // longer has permission to assert the listed attributes. 1463 PRIVILEGE_WITHDRAWN = 7; 1464 1465 // The authority which determines appropriate attributes for a 1466 // [Certificate][google.cloud.security.privateca.v1.Certificate] may have been 1467 // compromised. 1468 ATTRIBUTE_AUTHORITY_COMPROMISE = 8; 1469} 1470 1471// Describes the way in which a 1472// [Certificate][google.cloud.security.privateca.v1.Certificate]'s 1473// [Subject][google.cloud.security.privateca.v1.Subject] and/or 1474// [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] will be 1475// resolved. 1476enum SubjectRequestMode { 1477 // Not specified. 
1478 SUBJECT_REQUEST_MODE_UNSPECIFIED = 0; 1479 1480 // The default mode used in most cases. Indicates that the certificate's 1481 // [Subject][google.cloud.security.privateca.v1.Subject] and/or 1482 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] are 1483 // specified in the certificate request. This mode requires the caller to have 1484 // the `privateca.certificates.create` permission. 1485 DEFAULT = 1; 1486 1487 // A mode reserved for special cases. Indicates that the certificate should 1488 // have one SPIFFE 1489 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] set 1490 // by the service based on the caller's identity. This mode will ignore any 1491 // explicitly specified [Subject][google.cloud.security.privateca.v1.Subject] 1492 // and/or 1493 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] in 1494 // the certificate request. This mode requires the caller to have the 1495 // `privateca.certificates.createForSelf` permission. 1496 REFLECTED_SPIFFE = 2; 1497} 1498