// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.security.privateca.v1beta1;

// field_behavior.proto and resource.proto supply the
// (google.api.field_behavior) and (google.api.resource) annotations used
// throughout this file; the remaining imports are well-known types used for
// lifetimes, timestamps and explicit-presence scalars.
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";

// Per-language codegen options. These are part of the published API surface
// for generated clients; changing them is a source-breaking change.
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1Beta1";
option go_package = "cloud.google.com/go/security/privateca/apiv1beta1/privatecapb;privatecapb";
option java_multiple_files = true;
option java_outer_classname = "PrivateCaResourcesProto";
option java_package = "com.google.cloud.security.privateca.v1beta1";
option php_namespace = "Google\\Cloud\\Security\\PrivateCA\\V1beta1";
option ruby_package = "Google::Cloud::Security::PrivateCA::V1beta1";

// A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] represents an individual Certificate Authority.
// A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] can be used to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
message CertificateAuthority {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/CertificateAuthority"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}"
  };

  // Options that affect all certificates issued by a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  message IssuingOptions {
    // Required. When true, includes a URL to the issuing CA certificate in the
    // "authority information access" X.509 extension.
    bool include_ca_cert_url = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. When true, includes a URL to the CRL corresponding to certificates
    // issued from a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
    // CRLs will expire 7 days from their creation. However, we will rebuild
    // daily. CRLs are also rebuilt shortly after a certificate is revoked.
    // NOTE(review): when false, issued certificates presumably carry no CRL
    // distribution point, leaving relying parties without an in-band way to
    // locate revocation data — confirm against the issuance path.
    bool include_crl_access_url = 2 [(google.api.field_behavior) = REQUIRED];
  }

  // The issuing policy for a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] will not be successfully issued from this
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] if they violate the policy.
  message CertificateAuthorityPolicy {
    // A list of configurations, at least one of which every issued
    // certificate must match.
    message AllowedConfigList {
      // Required. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // must match at least one listed [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper]. If a
      // [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] has an empty field, any value will be
      // allowed for that field.
      repeated ReusableConfigWrapper allowed_config_values = 1 [(google.api.field_behavior) = REQUIRED];
    }

    // [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] specifies the allowed values for
    // [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames] by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] when issuing
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
    message AllowedSubjectAltNames {
      // Optional. Contains valid, fully-qualified host names. Glob patterns are also
      // supported. To allow an explicit wildcard certificate, escape with
      // backslash (i.e. `\*`).
      // E.g. for globbed entries: `*bar.com` will allow `foo.bar.com`, but not
      // `*.bar.com`, unless the [allow_globbing_dns_wildcards][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allow_globbing_dns_wildcards] field is set.
      // E.g. for wildcard entries: `\*.bar.com` will allow `*.bar.com`, but not
      // `foo.bar.com`.
      // NOTE(review): the examples do not state whether a glob such as
      // `*bar.com` also matches a name like `foobar.com`; confirm the
      // matcher's label-boundary rules before using a glob as a domain
      // boundary in policy.
      repeated string allowed_dns_names = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid RFC 3986 URIs. Glob patterns are also supported. To
      // match across path separators (i.e. '/') use the double star glob
      // pattern (i.e. '**').
      repeated string allowed_uris = 2 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid RFC 2822 E-mail addresses. Glob patterns are also
      // supported.
      repeated string allowed_email_addresses = 3 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Contains valid 32-bit IPv4 addresses and subnet ranges or RFC 4291 IPv6
      // addresses and subnet ranges. Subnet ranges are specified using the
      // '/' notation (e.g. 10.0.0.0/8, 2001:700:300:1800::/64). Glob patterns
      // are supported only for ip address entries (i.e. not for subnet ranges).
      repeated string allowed_ips = 4 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Specifies if glob patterns used for [allowed_dns_names][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames.allowed_dns_names] allows
      // wildcard certificates.
      bool allow_globbing_dns_wildcards = 5 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Specifies if to allow custom X509Extension values.
      // NOTE(review): the field name refers to SANs while this comment refers
      // to X509Extension values; confirm which the server enforces.
      bool allow_custom_sans = 6 [(google.api.field_behavior) = OPTIONAL];
    }

    // [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] specifies the allowed ways in which
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] may be requested from this
    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
    message IssuanceModes {
      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
      // specifying a CSR.
      bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
      // specifying a [CertificateConfig][google.cloud.security.privateca.v1beta1.CertificateConfig].
      bool allow_config_based_issuance = 2 [(google.api.field_behavior) = REQUIRED];
    }

    // Allowed configurations or a single configuration for all issued
    // certificates. Setting one member clears the other.
    oneof config_policy {
      // Optional. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // must match at least one listed [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] in the list.
      AllowedConfigList allowed_config_list = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. All [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
      // will use the provided configuration values, overwriting any requested
      // configuration values.
      ReusableConfigWrapper overwrite_config_values = 2 [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. If any [Subject][google.cloud.security.privateca.v1beta1.Subject] is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match at least one listed [Subject][google.cloud.security.privateca.v1beta1.Subject]. If a [Subject][google.cloud.security.privateca.v1beta1.Subject] has an empty
    // field, any value will be allowed for that field.
    repeated Subject allowed_locations_and_organizations = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If any value is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match at least one listed value. If no value is specified, all values
    // will be allowed for this field. Glob patterns are also supported.
    repeated string allowed_common_names = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If a [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames] is specified here, then all
    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] issued by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must
    // match [AllowedSubjectAltNames][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.AllowedSubjectAltNames]. If no value or an empty value
    // is specified, any value will be allowed for the [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames]
    // field.
    AllowedSubjectAltNames allowed_sans = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. The maximum lifetime allowed by the [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. Note that
    // if any part of the issuing chain expires before a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]'s
    // requested maximum_lifetime, the effective lifetime will be explicitly
    // truncated.
    google.protobuf.Duration maximum_lifetime = 6 [(google.api.field_behavior) = OPTIONAL];

    // Optional. If specified, then only methods allowed in the [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] may be
    // used to issue [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
    // NOTE(review): field number 7 is skipped in this message; if it was ever
    // used, it should be listed in a `reserved` statement so it cannot be
    // reassigned with a different meaning.
    IssuanceModes allowed_issuance_modes = 8 [(google.api.field_behavior) = OPTIONAL];
  }

  // URLs where a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will publish content.
  message AccessUrls {
    // The URL where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate is
    // published. This will only be set for CAs that have been activated.
    string ca_certificate_access_url = 1;

    // The URL where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CRLs are published. This
    // will only be set for CAs that have been activated.
    string crl_access_url = 2;
  }

  // A Cloud KMS key configuration that a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will use.
  message KeyVersionSpec {
    // Exactly one of an existing key version or an algorithm for a managed
    // key is expected.
    // NOTE(review): oneof names are conventionally lower_snake_case; renaming
    // this one would be source-breaking for generated code, so it is left
    // as published.
    oneof KeyVersion {
      // Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
      // format
      // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
      // This option enables full flexibility in the key's capabilities and
      // properties.
      string cloud_kms_key_version = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. The algorithm to use for creating a managed Cloud KMS key for a
      // simplified experience. All managed keys will have their
      // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as `HSM`.
      SignHashAlgorithm algorithm = 2 [(google.api.field_behavior) = REQUIRED];
    }
  }

  // The type of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating its issuing chain.
  enum Type {
    // Not specified.
    TYPE_UNSPECIFIED = 0;

    // Self-signed CA.
    SELF_SIGNED = 1;

    // Subordinate CA. Could be issued by a Private CA [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
    // or an unmanaged CA.
    SUBORDINATE = 2;
  }

  // The tier of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating its supported
  // functionality and/or billing SKU.
  enum Tier {
    // Not specified.
    TIER_UNSPECIFIED = 0;

    // Enterprise tier.
    ENTERPRISE = 1;

    // DevOps tier.
    DEVOPS = 2;
  }

  // The state of a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], indicating if it can be used.
  enum State {
    // Not specified.
    STATE_UNSPECIFIED = 0;

    // Certificates can be issued from this CA. CRLs will be generated for this
    // CA.
    ENABLED = 1;

    // Certificates cannot be issued from this CA. CRLs will still be generated.
    DISABLED = 2;

    // Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_ACTIVATION = 3;

    // Certificates cannot be issued from this CA. CRLs will not be generated.
    PENDING_DELETION = 4;
  }

  // The algorithm of a Cloud KMS CryptoKeyVersion of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
  // `ASYMMETRIC_SIGN`. These values correspond to the
  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
  // values. For RSA signing algorithms, the PSS algorithms should be preferred,
  // use PKCS1 algorithms if required for compatibility. For further
  // recommendations, see
  // https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
  // Values are grouped by family below rather than listed in numeric order;
  // the numbers are wire identifiers and must not be renumbered.
  enum SignHashAlgorithm {
    // Not specified.
    SIGN_HASH_ALGORITHM_UNSPECIFIED = 0;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
    RSA_PSS_2048_SHA256 = 1;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_3072_SHA256
    RSA_PSS_3072_SHA256 = 2;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
    RSA_PSS_4096_SHA256 = 3;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
    RSA_PKCS1_2048_SHA256 = 6;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
    RSA_PKCS1_3072_SHA256 = 7;

    // Maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
    RSA_PKCS1_4096_SHA256 = 8;

    // Maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
    EC_P256_SHA256 = 4;

    // Maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
    EC_P384_SHA384 = 5;
  }

  // Output only. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
  // format `projects/*/locations/*/certificateAuthorities/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The [Type][google.cloud.security.privateca.v1beta1.CertificateAuthority.Type] of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  Type type = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The [Tier][google.cloud.security.privateca.v1beta1.CertificateAuthority.Tier] of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  Tier tier = 3 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The config used to create a self-signed X.509 certificate or CSR.
  CertificateConfig config = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. The desired lifetime of the CA certificate. Used to create the
  // "not_before_time" and "not_after_time" fields inside an X.509
  // certificate.
  google.protobuf.Duration lifetime = 5 [(google.api.field_behavior) = REQUIRED];

  // Required. Immutable. Used when issuing certificates for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. If this
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] is a self-signed CertificateAuthority, this key
  // is also used to sign the self-signed CA certificate. Otherwise, it
  // is used to sign a CSR.
  KeyVersionSpec key_spec = 6 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Optional. The [CertificateAuthorityPolicy][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy] to enforce when issuing
  // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] from this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  CertificateAuthorityPolicy certificate_policy = 7 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The [IssuingOptions][google.cloud.security.privateca.v1beta1.CertificateAuthority.IssuingOptions] to follow when issuing [Certificates][google.cloud.security.privateca.v1beta1.Certificate]
  // from this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  IssuingOptions issuing_options = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If this is a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], this field will be set
  // with the subordinate configuration, which describes its issuers. This may
  // be updated, but this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must continue to validate.
  SubordinateConfig subordinate_config = 19 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The [State][google.cloud.security.privateca.v1beta1.CertificateAuthority.State] for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
  State state = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. This [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate chain, including the current
  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate. Ordered such that the root issuer
  // is the final element (consistent with RFC 5246). For a self-signed CA, this
  // will only list the current [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate.
  repeated string pem_ca_certificates = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate
  // and its issuers. Ordered as self-to-root.
  // NOTE(review): field number 11 is skipped in this message; if it was ever
  // used, it should be listed in a `reserved` statement.
  repeated CertificateDescription ca_certificate_descriptions = 12 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The name of a Cloud Storage bucket where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will
  // publish content, such as the CA certificate and CRLs. This must be a bucket
  // name, without any prefixes (such as `gs://`) or suffixes (such as
  // `.googleapis.com`). For example, to use a bucket named `my-bucket`, you
  // would simply specify `my-bucket`. If not specified, a managed bucket will
  // be created.
  string gcs_bucket = 13 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. URLs for accessing content published by this CA, such as the CA certificate
  // and CRLs.
  AccessUrls access_urls = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] was created.
  google.protobuf.Timestamp create_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] was updated.
  google.protobuf.Timestamp update_time = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will be deleted, if
  // scheduled for deletion.
  google.protobuf.Timestamp delete_time = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 18 [(google.api.field_behavior) = OPTIONAL];
}

// A [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] corresponds to a signed X.509 certificate
// Revocation List (CRL). A CRL contains the serial numbers of certificates that
// should no longer be trusted.
message CertificateRevocationList {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/CertificateRevocationList"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}/certificateRevocationLists/{certificate_revocation_list}"
  };

  // Describes a revoked [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  message RevokedCertificate {
    // The resource path for the [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in the format
    // `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
    string certificate = 1;

    // The serial number of the [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
    string hex_serial_number = 2;

    // The reason the [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    RevocationReason revocation_reason = 3;
  }

  // The state of a [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList], indicating if it is current.
  enum State {
    // Not specified.
    STATE_UNSPECIFIED = 0;

    // The [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] is up to date.
    ACTIVE = 1;

    // The [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] is no longer current.
    SUPERSEDED = 2;
  }

  // Output only. The resource path for this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] in
  // the format
  // `projects/*/locations/*/certificateAuthorities/*/
  // certificateRevocationLists/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The CRL sequence number that appears in pem_crl.
  int64 sequence_number = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The revoked serial numbers that appear in pem_crl.
  repeated RevokedCertificate revoked_certificates = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The PEM-encoded X.509 CRL.
  string pem_crl = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The location where 'pem_crl' can be accessed.
  string access_url = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The [State][google.cloud.security.privateca.v1beta1.CertificateRevocationList.State] for this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
  State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] was created.
  google.protobuf.Timestamp create_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] was updated.
  google.protobuf.Timestamp update_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 9 [(google.api.field_behavior) = OPTIONAL];
}

// A [Certificate][google.cloud.security.privateca.v1beta1.Certificate] corresponds to a signed X.509 certificate issued by a
// [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
message Certificate {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/Certificate"
    pattern: "projects/{project}/locations/{location}/certificateAuthorities/{certificate_authority}/certificates/{certificate}"
  };

  // Describes fields that are relevant to the revocation of a [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
  message RevocationDetails {
    // Indicates why a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    RevocationReason revocation_state = 1;

    // The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was revoked.
    google.protobuf.Timestamp revocation_time = 2;
  }

  // Output only. The resource path for this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] in the format
  // `projects/*/locations/*/certificateAuthorities/*/certificates/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The config used to create a signed X.509 certificate. Exactly one of a
  // CSR or a structured config is expected.
  oneof certificate_config {
    // Immutable. A pem-encoded X.509 certificate signing request (CSR).
    string pem_csr = 2 [(google.api.field_behavior) = IMMUTABLE];

    // Immutable. A description of the certificate and key that does not require X.509 or
    // ASN.1.
    CertificateConfig config = 3 [(google.api.field_behavior) = IMMUTABLE];
  }

  // Required. Immutable. The desired lifetime of a certificate. Used to create the
  // "not_before_time" and "not_after_time" fields inside an X.509
  // certificate. Note that the lifetime may be truncated if it would extend
  // past the life of any certificate authority in the issuing chain.
  google.protobuf.Duration lifetime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Details regarding the revocation of this [Certificate][google.cloud.security.privateca.v1beta1.Certificate]. This
  // [Certificate][google.cloud.security.privateca.v1beta1.Certificate] is considered revoked if and only if this field is present.
  RevocationDetails revocation_details = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The pem-encoded, signed X.509 certificate.
  string pem_certificate = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A structured description of the issued X.509 certificate.
  CertificateDescription certificate_description = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The chain that may be used to verify the X.509 certificate. Expected to be
  // in issuer-to-root order according to RFC 5246.
  repeated string pem_certificate_chain = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was created.
  google.protobuf.Timestamp create_time = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] was updated.
  google.protobuf.Timestamp update_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 11 [(google.api.field_behavior) = OPTIONAL];
}

// A [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] refers to a managed [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues]. Those, in
// turn, are used to describe certain fields of an X.509 certificate, such as
// the key usage fields, fields specific to CA certificates, certificate policy
// extensions and custom extensions.
message ReusableConfig {
  option (google.api.resource) = {
    type: "privateca.googleapis.com/ReusableConfig"
    pattern: "projects/{project}/locations/{location}/reusableConfigs/{reusable_config}"
  };

  // Output only. The resource path for this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in the format
  // `projects/*/locations/*/reusableConfigs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. The config values.
  ReusableConfigValues values = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. A human-readable description of scenarios these ReusableConfigValues may be
  // compatible with.
  string description = 3 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] was created.
  google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] was updated.
  google.protobuf.Timestamp update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels with user-defined metadata.
  map<string, string> labels = 6 [(google.api.field_behavior) = OPTIONAL];
}

// A [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues] is used to describe certain fields of an
// X.509 certificate, such as the key usage fields, fields specific to CA
// certificates, certificate policy extensions and custom extensions.
message ReusableConfigValues {
  // Describes values that are relevant in a CA certificate.
  message CaOptions {
    // Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this
    // value is missing, the extension will be omitted from the CA certificate.
    // The wrapper type gives explicit presence, so "false" and "unset" are
    // distinguishable. RFC 5280 section 4.2.1.9 requires a v3 certificate
    // acting as an issuer to carry basic constraints with cA asserted, so
    // set this explicitly to true for CA certificates rather than leaving
    // it unset.
    google.protobuf.BoolValue is_ca = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Refers to the path length restriction X.509 extension. For a CA
    // certificate, this value describes the depth of subordinate CA
    // certificates that are allowed.
    // If this value is less than 0, the request will fail.
    // If this value is missing, the max path length will be omitted from the
    // CA certificate.
    google.protobuf.Int32Value max_issuer_path_length = 2 [(google.api.field_behavior) = OPTIONAL];
  }

  // Optional. Indicates the intended use for keys that correspond to a certificate.
  KeyUsage key_usage = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes options in this [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues] that are
  // relevant in a CA certificate.
  CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes the X.509 certificate policy object identifiers, per
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
  repeated ObjectId policy_ids = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
  // that appear in the "Authority Information Access" extension in the
  // certificate.
  repeated string aia_ocsp_servers = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Describes custom X.509 extensions.
  repeated X509Extension additional_extensions = 5 [(google.api.field_behavior) = OPTIONAL];
}

// A [ReusableConfigWrapper][google.cloud.security.privateca.v1beta1.ReusableConfigWrapper] describes values that may assist in creating an
// X.509 certificate, or a reference to a pre-defined set of values.
message ReusableConfigWrapper {
  // Reusable or inline config values. Exactly one member is expected.
  oneof config_values {
    // Required. A resource path to a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in the format
    // `projects/*/locations/*/reusableConfigs/*`.
    string reusable_config = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. A user-specified inline [ReusableConfigValues][google.cloud.security.privateca.v1beta1.ReusableConfigValues].
    ReusableConfigValues reusable_config_values = 2 [(google.api.field_behavior) = REQUIRED];
  }
}

// Describes a subordinate CA's issuers. This is either a resource path to a
// known issuing [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], or a PEM issuer certificate chain.
message SubordinateConfig {
  // This message describes a subordinate CA's issuer certificate chain. This
  // wrapper exists for compatibility reasons.
  message SubordinateConfigChain {
    // Required. Expected to be in leaf-to-root order according to RFC 5246.
    repeated string pem_certificates = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Exactly one of a same-project issuing CA reference or an explicit PEM
  // issuer chain is expected.
  oneof subordinate_config {
    // Required. This can refer to a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the same project that
    // was used to create a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. This field
    // is used for information and usability purposes only. The resource name
    // is in the format `projects/*/locations/*/certificateAuthorities/*`.
    string certificate_authority = 1 [(google.api.field_behavior) = REQUIRED];

    // Required. Contains the PEM certificate chain for the issuers of this
    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], but not pem certificate for this CA itself.
    SubordinateConfigChain pem_issuer_chain = 2 [(google.api.field_behavior) = REQUIRED];
  }
}

// A [PublicKey][google.cloud.security.privateca.v1beta1.PublicKey] describes a public key.
message PublicKey {
  // Types of public keys that are supported.
  // At a minimum, we support RSA and ECDSA, for the key sizes or curves listed:
  // https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
  enum KeyType {
    // Default unspecified value.
    KEY_TYPE_UNSPECIFIED = 0;

    // A PEM-encoded PKCS#1/RFC 3447 RSAPrivateKey structure.
    // NOTE(review): this message carries a public key, so an RSAPublicKey
    // structure would be expected here; confirm whether "RSAPrivateKey" is
    // a documentation error before relying on it.
    PEM_RSA_KEY = 1;

    // A PEM-encoded compressed NIST P-256/secp256r1/prime256v1 or P-384 key.
    PEM_EC_KEY = 2;
  }

  // Required. The type of public key.
  KeyType type = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. A public key. Padding and encoding varies by 'KeyType' and is described
  // along with the KeyType values.
  bytes key = 2 [(google.api.field_behavior) = REQUIRED];
}

// A [CertificateConfig][google.cloud.security.privateca.v1beta1.CertificateConfig] describes an X.509 certificate or CSR that is to be
// created, as an alternative to using ASN.1.
620message CertificateConfig { 621 // These values are used to create the distinguished name and subject 622 // alternative name fields in an X.509 certificate. 623 message SubjectConfig { 624 // Required. Contains distinguished name fields such as the location and organization. 625 Subject subject = 1 [(google.api.field_behavior) = REQUIRED]; 626 627 // Optional. The "common name" of the distinguished name. 628 string common_name = 2 [(google.api.field_behavior) = OPTIONAL]; 629 630 // Optional. The subject alternative name fields. 631 SubjectAltNames subject_alt_name = 3 [(google.api.field_behavior) = OPTIONAL]; 632 } 633 634 // Required. Specifies some of the values in a certificate that are related to the 635 // subject. 636 SubjectConfig subject_config = 1 [(google.api.field_behavior) = REQUIRED]; 637 638 // Required. Describes how some of the technical fields in a certificate should be 639 // populated. 640 ReusableConfigWrapper reusable_config = 2 [(google.api.field_behavior) = REQUIRED]; 641 642 // Optional. The public key that corresponds to this config. This is, for example, used 643 // when issuing [Certificates][google.cloud.security.privateca.v1beta1.Certificate], but not when creating a 644 // self-signed [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] or [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] CSR. 645 PublicKey public_key = 3 [(google.api.field_behavior) = OPTIONAL]; 646} 647 648// A [CertificateDescription][google.cloud.security.privateca.v1beta1.CertificateDescription] describes an X.509 certificate or CSR that has 649// been issued, as an alternative to using ASN.1 / X.509. 650message CertificateDescription { 651 // These values describe fields in an issued X.509 certificate such as the 652 // distinguished name, subject alternative names, serial number, and lifetime. 
653 message SubjectDescription { 654 // Contains distinguished name fields such as the location and organization. 655 Subject subject = 1; 656 657 // The "common name" of the distinguished name. 658 string common_name = 2; 659 660 // The subject alternative name fields. 661 SubjectAltNames subject_alt_name = 3; 662 663 // The serial number encoded in lowercase hexadecimal. 664 string hex_serial_number = 4; 665 666 // For convenience, the actual lifetime of an issued certificate. 667 // Corresponds to 'not_after_time' - 'not_before_time'. 668 google.protobuf.Duration lifetime = 5; 669 670 // The time at which the certificate becomes valid. 671 google.protobuf.Timestamp not_before_time = 6; 672 673 // The time at which the certificate expires. 674 google.protobuf.Timestamp not_after_time = 7; 675 } 676 677 // A KeyId identifies a specific public key, usually by hashing the public 678 // key. 679 message KeyId { 680 // Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most 681 // likely the 160 bit SHA-1 hash of the public key. 682 string key_id = 1 [(google.api.field_behavior) = OPTIONAL]; 683 } 684 685 // A group of fingerprints for the x509 certificate. 686 message CertificateFingerprint { 687 // The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. 688 string sha256_hash = 1; 689 } 690 691 // Describes some of the values in a certificate that are related to the 692 // subject and lifetime. 693 SubjectDescription subject_description = 1; 694 695 // Describes some of the technical fields in a certificate. 696 ReusableConfigValues config_values = 2; 697 698 // The public key that corresponds to an issued certificate. 699 PublicKey public_key = 3; 700 701 // Provides a means of identifiying certificates that contain a particular 702 // public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. 
703 KeyId subject_key_id = 4; 704 705 // Identifies the subject_key_id of the parent certificate, per 706 // https://tools.ietf.org/html/rfc5280#section-4.2.1.1 707 KeyId authority_key_id = 5; 708 709 // Describes a list of locations to obtain CRL information, i.e. 710 // the DistributionPoint.fullName described by 711 // https://tools.ietf.org/html/rfc5280#section-4.2.1.13 712 repeated string crl_distribution_points = 6; 713 714 // Describes lists of issuer CA certificate URLs that appear in the 715 // "Authority Information Access" extension in the certificate. 716 repeated string aia_issuing_certificate_urls = 7; 717 718 // The hash of the x.509 certificate. 719 CertificateFingerprint cert_fingerprint = 8; 720} 721 722// An [ObjectId][google.cloud.security.privateca.v1beta1.ObjectId] specifies an object identifier (OID). These provide context 723// and describe types in ASN.1 messages. 724message ObjectId { 725 // Required. The parts of an OID path. The most significant parts of the path come 726 // first. 727 repeated int32 object_id_path = 1 [(google.api.field_behavior) = REQUIRED]; 728} 729 730// An [X509Extension][google.cloud.security.privateca.v1beta1.X509Extension] specifies an X.509 extension, which may be used in 731// different parts of X.509 objects like certificates, CSRs, and CRLs. 732message X509Extension { 733 // Required. The OID for this X.509 extension. 734 ObjectId object_id = 1 [(google.api.field_behavior) = REQUIRED]; 735 736 // Required. Indicates whether or not this extension is critical (i.e., if the client 737 // does not know how to handle this extension, the client should consider this 738 // to be an error). 739 bool critical = 2 [(google.api.field_behavior) = REQUIRED]; 740 741 // Required. The value of this X.509 extension. 
742 bytes value = 3 [(google.api.field_behavior) = REQUIRED]; 743} 744 745// A [KeyUsage][google.cloud.security.privateca.v1beta1.KeyUsage] describes key usage values that may appear in an X.509 746// certificate. 747message KeyUsage { 748 // [KeyUsage.KeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.KeyUsageOptions] corresponds to the key usage values 749 // described in https://tools.ietf.org/html/rfc5280#section-4.2.1.3. 750 message KeyUsageOptions { 751 // The key may be used for digital signatures. 752 bool digital_signature = 1; 753 754 // The key may be used for cryptographic commitments. Note that this may 755 // also be referred to as "non-repudiation". 756 bool content_commitment = 2; 757 758 // The key may be used to encipher other keys. 759 bool key_encipherment = 3; 760 761 // The key may be used to encipher data. 762 bool data_encipherment = 4; 763 764 // The key may be used in a key agreement protocol. 765 bool key_agreement = 5; 766 767 // The key may be used to sign certificates. 768 bool cert_sign = 6; 769 770 // The key may be used sign certificate revocation lists. 771 bool crl_sign = 7; 772 773 // The key may be used to encipher only. 774 bool encipher_only = 8; 775 776 // The key may be used to decipher only. 777 bool decipher_only = 9; 778 } 779 780 // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.ExtendedKeyUsageOptions] has fields that correspond to 781 // certain common OIDs that could be specified as an extended key usage value. 782 message ExtendedKeyUsageOptions { 783 // Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW 784 // server authentication", though regularly used for non-WWW TLS. 785 bool server_auth = 1; 786 787 // Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW 788 // client authentication", though regularly used for non-WWW TLS. 789 bool client_auth = 2; 790 791 // Corresponds to OID 1.3.6.1.5.5.7.3.3. 
Officially described as "Signing of 792 // downloadable executable code client authentication". 793 bool code_signing = 3; 794 795 // Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email 796 // protection". 797 bool email_protection = 4; 798 799 // Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding 800 // the hash of an object to a time". 801 bool time_stamping = 5; 802 803 // Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing 804 // OCSP responses". 805 bool ocsp_signing = 6; 806 } 807 808 // Describes high-level ways in which a key may be used. 809 KeyUsageOptions base_key_usage = 1; 810 811 // Detailed scenarios in which a key may be used. 812 ExtendedKeyUsageOptions extended_key_usage = 2; 813 814 // Used to describe extended key usages that are not listed in the 815 // [KeyUsage.ExtendedKeyUsageOptions][google.cloud.security.privateca.v1beta1.KeyUsage.ExtendedKeyUsageOptions] message. 816 repeated ObjectId unknown_extended_key_usages = 3; 817} 818 819// [Subject][google.cloud.security.privateca.v1beta1.Subject] describes parts of a distinguished name that, in turn, 820// describes the subject of the certificate. 821message Subject { 822 // The country code of the subject. 823 string country_code = 1; 824 825 // The organization of the subject. 826 string organization = 2; 827 828 // The organizational_unit of the subject. 829 string organizational_unit = 3; 830 831 // The locality or city of the subject. 832 string locality = 4; 833 834 // The province, territory, or regional state of the subject. 835 string province = 5; 836 837 // The street address of the subject. 838 string street_address = 6; 839 840 // The postal code of the subject. 
841 string postal_code = 7; 842} 843 844// [SubjectAltNames][google.cloud.security.privateca.v1beta1.SubjectAltNames] corresponds to a more modern way of listing what 845// the asserted identity is in a certificate (i.e., compared to the "common 846// name" in the distinguished name). 847message SubjectAltNames { 848 // Contains only valid, fully-qualified host names. 849 repeated string dns_names = 1; 850 851 // Contains only valid RFC 3986 URIs. 852 repeated string uris = 2; 853 854 // Contains only valid RFC 2822 E-mail addresses. 855 repeated string email_addresses = 3; 856 857 // Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. 858 repeated string ip_addresses = 4; 859 860 // Contains additional subject alternative name values. 861 repeated X509Extension custom_sans = 5; 862} 863 864// A [RevocationReason][google.cloud.security.privateca.v1beta1.RevocationReason] indicates whether a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] has been revoked, 865// and the reason for revocation. These correspond to standard revocation 866// reasons from RFC 5280. Note that the enum labels and values in this 867// definition are not the same ASN.1 values defined in RFC 5280. These values 868// will be translated to the correct ASN.1 values when a CRL is created. 869enum RevocationReason { 870 // Default unspecified value. This value does indicate that a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] 871 // has been revoked, but that a reason has not been recorded. 872 REVOCATION_REASON_UNSPECIFIED = 0; 873 874 // Key material for this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] may have leaked. 875 KEY_COMPROMISE = 1; 876 877 // The key material for a certificate authority in the issuing path may have 878 // leaked. 879 CERTIFICATE_AUTHORITY_COMPROMISE = 2; 880 881 // The subject or other attributes in this [Certificate][google.cloud.security.privateca.v1beta1.Certificate] have changed. 
882 AFFILIATION_CHANGED = 3; 883 884 // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] has been superseded. 885 SUPERSEDED = 4; 886 887 // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] or entities in the issuing path have ceased to 888 // operate. 889 CESSATION_OF_OPERATION = 5; 890 891 // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] should not be considered valid, it is expected that it 892 // may become valid in the future. 893 CERTIFICATE_HOLD = 6; 894 895 // This [Certificate][google.cloud.security.privateca.v1beta1.Certificate] no longer has permission to assert the listed 896 // attributes. 897 PRIVILEGE_WITHDRAWN = 7; 898 899 // The authority which determines appropriate attributes for a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] 900 // may have been compromised. 901 ATTRIBUTE_AUTHORITY_COMPROMISE = 8; 902} 903