feat!: BREAKING_CHANGE: Updates to Certificate Authority Service for …

…Beta release PiperOrigin-RevId: 334847962
googleapis · Oct 1, 2020 · 7ab31c7 · 7ab31c7
1 parent 714c619
commit 7ab31c7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 193 deletions.
diff --git a/google/cloud/security/privateca/v1beta1/resources.proto b/google/cloud/security/privateca/v1beta1/resources.proto
@@ -170,7 +170,8 @@ message CertificateAuthority {
   message KeyVersionSpec {
     oneof KeyVersion {
       // Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the
-      // format`projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
+      // format
+      // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
       // This option enables full flexibility in the key's capabilities and
       // properties.
       string cloud_kms_key_version = 1 [(google.api.field_behavior) = REQUIRED];
@@ -231,20 +232,32 @@ message CertificateAuthority {
   // [CryptoKey][google.cloud.kms.v1.CryptoKey] with the
   // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] value
   // `ASYMMETRIC_SIGN`. These values correspond to the
-  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKey.CryptoKeyVersion.CryptoKeyVersionAlgorithm].
-  // values.
+  // [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm]
+  // values. For RSA signing algorithms, the PSS algorithms should be preferred,
+  // use PKCS1 algorithms if required for compatibility. For further
+  // recommandations, see
+  // https://cloud.google.com/kms/docs/algorithms#algorithm_recommendations.
   enum SignHashAlgorithm {
     // Not specified.
     SIGN_HASH_ALGORITHM_UNSPECIFIED = 0;
 
     // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
-    RSA_PSS_2048_SHA_256 = 1;
+    RSA_PSS_2048_SHA256 = 1;
 
     // maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
-    RSA_PSS_3072_SHA_256 = 2;
+    RSA_PSS_3072_SHA256 = 2;
 
     // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
-    RSA_PSS_4096_SHA_256 = 3;
+    RSA_PSS_4096_SHA256 = 3;
+
+    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
+    RSA_PKCS1_2048_SHA256 = 6;
+
+    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
+    RSA_PKCS1_3072_SHA256 = 7;
+
+    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
+    RSA_PKCS1_4096_SHA256 = 8;
 
     // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
     EC_P256_SHA256 = 4;
@@ -437,11 +450,14 @@ message Certificate {
     CertificateConfig config = 3 [(google.api.field_behavior) = IMMUTABLE];
   }
 
-  // Required. The desired lifetime of a certificate. Used to create the
+  // Required. Immutable. The desired lifetime of a certificate. Used to create the
   // "not_before_time" and "not_after_time" fields inside an X.509
   // certificate. Note that the lifetime may be truncated if it would extend
   // past the life of any certificate authority in the issuing chain.
-  google.protobuf.Duration lifetime = 4 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.Duration lifetime = 4 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
 
   // Output only. Details regarding the revocation of this [Certificate][google.cloud.security.privateca.v1beta1.Certificate]. This
   // [Certificate][google.cloud.security.privateca.v1beta1.Certificate] is considered revoked if and only if this field is present.
@@ -525,7 +541,7 @@ message ReusableConfigValues {
   CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Describes the X.509 certificate policy object identifiers, per
-  // https://tools.ietf.org/html/rfc5280#section-4.2.1.4rfc5280
+  // https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
   repeated ObjectId policy_ids = 3 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses
@@ -845,8 +861,10 @@ message SubjectAltNames {
 }
 
 // A [RevocationReason][google.cloud.security.privateca.v1beta1.RevocationReason] indicates whether a [Certificate][google.cloud.security.privateca.v1beta1.Certificate] has been revoked,
-// and the reason for revocation. These are standard revocation reasons from RFC
-// 5280.
+// and the reason for revocation. These correspond to standard revocation
+// reasons from RFC 5280. Note that the enum labels and values in this
+// definition are not the same ASN.1 values defined in RFC 5280. These values
+// will be translated to the correct ASN.1 values when a CRL is created.
 enum RevocationReason {
   // Default unspecified value. This value does indicate that a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]
   // has been revoked, but that a reason has not been recorded.

diff --git a/google/cloud/security/privateca/v1beta1/service.proto b/google/cloud/security/privateca/v1beta1/service.proto
@@ -22,6 +22,7 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/security/privateca/v1beta1/resources.proto";
 import "google/longrunning/operations.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
 
@@ -73,7 +74,8 @@ service CertificateAuthorityService {
     option (google.api.method_signature) = "name";
   }
 
-  // Update a [Certificate][google.cloud.security.privateca.v1beta1.Certificate].
+  // Update a [Certificate][google.cloud.security.privateca.v1beta1.Certificate]. Currently, the only field you can update is the
+  // [labels][google.cloud.security.privateca.v1beta1.Certificate.labels] field.
   rpc UpdateCertificate(UpdateCertificateRequest) returns (Certificate) {
     option (google.api.http) = {
       patch: "/v1beta1/{certificate.name=projects/*/locations/*/certificateAuthorities/*/certificates/*}"
@@ -208,20 +210,6 @@ service CertificateAuthorityService {
     };
   }
 
-  // Create a new [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] in a given Project, Location
-  // for a particular [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
-  rpc CreateCertificateRevocationList(CreateCertificateRevocationListRequest) returns (google.longrunning.Operation) {
-    option (google.api.http) = {
-      post: "/v1beta1/{parent=projects/*/locations/*/certificateAuthorities/*}/certificateRevocationLists"
-      body: "certificate_revocation_list"
-    };
-    option (google.api.method_signature) = "parent,certificate_revocation_list,certificate_revocation_list_id";
-    option (google.longrunning.operation_info) = {
-      response_type: "CertificateRevocationList"
-      metadata_type: "OperationMetadata"
-    };
-  }
-
   // Returns a [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList].
   rpc GetCertificateRevocationList(GetCertificateRevocationListRequest) returns (CertificateRevocationList) {
     option (google.api.http) = {
@@ -251,31 +239,6 @@ service CertificateAuthorityService {
     };
   }
 
-  // Create a new [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in a given Project and Location.
-  rpc CreateReusableConfig(CreateReusableConfigRequest) returns (google.longrunning.Operation) {
-    option (google.api.http) = {
-      post: "/v1beta1/{parent=projects/*/locations/*}/reusableConfigs"
-      body: "reusable_config"
-    };
-    option (google.api.method_signature) = "parent,reusable_config,reusable_config_id";
-    option (google.longrunning.operation_info) = {
-      response_type: "ReusableConfig"
-      metadata_type: "OperationMetadata"
-    };
-  }
-
-  // DeleteReusableConfig deletes a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig].
-  rpc DeleteReusableConfig(DeleteReusableConfigRequest) returns (google.longrunning.Operation) {
-    option (google.api.http) = {
-      delete: "/v1beta1/{name=projects/*/locations/*/reusableConfigs/*}"
-    };
-    option (google.api.method_signature) = "name";
-    option (google.longrunning.operation_info) = {
-      response_type: "google.protobuf.Empty"
-      metadata_type: "google.cloud.security.privateca.v1beta1.OperationMetadata"
-    };
-  }
-
   // Returns a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig].
   rpc GetReusableConfig(GetReusableConfigRequest) returns (ReusableConfig) {
     option (google.api.http) = {
@@ -291,19 +254,6 @@ service CertificateAuthorityService {
     };
     option (google.api.method_signature) = "parent";
   }
-
-  // Update a [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig].
-  rpc UpdateReusableConfig(UpdateReusableConfigRequest) returns (google.longrunning.Operation) {
-    option (google.api.http) = {
-      patch: "/v1beta1/{reusable_config.name=projects/*/locations/*/reusableConfigs/*}"
-      body: "reusable_config"
-    };
-    option (google.api.method_signature) = "reusable_config,update_mask";
-    option (google.longrunning.operation_info) = {
-      response_type: "ReusableConfig"
-      metadata_type: "OperationMetadata"
-    };
-  }
 }
 
 // Request message for [CertificateAuthorityService.CreateCertificate][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.CreateCertificate].
@@ -319,7 +269,7 @@ message CreateCertificateRequest {
   ];
 
   // Optional. It must be unique within a location and match the regular
-  // expression `[a-zA-Z0-9-]{1,63}`. This field is required when using a
+  // expression `[a-zA-Z0-9_-]{1,63}`. This field is required when using a
   // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the Enterprise [CertificateAuthority.Tier][google.cloud.security.privateca.v1beta1.CertificateAuthority.Tier],
   // but is optional and its value is ignored otherwise.
   string certificate_id = 2 [(google.api.field_behavior) = OPTIONAL];
@@ -379,10 +329,14 @@ message ListCertificatesRequest {
   // [ListCertificatesResponse.next_page_token][google.cloud.security.privateca.v1beta1.ListCertificatesResponse.next_page_token].
   string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Only include resources that match the filter in the response.
+  // Optional. Only include resources that match the filter in the response. For details
+  // on supported filters and syntax, see [Certificates Filtering
+  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support).
   string filter = 4 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Specify how the results should be sorted.
+  // Optional. Specify how the results should be sorted. For details on supported fields
+  // and syntax, see [Certificates Sorting
+  // documentation](https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#sorting_support).
   string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
 }
 
@@ -505,7 +459,7 @@ message CreateCertificateAuthorityRequest {
   ];
 
   // Required. It must be unique within a location and match the regular
-  // expression `[a-zA-Z0-9-]{1,63}`
+  // expression `[a-zA-Z0-9_-]{1,63}`
   string certificate_authority_id = 2 [(google.api.field_behavior) = REQUIRED];
 
   // Required. A [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] with initial field values.
@@ -743,42 +697,6 @@ message UpdateCertificateAuthorityRequest {
   string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
 }
 
-// Request message for
-// [CertificateAuthorityService.CreateCertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.CreateCertificateRevocationList].
-message CreateCertificateRevocationListRequest {
-  // Required. The resource name of the location and [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]
-  // associated with the [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList], in the format
-  // `projects/*/locations/*/certificateAuthorities/*`.
-  string parent = 1 [
-    (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      type: "privateca.googleapis.com/CertificateAuthority"
-    }
-  ];
-
-  // Required. It must be unique within a location and match the regular expression
-  // `[a-zA-Z0-9-]{1,63}`
-  string certificate_revocation_list_id = 2 [(google.api.field_behavior) = REQUIRED];
-
-  // Required. A [CertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateRevocationList] with initial field values.
-  CertificateRevocationList certificate_revocation_list = 3 [(google.api.field_behavior) = REQUIRED];
-
-  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
-  // retry your request, the server will know to ignore the request if it has
-  // already been completed. The server will guarantee that for at least 60
-  // minutes since the first request.
-  //
-  // For example, consider a situation where you make an initial request and t
-  // he request times out. If you make the request again with the same request
-  // ID, the server can check if original operation with the same request ID
-  // was received, and if so, will ignore the second request. This prevents
-  // clients from accidentally creating duplicate commitments.
-  //
-  // The request ID must be a valid UUID with the exception that zero UUID is
-  // not supported (00000000-0000-0000-0000-000000000000).
-  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
-}
-
 // Request message for
 // [CertificateAuthorityService.GetCertificateRevocationList][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetCertificateRevocationList].
 message GetCertificateRevocationListRequest {
@@ -864,70 +782,6 @@ message UpdateCertificateRevocationListRequest {
   string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
 }
 
-// Request message for
-// [CertificateAuthorityService.CreateReusableConfig][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.CreateReusableConfig].
-message CreateReusableConfigRequest {
-  // Required. The resource name of the location associated with the
-  // [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig], in the format
-  // `projects/*/locations/*`.
-  string parent = 1 [
-    (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      type: "locations.googleapis.com/Location"
-    }
-  ];
-
-  // Required. It must be unique within a location and match the regular
-  // expression `[a-zA-Z0-9-]{1,63}`
-  string reusable_config_id = 2 [(google.api.field_behavior) = REQUIRED];
-
-  // Required. A [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] with initial field values.
-  ReusableConfig reusable_config = 3 [(google.api.field_behavior) = REQUIRED];
-
-  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
-  // retry your request, the server will know to ignore the request if it has
-  // already been completed. The server will guarantee that for at least 60
-  // minutes since the first request.
-  //
-  // For example, consider a situation where you make an initial request and t
-  // he request times out. If you make the request again with the same request
-  // ID, the server can check if original operation with the same request ID
-  // was received, and if so, will ignore the second request. This prevents
-  // clients from accidentally creating duplicate commitments.
-  //
-  // The request ID must be a valid UUID with the exception that zero UUID is
-  // not supported (00000000-0000-0000-0000-000000000000).
-  string request_id = 4 [(google.api.field_behavior) = OPTIONAL];
-}
-
-// Request message for
-// [CertificateAuthorityService.DeleteReusableConfig][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.DeleteReusableConfig].
-message DeleteReusableConfigRequest {
-  // Required. The resource name for this [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] in the format
-  // `projects/*/locations/*/reusableConfigs/*`.
-  string name = 1 [
-    (google.api.field_behavior) = REQUIRED,
-    (google.api.resource_reference) = {
-      type: "privateca.googleapis.com/ReusableConfig"
-    }
-  ];
-
-  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
-  // retry your request, the server will know to ignore the request if it has
-  // already been completed. The server will guarantee that for at least 60
-  // minutes since the first request.
-  //
-  // For example, consider a situation where you make an initial request and t
-  // he request times out. If you make the request again with the same request
-  // ID, the server can check if original operation with the same request ID
-  // was received, and if so, will ignore the second request. This prevents
-  // clients from accidentally creating duplicate commitments.
-  //
-  // The request ID must be a valid UUID with the exception that zero UUID is
-  // not supported (00000000-0000-0000-0000-000000000000).
-  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
-}
-
 // Request message for
 // [CertificateAuthorityService.GetReusableConfig][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.GetReusableConfig].
 message GetReusableConfigRequest {
@@ -987,31 +841,6 @@ message ListReusableConfigsResponse {
   repeated string unreachable = 3;
 }
 
-// Request message for
-// [CertificateAuthorityService.UpdateReusableConfig][google.cloud.security.privateca.v1beta1.CertificateAuthorityService.UpdateReusableConfig].
-message UpdateReusableConfigRequest {
-  // Required. [ReusableConfig][google.cloud.security.privateca.v1beta1.ReusableConfig] with updated values.
-  ReusableConfig reusable_config = 1 [(google.api.field_behavior) = REQUIRED];
-
-  // Required. A list of fields to be updated in this request.
-  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
-
-  // Optional. An ID to identify requests. Specify a unique request ID so that if you must
-  // retry your request, the server will know to ignore the request if it has
-  // already been completed. The server will guarantee that for at least 60
-  // minutes since the first request.
-  //
-  // For example, consider a situation where you make an initial request and t
-  // he request times out. If you make the request again with the same request
-  // ID, the server can check if original operation with the same request ID
-  // was received, and if so, will ignore the second request. This prevents
-  // clients from accidentally creating duplicate commitments.
-  //
-  // The request ID must be a valid UUID with the exception that zero UUID is
-  // not supported (00000000-0000-0000-0000-000000000000).
-  string request_id = 3 [(google.api.field_behavior) = OPTIONAL];
-}
-
 // Represents the metadata of the long-running operation.
 message OperationMetadata {
   // Output only. The time the operation was created.