feat!: Updating CAS beta libraries for release.

PiperOrigin-RevId: 329963295

google/cloud/security/privateca/v1beta1/privateca_gapic.yaml

@@ -8,7 +8,7 @@ language_settings:
   go:
     package_name: cloud.google.com/go/security/privateca/apiv1beta1
   csharp:
-    package_name: Google.Cloud.Security.PrivateCA.V1Alpha1
+    package_name: Google.Cloud.Security.PrivateCA.V1Beta1
   ruby:
     package_name: Google::Cloud::Security::Privateca::V1beta1
   php:

google/cloud/security/privateca/v1beta1/privateca_v1beta1.yaml

@@ -1,7 +1,7 @@
 type: google.api.Service
 config_version: 3
 name: privateca.googleapis.com
-title: Certificate Authority Service API
+title: Certificate Authority API
 
 apis:
 - name: google.cloud.security.privateca.v1beta1.CertificateAuthorityService

google/cloud/security/privateca/v1beta1/resources.proto

@@ -99,6 +99,19 @@ message CertificateAuthority {
       bool allow_custom_sans = 6 [(google.api.field_behavior) = OPTIONAL];
     }
 
+    // [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] specifies the allowed ways in which
+    // [Certificates][google.cloud.security.privateca.v1beta1.Certificate] may be requested from this
+    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
+    message IssuanceModes {
+      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
+      // specifying a CSR.
+      bool allow_csr_based_issuance = 1 [(google.api.field_behavior) = REQUIRED];
+
+      // Required. When true, allows callers to create [Certificates][google.cloud.security.privateca.v1beta1.Certificate] by
+      // specifying a [CertificateConfig][google.cloud.security.privateca.v1beta1.CertificateConfig].
+      bool allow_config_based_issuance = 2 [(google.api.field_behavior) = REQUIRED];
+    }
+
     // Allowed configurations or a single configuration for all issued
     // certificates.
     oneof config_policy {
@@ -136,6 +149,10 @@ message CertificateAuthority {
     // requested maximum_lifetime, the effective lifetime will be explicitly
     // truncated.
     google.protobuf.Duration maximum_lifetime = 6 [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. If specified, then only methods allowed in the [IssuanceModes][google.cloud.security.privateca.v1beta1.CertificateAuthority.CertificateAuthorityPolicy.IssuanceModes] may be
+    // used to issue [Certificates][google.cloud.security.privateca.v1beta1.Certificate].
+    IssuanceModes allowed_issuance_modes = 8 [(google.api.field_behavior) = OPTIONAL];
   }
 
   // URLs where a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will publish content.
@@ -220,23 +237,20 @@ message CertificateAuthority {
     // Not specified.
     SIGN_HASH_ALGORITHM_UNSPECIFIED = 0;
 
-    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
-    RSA_2048_SHA_256 = 1;
+    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256
+    RSA_PSS_2048_SHA_256 = 1;
 
-    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_3072_SHA256
-    RSA_3072_SHA_256 = 2;
+    // maps to CryptoKeyVersionAlgorithm. RSA_SIGN_PSS_3072_SHA256
+    RSA_PSS_3072_SHA_256 = 2;
 
-    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_4096_SHA256
-    RSA_4096_SHA_256 = 3;
+    // maps to CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_4096_SHA256
+    RSA_PSS_4096_SHA_256 = 3;
 
     // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
     EC_P256_SHA256 = 4;
 
-    // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA256
-    EC_P384_SHA256 = 5;
-
-    // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P521_SHA256
-    EC_P521_SHA256 = 6;
+    // maps to CryptoKeyVersionAlgorithm.EC_SIGN_P384_SHA384
+    EC_P384_SHA384 = 5;
   }
 
   // Output only. The resource name for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the
@@ -283,19 +297,23 @@ message CertificateAuthority {
   // from this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
   IssuingOptions issuing_options = 8 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. This [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s issuer chain. If self-signed, will be the
-  // same as 'pem_cert'. This may be updated (e.g., if an issuer's cert was
-  // replaced). Expected to be in issuer-to-root order according to RFC 5246.
-  repeated string pem_issuer_cert_chain = 9 [(google.api.field_behavior) = OPTIONAL];
+  // Optional. If this is a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], this field will be set
+  // with the subordinate configuration, which describes its issuers. This may
+  // be updated, but this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] must continue to validate.
+  SubordinateConfig subordinate_config = 19 [(google.api.field_behavior) = OPTIONAL];
 
   // Output only. The [State][google.cloud.security.privateca.v1beta1.CertificateAuthority.State] for this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority].
   State state = 10 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. This [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate.
-  string pem_certificate = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. This [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate chain, including the current
+  // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate. Ordered such that the root issuer
+  // is the final element (consistent with RFC 5246). For a self-signed CA, this
+  // will only list the current [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s certificate.
+  repeated string pem_ca_certificates = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA cert.
-  CertificateDescription ca_certificate_description = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. A structured description of this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]'s CA certificate
+  // and its issuers. Ordered as self-to-root.
+  repeated CertificateDescription ca_certificate_descriptions = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Immutable. The name of a Cloud Storage bucket where this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will
   // publish content, such as the CA certificate and CRLs. This must be a bucket
@@ -317,7 +335,7 @@ message CertificateAuthority {
 
   // Output only. The time at which this [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] will be deleted, if
   // scheduled for deletion.
-  google.protobuf.Timestamp deletion_time = 17 [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp delete_time = 17 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Optional. Labels with user-defined metadata.
   map<string, string> labels = 18 [(google.api.field_behavior) = OPTIONAL];
@@ -533,6 +551,29 @@ message ReusableConfigWrapper {
   }
 }
 
+// Describes a subordinate CA's issuers. This is either a resource path to a
+// known issuing [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], or a PEM issuer certificate chain.
+message SubordinateConfig {
+  // This message describes a subordinate CA's issuer certificate chain. This
+  // wrapper exists for compatibility reasons.
+  message SubordinateConfigChain {
+    // Required. Expected to be in leaf-to-root order according to RFC 5246.
+    repeated string pem_certificates = 1 [(google.api.field_behavior) = REQUIRED];
+  }
+
+  oneof subordinate_config {
+    // Required. This can refer to a [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority] in the same project that
+    // was used to create a subordinate [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority]. This field
+    // is used for information and usability purposes only. The resource name
+    // is in the format `projects/*/locations/*/certificateAuthorities/*`.
+    string certificate_authority = 1 [(google.api.field_behavior) = REQUIRED];
+
+    // Required. Contains the PEM certificate chain for the issuers of this
+    // [CertificateAuthority][google.cloud.security.privateca.v1beta1.CertificateAuthority], but not pem certificate for this CA itself.
+    SubordinateConfigChain pem_issuer_chain = 2 [(google.api.field_behavior) = REQUIRED];
+  }
+}
+
 // A [PublicKey][google.cloud.security.privateca.v1beta1.PublicKey] describes a public key.
 message PublicKey {
   // Types of public keys that are supported.
@@ -624,6 +665,12 @@ message CertificateDescription {
     string key_id = 1 [(google.api.field_behavior) = OPTIONAL];
   }
 
+  // A group of fingerprints for the x509 certificate.
+  message CertificateFingerprint {
+    // The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
+    string sha256_hash = 1;
+  }
+
   // Describes some of the values in a certificate that are related to the
   // subject and lifetime.
   SubjectDescription subject_description = 1;
@@ -650,6 +697,9 @@ message CertificateDescription {
   // Describes lists of issuer CA certificate URLs that appear in the
   // "Authority Information Access" extension in the certificate.
   repeated string aia_issuing_certificate_urls = 7;
+
+  // The hash of the x.509 certificate.
+  CertificateFingerprint cert_fingerprint = 8;
 }
 
 // An [ObjectId][google.cloud.security.privateca.v1beta1.ObjectId] specifies an object identifier (OID). These provide context