feat: add RDN sequence

Google APIs · copybara-github · commit cd7fed30706c · 2025-07-07T16:17:03.000-07:00
feat: add User Defined Access URLs
feat: add backdate duration
feat: adds tbs_certificate_digest to CertificateDescription

PiperOrigin-RevId: 780300269
diff --git a/google/cloud/security/privateca/v1/BUILD.bazel b/google/cloud/security/privateca/v1/BUILD.bazel
@@ -28,6 +28,7 @@ proto_library(
         "//google/api:annotations_proto",
         "//google/api:client_proto",
         "//google/api:field_behavior_proto",
+        "//google/api:field_info_proto",
         "//google/api:resource_proto",
         "//google/longrunning:operations_proto",
         "//google/type:expr_proto",
diff --git a/google/cloud/security/privateca/v1/resources.proto b/google/cloud/security/privateca/v1/resources.proto
@@ -22,7 +22,6 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
 import "google/type/expr.proto";
 
-option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Security.PrivateCA.V1";
 option go_package = "cloud.google.com/go/security/privateca/apiv1/privatecapb;privatecapb";
 option java_multiple_files = true;
@@ -180,10 +179,32 @@ message CertificateAuthority {
     EC_P384_SHA384 = 5;
   }
 
-  // Output only. The resource name for this
+  // User-defined URLs for accessing content published by this
+  // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority].
+  message UserDefinedAccessUrls {
+    // Optional. A list of URLs where the issuer CA certificate may be
+    // downloaded, which appears in the "Authority Information Access" extension
+    // in the certificate. If specified, the default [Cloud Storage
+    // URLs][google.cloud.security.privateca.v1.CertificateAuthority.AccessUrls.ca_certificate_access_url]
+    // will be omitted.
+    repeated string aia_issuing_certificate_urls = 1
+        [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. A list of URLs where to obtain CRL information, i.e.
+    // the DistributionPoint.fullName described by
+    // https://tools.ietf.org/html/rfc5280#section-4.2.1.13.
+    // If specified, the default
+    // [Cloud Storage
+    // URLs][google.cloud.security.privateca.v1.CertificateAuthority.AccessUrls.crl_access_urls]
+    // will be omitted.
+    repeated string crl_access_urls = 2
+        [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // Identifier. The resource name for this
   // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
   // in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // Required. Immutable. The
   // [Type][google.cloud.security.privateca.v1.CertificateAuthority.Type] of
@@ -302,6 +323,18 @@ message CertificateAuthority {
 
   // Optional. Labels with user-defined metadata.
   map<string, string> labels = 17 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. User-defined URLs for CA certificate and CRLs. The service does
+  // not publish content to these URLs. It is up to the user to mirror content
+  // to these URLs.
+  UserDefinedAccessUrls user_defined_access_urls = 18
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. Reserved for future use.
+  bool satisfies_pzs = 19 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Reserved for future use.
+  bool satisfies_pzi = 20 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A [CaPool][google.cloud.security.privateca.v1.CaPool] represents a group of
@@ -472,6 +505,16 @@ message CaPool {
     repeated AllowedKeyType allowed_key_types = 1
         [(google.api.field_behavior) = OPTIONAL];
 
+    // Optional. The duration to backdate all certificates issued from this
+    // [CaPool][google.cloud.security.privateca.v1.CaPool]. If not set, the
+    // certificates will be issued with a not_before_time of the issuance time
+    // (i.e. the current time). If set, the certificates will be issued with a
+    // not_before_time of the issuance time minus the backdate_duration. The
+    // not_after_time will be adjusted to preserve the requested lifetime. The
+    // backdate_duration must be less than or equal to 48 hours.
+    google.protobuf.Duration backdate_duration = 7
+        [(google.api.field_behavior) = OPTIONAL];
+
     // Optional. The maximum lifetime allowed for issued
     // [Certificates][google.cloud.security.privateca.v1.Certificate]. Note that
     // if the issuing
@@ -529,10 +572,10 @@ message CaPool {
         [(google.api.field_behavior) = OPTIONAL];
   }
 
-  // Output only. The resource name for this
+  // Identifier. The resource name for this
   // [CaPool][google.cloud.security.privateca.v1.CaPool] in the format
   // `projects/*/locations/*/caPools/*`.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // Required. Immutable. The
   // [Tier][google.cloud.security.privateca.v1.CaPool.Tier] of this
@@ -610,11 +653,11 @@ message CertificateRevocationList {
     SUPERSEDED = 2;
   }
 
-  // Output only. The resource name for this
+  // Identifier. The resource name for this
   // [CertificateRevocationList][google.cloud.security.privateca.v1.CertificateRevocationList]
   // in the format `projects/*/locations/*/caPools/*certificateAuthorities/*/
   //    certificateRevocationLists/*`.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // Output only. The CRL sequence number that appears in pem_crl.
   int64 sequence_number = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
@@ -680,15 +723,10 @@ message Certificate {
     google.protobuf.Timestamp revocation_time = 2;
   }
 
-  // Output only. The resource name for this
+  // Identifier. The resource name for this
   // [Certificate][google.cloud.security.privateca.v1.Certificate] in the format
   // `projects/*/locations/*/caPools/*/certificates/*`.
-  string name = 1 [
-    (google.api.field_behavior) = OUTPUT_ONLY,
-    (google.api.resource_reference) = {
-      type: "privateca.googleapis.com/Certificate"
-    }
-  ];
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // The config used to create a signed X.509 certificate.
   oneof certificate_config {
@@ -782,15 +820,10 @@ message CertificateTemplate {
     pattern: "projects/{project}/locations/{location}/certificateTemplates/{certificate_template}"
   };
 
-  // Output only. The resource name for this
+  // Identifier. The resource name for this
   // [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]
   // in the format `projects/*/locations/*/certificateTemplates/*`.
-  string name = 1 [
-    (google.api.field_behavior) = OUTPUT_ONLY,
-    (google.api.resource_reference) = {
-      type: "privateca.googleapis.com/CertificateTemplate"
-    }
-  ];
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
   // Optional. The maximum lifetime allowed for issued
   // [Certificates][google.cloud.security.privateca.v1.Certificate] that use
@@ -873,19 +906,19 @@ message CertificateTemplate {
 // usage fields, fields specific to CA certificates, certificate policy
 // extensions and custom extensions.
 message X509Parameters {
-  // Describes values that are relevant in a CA certificate.
+  // Describes the X.509 basic constraints extension, per [RFC 5280
+  // section 4.2.1.9](https://tools.ietf.org/html/rfc5280#section-4.2.1.9)
   message CaOptions {
-    // Optional. Refers to the "CA" X.509 extension, which is a boolean value.
-    // When this value is missing, the extension will be omitted from the CA
-    // certificate.
+    // Optional. Refers to the "CA" boolean field in the X.509 extension.
+    // When this value is missing, the basic constraints extension will be
+    // omitted from the certificate.
     optional bool is_ca = 1 [(google.api.field_behavior) = OPTIONAL];
 
-    // Optional. Refers to the path length restriction X.509 extension. For a CA
-    // certificate, this value describes the depth of subordinate CA
-    // certificates that are allowed.
-    // If this value is less than 0, the request will fail.
-    // If this value is missing, the max path length will be omitted from the
-    // CA certificate.
+    // Optional. Refers to the path length constraint field in the X.509
+    // extension. For a CA certificate, this value describes the depth of
+    // subordinate CA certificates that are allowed. If this value is less than
+    // 0, the request will fail. If this value is missing, the max path length
+    // will be omitted from the certificate.
     optional int32 max_issuer_path_length = 2
         [(google.api.field_behavior) = OPTIONAL];
   }
@@ -951,7 +984,9 @@ message X509Parameters {
 
   // Optional. Describes options in this
   // [X509Parameters][google.cloud.security.privateca.v1.X509Parameters] that
-  // are relevant in a CA certificate.
+  // are relevant in a CA certificate. If not specified, a default basic
+  // constraints extension with `is_ca=false` will be added for leaf
+  // certificates.
   CaOptions ca_options = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Describes the X.509 certificate policy object identifiers, per
@@ -1163,6 +1198,12 @@ message CertificateDescription {
 
   // The hash of the x.509 certificate.
   CertificateFingerprint cert_fingerprint = 8;
+
+  // The hash of the pre-signed certificate, which will be signed by the CA.
+  // Corresponds to the TBS Certificate in
+  // https://tools.ietf.org/html/rfc5280#section-4.1.2. The field will always be
+  // populated.
+  string tbs_certificate_digest = 9;
 }
 
 // An [ObjectId][google.cloud.security.privateca.v1.ObjectId] specifies an
@@ -1267,6 +1308,31 @@ message KeyUsage {
   repeated ObjectId unknown_extended_key_usages = 3;
 }
 
+// [AttributeTypeAndValue][google.cloud.security.privateca.v1.AttributeTypeAndValue]
+// specifies an attribute type and value. It can use either a OID or enum value
+// to specify the attribute type.
+message AttributeTypeAndValue {
+  // The attribute type for the attribute and value pair.
+  oneof attribute_type {
+    // The attribute type of the attribute and value pair.
+    AttributeType type = 1;
+
+    // Object ID for an attribute type of an attribute and value pair.
+    ObjectId object_id = 2;
+  }
+
+  // The value for the attribute type.
+  string value = 3;
+}
+
+// [RelativeDistinguishedName][google.cloud.security.privateca.v1.RelativeDistinguishedName]
+// specifies a relative distinguished name which will be used to build a
+// distinguished name.
+message RelativeDistinguishedName {
+  // Attributes describes the attribute value assertions in the RDN.
+  repeated AttributeTypeAndValue attributes = 1;
+}
+
 // [Subject][google.cloud.security.privateca.v1.Subject] describes parts of a
 // distinguished name that, in turn, describes the subject of the certificate.
 message Subject {
@@ -1293,6 +1359,9 @@ message Subject {
 
   // The postal code of the subject.
   string postal_code = 8;
+
+  // This field can be used in place of the named subject fields.
+  repeated RelativeDistinguishedName rdn_sequence = 9;
 }
 
 // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames]
@@ -1419,6 +1488,37 @@ message CertificateExtensionConstraints {
       [(google.api.field_behavior) = OPTIONAL];
 }
 
+// [AttributeType][google.cloud.security.privateca.v1.AttributeType] specifies
+// the type of Attribute in a relative distinguished name.
+enum AttributeType {
+  // Attribute type is unspecified.
+  ATTRIBUTE_TYPE_UNSPECIFIED = 0;
+
+  // The "common name" of the subject.
+  COMMON_NAME = 1;
+
+  // The country code of the subject.
+  COUNTRY_CODE = 2;
+
+  // The organization of the subject.
+  ORGANIZATION = 3;
+
+  // The organizational unit of the subject.
+  ORGANIZATIONAL_UNIT = 4;
+
+  // The locality or city of the subject.
+  LOCALITY = 5;
+
+  // The province, territory, or regional state of the subject.
+  PROVINCE = 6;
+
+  // The street address of the subject.
+  STREET_ADDRESS = 7;
+
+  // The postal code of the subject.
+  POSTAL_CODE = 8;
+}
+
 // A [RevocationReason][google.cloud.security.privateca.v1.RevocationReason]
 // indicates whether a
 // [Certificate][google.cloud.security.privateca.v1.Certificate] has been
@@ -1484,6 +1584,17 @@ enum SubjectRequestMode {
   // the `privateca.certificates.create` permission.
   DEFAULT = 1;
 
+  // A mode used to get an accurate representation of the Subject
+  // field's distinguished name. Indicates that the certificate's
+  // [Subject][google.cloud.security.privateca.v1.Subject] and/or
+  // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] are
+  // specified in the certificate request. When parsing a PEM CSR this mode will
+  // maintain the sequence of RDNs found in the CSR's subject field in the
+  // issued [Certificate][google.cloud.security.privateca.v1.Certificate]. This
+  // mode requires the caller to have the `privateca.certificates.create`
+  // permission.
+  RDN_SEQUENCE = 3;
+
   // A mode reserved for special cases. Indicates that the certificate should
   // have one SPIFFE
   // [SubjectAltNames][google.cloud.security.privateca.v1.SubjectAltNames] set
diff --git a/google/cloud/security/privateca/v1/service.proto b/google/cloud/security/privateca/v1/service.proto
