feat: [google-cloud-private-ca] Add custom subject key identifier field (#12447)

BEGIN_COMMIT_OVERRIDE feat: Add custom subject key identifier field feat: Add support for fine-grained maximum certificate lifetime controls docs: A comment for field `subject` in message `.google.cloud.security.privateca.v1.CertificateConfig` is changed docs: A comment for method `FetchCaCerts` in service `CertificateAuthorityService` is changed docs: A comment for field `ca_certs` in message `.google.cloud.security.privateca.v1.FetchCaCertsResponse` is changed END_COMMIT_OVERRIDE - [ ] Regenerate this pull request now. feat: Add support for fine-grained maximum certificate lifetime controls docs: A comment for field `subject` in message `.google.cloud.security.privateca.v1.CertificateConfig` is changed docs: A comment for method `FetchCaCerts` in service `CertificateAuthorityService` is changed docs: A comment for field `ca_certs` in message `.google.cloud.security.privateca.v1.FetchCaCertsResponse` is changed PiperOrigin-RevId: 615112752 Source-Link: googleapis/googleapis@1793994 Source-Link: googleapis/googleapis-gen@ba61c00 Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLXByaXZhdGUtY2EvLk93bEJvdC55YW1sIiwiaCI6ImJhNjFjMDA4OWZiNTMwMGYyY2QxZGIwMzM3Njc2NzY4MmRiMTc0NzYifQ== --------- Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/services/certificate_authority_service/async_client.py

@@ -2891,10 +2891,8 @@ async def fetch_ca_certs(
  ) -> service.FetchCaCertsResponse:
  r"""FetchCaCerts returns the current trust anchor for the
  [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
- include CA certificate chains for all ACTIVE
- [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
- resources in the
- [CaPool][google.cloud.security.privateca.v1.CaPool].
+ include CA certificate chains for all Certificate Authorities in
+ the ENABLED, DISABLED, or STAGED states.
 
  .. code-block:: python
 

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/services/certificate_authority_service/client.py

@@ -3395,10 +3395,8 @@ def fetch_ca_certs(
  ) -> service.FetchCaCertsResponse:
  r"""FetchCaCerts returns the current trust anchor for the
  [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
- include CA certificate chains for all ACTIVE
- [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
- resources in the
- [CaPool][google.cloud.security.privateca.v1.CaPool].
+ include CA certificate chains for all Certificate Authorities in
+ the ENABLED, DISABLED, or STAGED states.
 
  .. code-block:: python
 

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/services/certificate_authority_service/transports/grpc.py

@@ -845,10 +845,8 @@ def fetch_ca_certs(
 
  FetchCaCerts returns the current trust anchor for the
  [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
- include CA certificate chains for all ACTIVE
- [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
- resources in the
- [CaPool][google.cloud.security.privateca.v1.CaPool].
+ include CA certificate chains for all Certificate Authorities in
+ the ENABLED, DISABLED, or STAGED states.
 
  Returns:
  Callable[[~.FetchCaCertsRequest],

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/services/certificate_authority_service/transports/grpc_asyncio.py

@@ -862,10 +862,8 @@ def fetch_ca_certs(
 
  FetchCaCerts returns the current trust anchor for the
  [CaPool][google.cloud.security.privateca.v1.CaPool]. This will
- include CA certificate chains for all ACTIVE
- [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
- resources in the
- [CaPool][google.cloud.security.privateca.v1.CaPool].
+ include CA certificate chains for all Certificate Authorities in
+ the ENABLED, DISABLED, or STAGED states.
 
  Returns:
  Callable[[~.FetchCaCertsRequest],

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/types/resources.py

@@ -1209,6 +1209,23 @@ class CertificateTemplate(proto.Message):
  [CertificateTemplate][google.cloud.security.privateca.v1.CertificateTemplate]
  in the format
  ``projects/*/locations/*/certificateTemplates/*``.
+ maximum_lifetime (google.protobuf.duration_pb2.Duration):
+ Optional. The maximum lifetime allowed for issued
+ [Certificates][google.cloud.security.privateca.v1.Certificate]
+ that use this template. If the issuing
+ [CaPool][google.cloud.security.privateca.v1.CaPool]'s
+ [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy]
+ specifies a
+ [maximum_lifetime][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.maximum_lifetime]
+ the minimum of the two durations will be the maximum
+ lifetime for issued
+ [Certificates][google.cloud.security.privateca.v1.Certificate].
+ Note that if the issuing
+ [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
+ expires before a
+ [Certificate][google.cloud.security.privateca.v1.Certificate]'s
+ requested maximum_lifetime, the effective lifetime will be
+ explicitly truncated to match it.
  predefined_values (google.cloud.security.privateca_v1.types.X509Parameters):
  Optional. A set of X.509 values that will be applied to all
  issued certificates that use this template. If the
@@ -1267,6 +1284,11 @@ class CertificateTemplate(proto.Message):
  proto.STRING,
  number=1,
  )
+ maximum_lifetime: duration_pb2.Duration = proto.Field(
+ proto.MESSAGE,
+ number=9,
+ message=duration_pb2.Duration,
+ )
  predefined_values: "X509Parameters" = proto.Field(
  proto.MESSAGE,
  number=2,
@@ -1629,6 +1651,13 @@ class CertificateConfig(proto.Message):
  or
  [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
  CSR.
+ subject_key_id (google.cloud.security.privateca_v1.types.CertificateConfig.KeyId):
+ Optional. When specified this provides a
+ custom SKI to be used in the certificate. This
+ should only be used to maintain a SKI of an
+ existing CA originally created outside CAS,
+ which was not generated using method (1)
+ described in RFC 5280 section 4.2.1.2.
  """
 
  class SubjectConfig(proto.Message):
@@ -1637,7 +1666,7 @@ class SubjectConfig(proto.Message):
 
  Attributes:
  subject (google.cloud.security.privateca_v1.types.Subject):
- Required. Contains distinguished name fields
+ Optional. Contains distinguished name fields
  such as the common name, location and
  organization.
  subject_alt_name (google.cloud.security.privateca_v1.types.SubjectAltNames):
@@ -1656,6 +1685,22 @@ class SubjectConfig(proto.Message):
  message="SubjectAltNames",
  )
 
+ class KeyId(proto.Message):
+ r"""A KeyId identifies a specific public key, usually by hashing
+ the public key.
+
+ Attributes:
+ key_id (str):
+ Required. The value of this KeyId encoded in
+ lowercase hexadecimal. This is most likely the
+ 160 bit SHA-1 hash of the public key.
+ """
+
+ key_id: str = proto.Field(
+ proto.STRING,
+ number=1,
+ )
+
  subject_config: SubjectConfig = proto.Field(
  proto.MESSAGE,
  number=1,
@@ -1671,6 +1716,11 @@ class SubjectConfig(proto.Message):
  number=3,
  message="PublicKey",
  )
+ subject_key_id: KeyId = proto.Field(
+ proto.MESSAGE,
+ number=4,
+ message=KeyId,
+ )
 
 
 class CertificateDescription(proto.Message):

packages/google-cloud-private-ca/google/cloud/security/privateca_v1/types/service.py

@@ -1112,11 +1112,10 @@ class FetchCaCertsResponse(proto.Message):
 
  Attributes:
  ca_certs (MutableSequence[google.cloud.security.privateca_v1.types.FetchCaCertsResponse.CertChain]):
- The PEM encoded CA certificate chains of all
- [ACTIVE][CertificateAuthority.State.ACTIVE]
- [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
- resources in this
- [CaPool][google.cloud.security.privateca.v1.CaPool].
+ The PEM encoded CA certificate chains of all Certificate
+ Authorities in this
+ [CaPool][google.cloud.security.privateca.v1.CaPool] in the
+ ENABLED, DISABLED, or STAGED states.
  """
 
  class CertChain(proto.Message):

packages/google-cloud-private-ca/tests/unit/gapic/privateca_v1/test_certificate_authority_service.py

@@ -9566,6 +9566,7 @@ def test_create_certificate_rest(request_type):
  "additional_extensions": {},
  },
  "public_key": {"key": b"key_blob", "format_": 1},
+ "subject_key_id": {"key_id": "key_id_value"},
  },
  "issuer_certificate_authority": "issuer_certificate_authority_value",
  "lifetime": {"seconds": 751, "nanos": 543},
@@ -11005,6 +11006,7 @@ def test_update_certificate_rest(request_type):
  "additional_extensions": {},
  },
  "public_key": {"key": b"key_blob", "format_": 1},
+ "subject_key_id": {"key_id": "key_id_value"},
  },
  "issuer_certificate_authority": "issuer_certificate_authority_value",
  "lifetime": {"seconds": 751, "nanos": 543},
@@ -11796,6 +11798,7 @@ def test_create_certificate_authority_rest(request_type):
  "additional_extensions": {},
  },
  "public_key": {"key": b"key_blob", "format_": 1},
+ "subject_key_id": {"key_id": "key_id_value"},
  },
  "lifetime": {"seconds": 751, "nanos": 543},
  "key_spec": {
@@ -14340,6 +14343,7 @@ def test_update_certificate_authority_rest(request_type):
  "additional_extensions": {},
  },
  "public_key": {"key": b"key_blob", "format_": 1},
+ "subject_key_id": {"key_id": "key_id_value"},
  },
  "lifetime": {"seconds": 751, "nanos": 543},
  "key_spec": {
@@ -17833,6 +17837,7 @@ def test_create_certificate_template_rest(request_type):
  request_init = {"parent": "projects/sample1/locations/sample2"}
  request_init["certificate_template"] = {
  "name": "name_value",
+ "maximum_lifetime": {"seconds": 751, "nanos": 543},
  "predefined_values": {
  "key_usage": {
  "base_key_usage": {
@@ -19184,6 +19189,7 @@ def test_update_certificate_template_rest(request_type):
  }
  request_init["certificate_template"] = {
  "name": "projects/sample1/locations/sample2/certificateTemplates/sample3",
+ "maximum_lifetime": {"seconds": 751, "nanos": 543},
  "predefined_values": {
  "key_usage": {
  "base_key_usage": {