From cc8365784a33f9d97b66a0b4fbcdab9c50d469d5 Mon Sep 17 00:00:00 2001
From: gfxcc
Date: Wed, 20 Apr 2022 12:24:08 -1000
Subject: [PATCH] Fix missing fields on Certificate (#5941)
---
mmv1/products/privateca/api.yaml | 194 ++++++++++++++++++++++++++++++-
1 file changed, 191 insertions(+), 3 deletions(-)
diff --git a/mmv1/products/privateca/api.yaml b/mmv1/products/privateca/api.yaml
index 6aff2f71d74b..297a516cb65a 100644
--- a/mmv1/products/privateca/api.yaml
+++ b/mmv1/products/privateca/api.yaml
@@ -562,6 +562,11 @@ objects:
 required: true
 input: true
 url_param_only: true
+ - !ruby/object:Api::Type::String
+ name: 'issuerCertificateAuthority'
+ description: |
+ The resource name of the issuing CertificateAuthority in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
+ output: true
 - !ruby/object:Api::Type::String
 name: 'lifetime'
 description: |
@@ -739,8 +744,187 @@ objects:
 output: true
 description: |
 The time at which the certificate expires.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'x509Description'
+ output: true
+ description: |
+ A structured description of the issued X.509 certificate.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'additionalExtensions'
+ description: |
+ Describes custom X.509 extensions.
+ output: true
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'critical'
+ description: |
+ Indicates whether or not this extension is critical (i.e., if the client does not know how to
+ handle this extension, the client should consider this to be an error).
+ output: true
+ - !ruby/object:Api::Type::String
+ name: 'value'
+ description: |
+ The value of this X.509 extension. A base64-encoded string.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'objectId'
+ description: |
+ Describes values that are relevant in a CA certificate.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ output: true
+ - !ruby/object:Api::Type::Array
+ name: 'policyIds'
+ description: |
+ Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
+ output: true
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ output: true
+ - !ruby/object:Api::Type::Array
+ name: 'aiaOcspServers'
+ item_type: Api::Type::String
+ description: |
+ Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the
+ "Authority Information Access" extension in the certificate.
+ output: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'caOptions'
+ description: |
+ Describes values that are relevant in a CA certificate.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'isCa'
+ description: |
+ When true, the "CA" in Basic Constraints extension will be set to true.
+ output: true
+ - !ruby/object:Api::Type::Integer
+ name: 'maxIssuerPathLength'
+ description: |
+ Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
+ subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
+ output: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keyUsage'
+ description: |
+ Indicates the intended use for keys that correspond to a certificate.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'baseKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'digitalSignature'
+ description: |
+ The key may be used for digital signatures.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'contentCommitment'
+ description: |
+ The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyEncipherment'
+ description: |
+ The key may be used to encipher other keys.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'dataEncipherment'
+ description: |
+ The key may be used to encipher data.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyAgreement'
+ description: |
+ The key may be used in a key agreement protocol.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'certSign'
+ description: |
+ The key may be used to sign certificates.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'crlSign'
+ description: |
+ The key may be used sign certificate revocation lists.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'encipherOnly'
+ description: |
+ The key may be used to encipher only.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'decipherOnly'
+ description: |
+ The key may be used to decipher only.
+ output: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'extendedKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'serverAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'clientAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'codeSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'emailProtection'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'timeStamping'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
+ output: true
+ - !ruby/object:Api::Type::Boolean
+ name: 'ocspSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
+ output: true
+ - !ruby/object:Api::Type::Array
+ name: 'unknownExtendedKeyUsages'
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ output: true
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ output: true
 - !ruby/object:Api::Type::NestedObject
 name: 'configValues'
+ deprecation_message: Deprecated in favor of `x509_description`.
 output: true
 description: |
 Describes some of the technical fields in a certificate.
@@ -927,8 +1111,15 @@ objects:
 output: true
 description: |
 The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
+ - !ruby/object:Api::Type::Array
+ name: 'pemCertificateChain'
+ output: true
+ description: |
+ The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246.
+ item_type: Api::Type::String
 - !ruby/object:Api::Type::Array
 name: 'pemCertificates'
+ deprecation_message: Deprecated in favor of `pem_certificate_chain`.
 output: true
 description: |
 Required. Expected to be in leaf-to-root order according to RFC 5246.
@@ -1669,6 +1860,3 @@ objects:
 name: 'name'
 description: Dummy property.
 required: true
-
-
-
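Review bot: The `value` property under `additionalExtensions` is the only leaf in the new `x509Description` tree without `output: true` — its `description: |` block is followed directly by the `objectId` sibling — so unless mmv1 inherits `output` from the parent NestedObject (I have not confirmed that it does), the generated Terraform schema would present the raw extension bytes of an issued certificate as a settable field while every sibling is computed; add `output: true` after that description. Several descriptions are also copy-pasted from the wrong node: `objectId` under `additionalExtensions` reads `Describes values that are relevant in a CA certificate.` (the `caOptions` text), `extendedKeyUsage` repeats `baseKeyUsage`'s `Describes high-level ways in which a key may be used.`, and `unknownExtendedKeyUsages` carries the per-item ObjectId sentence instead of describing the list. Since these fields are output-only, the descriptions are what operators reading the provider docs will rely on when auditing issued certificates, so something like `The OID of this X.509 extension.` for `objectId` and `Describes extended key usages (RFC 5280 section 4.2.1.12) not covered by the named booleans above.` for `unknownExtendedKeyUsages` would be worth fixing in the same patch. The `x509Description` definition ends inside this hunk; the enclosing `Certificate` object starts above it.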
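Review bot: The deprecation message on `pemCertificates` does not mention that the two lists are ordered differently — the new `pemCertificateChain` is documented as issuer-to-root while the deprecated field is leaf-to-root — so a caller that migrates by renaming `pem_certificates[0]` to `pem_certificate_chain[0]` silently switches from the leaf to the issuer, and anything that pins or verifies against element 0 (for example a trust-store or pinning check) would then accept the wrong certificate. I would make the message explicit: `deprecation_message: Deprecated in favor of \`pem_certificate_chain\`, which is ordered issuer-to-root (the deprecated field is leaf-to-root); re-check any index-based access when migrating.` The pre-existing `Required.` at the start of the deprecated field's description also contradicts `output: true` and could be dropped while touching this line. The enclosing object continues past the hunk on both sides.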