Class: Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy

Inherits:
Object
  • Object
show all
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/security/privateca/v1/resources.rb

Overview

Defines controls over all certificate issuance within a CaPool.

Defined Under Namespace

Classes: AllowedKeyType, IssuanceModes

Instance Attribute Summary collapse

Instance Attribute Details

#allowed_issuance_modes::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes

Returns Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#allowed_key_types::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>

Returns Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#baseline_values::Google::Cloud::Security::PrivateCA::V1::X509Parameters

Returns Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#identity_constraints::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints

Returns Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#maximum_lifetime::Google::Protobuf::Duration

Returns Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#passthrough_extensions::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints

Returns Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

Returns:



443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end