Class: Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy

Inherits:
Object
  • Object
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/security/privateca/v1/resources.rb

Overview

Defines controls over all certificate issuance within a CaPool.

Defined Under Namespace

Classes: AllowedKeyType, IssuanceModes

Instance Attribute Summary

Instance Attribute Details

#allowed_issuance_modes::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes

Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#allowed_key_types::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>

Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#baseline_values::Google::Cloud::Security::PrivateCA::V1::X509Parameters

Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#identity_constraints::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints

Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#maximum_lifetime::Google::Protobuf::Duration

Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match the CertificateAuthority's expiration.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#passthrough_extensions::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints

Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

Returns:



# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 326

class IssuancePolicy
  # Issuance controls for a CaPool. This class body holds only the protobuf
  # mixins and the nested types that describe permitted key types and
  # permitted request methods; no Ruby accessors are written out here.
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
  # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # Note that a single {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType} may refer to either a
  # fully-qualified key algorithm, such as RSA 4096, or a family of key
  # algorithms, such as any RSA key.
  #
  # An entry that names only a family carries no bounds of its own: for RSA
  # the modulus limits come from RsaKeyType, and for EC the algorithm
  # restriction comes from EcKeyType. State those explicitly when the pool
  # must enforce a specific key strength.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
    # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # Both bounds treat "unset" and zero alike, so zero never means "reject
    # every key": an unset floor defers to the service-level minimum, and an
    # unset ceiling means no explicit upper bound is enforced.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service-level min RSA modulus size will
    #     continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size, in bits. If this is not set,
    #     or if set to zero, the service will not enforce an explicit upper
    #     bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate}
    # issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    #
    # signature_algorithm holds a single value. Leaving it unset accepts every
    # EC-based signature algorithm, so a pool meant to accept only a specific
    # algorithm has to name it here.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is omitted, any
    #     EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        # This zero value is the permissive setting, not a restriction.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes} specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be requested from this
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  #
  # The field comments only state what a true flag permits; what the service
  # does when a flag is false or unset is not stated here — TODO confirm
  # before relying on a flag to block a request method.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end