Class: Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy

Inherits:

Object

• Object
• Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/security/privateca/v1/resources.rb

Overview

Defines controls over all certificate issuance within a CaPool.

Defined Under Namespace

Classes: AllowedKeyType, IssuanceModes

Instance Attribute Summary

• #allowed_issuance_modes ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes

  Optional.

• #allowed_key_types ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>

  Optional.

• #baseline_values ⇒ ::Google::Cloud::Security::PrivateCA::V1::X509Parameters

  Optional.

• #identity_constraints ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints

  Optional.

• #maximum_lifetime ⇒ ::Google::Protobuf::Duration

  Optional.

• #passthrough_extensions ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints

  Optional.

Instance Attribute Details

#allowed_issuance_modes ⇒ ::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes

Returns Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes) —

  Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#allowed_key_types ⇒ ::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>

Returns Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

Returns:

• (::Array<::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType>) —

  Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#baseline_values ⇒ ::Google::Cloud::Security::PrivateCA::V1::X509Parameters

Returns Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::X509Parameters) —

  Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#identity_constraints ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints

Returns Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateIdentityConstraints) —

  Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#maximum_lifetime ⇒ ::Google::Protobuf::Duration

Returns Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

Returns:

• (::Google::Protobuf::Duration) —

  Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end

#passthrough_extensions ⇒ ::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints

Returns Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

Returns:

• (::Google::Cloud::Security::PrivateCA::V1::CertificateExtensionConstraints) —

  Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.

# File 'proto_docs/google/cloud/security/privateca/v1/resources.rb', line 443

class IssuancePolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes a "type" of key that may be used in a
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued from
  # a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}. Note that a single
  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType AllowedKeyType}
  # may refer to either a fully-qualified key algorithm, such as RSA 4096, or
  # a family of key algorithms, such as any RSA key.
  # @!attribute [rw] rsa
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::RsaKeyType]
  #     Represents an allowed RSA key type.
  # @!attribute [rw] elliptic_curve
  #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType]
  #     Represents an allowed Elliptic Curve key type.
  class AllowedKeyType
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes an RSA key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] min_modulus_size
    #   @return [::Integer]
    #     Optional. The minimum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service-level min RSA
    #     modulus size will continue to apply.
    # @!attribute [rw] max_modulus_size
    #   @return [::Integer]
    #     Optional. The maximum allowed RSA modulus size (inclusive), in bits.
    #     If this is not set, or if set to zero, the service will not enforce
    #     an explicit upper bound on RSA modulus sizes.
    class RsaKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes an Elliptic Curve key that may be used in a
    # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
    # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
    # @!attribute [rw] signature_algorithm
    #   @return [::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::AllowedKeyType::EcKeyType::EcSignatureAlgorithm]
    #     Optional. A signature algorithm that must be used. If this is
    #     omitted, any EC-based signature algorithm will be allowed.
    class EcKeyType
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes an elliptic curve-based signature algorithm that may be
      # used in a
      # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificate} issued
      # from a {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
      module EcSignatureAlgorithm
        # Not specified. Signifies that any signature algorithm may be used.
        EC_SIGNATURE_ALGORITHM_UNSPECIFIED = 0

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-256 curve.
        ECDSA_P256 = 1

        # Refers to the Elliptic Curve Digital Signature Algorithm over the
        # NIST P-384 curve.
        ECDSA_P384 = 2

        # Refers to the Edwards-curve Digital Signature Algorithm over curve
        # 25519, as described in RFC 8410.
        EDDSA_25519 = 3
      end
    end
  end

  # {::Google::Cloud::Security::PrivateCA::V1::CaPool::IssuancePolicy::IssuanceModes IssuanceModes}
  # specifies the allowed ways in which
  # {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} may be
  # requested from this {::Google::Cloud::Security::PrivateCA::V1::CaPool CaPool}.
  # @!attribute [rw] allow_csr_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a CSR.
  # @!attribute [rw] allow_config_based_issuance
  #   @return [::Boolean]
  #     Optional. When true, allows callers to create
  #     {::Google::Cloud::Security::PrivateCA::V1::Certificate Certificates} by
  #     specifying a
  #     {::Google::Cloud::Security::PrivateCA::V1::CertificateConfig CertificateConfig}.
  class IssuanceModes
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end
end