feat: Add encoding format to .google.cloud.security.privateca.v1.CaPool Resource

Google APIs · copybara-github · commit 8d326d5a7e71 · 2024-04-01T15:24:02.000-07:00
docs: A comment for field `maximum_lifetime` in message `.google.cloud.security.privateca.v1.CaPool` is changed
docs: A comment for field `maximum_lifetime` in message `.google.cloud.security.privateca.v1.CertificateTemplate` is changed
docs: A comment for field `subject_key_id` in message `.google.cloud.security.privateca.v1.CertificateConfig` is changed
docs: A comment for method `FetchCaCerts` in service `CertificateAuthorityService` is changed
docs: A comment for field `ignore_dependent_resources` in message `.google.cloud.security.privateca.v1.DisableCertificateAuthorityRequest` is changed
docs: A comment for field `ignore_dependent_resources` in message `.google.cloud.security.privateca.v1.DeleteCertificateAuthorityRequest` is changed
docs: A comment for field `ignore_dependent_resources` in message `.google.cloud.security.privateca.v1.DeleteCaPoolRequest` is changed
docs: A comment for field `ca_certs` in message `.google.cloud.security.privateca.v1.FetchCaCertsResponse` is changed

PiperOrigin-RevId: 620969058
diff --git a/google/cloud/security/privateca/v1/resources.proto b/google/cloud/security/privateca/v1/resources.proto
@@ -338,6 +338,22 @@ message CaPool {
   // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
   // in the [CaPool][google.cloud.security.privateca.v1.CaPool].
   message PublishingOptions {
+    // Supported encoding formats for publishing.
+    enum EncodingFormat {
+      // Not specified. By default, PEM format will be used.
+      ENCODING_FORMAT_UNSPECIFIED = 0;
+
+      // The
+      // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s
+      // CA certificate and CRLs will be published in PEM format.
+      PEM = 1;
+
+      // The
+      // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s
+      // CA certificate and CRLs will be published in DER format.
+      DER = 2;
+    }
+
     // Optional. When true, publishes each
     // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]'s
     // CA certificate and includes its URL in the "Authority Information Access"
@@ -357,6 +373,12 @@ message CaPool {
     // days from their creation. However, we will rebuild daily. CRLs are also
     // rebuilt shortly after a certificate is revoked.
     bool publish_crl = 2 [(google.api.field_behavior) = OPTIONAL];
+
+    // Optional. Specifies the encoding format of each
+    // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
+    // resource's CA certificate and CRLs. If this is omitted, CA certificates
+    // and CRLs will be published in PEM.
+    EncodingFormat encoding_format = 3 [(google.api.field_behavior) = OPTIONAL];
   }
 
   // Defines controls over all certificate issuance within a
@@ -455,9 +477,9 @@ message CaPool {
     // if the issuing
     // [CertificateAuthority][google.cloud.security.privateca.v1.CertificateAuthority]
     // expires before a
-    // [Certificate][google.cloud.security.privateca.v1.Certificate]'s requested
-    // maximum_lifetime, the effective lifetime will be explicitly truncated to
-    // match it.
+    // [Certificate][google.cloud.security.privateca.v1.Certificate] resource's
+    // requested maximum_lifetime, the effective lifetime will be explicitly
+    // truncated to match it.
     google.protobuf.Duration maximum_lifetime = 2
         [(google.api.field_behavior) = OPTIONAL];
 
@@ -773,7 +795,7 @@ message CertificateTemplate {
   // Optional. The maximum lifetime allowed for issued
   // [Certificates][google.cloud.security.privateca.v1.Certificate] that use
   // this template. If the issuing
-  // [CaPool][google.cloud.security.privateca.v1.CaPool]'s
+  // [CaPool][google.cloud.security.privateca.v1.CaPool] resource's
   // [IssuancePolicy][google.cloud.security.privateca.v1.CaPool.IssuancePolicy]
   // specifies a
   // [maximum_lifetime][google.cloud.security.privateca.v1.CaPool.IssuancePolicy.maximum_lifetime]
@@ -1062,8 +1084,8 @@ message CertificateConfig {
 
   // Optional. When specified this provides a custom SKI to be used in the
   // certificate. This should only be used to maintain a SKI of an existing CA
-  // originally created outside CAS, which was not generated using method (1)
-  // described in RFC 5280 section 4.2.1.2.
+  // originally created outside CA service, which was not generated using method
+  // (1) described in RFC 5280 section 4.2.1.2.
   KeyId subject_key_id = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
diff --git a/google/cloud/security/privateca/v1/service.proto b/google/cloud/security/privateca/v1/service.proto
@@ -301,7 +301,7 @@ service CertificateAuthorityService {
 
   // FetchCaCerts returns the current trust anchor for the
   // [CaPool][google.cloud.security.privateca.v1.CaPool]. This will include CA
-  // certificate chains for all Certificate Authorities in the ENABLED,
+  // certificate chains for all certificate authorities in the ENABLED,
   // DISABLED, or STAGED states.
   rpc FetchCaCerts(FetchCaCertsRequest) returns (FetchCaCertsResponse) {
     option (google.api.http) = {
@@ -723,7 +723,7 @@ message DisableCertificateAuthorityRequest {
 
   // Optional. This field allows this CA to be disabled even if it's being
   // depended on by another resource. However, doing so may result in unintended
-  // and unrecoverable effects on any dependent resource(s) since the CA will
+  // and unrecoverable effects on any dependent resources since the CA will
   // no longer be able to issue certificates.
   bool ignore_dependent_resources = 3 [(google.api.field_behavior) = OPTIONAL];
 }
@@ -910,9 +910,9 @@ message DeleteCertificateAuthorityRequest {
   // been allowed. If you proceed, there will be no way to recover this CA.
   bool skip_grace_period = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. This field allows this ca to be deleted even if it's being
+  // Optional. This field allows this CA to be deleted even if it's being
   // depended on by another resource. However, doing so may result in unintended
-  // and unrecoverable effects on any dependent resource(s) since the CA will
+  // and unrecoverable effects on any dependent resources since the CA will
   // no longer be able to issue certificates.
   bool ignore_dependent_resources = 6 [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1040,7 +1040,7 @@ message DeleteCaPoolRequest {
 
   // Optional. This field allows this pool to be deleted even if it's being
   // depended on by another resource. However, doing so may result in unintended
-  // and unrecoverable effects on any dependent resource(s) since the pool will
+  // and unrecoverable effects on any dependent resources since the pool will
   // no longer be able to issue certificates.
   bool ignore_dependent_resources = 4 [(google.api.field_behavior) = OPTIONAL];
 }
@@ -1082,7 +1082,7 @@ message FetchCaCertsResponse {
     repeated string certificates = 1;
   }
 
-  // The PEM encoded CA certificate chains of all Certificate Authorities in
+  // The PEM encoded CA certificate chains of all certificate authorities in
   // this [CaPool][google.cloud.security.privateca.v1.CaPool] in the ENABLED,
   // DISABLED, or STAGED states.
   repeated CertChain ca_certs = 1;
