From d507f58f5bc8831035b4e4d8b1ce5d5d40ca2cf3 Mon Sep 17 00:00:00 2001 From: SitaLakshmi Date: Wed, 1 Sep 2021 23:48:36 +0530 Subject: [PATCH 1/9] docs(samples): init commit - set issuance policy --- .../UpdateCaPool_IssuancePolicy.java | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java diff --git a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java new file mode 100644 index 00000000..66f62bc2 --- /dev/null +++ b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java 
@@ -0,0 +1,116 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package privateca; + +// [START privateca_set_issuance_policy] + +import com.google.api.core.ApiFuture; +import com.google.cloud.security.privateca.v1.CaPool; +import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy; +import com.google.cloud.security.privateca.v1.CaPoolName; +import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; +import com.google.cloud.security.privateca.v1.CertificateExtensionConstraints; +import com.google.cloud.security.privateca.v1.CertificateExtensionConstraints.KnownCertificateExtension; +import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints; +import com.google.cloud.security.privateca.v1.UpdateCaPoolRequest; +import com.google.longrunning.Operation; +import com.google.protobuf.FieldMask; +import java.io.IOException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +public class UpdateCaPool_IssuancePolicy { + + public static void main(String[] args) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + // TODO(developer): Replace these variables before running the sample. 
+ // location: For a list of locations, see: + // https://cloud.google.com/certificate-authority-service/docs/locations + // pool_Id: The CA pool for which the issuance policy is to be updated. + String project = "your-project-id"; + String location = "ca-location"; + String pool_Id = "ca-pool-id"; + + updateCaPoolIssuancePolicy(project, location, pool_Id); + } + + /* Update the Issuance policy for a CA Pool. All certificates issued from this CA Pool should + meet the issuance policy. */ + public static void updateCaPoolIssuancePolicy(String project, String location, String pool_Id) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* Initialize client that will be used to send requests. This client only needs to be created + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ + try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = + CertificateAuthorityServiceClient.create()) { + + // Set the updated issuance policy for the CA Pool. + CaPool.IssuancePolicy issuancePolicy = CaPool.IssuancePolicy.newBuilder() + .setPassthroughExtensions(CertificateExtensionConstraints.newBuilder() + .addKnownExtensions(KnownCertificateExtension.BASE_KEY_USAGE) + .addKnownExtensions(KnownCertificateExtension.EXTENDED_KEY_USAGE).build()) + .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() + .setAllowSubjectPassthrough(true) + .setAllowSubjectAltNamesPassthrough(true).build()).build(); + + CaPool caPool = CaPool.newBuilder() + .setName(CaPoolName.of(project, location, pool_Id).toString()) + .setIssuancePolicy(issuancePolicy).build(); + + /* 1. Set the CA pool with updated values. + 2. Set the update mask to specify which properties of the CA Pool should be updated. + Only the properties specified in the mask will be updated. 
Make sure that the mask fields + match the updated issuance policy. + For more info on constructing path for update mask, see: + https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */ + UpdateCaPoolRequest updateCaPoolRequest = UpdateCaPoolRequest.newBuilder() + .setCaPool(caPool) + .setUpdateMask(FieldMask.newBuilder(FieldMask.newBuilder() + .addPaths("issuance_policy.identity_constraints.allow_subject_passthrough") + .addPaths("issuance_policy.identity_constraints.allow_subject_alt_names_passthrough") + .addPaths("issuance_policy.passthrough_extensions.known_extensions").build())) + .build(); + + // Update CA Pool request. + ApiFuture futureCall = certificateAuthorityServiceClient.updateCaPoolCallable() + .futureCall(updateCaPoolRequest); + + Operation operation = futureCall.get(60, TimeUnit.SECONDS); + + // Check for errors. + if (operation.hasError()) { + System.out.println("Error in updating CA Pool ! " + operation.getError()); + return; + } + + // Get the CA Pool's issuance policy and verify if the fields have been successfully updated. + IssuancePolicy response = certificateAuthorityServiceClient + .getCaPool(CaPoolName.of(project, location, pool_Id).toString()).getIssuancePolicy(); + + // Similarly, you can check for other modified fields as well. + if (response.getIdentityConstraints().getAllowSubjectPassthrough() && response + .getIdentityConstraints().getAllowSubjectAltNamesPassthrough()) { + System.out.println("CA Pool has been updated successfully ! "); + return; + } + + System.out.println("Error in updating CA Pool ! Please try again ! " + response); + } + } +} +// [END privateca_set_issuance_policy] \ No newline at end of file From f66382f1fc05277f2d53de2ff43f0c62f8acd62e Mon Sep 17 00:00:00 2001 
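Review bot: `futureCall.get(60, TimeUnit.SECONDS)` resolves as soon as the service accepts the update, not when the long-running operation finishes, so `operation.hasError()` is false for an operation that is still running and the `getCaPool` read that follows can return the pre-update policy and end in the "Please try again" branch. Waiting on the LRO is a one-line change: `CaPool updated = certificateAuthorityServiceClient.updateCaPoolAsync(updateCaPoolRequest).get(60, TimeUnit.SECONDS);`, after which a failed operation surfaces as the already-declared `ExecutionException` and the `hasError` block and `Operation` import become unnecessary. If the raw callable is kept, declare `ApiFuture<Operation> futureCall` rather than the raw `ApiFuture`. The same pattern appears in CreateCertificateTemplate, DeleteCertificateTemplate and UpdateCertificateTemplate in PATCH 2/9. Separately, the comment above `issuancePolicy` should state that with both passthrough flags true and no `cel_expression` the pool imposes no restriction on the Subject or SAN values a requester supplies.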
From: SitaLakshmi Date: Thu, 2 Sep 2021 01:15:28 +0530 Subject: [PATCH 2/9] docs(samples): added certificate template CRUD samples --- .../privateca/CreateCertificateTemplate.java | 116 ++++++++++++++++++ .../privateca/DeleteCertificateTemplate.java | 77 ++++++++++++ .../privateca/ListCertificateTemplates.java | 72 +++++++++++ .../privateca/UpdateCertificateTemplate.java | 108 ++++++++++++++++ 4 files changed, 373 insertions(+) create mode 100644 samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java create mode 100644 samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java create mode 100644 samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java create mode 100644 samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java new file mode 100644 index 00000000..6e97b02d --- /dev/null +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java 
@@ -0,0 +1,116 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package privateca; + +// [START privateca_create_certificate_template] + +import com.google.api.core.ApiFuture; +import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; +import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints; +import com.google.cloud.security.privateca.v1.CertificateTemplate; +import com.google.cloud.security.privateca.v1.CreateCertificateTemplateRequest; +import com.google.cloud.security.privateca.v1.KeyUsage; +import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions; +import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions; +import com.google.cloud.security.privateca.v1.LocationName; +import com.google.cloud.security.privateca.v1.X509Parameters; +import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions; +import com.google.longrunning.Operation; +import com.google.type.Expr; +import java.io.IOException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +public class CreateCertificateTemplate { + + public static void main(String[] args) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* TODO(developer): Replace these variables before running the sample. 
+ location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations */ + String project = "your-project-id"; + String location = "ca-location"; + + createCertificateTemplate(project, location); + } + + /* Creates a Certificate template. These templates can be reused for common + certificate issuance scenarios. */ + public static void createCertificateTemplate(String project, String location) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* Initialize client that will be used to send requests. This client only needs to be created + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ + try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = + CertificateAuthorityServiceClient.create()) { + + // A unique identifier of the certificate template. + String certificateTemplateId = "server-tls"; + + /* Describes any predefined X.509 values set by this template. + The provided extensions are copied over to certificate requests that use this template.*/ + KeyUsage keyUsage = KeyUsage.newBuilder() + .setBaseKeyUsage(KeyUsageOptions.newBuilder() + .setDigitalSignature(true) + .setKeyEncipherment(true).build()) + .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder() + .setServerAuth(true).build()) + .build(); + + CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build(); + + /* CEL expression that is evaluated against the Subject and + Subject Alternative Name of the certificate before it is issued. */ + Expr expr = Expr.newBuilder() + .setExpression("subject_alt_names.all(san, san.type == DNS)") + .build(); + + // Set the certificate issuance schema. 
+ CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() + .setPredefinedValues(X509Parameters.newBuilder() + .setKeyUsage(keyUsage) + .setCaOptions(caOptions).build()) + .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() + .setCelExpression(expr) + .setAllowSubjectPassthrough(false) + .setAllowSubjectAltNamesPassthrough(false).build()) + .build(); + + // Set the parent and certificate template properties. + CreateCertificateTemplateRequest certificateTemplateRequest = CreateCertificateTemplateRequest + .newBuilder() + .setParent(LocationName.of(project, location).toString()) + .setCertificateTemplate(certificateTemplate) + .setCertificateTemplateId(certificateTemplateId).build(); + + // Create Template request. + ApiFuture futureCall = certificateAuthorityServiceClient + .createCertificateTemplateCallable().futureCall(certificateTemplateRequest); + + Operation response = futureCall.get(60, TimeUnit.SECONDS); + + if (response.hasError()) { + System.out.println("Error creating certificate template ! " + response.getError()); + return; + } + + System.out.println("Successfully created certificate template ! " + response.getName()); + } + } +} +// [END privateca_create_certificate_template] \ No newline at end of file diff --git a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java new file mode 100644 index 00000000..7d42f1f4 --- /dev/null +++ b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java 
@@ -0,0 +1,77 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package privateca; + +// [START privateca_delete_certificate_template] + +import com.google.api.core.ApiFuture; +import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; +import com.google.cloud.security.privateca.v1.CertificateTemplateName; +import com.google.cloud.security.privateca.v1.DeleteCertificateTemplateRequest; +import com.google.longrunning.Operation; +import java.io.IOException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +public class DeleteCertificateTemplate { + + + public static void main(String[] args) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* TODO(developer): Replace these variables before running the sample. + location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations + certificateTemplateId: Id of the certificate template to delete. */ + String project = "your-project-id"; + String location = "ca-location"; + String certificateTemplateId = "certificate-template-id"; + + deleteCertificateTemplate(project, location, certificateTemplateId); + } + + // Deletes the certificate template present in the given project and location. 
+ public static void deleteCertificateTemplate(String project, String location, + String certificateTemplateId) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* Initialize client that will be used to send requests. This client only needs to be created + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ + try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = + CertificateAuthorityServiceClient.create()) { + + // Set the parent name of the certificate template to be deleted. + DeleteCertificateTemplateRequest request = DeleteCertificateTemplateRequest.newBuilder() + .setName(CertificateTemplateName.of(project, location, certificateTemplateId).toString()) + .build(); + + ApiFuture futureCall = certificateAuthorityServiceClient + .deleteCertificateTemplateCallable().futureCall(request); + + Operation response = futureCall.get(60, TimeUnit.SECONDS); + + // Check for errors. + if (response.hasError()) { + System.out.println("Error deleting the certificate template ! " + response.getError()); + return; + } + + System.out.println("Successfully created certificate template ! " + response.getName()); + } + } +} +// [END privateca_delete_certificate_template] diff --git a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java new file mode 100644 index 00000000..99421431 --- /dev/null +++ b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java 
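Review bot: The success message on the delete path reads `Successfully created certificate template ! `, copied from CreateCertificateTemplate, so a successful deletion reports a creation; change it to `System.out.println("Successfully deleted certificate template ! " + response.getName());`. Since `response` is an `Operation`, `getName()` is the operation name rather than the template name, which the message should either say or omit. `ApiFuture futureCall` is also a raw type and should be `ApiFuture<Operation>`.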
@@ -0,0 +1,72 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package privateca; + +// [START privateca_list_certificate_template] + +import com.google.api.core.ApiFuture; +import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; +import com.google.cloud.security.privateca.v1.CertificateTemplate; +import com.google.cloud.security.privateca.v1.ListCertificateTemplatesRequest; +import com.google.cloud.security.privateca.v1.ListCertificateTemplatesResponse; +import com.google.cloud.security.privateca.v1.LocationName; +import java.io.IOException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +public class ListCertificateTemplates { + + public static void main(String[] args) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* TODO(developer): Replace these variables before running the sample. + location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations */ + String project = "your-project-id"; + String location = "ca-location"; + + listCertificateTemplates(project, location); + } + + // Lists the certificate templates present in the given project and location. 
+ public static void listCertificateTemplates(String project, String location) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* Initialize client that will be used to send requests. This client only needs to be created + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ + try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = + CertificateAuthorityServiceClient.create()) { + + // Set the parent name to list the certificate templates. + ListCertificateTemplatesRequest request = ListCertificateTemplatesRequest.newBuilder() + .setParent(LocationName.of(project, location).toString()) + .build(); + + ApiFuture futureCall = certificateAuthorityServiceClient + .listCertificateTemplatesCallable().futureCall(request); + + // Get the response. + ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS); + + // List all templates. + for (CertificateTemplate template : response.getCertificateTemplatesList()) { + System.out.println(template.getName()); + } + } + } +} +// [END privateca_list_certificate_template] diff --git a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java new file mode 100644 index 00000000..588da44e --- /dev/null +++ b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java 
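Review bot: `listCertificateTemplatesCallable().futureCall(request).get(...)` yields a single `ListCertificateTemplatesResponse` page and `getNextPageToken()` is never consulted, so templates beyond the first page are silently omitted from the listing. Use the paged wrapper, which walks every page: `for (CertificateTemplate template : certificateAuthorityServiceClient.listCertificateTemplates(request).iterateAll()) { System.out.println(template.getName()); }`. The `ApiFuture` and `ListCertificateTemplatesResponse` imports and the `ExecutionException`/`TimeoutException` throws clauses then become unused.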
@@ -0,0 +1,108 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package privateca; + +// [START privateca_update_certificate_template] + +import com.google.api.core.ApiFuture; +import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; +import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints; +import com.google.cloud.security.privateca.v1.CertificateTemplate; +import com.google.cloud.security.privateca.v1.CertificateTemplateName; +import com.google.cloud.security.privateca.v1.UpdateCertificateTemplateRequest; +import com.google.longrunning.Operation; +import com.google.protobuf.FieldMask; +import java.io.IOException; +import java.util.concurrent.ExecutionException; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.TimeoutException; + +public class UpdateCertificateTemplate { + + + public static void main(String[] args) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + // TODO(developer): Replace these variables before running the sample. + // location: For a list of locations, see: + // https://cloud.google.com/certificate-authority-service/docs/locations + // certificateTemplateId: Id of the certificate template to update. 
+ String project = "your-project-id"; + String location = "ca-location"; + String certificateTemplateId = "certificate-template-id"; + + updateCertificateTemplate(project, location, certificateTemplateId); + } + + // Updates an existing certificate template. + public static void updateCertificateTemplate(String project, String location, + String certificateTemplateId) + throws IOException, ExecutionException, InterruptedException, TimeoutException { + /* Initialize client that will be used to send requests. This client only needs to be created + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ + try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = + CertificateAuthorityServiceClient.create()) { + + String certificateTemplateName = CertificateTemplateName + .of(project, location, certificateTemplateId).toString(); + + // Set the parent name and the properties to be updated. + CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() + .setName(certificateTemplateName) + .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() + .setAllowSubjectPassthrough(false) + .setAllowSubjectAltNamesPassthrough(true).build()) + .build(); + + // Set the mask corresponding to the properties updated above. + FieldMask fieldMask = FieldMask.newBuilder() + .addPaths("identity_constraints.allow_subject_alt_names_passthrough") + .addPaths("identity_constraints.allow_subject_passthrough").build(); + + /* Set the new template. + Set the mask to specify which properties of the template should be updated. */ + UpdateCertificateTemplateRequest request = UpdateCertificateTemplateRequest.newBuilder() + .setCertificateTemplate(certificateTemplate) + .setUpdateMask(fieldMask).build(); + + // Create the update certificate template request. 
+ ApiFuture futureCall = certificateAuthorityServiceClient + .updateCertificateTemplateCallable().futureCall(request); + + Operation response = futureCall.get(60, TimeUnit.SECONDS); + + // Check for errors. + if (response.hasError()) { + System.out.println("Error in updating certificate template ! " + response.getError()); + return; + } + + // Get the updated certificate template and check if the properties have been updated. + CertificateIdentityConstraints updatedCertificateIdentityConstraints = certificateAuthorityServiceClient + .getCertificateTemplate(certificateTemplateName).getIdentityConstraints(); + + if (!updatedCertificateIdentityConstraints.getAllowSubjectPassthrough() && + updatedCertificateIdentityConstraints.getAllowSubjectAltNamesPassthrough()) { + System.out.println("Successfully updated the certificate template ! " + response.getName()); + return; + } + + System.out.println("Error in updating certificate template ! "); + } + } +} +// [END privateca_update_certificate_template] From ecc2d58a50e42d06e540a5468ba6ec27298da43a Mon Sep 17 00:00:00 2001 From: SitaLakshmi Date: Thu, 2 Sep 2021 03:13:49 +0530 Subject: [PATCH 3/9] refactor(samples): modified the samples for test coherence --- .../java/privateca/CreateCertificate.java | 6 ++-- .../privateca/CreateCertificateTemplate.java | 9 +++--- .../java/privateca/CreateSubordinateCa.java | 4 +++ .../UpdateCaPool_IssuancePolicy.java | 28 +++++++++++-------- 4 files changed, 27 insertions(+), 20 deletions(-) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java index 296a9964..70d1ee4a 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java 
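Review bot: The comment `// Create the update certificate template request.` sits above the `futureCall` line, but the request was built on the lines before it; this comment describes the send step and should read `// Send the update request and wait for the operation to be returned.` The `updatedCertificateIdentityConstraints` declaration and the `if (!...getAllowSubjectPassthrough() &&` condition run past 100 columns and leave `&&` at line end, where google-java-format would reflow them with the operator leading the continuation line. `ApiFuture futureCall` is also a raw type; `ApiFuture<Operation>` keeps the `Operation response` assignment checked by the compiler.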
@@ -51,7 +51,7 @@ public static void main(String[] args) // certificateAuthorityName: The name of the certificate authority which issues the certificate. // certificateName: Set a unique name for the certificate. String project = "your-project-id"; - ByteString publicKeyBytes = ByteString.copyFrom(new byte[] {}); + ByteString publicKeyBytes = ByteString.copyFrom(new byte[]{}); String location = "ca-location"; String pool_Id = "ca-pool_Id"; String certificateAuthorityName = "certificate-authority-name"; @@ -84,8 +84,8 @@ public static void createCertificate( // domainName: List the fully qualified domain name. // certificateLifetime: The validity of the certificate in seconds. String commonName = "common-name"; - String orgName = "org-name"; - String domainName = "dnsname.com"; + String orgName = "google"; + String domainName = "test.google.com"; long certificateLifetime = 1000L; // Set the Public Key and its format. diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java index 6e97b02d..c97cd938 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java 
@@ -44,13 +44,15 @@ public static void main(String[] args) https://cloud.google.com/certificate-authority-service/docs/locations */ String project = "your-project-id"; String location = "ca-location"; + String certificateTemplateId = "certificate-template-id"; - createCertificateTemplate(project, location); + createCertificateTemplate(project, location, certificateTemplateId); } /* Creates a Certificate template. These templates can be reused for common certificate issuance scenarios. */ - public static void createCertificateTemplate(String project, String location) + public static void createCertificateTemplate(String project, String location, + String certificateTemplateId) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created once, and can be reused for multiple requests. After completing all of your requests, call @@ -59,9 +61,6 @@ public static void createCertificateTemplate(String project, String location) try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { - // A unique identifier of the certificate template. - String certificateTemplateId = "server-tls"; - /* Describes any predefined X.509 values set by this template. The provided extensions are copied over to certificate requests that use this template.*/ KeyUsage keyUsage = KeyUsage.newBuilder() diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java index 78f95b57..d7cb38e3 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java 
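Review bot: The `certificateTemplateId` variable added to `main` is not described in the TODO comment that documents the other placeholders, whereas DeleteCertificateTemplate and UpdateCertificateTemplate in this same patch series list theirs; add `certificateTemplateId: A unique identifier for the new certificate template.` to that block. The method comment `/* Creates a Certificate template. ... */` should likewise mention the new parameter, since the identifier was previously fixed inside the method and now comes from the caller.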
@@ -29,6 +29,7 @@ import com.google.cloud.security.privateca.v1.KeyUsage; import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions; import com.google.cloud.security.privateca.v1.Subject; +import com.google.cloud.security.privateca.v1.SubjectAltNames; import com.google.cloud.security.privateca.v1.X509Parameters; import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions; import com.google.longrunning.Operation; @@ -65,6 +66,7 @@ public static void createSubordinateCertificateAuthority( String commonName = "common-name"; String orgName = "csr-org-name"; + String domainName = "test.google.com"; int caDuration = 100000; // Validity of this CA in seconds. // Set the type of Algorithm. @@ -76,6 +78,8 @@ public static void createSubordinateCertificateAuthority( SubjectConfig.newBuilder() .setSubject( Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build()) + // Set the fully qualified domain name. + .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build()) .build(); // Set the key usage options for X.509 fields. diff --git a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java index 66f62bc2..894b5617 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java 
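Review bot: In the third hunk (`@@ -76,6 +78,8 @@`) the added `// Set the fully qualified domain name.` does not say why a CA certificate is given a dNSName SAN, which is unusual for a CA: the name plays no role in validating leaf certificates and does not restrict what the CA may issue. If the SAN is there so the subordinate CA's certificate request satisfies the pool issuance policy exercised by these samples, the comment should say so, e.g. `// SAN added so the request passes the CA pool's SAN issuance policy; it is not a name constraint.` The enclosing `createSubordinateCertificateAuthority` method starts and ends outside the hunk.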
@@ -22,12 +22,11 @@
 import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy;
 import com.google.cloud.security.privateca.v1.CaPoolName;
 import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
-import com.google.cloud.security.privateca.v1.CertificateExtensionConstraints;
-import com.google.cloud.security.privateca.v1.CertificateExtensionConstraints.KnownCertificateExtension;
 import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
 import com.google.cloud.security.privateca.v1.UpdateCaPoolRequest;
 import com.google.longrunning.Operation;
 import com.google.protobuf.FieldMask;
+import com.google.type.Expr;
 import java.io.IOException;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -59,14 +58,18 @@ public static void updateCaPoolIssuancePolicy(String project, String location, S try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { - // Set the updated issuance policy for the CA Pool. - CaPool.IssuancePolicy issuancePolicy = CaPool.IssuancePolicy.newBuilder() - .setPassthroughExtensions(CertificateExtensionConstraints.newBuilder() - .addKnownExtensions(KnownCertificateExtension.BASE_KEY_USAGE) - .addKnownExtensions(KnownCertificateExtension.EXTENDED_KEY_USAGE).build()) + /* Set the updated issuance policy for the CA Pool. + This particular issuance policy allows only SANs that + have DNS Names as "us.google.org" or ending in ".google.com". */ + String expr = "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\"" + + " || san.value.endsWith(\".google.com\")) )"; + + CaPool.IssuancePolicy issuancePolicy = IssuancePolicy.newBuilder() .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() .setAllowSubjectPassthrough(true) - .setAllowSubjectAltNamesPassthrough(true).build()).build(); + .setAllowSubjectAltNamesPassthrough(true) + .setCelExpression(Expr.newBuilder().setExpression(expr).build()).build()) + .build(); CaPool caPool = CaPool.newBuilder() .setName(CaPoolName.of(project, location, pool_Id).toString()) @@ -83,7 +86,7 @@ public static void updateCaPoolIssuancePolicy(String project, String location, S .setUpdateMask(FieldMask.newBuilder(FieldMask.newBuilder() .addPaths("issuance_policy.identity_constraints.allow_subject_passthrough") .addPaths("issuance_policy.identity_constraints.allow_subject_alt_names_passthrough") - .addPaths("issuance_policy.passthrough_extensions.known_extensions").build())) + .addPaths("issuance_policy.identity_constraints.cel_expression").build())) .build(); // Update CA Pool request. 
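Review bot: The comment above `expr` says the policy "allows only SANs" with the listed DNS names, but `all` over an empty list evaluates to true, so a certificate request carrying no SANs passes this constraint, and `setAllowSubjectPassthrough(true)` leaves the Subject unrestricted; both are worth stating so readers do not take this as a complete identity restriction. Suggested wording: `/* Only DNS SANs equal to "us.google.org" or ending in ".google.com" are allowed; a request with no SANs also passes (all() is vacuously true) and the Subject is passed through unchecked. */`. The builder also mixes `CaPool.IssuancePolicy` in the declaration with `IssuancePolicy.newBuilder()` on the right-hand side; one spelling would be clearer.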
@@ -94,7 +97,7 @@ public static void updateCaPoolIssuancePolicy(String project, String location, S
 // Check for errors.
 if (operation.hasError()) {
- System.out.println("Error in updating CA Pool ! " + operation.getError());
+ System.out.println("Error in updating CA Pool Issuance policy ! " + operation.getError());
 return;
 }
@@ -105,11 +108,12 @@ public static void updateCaPoolIssuancePolicy(String project, String location, S
 // Similarly, you can check for other modified fields as well.
 if (response.getIdentityConstraints().getAllowSubjectPassthrough() && response
 .getIdentityConstraints().getAllowSubjectAltNamesPassthrough()) {
- System.out.println("CA Pool has been updated successfully ! ");
+ System.out.println("CA Pool Issuance policy has been updated successfully ! ");
 return;
 }
- System.out.println("Error in updating CA Pool ! Please try again ! " + response);
+ System.out
+ .println("Error in updating CA Pool Issuance policy ! Please try again ! " + response);
 }
 }
 }
From 6d4c3e04ab489e66f9ad60351822140eb0e4cfa8 Mon Sep 17 00:00:00 2001
From: SitaLakshmi
Date: Thu, 2 Sep 2021 03:14:15 +0530
Subject: [PATCH 4/9] test(samples): Added tests for issuance policy and certificate templates.
---
 .../src/test/java/privateca/SnippetsIT.java | 86 ++++++++++++++++---
 1 file changed, 74 insertions(+), 12 deletions(-)
diff --git a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java
index db1cc226..3d21ddbd 100644
--- a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java
+++ b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java
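Review bot: The success check at the top of the second hunk still inspects only the two passthrough booleans, so the new "CA Pool Issuance policy has been updated successfully" message is printed even if the cel_expression — the field this series adds — was not applied; extend the condition with `&& response.getIdentityConstraints().getCelExpression().getExpression().equals(expr)` (assuming `expr` from the try block is still in scope here, which the hunk does not show). With that, the `// Similarly, you can check for other modified fields as well.` comment becomes accurate for the field readers of this sample most care about. updateCaPoolIssuancePolicy's body starts outside the hunk.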
@@ -18,12 +18,14 @@
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth.assertWithMessage;
+import com.google.cloud.security.privateca.v1.CaPool.IssuancePolicy;
 import com.google.cloud.security.privateca.v1.CaPoolName;
 import com.google.cloud.security.privateca.v1.Certificate;
 import com.google.cloud.security.privateca.v1.CertificateAuthority;
 import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
 import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
 import com.google.cloud.security.privateca.v1.CertificateName;
+import com.google.cloud.security.privateca.v1.CertificateTemplateName;
 import com.google.cloud.security.privateca.v1.FetchCertificateAuthorityCsrResponse;
 import com.google.protobuf.ByteString;
 import java.io.ByteArrayOutputStream;
@@ -63,6 +65,7 @@ public class SnippetsIT {
 private static String CA_NAME;
 private static String CA_NAME_DELETE;
 private static String SUBORDINATE_CA_NAME;
+ private static String CERTIFICATE_TEMPLATE_NAME;
 private static String CERTIFICATE_NAME;
 private static String CSR_CERTIFICATE_NAME;
 private static int KEY_SIZE;
@@ -79,18 +82,19 @@ public static void reqEnvVar(String envVarName) {
 @BeforeClass
 public static void setUp()
 throws IOException, ExecutionException, NoSuchProviderException, NoSuchAlgorithmException,
- InterruptedException {
+ InterruptedException, TimeoutException {
 reqEnvVar("GOOGLE_APPLICATION_CREDENTIALS");
 reqEnvVar("GOOGLE_CLOUD_PROJECT");
 LOCATION = "asia-south1";
- CA_POOL_ID = "ca-pool-" + UUID.randomUUID().toString();
- CA_POOL_ID_DELETE = "ca-pool-" + UUID.randomUUID().toString();
- CA_NAME = "ca-name-" + UUID.randomUUID().toString();
- CA_NAME_DELETE = "ca-name-" + UUID.randomUUID().toString();
- SUBORDINATE_CA_NAME = "sub-ca-name-" + UUID.randomUUID().toString();
- CERTIFICATE_NAME = "certificate-name-" + UUID.randomUUID().toString();
- CSR_CERTIFICATE_NAME = "csr-certificate-name-" + UUID.randomUUID().toString();
+ CA_POOL_ID = "ca-pool-" + UUID.randomUUID();
+ CA_POOL_ID_DELETE = "ca-pool-" + UUID.randomUUID();
+ CA_NAME = "ca-name-" + UUID.randomUUID();
+ CA_NAME_DELETE = "ca-name-" + UUID.randomUUID();
+ SUBORDINATE_CA_NAME = "sub-ca-name-" + UUID.randomUUID();
+ CERTIFICATE_TEMPLATE_NAME = "certificate-template-name-" + UUID.randomUUID();
+ CERTIFICATE_NAME = "certificate-name-" + UUID.randomUUID();
+ CSR_CERTIFICATE_NAME = "csr-certificate-name-" + UUID.randomUUID();
 KEY_SIZE = 2048; // Default key size
 // <--- START CA POOL --->
@@ -98,6 +102,9 @@ public static void setUp()
 privateca.CreateCaPool.createCaPool(PROJECT_ID, LOCATION, CA_POOL_ID);
 privateca.CreateCaPool.createCaPool(PROJECT_ID, LOCATION, CA_POOL_ID_DELETE);
 sleep(5);
+ // Set the issuance policy for the created CA Pool.
+ privateca.UpdateCaPool_IssuancePolicy
+ .updateCaPoolIssuancePolicy(PROJECT_ID, LOCATION, CA_POOL_ID);
 // <--- END CA POOL --->
 // <--- START ROOT CA --->
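Review bot: The new `updateCaPoolIssuancePolicy` call in the second hunk installs a SAN-restricting CEL policy on CA_POOL_ID, and every certificate the fixture later issues from that pool (the CSR-signed certificate and the ones created under START CERTIFICATE) must satisfy it or issuance fails, which the one-line comment does not convey; say so, e.g. `// Set the issuance policy for the created CA Pool. Every certificate issued from CA_POOL_ID below must satisfy its SAN constraint.` The `.toString()` removals on the UUID assignments in the first hunk are a harmless simplification, since string concatenation calls it anyway. setUp continues past the hunk.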
@@ -117,18 +124,23 @@ public static void setUp()
 // <--- END ROOT CA --->
 // <--- START SUBORDINATE CA --->
- // Create a Subordinate Certificate Authority.
+ // Follow the below steps to create and enable a Subordinate Certificate Authority.
+ // 1. Create a Subordinate Certificate Authority.
 privateca.CreateSubordinateCa.createSubordinateCertificateAuthority(
 PROJECT_ID, LOCATION, CA_POOL_ID, SUBORDINATE_CA_NAME);
 sleep(10);
- // Fetch CSR.
+ // 2. Fetch CSR.
 String pemCSR = fetchPemCSR(CA_POOL_ID, SUBORDINATE_CA_NAME);
- // Sign the CSR, and create a certificate.
+ // 3. Sign the CSR, and create a certificate.
 privateca.CreateCertificate_CSR.createCertificateWithCSR(
 PROJECT_ID, LOCATION, CA_POOL_ID, CA_NAME, CSR_CERTIFICATE_NAME, pemCSR);
 // <--- END SUBORDINATE CA --->
 // <--- START CERTIFICATE --->
+ // Create Certificate Template.
+ privateca.CreateCertificateTemplate
+ .createCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME);
+
 // Create an asymmetric key pair using Bouncy Castle crypto framework.
 KeyPair asymmetricKeyPair = createAsymmetricKeyPair();
@@ -155,7 +167,8 @@ public static void setUp()
 }
 @AfterClass
- public static void cleanUp() throws InterruptedException, ExecutionException, IOException {
+ public static void cleanUp()
+ throws InterruptedException, ExecutionException, IOException, TimeoutException {
 ByteArrayOutputStream stdOut = new ByteArrayOutputStream();
 System.setOut(new PrintStream(stdOut));
@@ -164,6 +177,10 @@ public static void cleanUp() throws InterruptedException, ExecutionException, IO
 privateca.RevokeCertificate.revokeCertificate(
 PROJECT_ID, LOCATION, CA_POOL_ID, CSR_CERTIFICATE_NAME);
+ // Delete Certificate Template.
+ privateca.DeleteCertificateTemplate
+ .deleteCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME);
+
 // Delete root CA.
 privateca.DeleteCertificateAuthority.deleteCertificateAuthority(
 PROJECT_ID, LOCATION, CA_POOL_ID, CA_NAME);
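Review bot: cleanUp runs as a straight sequence, so if the new `deleteCertificateTemplate` call in the third hunk throws (it declares IOException, ExecutionException, InterruptedException and TimeoutException), the root CA, subordinate CA and CA pool deletions that follow are skipped and the fixture's cloud resources are left behind; either move the template deletion after the CA and pool teardown or isolate it so a template failure cannot block the rest. The existing `revokeCertificate` call above it has the same shape, but this commit does not touch it. cleanUp continues outside the hunk.
```java
// … unchanged: revokeCertificate call …
// Delete Certificate Template. Isolated so a failure here cannot skip the CA/pool teardown below.
try {
  privateca.DeleteCertificateTemplate
      .deleteCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME);
} catch (IOException | ExecutionException | TimeoutException e) {
  // InterruptedException is deliberately not caught here so it still propagates.
  System.err.println("Certificate template cleanup failed, continuing: " + e);
}
// … unchanged: delete root CA …
```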
@@ -255,6 +272,22 @@ public void testCreateCAPool() throws IOException {
 }
 }
+ @Test
+ public void testUpdateCAPoolIssuancePolicy() throws IOException {
+ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+ CertificateAuthorityServiceClient.create()) {
+ IssuancePolicy issuancePolicy =
+ certificateAuthorityServiceClient
+ .getCaPool(CaPoolName.of(PROJECT_ID, LOCATION, CA_POOL_ID).toString())
+ .getIssuancePolicy();
+
+ String actualExpression = issuancePolicy.getIdentityConstraints().getCelExpression()
+ .getExpression();
+ String expectedExpression = "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\" || san.value.endsWith(\".google.com\")) )";
+ assertThat(actualExpression).contains(expectedExpression);
+ }
+ }
+
 @Test
 public void testListCAPools() throws IOException {
 privateca.ListCaPools.listCaPools(PROJECT_ID, LOCATION);
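Review bot: `assertThat(actualExpression).contains(expectedExpression)` is weaker than the situation calls for — the test reads back exactly the field the sample wrote, so `assertThat(actualExpression).isEqualTo(expectedExpression);` pins it without letting an extra clause slip past. The `expectedExpression` literal also runs past the 100-column limit and duplicates the string in UpdateCaPool_IssuancePolicy; hoisting it into a `private static final String` constant (or reading a package-visible constant from the sample) keeps the two from drifting silently. A one-line comment that this test depends on setUp having applied the policy to CA_POOL_ID, as the sibling tests carry, would also help.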
@@ -308,6 +341,35 @@ public void testDeleteUndeleteCertificateAuthority()
 .contains("Successfully restored the Certificate Authority ! " + CA_NAME_DELETE);
 }
+ @Test
+ public void testCreateCertificateTemplate() throws IOException {
+ // Check that the Certificate template has been created as part of the setup.
+ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+ CertificateAuthorityServiceClient.create()) {
+ String certificateTemplate = certificateAuthorityServiceClient.getCertificateTemplate(
+ CertificateTemplateName.of(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME).toString())
+ .getName();
+
+ assertThat(certificateTemplate)
+ .contains(String.format("projects/%s/locations/%s/", PROJECT_ID, LOCATION));
+ }
+ }
+
+ @Test
+ public void testListCertificateTemplate()
+ throws IOException, ExecutionException, InterruptedException, TimeoutException {
+ privateca.ListCertificateTemplates.listCertificateTemplates(PROJECT_ID, LOCATION);
+ assertThat(stdOut.toString()).contains(CERTIFICATE_TEMPLATE_NAME);
+ }
+
+ @Test
+ public void updateCertificateTemplate()
+ throws IOException, ExecutionException, InterruptedException, TimeoutException {
+ privateca.UpdateCertificateTemplate
+ .updateCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME);
+ assertThat(stdOut.toString()).contains("Successfully updated the certificate template ! ");
+ }
+
 @Test
 public void testCreateCertificate() throws IOException {
 // Check if the certificate created during setup is successful.
From 45db4072e009e4e7aefbeaf092a2671cb3786f82 Mon Sep 17 00:00:00 2001
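Review bot: `updateCertificateTemplate()` is the only test method in this hunk without the `test` prefix its siblings use; rename it `testUpdateCertificateTemplate()` so it lines up with `testCreateCertificateTemplate` and `testListCertificateTemplate`. In `testCreateCertificateTemplate` the assertion only checks the `projects/<id>/locations/<loc>/` prefix, which any template in the project would satisfy; assert on the fixture's own id instead, e.g. `assertThat(certificateTemplate).contains(CERTIFICATE_TEMPLATE_NAME);`.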
From: Owl Bot Date: Wed, 1 Sep 2021 21:49:59 +0000 Subject: [PATCH 5/9] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- README.md | 11 ++- .../java/privateca/CreateCertificate.java | 2 +- .../privateca/CreateCertificateTemplate.java | 80 ++++++++-------- .../privateca/DeleteCertificateTemplate.java | 29 +++--- .../privateca/ListCertificateTemplates.java | 21 +++-- .../UpdateCaPool_IssuancePolicy.java | 94 +++++++++++-------- .../privateca/UpdateCertificateTemplate.java | 62 ++++++------ .../src/test/java/privateca/SnippetsIT.java | 34 ++++--- 8 files changed, 186 insertions(+), 147 deletions(-) diff --git a/README.md b/README.md index 04696331..f2d71a65 100644 --- a/README.md +++ b/README.md @@ -19,20 +19,20 @@ If you are using Maven, add this to your pom.xml file: com.google.cloud google-cloud-security-private-ca - 2.0.2 + 2.1.0 ``` If you are using Gradle without BOM, add this to your dependencies ```Groovy -implementation 'com.google.cloud:google-cloud-security-private-ca:2.0.2' +implementation 'com.google.cloud:google-cloud-security-private-ca:2.1.0' ``` If you are using SBT, add this to your dependencies ```Scala -libraryDependencies += "com.google.cloud" % "google-cloud-security-private-ca" % "2.0.2" +libraryDependencies += "com.google.cloud" % "google-cloud-security-private-ca" % "2.1.0" ``` ## Authentication 
@@ -80,18 +80,23 @@ Samples are in the [`samples/`](https://github.com/googleapis/java-security-priv | Create Ca Pool | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCaPool.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCaPool.java) | | Create Certificate | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java) | | Create Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateAuthority.java) | +| Create Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java) | | Create Certificate_CSR | [source 
code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java) | | Create Subordinate Ca | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java) | | Delete Ca Pool | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCaPool.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCaPool.java) | | Delete Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateAuthority.java) | +| Delete Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java) | [![Open in Cloud 
Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java) | | Disable Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DisableCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DisableCertificateAuthority.java) | | Enable Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/EnableCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/EnableCertificateAuthority.java) | | Filter Certificates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java) | | List Ca Pools | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCaPools.java) | [![Open in Cloud 
Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCaPools.java) | | List Certificate Authorities | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateAuthorities.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificateAuthorities.java) | +| List Certificate Templates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java) | | List Certificates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificates.java) | | Revoke Certificate | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/RevokeCertificate.java) | [![Open in Cloud 
Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/RevokeCertificate.java) | | Undelete Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UndeleteCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UndeleteCertificateAuthority.java) | +| Update Ca Pool_Issuance Policy | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java) | +| Update Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java) | diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java index 70d1ee4a..ec6ac1a3 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java 
+++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java @@ -51,7 +51,7 @@ public static void main(String[] args) // certificateAuthorityName: The name of the certificate authority which issues the certificate. // certificateName: Set a unique name for the certificate. String project = "your-project-id"; - ByteString publicKeyBytes = ByteString.copyFrom(new byte[]{}); + ByteString publicKeyBytes = ByteString.copyFrom(new byte[] {}); String location = "ca-location"; String pool_Id = "ca-pool_Id"; String certificateAuthorityName = "certificate-authority-name"; diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java index c97cd938..e3c4b5cc 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java @@ -40,8 +40,8 @@ public class CreateCertificateTemplate { public static void main(String[] args) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* TODO(developer): Replace these variables before running the sample. - location: For a list of locations, see: - https://cloud.google.com/certificate-authority-service/docs/locations */ + location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations */ String project = "your-project-id"; String location = "ca-location"; String certificateTemplateId = "certificate-template-id"; 
@@ -50,56 +50,62 @@ public static void main(String[] args) } /* Creates a Certificate template. These templates can be reused for common - certificate issuance scenarios. */ - public static void createCertificateTemplate(String project, String location, - String certificateTemplateId) + certificate issuance scenarios. */ + public static void createCertificateTemplate( + String project, String location, String certificateTemplateId) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created - once, and can be reused for multiple requests. After completing all of your requests, call - the `certificateAuthorityServiceClient.close()` method on the client to safely - clean up any remaining background resources. */ + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { /* Describes any predefined X.509 values set by this template. 
- The provided extensions are copied over to certificate requests that use this template.*/ - KeyUsage keyUsage = KeyUsage.newBuilder() - .setBaseKeyUsage(KeyUsageOptions.newBuilder() - .setDigitalSignature(true) - .setKeyEncipherment(true).build()) - .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder() - .setServerAuth(true).build()) - .build(); + The provided extensions are copied over to certificate requests that use this template.*/ + KeyUsage keyUsage = + KeyUsage.newBuilder() + .setBaseKeyUsage( + KeyUsageOptions.newBuilder() + .setDigitalSignature(true) + .setKeyEncipherment(true) + .build()) + .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build()) + .build(); CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build(); /* CEL expression that is evaluated against the Subject and - Subject Alternative Name of the certificate before it is issued. */ - Expr expr = Expr.newBuilder() - .setExpression("subject_alt_names.all(san, san.type == DNS)") - .build(); + Subject Alternative Name of the certificate before it is issued. */ + Expr expr = + Expr.newBuilder().setExpression("subject_alt_names.all(san, san.type == DNS)").build(); // Set the certificate issuance schema. 
- CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() - .setPredefinedValues(X509Parameters.newBuilder() - .setKeyUsage(keyUsage) - .setCaOptions(caOptions).build()) - .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() - .setCelExpression(expr) - .setAllowSubjectPassthrough(false) - .setAllowSubjectAltNamesPassthrough(false).build()) - .build(); + CertificateTemplate certificateTemplate = + CertificateTemplate.newBuilder() + .setPredefinedValues( + X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build()) + .setIdentityConstraints( + CertificateIdentityConstraints.newBuilder() + .setCelExpression(expr) + .setAllowSubjectPassthrough(false) + .setAllowSubjectAltNamesPassthrough(false) + .build()) + .build(); // Set the parent and certificate template properties. - CreateCertificateTemplateRequest certificateTemplateRequest = CreateCertificateTemplateRequest - .newBuilder() - .setParent(LocationName.of(project, location).toString()) - .setCertificateTemplate(certificateTemplate) - .setCertificateTemplateId(certificateTemplateId).build(); + CreateCertificateTemplateRequest certificateTemplateRequest = + CreateCertificateTemplateRequest.newBuilder() + .setParent(LocationName.of(project, location).toString()) + .setCertificateTemplate(certificateTemplate) + .setCertificateTemplateId(certificateTemplateId) + .build(); // Create Template request. - ApiFuture futureCall = certificateAuthorityServiceClient - .createCertificateTemplateCallable().futureCall(certificateTemplateRequest); + ApiFuture futureCall = + certificateAuthorityServiceClient + .createCertificateTemplateCallable() + .futureCall(certificateTemplateRequest); Operation response = futureCall.get(60, TimeUnit.SECONDS); @@ -112,4 +118,4 @@ public static void createCertificateTemplate(String project, String location, } } } -// [END privateca_create_certificate_template] \ No newline at end of file +// [END privateca_create_certificate_template] 
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java index 7d42f1f4..417ffae2 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java @@ -29,13 +29,12 @@ public class DeleteCertificateTemplate { - public static void main(String[] args) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* TODO(developer): Replace these variables before running the sample. - location: For a list of locations, see: - https://cloud.google.com/certificate-authority-service/docs/locations - certificateTemplateId: Id of the certificate template to delete. */ + location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations + certificateTemplateId: Id of the certificate template to delete. */ String project = "your-project-id"; String location = "ca-location"; String certificateTemplateId = "certificate-template-id"; 
@@ -44,23 +43,25 @@ public static void main(String[] args) } // Deletes the certificate template present in the given project and location. - public static void deleteCertificateTemplate(String project, String location, - String certificateTemplateId) + public static void deleteCertificateTemplate( + String project, String location, String certificateTemplateId) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created - once, and can be reused for multiple requests. After completing all of your requests, call - the `certificateAuthorityServiceClient.close()` method on the client to safely - clean up any remaining background resources. */ + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { // Set the parent name of the certificate template to be deleted. - DeleteCertificateTemplateRequest request = DeleteCertificateTemplateRequest.newBuilder() - .setName(CertificateTemplateName.of(project, location, certificateTemplateId).toString()) - .build(); + DeleteCertificateTemplateRequest request = + DeleteCertificateTemplateRequest.newBuilder() + .setName( + CertificateTemplateName.of(project, location, certificateTemplateId).toString()) + .build(); - ApiFuture futureCall = certificateAuthorityServiceClient - .deleteCertificateTemplateCallable().futureCall(request); + ApiFuture futureCall = + certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request); Operation response = futureCall.get(60, TimeUnit.SECONDS); 
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java index 99421431..bc574c02 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java @@ -33,8 +33,8 @@ public class ListCertificateTemplates { public static void main(String[] args) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* TODO(developer): Replace these variables before running the sample. - location: For a list of locations, see: - https://cloud.google.com/certificate-authority-service/docs/locations */ + location: For a list of locations, see: + https://cloud.google.com/certificate-authority-service/docs/locations */ String project = "your-project-id"; String location = "ca-location"; 
@@ -45,19 +45,20 @@ public static void main(String[] args) public static void listCertificateTemplates(String project, String location) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created - once, and can be reused for multiple requests. After completing all of your requests, call - the `certificateAuthorityServiceClient.close()` method on the client to safely - clean up any remaining background resources. */ + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { // Set the parent name to list the certificate templates. - ListCertificateTemplatesRequest request = ListCertificateTemplatesRequest.newBuilder() - .setParent(LocationName.of(project, location).toString()) - .build(); + ListCertificateTemplatesRequest request = + ListCertificateTemplatesRequest.newBuilder() + .setParent(LocationName.of(project, location).toString()) + .build(); - ApiFuture futureCall = certificateAuthorityServiceClient - .listCertificateTemplatesCallable().futureCall(request); + ApiFuture futureCall = + certificateAuthorityServiceClient.listCertificateTemplatesCallable().futureCall(request); // Get the response. ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS); diff --git a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java index 894b5617..1b091432 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java 
+++ b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java 
@@ -48,50 +48,62 @@ public static void main(String[] args) } /* Update the Issuance policy for a CA Pool. All certificates issued from this CA Pool should - meet the issuance policy. */ + meet the issuance policy. */ public static void updateCaPoolIssuancePolicy(String project, String location, String pool_Id) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created - once, and can be reused for multiple requests. After completing all of your requests, call - the `certificateAuthorityServiceClient.close()` method on the client to safely - clean up any remaining background resources. */ + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { /* Set the updated issuance policy for the CA Pool. - This particular issuance policy allows only SANs that - have DNS Names as "us.google.org" or ending in ".google.com". */ - String expr = "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\"" - + " || san.value.endsWith(\".google.com\")) )"; - - CaPool.IssuancePolicy issuancePolicy = IssuancePolicy.newBuilder() - .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() - .setAllowSubjectPassthrough(true) - .setAllowSubjectAltNamesPassthrough(true) - .setCelExpression(Expr.newBuilder().setExpression(expr).build()).build()) - .build(); - - CaPool caPool = CaPool.newBuilder() - .setName(CaPoolName.of(project, location, pool_Id).toString()) - .setIssuancePolicy(issuancePolicy).build(); + This particular issuance policy allows only SANs that + have DNS Names as "us.google.org" or ending in ".google.com". 
*/ + String expr = + "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\"" + + " || san.value.endsWith(\".google.com\")) )"; + + CaPool.IssuancePolicy issuancePolicy = + IssuancePolicy.newBuilder() + .setIdentityConstraints( + CertificateIdentityConstraints.newBuilder() + .setAllowSubjectPassthrough(true) + .setAllowSubjectAltNamesPassthrough(true) + .setCelExpression(Expr.newBuilder().setExpression(expr).build()) + .build()) + .build(); + + CaPool caPool = + CaPool.newBuilder() + .setName(CaPoolName.of(project, location, pool_Id).toString()) + .setIssuancePolicy(issuancePolicy) + .build(); /* 1. Set the CA pool with updated values. - 2. Set the update mask to specify which properties of the CA Pool should be updated. - Only the properties specified in the mask will be updated. Make sure that the mask fields - match the updated issuance policy. - For more info on constructing path for update mask, see: - https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */ - UpdateCaPoolRequest updateCaPoolRequest = UpdateCaPoolRequest.newBuilder() - .setCaPool(caPool) - .setUpdateMask(FieldMask.newBuilder(FieldMask.newBuilder() - .addPaths("issuance_policy.identity_constraints.allow_subject_passthrough") - .addPaths("issuance_policy.identity_constraints.allow_subject_alt_names_passthrough") - .addPaths("issuance_policy.identity_constraints.cel_expression").build())) - .build(); + 2. Set the update mask to specify which properties of the CA Pool should be updated. + Only the properties specified in the mask will be updated. Make sure that the mask fields + match the updated issuance policy. 
+ For more info on constructing path for update mask, see: + https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */ + UpdateCaPoolRequest updateCaPoolRequest = + UpdateCaPoolRequest.newBuilder() + .setCaPool(caPool) + .setUpdateMask( + FieldMask.newBuilder( + FieldMask.newBuilder() + .addPaths( + "issuance_policy.identity_constraints.allow_subject_passthrough") + .addPaths( + "issuance_policy.identity_constraints.allow_subject_alt_names_passthrough") + .addPaths("issuance_policy.identity_constraints.cel_expression") + .build())) + .build(); // Update CA Pool request. - ApiFuture futureCall = certificateAuthorityServiceClient.updateCaPoolCallable() - .futureCall(updateCaPoolRequest); + ApiFuture futureCall = + certificateAuthorityServiceClient.updateCaPoolCallable().futureCall(updateCaPoolRequest); Operation operation = futureCall.get(60, TimeUnit.SECONDS); 
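Review bot: The comment above `expr` should also say what happens when a request carries no SANs: the CEL `all` macro is true over an empty list, so this constraint admits such a request, and nothing in the expression examines the subject that `setAllowSubjectPassthrough(true)` forwards from the request. Add `// Note: all() is vacuously true, so a request with no subject_alt_names also satisfies this constraint.` and, if a DNS SAN is mandatory for this pool, prepend a non-empty check such as `size(subject_alt_names) > 0 && ...` (assuming the service's CEL subset supports `size`). Separately, `FieldMask.newBuilder(FieldMask.newBuilder()....build())` copies a built mask into a second builder for no effect; `.setUpdateMask(FieldMask.newBuilder().addPaths(...).build())` is equivalent. updateCaPoolIssuancePolicy continues past the end of this hunk.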
@@ -102,19 +114,21 @@ public static void updateCaPoolIssuancePolicy(String project, String location, S } // Get the CA Pool's issuance policy and verify if the fields have been successfully updated. - IssuancePolicy response = certificateAuthorityServiceClient - .getCaPool(CaPoolName.of(project, location, pool_Id).toString()).getIssuancePolicy(); + IssuancePolicy response = + certificateAuthorityServiceClient + .getCaPool(CaPoolName.of(project, location, pool_Id).toString()) + .getIssuancePolicy(); // Similarly, you can check for other modified fields as well. - if (response.getIdentityConstraints().getAllowSubjectPassthrough() && response - .getIdentityConstraints().getAllowSubjectAltNamesPassthrough()) { + if (response.getIdentityConstraints().getAllowSubjectPassthrough() + && response.getIdentityConstraints().getAllowSubjectAltNamesPassthrough()) { System.out.println("CA Pool Issuance policy has been updated successfully ! "); return; } - System.out - .println("Error in updating CA Pool Issuance policy ! Please try again ! " + response); + System.out.println( + "Error in updating CA Pool Issuance policy ! Please try again ! " + response); } } } -// [END privateca_set_issuance_policy] \ No newline at end of file +// [END privateca_set_issuance_policy] diff --git a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java index 588da44e..66feb63f 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java @@ -32,7 +32,6 @@ public class UpdateCertificateTemplate { - public static void main(String[] args) throws IOException, ExecutionException, InterruptedException, TimeoutException { // TODO(developer): Replace these variables before running the sample. 
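Review bot: The verification on the new side compares only the two passthrough booleans, so a pool whose `cel_expression` was not applied would still print the success message. Since `expr` is presumably still in scope inside the same try block, the condition could also include `&& expr.equals(response.getIdentityConstraints().getCelExpression().getExpression())`, which is the same check the integration test performs on the expression. The enclosing method updateCaPoolIssuancePolicy starts before this hunk.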
@@ -47,41 +46,48 @@ public static void main(String[] args) } // Updates an existing certificate template. - public static void updateCertificateTemplate(String project, String location, - String certificateTemplateId) + public static void updateCertificateTemplate( + String project, String location, String certificateTemplateId) throws IOException, ExecutionException, InterruptedException, TimeoutException { /* Initialize client that will be used to send requests. This client only needs to be created - once, and can be reused for multiple requests. After completing all of your requests, call - the `certificateAuthorityServiceClient.close()` method on the client to safely - clean up any remaining background resources. */ + once, and can be reused for multiple requests. After completing all of your requests, call + the `certificateAuthorityServiceClient.close()` method on the client to safely + clean up any remaining background resources. */ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { - String certificateTemplateName = CertificateTemplateName - .of(project, location, certificateTemplateId).toString(); + String certificateTemplateName = + CertificateTemplateName.of(project, location, certificateTemplateId).toString(); // Set the parent name and the properties to be updated. 
- CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() - .setName(certificateTemplateName) - .setIdentityConstraints(CertificateIdentityConstraints.newBuilder() - .setAllowSubjectPassthrough(false) - .setAllowSubjectAltNamesPassthrough(true).build()) - .build(); + CertificateTemplate certificateTemplate = + CertificateTemplate.newBuilder() + .setName(certificateTemplateName) + .setIdentityConstraints( + CertificateIdentityConstraints.newBuilder() + .setAllowSubjectPassthrough(false) + .setAllowSubjectAltNamesPassthrough(true) + .build()) + .build(); // Set the mask corresponding to the properties updated above. - FieldMask fieldMask = FieldMask.newBuilder() - .addPaths("identity_constraints.allow_subject_alt_names_passthrough") - .addPaths("identity_constraints.allow_subject_passthrough").build(); + FieldMask fieldMask = + FieldMask.newBuilder() + .addPaths("identity_constraints.allow_subject_alt_names_passthrough") + .addPaths("identity_constraints.allow_subject_passthrough") + .build(); /* Set the new template. - Set the mask to specify which properties of the template should be updated. */ - UpdateCertificateTemplateRequest request = UpdateCertificateTemplateRequest.newBuilder() - .setCertificateTemplate(certificateTemplate) - .setUpdateMask(fieldMask).build(); + Set the mask to specify which properties of the template should be updated. */ + UpdateCertificateTemplateRequest request = + UpdateCertificateTemplateRequest.newBuilder() + .setCertificateTemplate(certificateTemplate) + .setUpdateMask(fieldMask) + .build(); // Create the update certificate template request. - ApiFuture futureCall = certificateAuthorityServiceClient - .updateCertificateTemplateCallable().futureCall(request); + ApiFuture futureCall = + certificateAuthorityServiceClient.updateCertificateTemplateCallable().futureCall(request); Operation response = futureCall.get(60, TimeUnit.SECONDS); 
@@ -92,11 +98,13 @@ public static void updateCertificateTemplate(String project, String location, } // Get the updated certificate template and check if the properties have been updated. - CertificateIdentityConstraints updatedCertificateIdentityConstraints = certificateAuthorityServiceClient - .getCertificateTemplate(certificateTemplateName).getIdentityConstraints(); + CertificateIdentityConstraints updatedCertificateIdentityConstraints = + certificateAuthorityServiceClient + .getCertificateTemplate(certificateTemplateName) + .getIdentityConstraints(); - if (!updatedCertificateIdentityConstraints.getAllowSubjectPassthrough() && - updatedCertificateIdentityConstraints.getAllowSubjectAltNamesPassthrough()) { + if (!updatedCertificateIdentityConstraints.getAllowSubjectPassthrough() + && updatedCertificateIdentityConstraints.getAllowSubjectAltNamesPassthrough()) { System.out.println("Successfully updated the certificate template ! " + response.getName()); return; } diff --git a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java index 3d21ddbd..a42b843a 100644 --- a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java +++ b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java @@ -82,7 +82,7 @@ public static void reqEnvVar(String envVarName) { @BeforeClass public static void setUp() throws IOException, ExecutionException, NoSuchProviderException, NoSuchAlgorithmException, - InterruptedException, TimeoutException { + InterruptedException, TimeoutException { reqEnvVar("GOOGLE_APPLICATION_CREDENTIALS"); reqEnvVar("GOOGLE_CLOUD_PROJECT"); 
@@ -103,8 +103,8 @@ public static void setUp() privateca.CreateCaPool.createCaPool(PROJECT_ID, LOCATION, CA_POOL_ID_DELETE); sleep(5); // Set the issuance policy for the created CA Pool. - privateca.UpdateCaPool_IssuancePolicy - .updateCaPoolIssuancePolicy(PROJECT_ID, LOCATION, CA_POOL_ID); + privateca.UpdateCaPool_IssuancePolicy.updateCaPoolIssuancePolicy( + PROJECT_ID, LOCATION, CA_POOL_ID); // <--- END CA POOL ---> // <--- START ROOT CA ---> @@ -138,8 +138,8 @@ public static void setUp() // <--- START CERTIFICATE ---> // Create Certificate Template. - privateca.CreateCertificateTemplate - .createCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); + privateca.CreateCertificateTemplate.createCertificateTemplate( + PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); // Create an asymmetric key pair using Bouncy Castle crypto framework. KeyPair asymmetricKeyPair = createAsymmetricKeyPair(); @@ -178,8 +178,8 @@ public static void cleanUp() PROJECT_ID, LOCATION, CA_POOL_ID, CSR_CERTIFICATE_NAME); // Delete Certificate Template. - privateca.DeleteCertificateTemplate - .deleteCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); + privateca.DeleteCertificateTemplate.deleteCertificateTemplate( + PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); // Delete root CA. privateca.DeleteCertificateAuthority.deleteCertificateAuthority( 
@@ -281,9 +281,10 @@ public void testUpdateCAPoolIssuancePolicy() throws IOException { .getCaPool(CaPoolName.of(PROJECT_ID, LOCATION, CA_POOL_ID).toString()) .getIssuancePolicy(); - String actualExpression = issuancePolicy.getIdentityConstraints().getCelExpression() - .getExpression(); - String expectedExpression = "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\" || san.value.endsWith(\".google.com\")) )"; + String actualExpression = + issuancePolicy.getIdentityConstraints().getCelExpression().getExpression(); + String expectedExpression = + "subject_alt_names.all(san, san.type == DNS && (san.value == \"us.google.org\" || san.value.endsWith(\".google.com\")) )"; assertThat(actualExpression).contains(expectedExpression); } } @@ -346,9 +347,12 @@ public void testCreateCertificateTemplate() throws IOException { // Check that the Certificate template has been created as part of the setup. try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = CertificateAuthorityServiceClient.create()) { - String certificateTemplate = certificateAuthorityServiceClient.getCertificateTemplate( - CertificateTemplateName.of(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME).toString()) - .getName(); + String certificateTemplate = + certificateAuthorityServiceClient + .getCertificateTemplate( + CertificateTemplateName.of(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME) + .toString()) + .getName(); assertThat(certificateTemplate) .contains(String.format("projects/%s/locations/%s/", PROJECT_ID, LOCATION)); 
@@ -365,8 +369,8 @@ public void testListCertificateTemplate() @Test public void updateCertificateTemplate() throws IOException, ExecutionException, InterruptedException, TimeoutException { - privateca.UpdateCertificateTemplate - .updateCertificateTemplate(PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); + privateca.UpdateCertificateTemplate.updateCertificateTemplate( + PROJECT_ID, LOCATION, CERTIFICATE_TEMPLATE_NAME); assertThat(stdOut.toString()).contains("Successfully updated the certificate template ! "); } From 28fc18584c243ea68f78e1ff381c8771fa3893b1 Mon Sep 17 00:00:00 2001 From: SitaLakshmi Date: Tue, 7 Sep 2021 13:24:48 +0530 Subject: [PATCH 6/9] refactor(samples): included filter condition and comments --- .../java/privateca/FilterCertificates.java | 21 +++++++++++-------- .../src/test/java/privateca/SnippetsIT.java | 6 ++---- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java b/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java index 9ba8d93a..07fc2477 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java 
@@ -30,21 +30,16 @@ public static void main(String[] args) throws IOException { // location: For a list of locations, see: // https://cloud.google.com/certificate-authority-service/docs/locations // pool_Id: Id of the CA pool which contains the certificates to be listed. - // filterCondition: Filter certificates based on the given condition. - // For more info on conditions supported, - // see: - // https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support String project = "your-project-id"; String location = "ca-location"; String pool_Id = "ca-pool-id"; - String filterCondition = "filter-condition"; - filterCertificates(project, location, pool_Id, filterCondition); + filterCertificates(project, location, pool_Id); } // Filter certificates based on a condition and list them. public static void filterCertificates( - String project, String location, String pool_Id, String filterCondition) throws IOException { + String project, String location, String pool_Id) throws IOException { // Initialize client that will be used to send requests. This client only needs to be created // once, and can be reused for multiple requests. After completing all of your requests, call // the `certificateAuthorityServiceClient.close()` method on the client to safely 
@@ -63,8 +58,16 @@ public static void filterCertificates( ListCertificatesRequest listCertificatesRequest = ListCertificatesRequest.newBuilder() .setParent(caPool.toString()) - // Filter certificates according to the given condition. - .setFilter(filterCondition) + /* Filter certificates based on the given condition. + For more info on conditions supported, + see: + https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support + Few examples for constructing conditions: + certificate_description.subject_description.not_after_time=timestamp(com.google.protobuf) + certificate_description.subject_description.subject_alt_name.dns_names:my-dns + Here, we are filtering certificates which has organization name = csr-org-name */ + .setFilter( + "certificate_description.subject_description.subject.organization=csr-org-name") .build(); // Retrieve and print the certificate names. diff --git a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java index a42b843a..5b09d2ec 100644 --- a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java +++ b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java @@ -82,7 +82,7 @@ public static void reqEnvVar(String envVarName) { @BeforeClass public static void setUp() throws IOException, ExecutionException, NoSuchProviderException, NoSuchAlgorithmException, - InterruptedException, TimeoutException { + InterruptedException, TimeoutException { reqEnvVar("GOOGLE_APPLICATION_CREDENTIALS"); reqEnvVar("GOOGLE_CLOUD_PROJECT"); 
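Review bot: The filter is now a fixed literal inside the request builder and nothing tells a reader of the sample where to put their own condition; `csr-org-name` only matches certificates created by the sibling samples, and the comment's example `not_after_time=timestamp(com.google.protobuf)` looks like a type reference rather than a usable filter value. Hoist it to a local above the builder, `// TODO(developer): Replace with your own filter condition.` followed by `String filterCondition = "certificate_description.subject_description.subject.organization=csr-org-name";`, and use `.setFilter(filterCondition)`, so the configurability removed from `main` in the previous hunk stays visible. The enclosing method filterCertificates begins before this hunk.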
@@ -395,10 +395,8 @@ public void testListCertificates() throws IOException { @Test public void testFilterCertificates() throws IOException { // Filter only certificates created using CSR. - String filterCondition = - "certificate_description.subject_description.subject.organization=csr-org-name"; privateca.FilterCertificates.filterCertificates( - PROJECT_ID, LOCATION, CA_POOL_ID, filterCondition); + PROJECT_ID, LOCATION, CA_POOL_ID); assertThat(stdOut.toString()).contains(CSR_CERTIFICATE_NAME); assertThat(stdOut.toString()).doesNotContain(CERTIFICATE_NAME); } From bc3f02333fad5f8a1c42107d97baa0e07e4ae6a2 Mon Sep 17 00:00:00 2001 From: Owl Bot Date: Tue, 7 Sep 2021 07:56:41 +0000 Subject: [PATCH 7/9] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- .../java/privateca/FilterCertificates.java | 18 +++++++++--------- .../src/test/java/privateca/SnippetsIT.java | 5 ++--- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java b/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java index 07fc2477..6a199f93 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java 
@@ -38,8 +38,8 @@ public static void main(String[] args) throws IOException { } // Filter certificates based on a condition and list them. - public static void filterCertificates( - String project, String location, String pool_Id) throws IOException { + public static void filterCertificates(String project, String location, String pool_Id) + throws IOException { // Initialize client that will be used to send requests. This client only needs to be created // once, and can be reused for multiple requests. After completing all of your requests, call // the `certificateAuthorityServiceClient.close()` method on the client to safely @@ -59,13 +59,13 @@ public static void filterCertificates( ListCertificatesRequest.newBuilder() .setParent(caPool.toString()) /* Filter certificates based on the given condition. - For more info on conditions supported, - see: - https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support - Few examples for constructing conditions: - certificate_description.subject_description.not_after_time=timestamp(com.google.protobuf) - certificate_description.subject_description.subject_alt_name.dns_names:my-dns - Here, we are filtering certificates which has organization name = csr-org-name */ + For more info on conditions supported, + see: + https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support + Few examples for constructing conditions: + certificate_description.subject_description.not_after_time=timestamp(com.google.protobuf) + certificate_description.subject_description.subject_alt_name.dns_names:my-dns + Here, we are filtering certificates which has organization name = csr-org-name */ .setFilter( "certificate_description.subject_description.subject.organization=csr-org-name") .build(); 
diff --git a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java index 5b09d2ec..d907faa3 100644 --- a/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java +++ b/samples/snippets/cloud-client/src/test/java/privateca/SnippetsIT.java @@ -82,7 +82,7 @@ public static void reqEnvVar(String envVarName) { @BeforeClass public static void setUp() throws IOException, ExecutionException, NoSuchProviderException, NoSuchAlgorithmException, - InterruptedException, TimeoutException { + InterruptedException, TimeoutException { reqEnvVar("GOOGLE_APPLICATION_CREDENTIALS"); reqEnvVar("GOOGLE_CLOUD_PROJECT"); @@ -395,8 +395,7 @@ public void testListCertificates() throws IOException { @Test public void testFilterCertificates() throws IOException { // Filter only certificates created using CSR. - privateca.FilterCertificates.filterCertificates( - PROJECT_ID, LOCATION, CA_POOL_ID); + privateca.FilterCertificates.filterCertificates(PROJECT_ID, LOCATION, CA_POOL_ID); assertThat(stdOut.toString()).contains(CSR_CERTIFICATE_NAME); assertThat(stdOut.toString()).doesNotContain(CERTIFICATE_NAME); } From 5bf0386978ac3327f251644e2d0d706d55fd803c Mon Sep 17 00:00:00 2001 From: SitaLakshmi Date: Thu, 9 Sep 2021 00:12:16 +0530 Subject: [PATCH 8/9] refactor(samples): included review comments --- .../main/java/privateca/CreateCertificate.java | 4 ++-- .../java/privateca/CreateCertificateTemplate.java | 15 ++++++++++++--- .../main/java/privateca/CreateSubordinateCa.java | 7 +++++-- .../java/privateca/DeleteCertificateTemplate.java | 4 +++- .../java/privateca/ListCertificateTemplates.java | 4 +++- 5 files changed, 25 insertions(+), 9 deletions(-) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java index ec6ac1a3..5cac09dd 100644 
--- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java @@ -84,8 +84,8 @@ public static void createCertificate( // domainName: List the fully qualified domain name. // certificateLifetime: The validity of the certificate in seconds. String commonName = "common-name"; - String orgName = "google"; - String domainName = "test.google.com"; + String orgName = "org-name"; + String domainName = "dns.your-domain.com"; long certificateLifetime = 1000L; // Set the Public Key and its format. diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java index e3c4b5cc..852814bc 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java @@ -70,10 +70,16 @@ public static void createCertificateTemplate( .setDigitalSignature(true) .setKeyEncipherment(true) .build()) - .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build()) + .setExtendedKeyUsage( + ExtendedKeyUsageOptions.newBuilder() + .setServerAuth(true) + .build()) .build(); - CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build(); + CaOptions caOptions = + CaOptions.newBuilder() + .setIsCa(false) + .build(); /* CEL expression that is evaluated against the Subject and Subject Alternative Name of the certificate before it is issued. */ 
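Review bot: The new placeholder `dns.your-domain.com` sits under a domain that may be registered to a third party; a sample that goes on to issue a certificate should use a name reserved for documentation (for example `dns.example.com`, per RFC 2606) so a copy-pasted run never mints a certificate bearing someone else's name. The same placeholder is introduced in CreateSubordinateCa in the `@@ -66,7 +66,7 @@` hunk that follows. The enclosing method createCertificate starts before this hunk.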
@@ -84,7 +90,10 @@ public static void createCertificateTemplate( CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() .setPredefinedValues( - X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build()) + X509Parameters.newBuilder() + .setKeyUsage(keyUsage) + .setCaOptions(caOptions) + .build()) .setIdentityConstraints( CertificateIdentityConstraints.newBuilder() .setCelExpression(expr) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java index d7cb38e3..57e3a0c5 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java @@ -66,7 +66,7 @@ public static void createSubordinateCertificateAuthority( String commonName = "common-name"; String orgName = "csr-org-name"; - String domainName = "test.google.com"; + String domainName = "dns.your-domain.com"; int caDuration = 100000; // Validity of this CA in seconds. // Set the type of Algorithm. @@ -79,7 +79,10 @@ public static void createSubordinateCertificateAuthority( .setSubject( Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build()) // Set the fully qualified domain name. - .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build()) + .setSubjectAltName( + SubjectAltNames.newBuilder() + .addDnsNames(domainName) + .build()) .build(); // Set the key usage options for X.509 fields. diff --git a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java index 417ffae2..51fd6c3f 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java 
@@ -61,7 +61,9 @@ public static void deleteCertificateTemplate( .build(); ApiFuture futureCall = - certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request); + certificateAuthorityServiceClient + .deleteCertificateTemplateCallable() + .futureCall(request); Operation response = futureCall.get(60, TimeUnit.SECONDS); diff --git a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java index bc574c02..058d1b82 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java @@ -58,7 +58,9 @@ public static void listCertificateTemplates(String project, String location) .build(); ApiFuture futureCall = - certificateAuthorityServiceClient.listCertificateTemplatesCallable().futureCall(request); + certificateAuthorityServiceClient + .listCertificateTemplatesCallable() + .futureCall(request); // Get the response. ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS); From db9d1dbe87a579cb6e42b46585d57e2eb0f4a18b Mon Sep 17 00:00:00 2001 From: Owl Bot Date: Wed, 8 Sep 2021 18:44:43 +0000 Subject: [PATCH 9/9] =?UTF-8?q?=F0=9F=A6=89=20Updates=20from=20OwlBot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md --- .../java/privateca/CreateCertificateTemplate.java | 15 +++------------ .../main/java/privateca/CreateSubordinateCa.java | 5 +---- .../java/privateca/DeleteCertificateTemplate.java | 4 +--- .../java/privateca/ListCertificateTemplates.java | 4 +--- 4 files changed, 6 insertions(+), 22 deletions(-) 
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java index 852814bc..e3c4b5cc 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java @@ -70,16 +70,10 @@ public static void createCertificateTemplate( .setDigitalSignature(true) .setKeyEncipherment(true) .build()) - .setExtendedKeyUsage( - ExtendedKeyUsageOptions.newBuilder() - .setServerAuth(true) - .build()) + .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build()) .build(); - CaOptions caOptions = - CaOptions.newBuilder() - .setIsCa(false) - .build(); + CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build(); /* CEL expression that is evaluated against the Subject and Subject Alternative Name of the certificate before it is issued. */ @@ -90,10 +84,7 @@ public static void createCertificateTemplate( CertificateTemplate certificateTemplate = CertificateTemplate.newBuilder() .setPredefinedValues( - X509Parameters.newBuilder() - .setKeyUsage(keyUsage) - .setCaOptions(caOptions) - .build()) + X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build()) .setIdentityConstraints( CertificateIdentityConstraints.newBuilder() .setCelExpression(expr) diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java index 57e3a0c5..29b3f7ef 100644 --- a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java +++ b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java 
@@ -79,10 +79,7 @@ public static void createSubordinateCertificateAuthority( .setSubject( Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build()) // Set the fully qualified domain name. - .setSubjectAltName( - SubjectAltNames.newBuilder() - .addDnsNames(domainName) - .build()) + .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build()) .build(); // Set the key usage options for X.509 fields.
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java
index 51fd6c3f..417ffae2 100644
--- a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java
+++ b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java
@@ -61,9 +61,7 @@ public static void deleteCertificateTemplate( .build(); ApiFuture futureCall = - certificateAuthorityServiceClient - .deleteCertificateTemplateCallable() - .futureCall(request); + certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request); Operation response = futureCall.get(60, TimeUnit.SECONDS);
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java
index 058d1b82..bc574c02 100644
--- a/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java
+++ b/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java
@@ -58,9 +58,7 @@ public static void listCertificateTemplates(String project, String location) .build(); ApiFuture futureCall = - certificateAuthorityServiceClient - .listCertificateTemplatesCallable() - .futureCall(request); + certificateAuthorityServiceClient.listCertificateTemplatesCallable().futureCall(request); // Get the response. ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS);
