feat(samples): add subordinate CA samples

Author: FrodoTheTrue

privateca/snippets/activate_subordinate_ca.py

@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_activate_subordinateca]
+import google.cloud.security.privateca_v1 as privateca_v1
+
+
+def activate_subordinate_ca(
+    project_id: str,
+    location: str,
+    ca_pool_name: str,
+    subordinate_ca_name: str,
+    pem_ca_certificate: str,
+    ca_name: str,
+) -> None:
+    """
+    Activate a subordinate Certificate Authority (CA).
+    *Prerequisite*: Get the Certificate Signing Resource (CSR) of the subordinate CA signed by another CA. Pass in the signed
+    certificate and (issuer CA's name or the issuer CA's Certificate chain).
+    *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: set it to the CA Pool under which the CA should be created.
+        pem_ca_certificate: the signed certificate, obtained by signing the CSR.
+        subordinate_ca_name: the CA to be activated.
+        ca_name: The name of the certificate authority which signed the CSR.
+            If an external CA (CA not present in Google Cloud) was used for signing,
+            then use the CA's issuerCertificateChain.
+    """
+
+    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
+
+    subordinate_ca_path = ca_service_client.certificate_authority_path(
+        project_id, location, ca_pool_name, subordinate_ca_name
+    )
+    ca_path = ca_service_client.certificate_authority_path(
+        project_id, location, ca_pool_name, ca_name
+    )
+
+    # Set CA subordinate config.
+    subordinate_config = privateca_v1.SubordinateConfig(
+        # Follow one of the below methods:
+        # Method 1: If issuer CA is in Google Cloud, set the Certificate Authority Name.
+        certificate_authority=ca_path,
+        # Method 2: If issuer CA is external to Google Cloud, set the issuer's certificate chain.
+        # The certificate chain of the CA (which signed the CSR) from leaf to root.
+        # pem_issuer_chain=privateca_v1.SubordinateConfig.SubordinateConfigChain(
+        #     pem_certificates=issuer_certificate_chain,
+        # )
+    )
+
+    # Construct the "Activate CA Request".
+    request = privateca_v1.ActivateCertificateAuthorityRequest(
+        name=subordinate_ca_path,
+        # The signed certificate.
+        pem_ca_certificate=pem_ca_certificate,
+        subordinate_config=subordinate_config,
+    )
+
+    # Activate the CA
+    operation = ca_service_client.activate_certificate_authority(request=request)
+    result = operation.result()
+
+    print("Operation result:", result)
+
+    # The current state will be STAGED.
+    # The Subordinate CA has to be ENABLED before issuing certificates.
+    print(
+        f"Current state: {ca_service_client.get_certificate_authority(name=subordinate_ca_path).state}"
+    )
+
+
+# [END privateca_activate_subordinateca]

privateca/snippets/create_certificate_csr.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_create_certificate_csr]
+import google.cloud.security.privateca_v1 as privateca_v1
+from google.protobuf import duration_pb2
+
+
+def create_certificate_csr(
+    project_id: str,
+    location: str,
+    ca_pool_name: str,
+    ca_name: str,
+    certificate_name: str,
+    certificate_lifetime: int,
+    pem_csr: str,
+) -> None:
+    """
+    Create a Certificate which is issued by the specified Certificate Authority (CA).
+    The certificate details and the public key is provided as a Certificate Signing Request (CSR).
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: set a unique name for the CA pool.
+        ca_name: the name of the certificate authority to sign the CSR.
+        certificate_name: set a unique name for the certificate.
+        certificate_lifetime: the validity of the certificate in seconds.
+        pem_csr: set the Certificate Issuing Request in the pem encoded format.
+    """
+
+    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
+
+    # The public key used to sign the certificate can be generated using any crypto library/framework.
+    # Also you can use Cloud KMS to retrieve an already created public key.
+    # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
+
+    # Create certificate with CSR.
+    # The pem_csr contains the public key and the domain details required.
+    certificate = privateca_v1.Certificate(
+        pem_csr=pem_csr, lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
+    )
+
+    # Create the Certificate Request.
+    # Set the CA which is responsible for creating the certificate with the provided CSR.
+    request = privateca_v1.CreateCertificateRequest(
+        parent=ca_service_client.ca_pool_path(project_id, location, ca_pool_name),
+        certificate_id=certificate_name,
+        certificate=certificate,
+        issuing_certificate_authority_id=ca_name,
+    )
+    response = ca_service_client.create_certificate(request=request)
+
+    print(f"Certificate created successfully: {response.name}")
+
+    # Get the signed certificate and the issuer chain list.
+    print(f"Signed certificate: {response.pem_certificate}")
+    print(f"Issuer chain list: {response.pem_certificate_chain}")
+
+
+# [END privateca_create_certificate_csr]

privateca/snippets/create_subordinate_ca.py

@@ -0,0 +1,97 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_create_subordinateca]
+import google.cloud.security.privateca_v1 as privateca_v1
+from google.protobuf import duration_pb2
+
+
+def create_subordinate_ca(
+    project_id: str,
+    location: str,
+    ca_pool_name: str,
+    subordinate_ca_name: str,
+    common_name: str,
+    organization: str,
+    domain: str,
+    ca_duration: int,
+) -> None:
+    """
+    Create Certificate Authority (CA) which is the subordinate CA in the given CA Pool.
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: set it to the CA Pool under which the CA should be created.
+        subordinate_ca_name: unique name for the Subordinate CA.
+        common_name: a title for your certificate authority.
+        organization: the name of your company for your certificate authority.
+        domain: the name of your company for your certificate authority.
+        ca_duration: the validity of the certificate authority in seconds.
+    """
+
+    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
+
+    # Set the type of Algorithm
+    key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec(
+        algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256
+    )
+
+    # Set CA subject config.
+    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
+        subject=privateca_v1.Subject(
+            common_name=common_name, organization=organization
+        ),
+        # Set the fully qualified domain name.
+        subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain]),
+    )
+
+    # Set the key usage options for X.509 fields.
+    x509_parameters = privateca_v1.X509Parameters(
+        key_usage=privateca_v1.KeyUsage(
+            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
+                crl_sign=True, cert_sign=True,
+            )
+        ),
+        ca_options=privateca_v1.X509Parameters.CaOptions(is_ca=True,),
+    )
+
+    # Set certificate authority settings.
+    certificate_authority = privateca_v1.CertificateAuthority(
+        type_=privateca_v1.CertificateAuthority.Type.SUBORDINATE,
+        key_spec=key_version_spec,
+        config=privateca_v1.CertificateConfig(
+            subject_config=subject_config, x509_config=x509_parameters,
+        ),
+        # Set the CA validity duration.
+        lifetime=duration_pb2.Duration(seconds=ca_duration),
+    )
+
+    ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name)
+
+    # Create the CertificateAuthorityRequest.
+    request = privateca_v1.CreateCertificateAuthorityRequest(
+        parent=ca_pool_path,
+        certificate_authority_id=subordinate_ca_name,
+        certificate_authority=certificate_authority,
+    )
+
+    operation = ca_service_client.create_certificate_authority(request=request)
+    result = operation.result()
+
+    print(f"Operation result: {result}")
+
+
+# [END privateca_create_subordinateca]

privateca/snippets/test_subordinate_ca.py

@@ -0,0 +1,110 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import re
+import typing
+import uuid
+
+import google.auth
+import google.cloud.security.privateca_v1 as privateca_v1
+
+from activate_subordinate_ca import activate_subordinate_ca
+from create_certificate_csr import create_certificate_csr
+from create_subordinate_ca import create_subordinate_ca
+from revoke_certificate import revoke_certificate
+
+PROJECT = google.auth.default()[1]
+LOCATION = "europe-west1"
+COMMON_NAME = "COMMON_NAME"
+ORGANIZATION = "ORGANIZATION"
+CA_DURATION = CERTIFICATE_LIFETIME = 1000000
+DOMAIN_NAME = "domain.com"
+
+
+def generate_name() -> str:
+    return "test-" + uuid.uuid4().hex[:10]
+
+
+def test_subordinate_certificate_authority(
+    certificate_authority, capsys: typing.Any
+) -> None:
+    CSR_CERT_NAME = generate_name()
+    SUBORDINATE_CA_NAME = generate_name()
+
+    CA_POOL_NAME, ROOT_CA_NAME = certificate_authority
+
+    # 1. Create a Subordinate Certificate Authority.
+    create_subordinate_ca(
+        PROJECT,
+        LOCATION,
+        CA_POOL_NAME,
+        SUBORDINATE_CA_NAME,
+        COMMON_NAME,
+        ORGANIZATION,
+        DOMAIN_NAME,
+        CA_DURATION,
+    )
+
+    # 2. Fetch CSR of the given CA.
+    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
+
+    ca_path = ca_service_client.certificate_authority_path(
+        PROJECT, LOCATION, CA_POOL_NAME, SUBORDINATE_CA_NAME
+    )
+    response = ca_service_client.fetch_certificate_authority_csr(name=ca_path)
+    pem_csr = response.pem_csr
+
+    # 3. Sign the CSR and create a certificate.
+    create_certificate_csr(
+        PROJECT,
+        LOCATION,
+        CA_POOL_NAME,
+        ROOT_CA_NAME,
+        CSR_CERT_NAME,
+        CERTIFICATE_LIFETIME,
+        pem_csr,
+    )
+
+    # 4. Get certificate PEM format
+    certificate_name = ca_service_client.certificate_path(
+        PROJECT, LOCATION, CA_POOL_NAME, CSR_CERT_NAME
+    )
+    pem_certificate = ca_service_client.get_certificate(
+        name=certificate_name
+    ).pem_certificate
+
+    # 5. Activate Subordinate CA
+    activate_subordinate_ca(
+        PROJECT,
+        LOCATION,
+        CA_POOL_NAME,
+        SUBORDINATE_CA_NAME,
+        pem_certificate,
+        ROOT_CA_NAME,
+    )
+
+    revoke_certificate(
+        PROJECT, LOCATION, CA_POOL_NAME, CSR_CERT_NAME,
+    )
+
+    out, _ = capsys.readouterr()
+
+    assert re.search(
+        f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/caPools/{CA_POOL_NAME}/certificateAuthorities/{SUBORDINATE_CA_NAME}"',
+        out,
+    )
+
+    assert "Certificate created successfully" in out
+    assert f"Current state: {privateca_v1.CertificateAuthority.State.STAGED}" in out