8dZddlmZddlmZddlmZddlmZddlmZ ddlm Z ddlm Z ddl mZdd l m Z dd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlZdZdZ dZ!ejDejFjHejJGddejLZ'y)zCreate a certificate.)absolute_import)division)unicode_literals)cryptokeyversions)base)certificate_utils) request_utils) exceptions)deps)flags)key_generation) pem_utils) resource_args) labels_util)concept_parsers)presentation_specs)log)filesNa7The path where the generated private key file should be written (in PEM format). Note: possession of this key file could allow anybody to act as this certificate's subject. Please make sure that you store this key file in a secure location at all times, and ensure that only authorized users have access to it.c tj|S#tjttf$r%t j dj|wxYw)Nz&Could not read provided CSR file '{}'.)rReadFileContentsErrorOSErrorIOErrorr BadFileExceptionformat)csr_files ,lib/surface/privateca/certificates/create.py_ReadCsrr.sS  ! !( ++ ++w (  % %077A s AAc |g|z}tj|tj|y#tjt t f$r%tjdj|wxYw)Nz$Could not write certificate to '{}'.) rWriteFileContentsrPemChainForOutputrrrr rr)pem_cert issuing_chain cert_file pem_chains r_WritePemChainr&7si ]*I Iy'B'B9'MN ++w (  % %.55i@ s /2AA5cXeZdZdZedZedZdZedZ dZ dZ dZ y ) CreateabCreate a new certificate. ## EXAMPLES To create a certificate using a CSR: $ {command} frontend-server-tls \ --issuer-pool=my-pool --issuer-location=us-west1 \ --csr=./csr.pem \ --cert-output-file=./cert.pem \ --validity=P30D To create a certificate using a client-generated key: $ {command} frontend-server-tls \ --issuer-pool=my-pool --issuer-location=us-west1 \ --generate-key \ --key-output-file=./key \ --cert-output-file=./cert.pem \ --dns-san=www.example.com \ --use-preset-profile=leaf_server_tls c (|jddd}tjdddj|tjdd d dd j|t j |d d dt j||jddd}|jd}tjdddj|tjdddd j||jd}|jddd}|jd}tjddddddj|tjdtdj|tjdd dj||jd!d}t j||jdd"#}t j|dd$%t j|t j|d&} tjtj | t#j$| t&j)gd'd(tj d)t#j*d*d+dd,tj d-t#j,d.|/gd0d1gi2j||j.j1d3y)4NTz Certificate persistence options.)mutexrequiredhelpz--cert-output-fileznThe path where the resulting PEM-encoded certificate chain file should be written (ordered from leaf to root).F)r,r+z--validate-onlyzIf this flag is set, the certificate resource will not be persisted and the returned certificate will not contain the pem_certificate field. store_true)r,actiondefaultr+ certificateP30Dz30 dayszCertificate generation method.z4To issue a certificate from a CSR use the following:)r,--csrz4A PEM-encoded certificate signing request file path.z--rdn-sequence-subjectzyIf this value is set then the issued certificate will use the subject found in the CSR preserving the exact RDN sequence.)r,hiddenr.z?Alternatively, you may describe the certificate and key to use.z]To describe the key that will be used for this certificate, use one of the following options.z.To generate a new key pair, use the following:--generate-keyzTUse this flag to have a new RSA-2048 private key securely generated on your machine. store_const)r,r.constr/r+z--key-output-filez--cazThe name of an existing certificate authority to use for issuing the certificate. If omitted, a certificate authority will be will be chosen from the CA pool by the service on your behalf.z&The subject names for the certificate.z1The x509 configuration used for this certificate.)r*r,r) is_ca_commanddefault_max_chain_length CERTIFICATEa5The name of the certificate to issue. If the certificate ID is omitted, a random identifier will be generated according to the following format: {YYYYMMDD}-{3 random alphanumeric characters}-{3 random alphanumeric characters}. The certificate ID is not required when the issuing CA pool is in the DevOps tier.)r+ --templatecertificate_templateaEThe name of a certificate template to use for issuing this certificate, if desired. A template may overwrite parts of the certificate request, and the use of certificate templates may be required and/or regulated by the issuing CA Pool's CA Manager. The specified template must be in the same location as the issuing CA Pool.)r+prefixes--kms-key-versionz5An existing KMS key version backing this certificate.)groupz--template.locationzCERTIFICATE.issuer-location)command_level_fallthroughszyaml(certificateDescription)) add_grouprArgument AddToParserr AddValidityFlagrAddCreateLabelsFlags_KEY_OUTPUT_HELPAddSubjectFlagsAddInlineX509ParametersFlagsAddUsePresetProfilesFlagAddSubjectKeyIdFlagr ConceptParserrResourcePresentationSpecrCreateCertResourceSpecr(!_GenerateCertificateIdFallthrough%CreateCertificateTemplateResourceSpecCreateKmsKeyVersionResourceSpec display_info AddFormat) parserpersistence_groupcert_generation_group csr_group non_csr_group key_groupkey_generation_group subject_groupx509_parameters_groupcert_args rArgsz Create.Args[s?((T(J) MM > k#$MM & k#$ &-C$$V,",,T(H-&// C0I MMLk)MM  Jk))33 N4M'' , (I%.. =/ MM * k&'MM"2Tk&'MM Ik&!++ 5,M -()33L4 &&UQ ""#89 f%H!!  7 744vGGIJ#    7 7CC**    7 7#==?G  9" H "$A#B$ I'Nk& !!"@AcNd_fd}tj|dddS)NFc:d_tjS)NT)id_fallthrough_was_usedrGenerateCertId)clssr FallthroughFnz?Create._GenerateCertificateIdFallthrough..FallthroughFns$(c!  - - //r]zOPr]cg}|js|jd|jdr|jd|rJdj|}t |dk(rdnd}t j dj||y y ) zNPrints warnings if certain command-line args are used for an unpersisted cert.zcertificate IDlabelsz, waswerez{names} {verb} specified but will not be used since the issuing CA pool is in the DevOps tier, which does not expose certificate lifecycle.)namesverbN)r`appendrmjoinlenrwarningr)rbrq unused_argsrxrys r _PrintWarningsForUnpersistedCertz'Create._PrintWarningsForUnpersistedCertsK  & &)* !"ii $e+&!+Ud kk ##)6D6#Ar]c|jjj}|jr:t j d\}}t j |j||S|rPtj|}tjrt|jSt|jdStjgdd)z]Fetches the public key associated with a non-CSR certificate request, as UTF-8 encoded bytes.izutf-8)r2r4r=zTo create a certificate, please specify either a CSR, the --generate-key flag to create a new key, or the --kms-key-version flag to use an existing KMS key.)CONCEPTSrlParse generate_keyr RSAKeyGenExportPrivateKeykey_output_filer GetPublicKeysixPY2bytespemr rn)rprqrl private_key public_keypublic_key_responses r _GetPublicKeyzCreate._GetPublicKeysmm3399;O  . 8 8 >k:%%d&:&:KH  -::?KWW #'' ((,,g6  6 6 :D r]c|j|}|jj}|jj|_||j_|jjj j|j_tj||_ tj|d|_ tj||j|_|S)NF)r7)rmessagesCertificateConfig PublicKey publicKeykeyFormatValueValuesEnumPEMrr ParseSubjectFlags subjectConfigParseX509Parameters x509ConfigParseSubjectKeyId subjectKeyId)rprequestrqrconfigs r_GenerateCertificateConfigz!Create._GenerateCertificateConfig5s##D)J ]] , , .F}}..0F%F"mm55KKOOF 2248F11$eLF11$ FF Mr]ctjd|_tjd|_|j ||j jj}tj||jjj}|jj}|jj|_|j|_t!j"||j_||j_|j)j+|_t/j0|_|j4|_|j9dr|j:|_|j j>j}|rN|j@|j@k7rtCjDdd|j+|j_#|jHrjtK|jH|j_&|jNr[|jjjPjR|j_*n!|jW|||j_,|jjZj]|}|j4r|Sd}|j^r|dja|j^z }nt\jc||jdrI|dja|jfz }ti|jd|jj|jf|d z }tljnjq|y) Nv1) api_versioncar:zMThe certificate template must be in the same location as the issuing CA Pool.zCreated Certificatez [{}]z and saved it to [{}].)9privateca_baseGetClientInstanceclientGetMessagesModulerrrrr0rrParseCreateArgs Certificate LabelsValue:PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequestName certificateIdr ParseValidityFlaglifetimertParent RelativeNameparentr GenerateRequestId requestId validate_only validateOnlyrmrissuingCertificateAuthorityIdrk locationsIdr InvalidArgumentExceptioncertificateTemplatecsrrpemCsrrdn_sequence_subjectSubjectModeValueValuesEnum RDN_SEQUENCE subjectModerr'projects_locations_caPools_certificatesr(namerrpemCertificatecert_output_filer&pemCertificateChainrstatusPrint)rprqcert_refrtr template_refr0status_messages rRunz Create.RunAs 22tDDK"44FDMt}}((..0H  ( ( dmm''33F PPR --335G$MMOG#(#:#:4#@G !'G__&335GN%779G--G .2ggg+==))//1L  ! !X%9%9 911    1=0I0I0Kg- xx#+DHH#5g " " MM % % @ @ M M '$(#B#B 4$g ++EELLK   *N{'7'788n --d3!!/66t7L7LMMn  $ $  ) )    cNJJ^$r]N) __name__ __module__ __qualname____doc__ staticmethodr\ classmethodrMrrrrrrr]rr(r(As^.NBNB`   Q"6 E%r]r()(r __future__rrrgooglecloudsdk.api_lib.cloudkmsr googlecloudsdk.api_lib.privatecarrrr googlecloudsdk.callioper googlecloudsdk.calliope.conceptsr $googlecloudsdk.command_lib.privatecar r rr$googlecloudsdk.command_lib.util.argsr(googlecloudsdk.command_lib.util.conceptsrrgooglecloudsdk.corergooglecloudsdk.core.utilrrrErr& ReleaseTracks ReleaseTrackGADefaultUniverseOnly CreateCommandr(rr]rrs&'=C>:(.16?:><DG#* CD%%(()C%T  C%*C%r]