// Code generated by smithy-go-codegen DO NOT EDIT.
package types
import (
smithydocument "github.com/aws/smithy-go/document"
"time"
)
// Provides access information used by the authorityInfoAccess and
// subjectInfoAccess extensions described in RFC 5280
// (https://datatracker.ietf.org/doc/html/rfc5280).
type AccessDescription struct {

	// The location of AccessDescription information. GeneralName accepts only one
	// of its naming options; see GeneralName.
	//
	// This member is required.
	AccessLocation *GeneralName

	// The type and format of AccessDescription information.
	//
	// This member is required.
	AccessMethod *AccessMethod

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Describes the type and format of extension access. Only one of
// CustomObjectIdentifier or AccessMethodType may be provided. Providing both
// results in InvalidArgsException.
type AccessMethod struct {

	// Specifies the AccessMethod.
	AccessMethodType AccessMethodType

	// An object identifier (OID) specifying the AccessMethod. The OID must satisfy the
	// regular expression shown below. For more information, see NIST's definition of
	// Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).
	//
	// NOTE(review): the regular expression referred to above is not reproduced in
	// this generated file; consult the API reference for the accepted pattern.
	CustomObjectIdentifier *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains X.509 certificate information to be placed in an issued certificate. An
// APIPassthrough or APICSRPassthrough template variant must be selected, or else
// this parameter is ignored. If conflicting or duplicate certificate information
// is supplied from other sources, ACM Private CA applies order of operation rules
// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations)
// to determine what information is used.
//
// NOTE(review): the values in this structure are copied into the issued
// certificate; a caller that populates them from client-supplied data should
// validate them against its issuance policy before calling the API.
type ApiPassthrough struct {

	// Specifies X.509 extension information for a certificate.
	Extensions *Extensions

	// Contains information about the certificate subject. The Subject field in the
	// certificate identifies the entity that owns or controls the public key in the
	// certificate. The entity can be a user, computer, device, or service. The Subject
	// must contain an X.500 distinguished name (DN). A DN is a sequence of relative
	// distinguished names (RDNs). The RDNs are separated by commas in the certificate.
	Subject *ASN1Subject

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains information about the certificate subject. The Subject field in the
// certificate identifies the entity that owns or controls the public key in the
// certificate. The entity can be a user, computer, device, or service. The Subject
// must contain an X.500 distinguished name (DN). A DN is a sequence of relative
// distinguished names (RDNs). The RDNs are separated by commas in the certificate.
type ASN1Subject struct {

	// For CA and end-entity certificates in a private PKI, the common name (CN) can be
	// any string within the length limit. Note: In publicly trusted certificates, the
	// common name must be a fully qualified domain name (FQDN) associated with the
	// certificate subject.
	CommonName *string

	// Two-digit code that specifies the country in which the certificate subject is
	// located.
	Country *string

	// Contains a sequence of one or more X.500 relative distinguished names (RDNs),
	// each of which consists of an object identifier (OID) and a value. For more
	// information, see NIST's definition of Object Identifier (OID)
	// (https://csrc.nist.gov/glossary/term/Object_Identifier). Custom attributes
	// cannot be used in combination with the standard attributes of this structure.
	CustomAttributes []CustomAttribute

	// Disambiguating information for the certificate subject.
	DistinguishedNameQualifier *string

	// Typically a qualifier appended to the name of an individual. Examples include
	// Jr. for junior, Sr. for senior, and III for third.
	GenerationQualifier *string

	// First name.
	GivenName *string

	// Concatenation that typically contains the first letter of the GivenName, the
	// first letter of the middle name if one exists, and the first letter of the
	// Surname.
	Initials *string

	// The locality (such as a city or town) in which the certificate subject is
	// located.
	Locality *string

	// Legal name of the organization with which the certificate subject is affiliated.
	Organization *string

	// A subdivision or unit of the organization (such as sales or finance) with which
	// the certificate subject is affiliated.
	OrganizationalUnit *string

	// Typically a shortened version of a longer GivenName. For example, Jonathan is
	// often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.
	Pseudonym *string

	// The certificate serial number.
	SerialNumber *string

	// State in which the subject of the certificate is located.
	State *string

	// Family name. In the US and the UK, for example, the surname of an individual is
	// ordered last. In Asian cultures the surname is typically ordered first.
	Surname *string

	// A title such as Mr. or Ms., which is pre-pended to the name to refer formally to
	// the certificate subject.
	Title *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains information about your private certificate authority (CA). Your private
// CA can issue and revoke X.509 digital certificates. Digital certificates verify
// that the entity named in the certificate Subject field owns or controls the
// public key contained in the Subject Public Key Info field. Call the
// CreateCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html)
// action to create your private CA. You must then call the
// GetCertificateAuthorityCertificate
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)
// action to retrieve a private CA certificate signing request (CSR). Sign the CSR
// with your ACM Private CA-hosted or on-premises root or subordinate CA
// certificate. Call the ImportCertificateAuthorityCertificate
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
// action to import the signed certificate into Certificate Manager (ACM).
type CertificateAuthority struct {

	// Amazon Resource Name (ARN) for your private certificate authority (CA). The
	// format is 12345678-1234-1234-1234-123456789012 .
	//
	// NOTE(review): the sample above shows only the UUID portion of the CA
	// identifier; a full ARN also carries the partition, Region, account, and
	// resource type — confirm the exact form against the API reference.
	Arn *string

	// Your private CA configuration.
	CertificateAuthorityConfiguration *CertificateAuthorityConfiguration

	// Date and time at which your private CA was created.
	CreatedAt *time.Time

	// Reason the request to create your private CA failed.
	FailureReason FailureReason

	// Defines a cryptographic key management compliance standard used for handling CA
	// keys. Default: FIPS_140_2_LEVEL_3_OR_HIGHER Note: Amazon Web Services Region
	// ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly
	// specify this parameter and value when creating a CA in that Region. Specifying a
	// different value (or no value) results in an InvalidArgsException with the
	// message "A certificate authority cannot be created in this region with the
	// specified security standard."
	KeyStorageSecurityStandard KeyStorageSecurityStandard

	// Date and time at which your private CA was last updated.
	LastStateChangeAt *time.Time

	// Date and time after which your private CA certificate is not valid.
	NotAfter *time.Time

	// Date and time before which your private CA certificate is not valid.
	NotBefore *time.Time

	// The Amazon Web Services account ID that owns the certificate authority.
	OwnerAccount *string

	// The period during which a deleted CA can be restored. For more information, see
	// the PermanentDeletionTimeInDays parameter of the
	// DeleteCertificateAuthorityRequest
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html)
	// action.
	RestorableUntil *time.Time

	// Information about the Online Certificate Status Protocol (OCSP) configuration or
	// certificate revocation list (CRL) created and maintained by your private CA.
	RevocationConfiguration *RevocationConfiguration

	// Serial number of your private CA.
	Serial *string

	// Status of your private CA.
	Status CertificateAuthorityStatus

	// Type of your private CA.
	Type CertificateAuthorityType

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains configuration information for your private certificate authority (CA).
// This includes information about the class of public key algorithm and the key
// pair that your private CA creates when it issues a certificate. It also includes
// the signature algorithm that it uses when issuing certificates, and its X.500
// distinguished name. You must specify this information when you call the
// CreateCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html)
// action.
type CertificateAuthorityConfiguration struct {

	// Type of the public key algorithm and size, in bits, of the key pair that your CA
	// creates when it issues a certificate. When you create a subordinate CA, you must
	// use a key algorithm supported by the parent CA.
	//
	// This member is required.
	KeyAlgorithm KeyAlgorithm

	// Name of the algorithm your private CA uses to sign certificate requests. This
	// parameter should not be confused with the SigningAlgorithm parameter used to
	// sign certificates when they are issued.
	//
	// This member is required.
	SigningAlgorithm SigningAlgorithm

	// Structure that contains X.500 distinguished name information for your private
	// CA.
	//
	// This member is required.
	Subject *ASN1Subject

	// Specifies information to be added to the extension section of the certificate
	// signing request (CSR).
	CsrExtensions *CsrExtensions

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains configuration information for a certificate revocation list (CRL). Your
// private certificate authority (CA) creates base CRLs. Delta CRLs are not
// supported. You can enable CRLs for your new or an existing private CA by setting
// the Enabled parameter to true. Your private CA writes CRLs to an S3 bucket that
// you specify in the S3BucketName parameter. You can hide the name of your bucket
// by specifying a value for the CustomCname parameter. Your private CA copies the
// CNAME or the S3 bucket name to the CRL Distribution Points extension of each
// certificate it issues. Your S3 bucket policy must give write permission to ACM
// Private CA. ACM Private CA assets that are stored in Amazon S3 can be protected
// with encryption. For more information, see Encrypting Your CRLs
// (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption).
// Your private CA uses the value in the ExpirationInDays parameter to calculate
// the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's
// expiration date or when a certificate is revoked. When a certificate is revoked,
// it appears in the CRL until the certificate expires, and then in one additional
// CRL after expiration, and it always appears in the audit report. A CRL is
// typically updated approximately 30 minutes after a certificate is revoked. If
// for any reason a CRL update fails, ACM Private CA makes further attempts every
// 15 minutes. CRLs contain the following fields:
//
// * Version: The current version
// number defined in RFC 5280 is V2. The integer value is 0x1.
//
// * Signature
// Algorithm: The name of the algorithm used to sign the CRL.
//
// * Issuer: The X.500
// distinguished name of your private CA that issued the CRL.
//
// * Last Update: The
// issue date and time of this CRL.
//
// * Next Update: The day and time by which the
// next CRL will be issued.
//
// * Revoked Certificates: List of revoked certificates.
// Each list item contains the following information.
//
// * Serial Number: The serial
// number, in hexadecimal format, of the revoked certificate.
//
// * Revocation Date:
// Date and time the certificate was revoked.
//
// * CRL Entry Extensions: Optional
// extensions for the CRL entry.
//
// * X509v3 CRL Reason Code: Reason the certificate
// was revoked.
//
// * CRL Extensions: Optional extensions for the CRL.
//
// * X509v3
// Authority Key Identifier: Identifies the public key associated with the private
// key used to sign the certificate.
//
// * X509v3 CRL Number: Decimal sequence number
// for the CRL.
//
// * Signature Algorithm: Algorithm used by your private CA to sign
// the CRL.
//
// * Signature Value: Signature computed over the CRL.
//
// Certificate
// revocation lists created by ACM Private CA are DER-encoded. You can use the
// following OpenSSL command to list a CRL. openssl crl -inform DER -text -in
// crl_path -noout For more information, see Planning a certificate revocation list
// (CRL) (https://docs.aws.amazon.com/acm-pca/latest/userguide/crl-planning.html)
// in the Certificate Manager Private Certificate Authority (PCA) User Guide.
type CrlConfiguration struct {

	// Boolean value that specifies whether certificate revocation lists (CRLs) are
	// enabled. You can use this value to enable certificate revocation for a new CA
	// when you call the CreateCertificateAuthority
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html)
	// action or for an existing CA when you call the UpdateCertificateAuthority
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html)
	// action.
	//
	// This member is required.
	Enabled *bool

	// Name inserted into the certificate CRL Distribution Points extension that
	// enables the use of an alias for the CRL distribution point. Use this value if
	// you don't want the name of your S3 bucket to be public.
	CustomCname *string

	// Validity period of the CRL in days. Used to compute the CRL's nextUpdate field
	// (see the type comment above).
	ExpirationInDays *int32

	// Name of the S3 bucket that contains the CRL. If you do not provide a value for
	// the CustomCname argument, the name of your S3 bucket is placed into the CRL
	// Distribution Points extension of the issued certificate. You can change the name
	// of your bucket by calling the UpdateCertificateAuthority
	// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html)
	// operation. You must specify a bucket policy
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies)
	// that allows ACM Private CA to write the CRL to your bucket.
	S3BucketName *string

	// Determines whether the CRL will be publicly readable or privately held in the
	// CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over
	// the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of
	// the CRL S3 bucket can access the CRL, and your PKI clients may need an
	// alternative method of access. If no value is specified, the default is
	// PUBLIC_READ. Note: This default can cause CA creation to fail in some
	// circumstances. If you have enabled the Block Public Access (BPA) feature in
	// your S3 account, then you must specify the value of this parameter as
	// BUCKET_OWNER_FULL_CONTROL, and not doing so results in an error. If you have
	// disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL or
	// PUBLIC_READ as the value. For more information, see Blocking public access to
	// the S3 bucket
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa).
	//
	// NOTE(review): leaving this unset selects PUBLIC_READ, which publishes the CRL
	// (revoked serial numbers and revocation dates) to the public internet. Set
	// BUCKET_OWNER_FULL_CONTROL explicitly unless relying parties must fetch the CRL
	// anonymously.
	S3ObjectAcl S3ObjectAcl

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Describes the certificate extensions to be added to the certificate signing
// request (CSR).
type CsrExtensions struct {

	// Indicates the purpose of the certificate and of the key contained in the
	// certificate.
	KeyUsage *KeyUsage

	// For CA certificates, provides a path to additional information pertaining to the
	// CA, such as revocation and policy. For more information, see Subject Information
	// Access (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.2) in RFC
	// 5280.
	SubjectInformationAccess []AccessDescription

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Defines the X.500 relative distinguished name (RDN). Used by
// ASN1Subject.CustomAttributes, which cannot be combined with the standard
// subject attributes.
type CustomAttribute struct {

	// Specifies the object identifier (OID) of the attribute type of the relative
	// distinguished name (RDN).
	//
	// This member is required.
	ObjectIdentifier *string

	// Specifies the attribute value of the relative distinguished name (RDN).
	//
	// This member is required.
	Value *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Specifies the X.509 extension information for a certificate. Extensions present
// in CustomExtensions follow the ApiPassthrough template rules
// (https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations).
type CustomExtension struct {

	// Specifies the object identifier (OID) of the X.509 extension. For more
	// information, see the Global OID reference database. (https://oidref.com/2.5.29)
	//
	// This member is required.
	ObjectIdentifier *string

	// Specifies the base64-encoded value of the X.509 extension.
	//
	// NOTE(review): presumably the decoded bytes are the DER-encoded extnValue of
	// the extension; confirm against the API reference before constructing them.
	//
	// This member is required.
	Value *string

	// Specifies the critical flag of the X.509 extension.
	//
	// NOTE(review): under RFC 5280 section 4.2 a relying party that does not
	// recognize a critical extension must reject the certificate, so set this only
	// for extensions every consumer of the certificate understands.
	Critical *bool

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Describes an Electronic Data Interchange (EDI) entity as defined in Subject
// Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280) in RFC 5280.
type EdiPartyName struct {

	// Specifies the party name.
	//
	// This member is required.
	PartyName *string

	// Specifies the name assigner.
	NameAssigner *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Specifies additional purposes for which the certified public key may be used
// other than basic purposes indicated in the KeyUsage extension.
type ExtendedKeyUsage struct {

	// Specifies a custom ExtendedKeyUsage with an object identifier (OID).
	ExtendedKeyUsageObjectIdentifier *string

	// Specifies a standard ExtendedKeyUsage as defined in RFC 5280
	// (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12).
	ExtendedKeyUsageType ExtendedKeyUsageType

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains X.509 extension information for a certificate.
type Extensions struct {

	// Contains a sequence of one or more policy information terms, each of which
	// consists of an object identifier (OID) and optional qualifiers. For more
	// information, see NIST's definition of Object Identifier (OID)
	// (https://csrc.nist.gov/glossary/term/Object_Identifier). In an end-entity
	// certificate, these terms indicate the policy under which the certificate was
	// issued and the purposes for which it may be used. In a CA certificate, these
	// terms limit the set of policies for certification paths that include this
	// certificate.
	CertificatePolicies []PolicyInformation

	// Contains a sequence of one or more X.509 extensions, each of which consists of
	// an object identifier (OID), a base64-encoded value, and the critical flag. For
	// more information, see the Global OID reference database.
	// (https://oidref.com/2.5.29)
	CustomExtensions []CustomExtension

	// Specifies additional purposes for which the certified public key may be used
	// other than basic purposes indicated in the KeyUsage extension.
	ExtendedKeyUsage []ExtendedKeyUsage

	// Defines one or more purposes for which the key contained in the certificate can
	// be used. Default value for each option is false.
	KeyUsage *KeyUsage

	// The subject alternative name extension allows identities to be bound to the
	// subject of the certificate. These identities may be included in addition to or
	// in place of the identity in the subject field of the certificate.
	SubjectAlternativeNames []GeneralName

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Describes an ASN.1 X.400 GeneralName as defined in RFC 5280
// (https://datatracker.ietf.org/doc/html/rfc5280). Only one of the following
// naming options should be provided. Providing more than one option results in an
// InvalidArgsException error.
type GeneralName struct {

	// Contains information about the certificate subject. The Subject field in the
	// certificate identifies the entity that owns or controls the public key in the
	// certificate. The entity can be a user, computer, device, or service. The Subject
	// must contain an X.500 distinguished name (DN). A DN is a sequence of relative
	// distinguished names (RDNs). The RDNs are separated by commas in the certificate.
	DirectoryName *ASN1Subject

	// Represents GeneralName as a DNS name.
	DnsName *string

	// Represents GeneralName as an EdiPartyName object.
	EdiPartyName *EdiPartyName

	// Represents GeneralName as an IPv4 or IPv6 address.
	IpAddress *string

	// Represents GeneralName using an OtherName object.
	OtherName *OtherName

	// Represents GeneralName as an object identifier (OID).
	RegisteredId *string

	// Represents GeneralName as an RFC 822
	// (https://datatracker.ietf.org/doc/html/rfc822) email address.
	Rfc822Name *string

	// Represents GeneralName as a URI.
	UniformResourceIdentifier *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Defines one or more purposes for which the key contained in the certificate can
// be used. Default value for each option is false. The fields are plain bool
// rather than *bool, so an omitted field and an explicit false are
// indistinguishable.
//
// NOTE(review): KeyCertSign and CRLSign are the bits RFC 5280 section 4.2.1.3
// associates with CA certificates; confirm they are not requested for end-entity
// certificates.
type KeyUsage struct {

	// Key can be used to sign CRLs.
	CRLSign bool

	// Key can be used to decipher data.
	DataEncipherment bool

	// Key can be used only to decipher data.
	DecipherOnly bool

	// Key can be used for digital signing.
	DigitalSignature bool

	// Key can be used only to encipher data.
	EncipherOnly bool

	// Key can be used in a key-agreement protocol.
	KeyAgreement bool

	// Key can be used to sign certificates.
	KeyCertSign bool

	// Key can be used to encipher data.
	KeyEncipherment bool

	// Key can be used for non-repudiation.
	NonRepudiation bool

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Contains information to enable and configure Online Certificate Status Protocol
// (OCSP) for validating certificate revocation status. When you revoke a
// certificate, OCSP responses may take up to 60 minutes to reflect the new status.
type OcspConfiguration struct {

	// Flag enabling use of the Online Certificate Status Protocol (OCSP) for
	// validating certificate revocation status.
	//
	// This member is required.
	Enabled *bool

	// By default, ACM Private CA injects an Amazon Web Services domain into
	// certificates being validated by the Online Certificate Status Protocol (OCSP). A
	// customer can alternatively use this object to define a CNAME specifying a
	// customized OCSP domain. Note: The value of the CNAME must not include a protocol
	// prefix such as "http://" or "https://". For more information, see Customizing
	// Online Certificate Status Protocol (OCSP)
	// (https://docs.aws.amazon.com/acm-pca/latest/userguide/ocsp-customize.html) in
	// the Certificate Manager Private Certificate Authority (PCA) User Guide.
	OcspCustomCname *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) and
// value. The OID must satisfy the regular expression shown below. For more
// information, see NIST's definition of Object Identifier (OID)
// (https://csrc.nist.gov/glossary/term/Object_Identifier).
//
// NOTE(review): the regular expression referred to above is not reproduced in
// this generated file; consult the API reference for the accepted pattern.
type OtherName struct {

	// Specifies an OID.
	//
	// This member is required.
	TypeId *string

	// Specifies an OID value.
	//
	// This member is required.
	Value *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Permissions designate which private CA actions can be performed by an Amazon Web
// Services service or entity. In order for ACM to automatically renew private
// certificates, you must give the ACM service principal all available permissions
// (IssueCertificate, GetCertificate, and ListPermissions). Permissions can be
// assigned with the CreatePermission
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html)
// action, removed with the DeletePermission
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html)
// action, and listed with the ListPermissions
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html)
// action.
type Permission struct {

	// The private CA actions that can be performed by the designated Amazon Web
	// Services service.
	Actions []ActionType

	// The Amazon Resource Name (ARN) of the private CA from which the permission was
	// issued.
	CertificateAuthorityArn *string

	// The time at which the permission was created.
	CreatedAt *time.Time

	// The name of the policy that is associated with the permission.
	Policy *string

	// The Amazon Web Services service or entity that holds the permission. At this
	// time, the only valid principal is acm.amazonaws.com.
	Principal *string

	// The ID of the account that assigned the permission.
	SourceAccount *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Defines the X.509 CertificatePolicies extension.
type PolicyInformation struct {

	// Specifies the object identifier (OID) of the certificate policy under which the
	// certificate was issued. For more information, see NIST's definition of Object
	// Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).
	//
	// This member is required.
	CertPolicyId *string

	// Modifies the given CertPolicyId with a qualifier. ACM Private CA supports the
	// certification practice statement (CPS) qualifier.
	PolicyQualifiers []PolicyQualifierInfo

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Modifies the CertPolicyId of a PolicyInformation object with a qualifier. ACM
// Private CA supports the certification practice statement (CPS) qualifier.
type PolicyQualifierInfo struct {

	// Identifies the qualifier modifying a CertPolicyId.
	//
	// This member is required.
	PolicyQualifierId PolicyQualifierId

	// Defines the qualifier type. ACM Private CA supports the use of a URI for a CPS
	// qualifier in this field.
	//
	// This member is required.
	Qualifier *Qualifier

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Defines a PolicyInformation qualifier. ACM Private CA supports the certification
// practice statement (CPS) qualifier
// (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4) defined in RFC
// 5280.
type Qualifier struct {

	// Contains a pointer (URI) to a certification practice statement (CPS) published
	// by the CA.
	//
	// This member is required.
	CpsUri *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Certificate revocation information used by the CreateCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html)
// and UpdateCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html)
// actions. Your private certificate authority (CA) can configure Online
// Certificate Status Protocol (OCSP) support and/or maintain a certificate
// revocation list (CRL). OCSP returns validation information about certificates as
// requested by clients, and a CRL contains an updated list of certificates revoked
// by your CA. For more information, see RevokeCertificate
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html)
// and Setting up a certificate revocation method
// (https://docs.aws.amazon.com/acm-pca/latest/userguide/revocation-setup.html) in
// the Certificate Manager Private Certificate Authority (PCA) User Guide.
type RevocationConfiguration struct {

	// Configuration of the certificate revocation list (CRL), if any, maintained by
	// your private CA. A CRL is typically updated approximately 30 minutes after a
	// certificate is revoked. If for any reason a CRL update fails, ACM Private CA
	// makes further attempts every 15 minutes.
	CrlConfiguration *CrlConfiguration

	// Configuration of Online Certificate Status Protocol (OCSP) support, if any,
	// maintained by your private CA. When you revoke a certificate, OCSP responses may
	// take up to 60 minutes to reflect the new status.
	OcspConfiguration *OcspConfiguration

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Tags are labels that you can use to identify and organize your private CAs. Each
// tag consists of a key and an optional value. You can associate up to 50 tags
// with a private CA. To add one or more tags to a private CA, call the
// TagCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html)
// action. To remove a tag, call the UntagCertificateAuthority
// (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html)
// action.
type Tag struct {

	// Key (name) of the tag.
	//
	// This member is required.
	Key *string

	// Value of the tag. Optional; may be nil.
	Value *string

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// Validity specifies the period of time during which a certificate is valid.
// Validity can be expressed as an explicit date and time when the validity of a
// certificate starts or expires, or as a span of time after issuance, stated in
// days, months, or years. For more information, see Validity
// (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5) in RFC 5280. ACM
// Private CA API consumes the Validity data type differently in two distinct
// parameters of the IssueCertificate action. The required parameter
// IssueCertificate:Validity specifies the end of a certificate's validity period.
// The optional parameter IssueCertificate:ValidityNotBefore specifies a customized
// starting time for the validity period.
type Validity struct {

	// Determines how ACM Private CA interprets the Value parameter, an integer.
	// Supported validity types include those listed below. Type definitions with
	// values include a sample input value and the resulting output. END_DATE: The
	// specific date and time when the certificate will expire, expressed using UTCTime
	// (YYMMDDHHMMSS) or GeneralizedTime (YYYYMMDDHHMMSS) format. When UTCTime is used,
	// if the year field (YY) is greater than or equal to 50, the year is interpreted
	// as 19YY. If the year field is less than 50, the year is interpreted as 20YY.
	//
	// *
	// Sample input value: 491231235959 (UTCTime format)
	//
	// * Output expiration
	// date/time: 12/31/2049 23:59:59
	//
	// ABSOLUTE: The specific date and time when the
	// validity of a certificate will start or expire, expressed in seconds since the
	// Unix Epoch.
	//
	// * Sample input value: 2524608000
	//
	// * Output expiration date/time:
	// 01/01/2050 00:00:00
	//
	// DAYS, MONTHS, YEARS: The relative time from the moment of
	// issuance until the certificate will expire, expressed in days, months, or years.
	// Example if DAYS, issued on 10/12/2020 at 12:34:54 UTC:
	//
	// * Sample input value:
	// 90
	//
	// * Output expiration date: 01/10/2021 12:34:54 UTC (90 days after issuance)
	//
	// The minimum validity
	// duration for a certificate using relative time (DAYS) is one day. The minimum
	// validity for a certificate using absolute time (ABSOLUTE or END_DATE) is one
	// second.
	//
	// This member is required.
	Type ValidityPeriodType

	// A long integer interpreted according to the value of Type, above.
	//
	// This member is required.
	Value *int64

	// Embeds smithydocument.NoSerde via the alias declared at the end of this file.
	noSmithyDocumentSerde
}
// noSmithyDocumentSerde is the unexported marker embedded in every type above;
// it aliases smithydocument.NoSerde from github.com/aws/smithy-go/document.
type noSmithyDocumentSerde = smithydocument.NoSerde