Chrome Management Certificate Provisioning API 程式碼範例

如需 API 功能總覽,請參閱 Cert Provisioning API

本頁面上的所有要求都會使用下列變數:

  • $TOKEN - OAuth2 權杖或自行簽署的 JWT
  • $CUSTOMER:客戶 ID 或文字常值 my_customer
  • $CERT_PROVISIONING_PROCESS:在初始 Pub/Sub 訊息中傳送至憑證佈建適配器的憑證佈建程序 ID
  • $OPERATION:長時間執行作業的 ID

取得憑證佈建程序

取得 CertificateProvisioningProcess 資源。視憑證佈建程序的狀態而定,回應中不會填入 CertificateProvisioningProcess 資源的所有欄位。

要求

curl -H "Authorization: Bearer $TOKEN" \
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS

回應

在要求用戶端簽署資料之前,系統會產生下列回應。

{
  "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS",
  "provisioningProfileId": "43b413f9-5ecd-4bf6-b431-f2df56ce852e",
  "subjectPublicKeyInfo": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtbosvGe1JzJJYBPsPzFY33xD9fSJhQLZh21ELD2vEZ5OSzxXzQOhlXZ2Mv4C3m4zn8mjuYykprBxaMggryd8kyhycm2DDsL2/KUkdQNPnv6mBQ8iionF84iabh+FWph1CU63j2vCPnw0VYSv7cz+bHsxs3tXFB7PqqQZr7WcWAAxFaIqoTkJrTGMzDFs8GHUA6mFhMj0WsPzp3aicj24uW0AAJjVFmiZ+pz1lOOL4coNsVrujrX2E6lU8AHjmoQT6ThRVnuo1jFXoASB4A1It6dtu/P8L3zhsVWYRtOZjLLVvGryzT8z0A8iW5k+apkb465jgLd2vuxFPekAgPRDwIDAQAB",
  "chromeOsDevice": {
    "deviceDirectoryApiId": "abcdefgh-ijkl-mnop-qrst-uvwxyz0123456",
    "serialNumber": "0123456789"
  },
  "startTime": "2025-03-07T13:38:54.930621Z",
  "genericCaConnection": {
    "caConnectionAdapterConfigReference": "default_ca_config"
  },
  "genericProfile": {
    "profileAdapterConfigReference": "device_profile"
  }
}

聲明憑證佈建程序

憑證佈建適配器會宣告憑證佈建程序。如果有多個 Adapter 例項同時執行,這可確保憑證佈建程序由同一個 Adapter 例項處理。即使只有一個 Adapter 例項,也必須執行這個步驟。

要求

curl -H "Authorization: Bearer $TOKEN" \
--json '{"callerInstanceId": "adapter_instance_1"}' \
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS:claim

回應

如果尚未提出憑證佈建程序,系統會傳回空白回應。

{}

如果憑證佈建程序已由其他 Adapter 例項聲明,claim 要求就會失敗,並顯示 400 Bad Request 錯誤。

要求提供擁有權證明簽名

要求要求憑證的用戶端使用指定的 SignatureAlgorithm 簽署部分資料,並使用憑證佈建程序中與公開金鑰相對應的私密金鑰。$DATA_TO_SIGN 代表由用戶端簽署的 Base64 編碼資料。

要求

curl -H "Authorization: Bearer $TOKEN" \
--json '{"signData": "$DATA_TO_SIGN","signatureAlgorithm":"SIGNATURE_ALGORITHM_RSA_PKCS1_V1_5_SHA256"}'\
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS:signData

回應

回應包含 Operation,其中中繼資料欄位已填入 SignDataMetadata proto 訊息。

{
  "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS/operations/$OPERATION",
  "metadata": {
    "@type": "type.googleapis.com/google.chrome.management.versions.v1.SignDataMetadata",
    "startTime": "2025-03-07T14:44:06.156385Z"
  }
}

取得長時間執行的作業

取得從 SignData 要求傳回的長時間執行作業的最新狀態。

要求

curl -H "Authorization: Bearer $TOKEN" \
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS/operations/$OPERATION

回應

Operationmetadata 欄位會填入 SignDataMetadata proto 訊息。如果存在,作業的 response 會填入 SignDataResponse proto 訊息。

如果長時間執行的作業仍在進行中:

{
  "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS/operations/$OPERATION",
  "metadata": {
    "@type": "type.googleapis.com/google.chrome.management.versions.v1.SignDataMetadata",
    "startTime": "2025-03-07T14:44:06.156385Z"
  }
}

如果長時間執行的作業已順利完成:

{
  "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS/operations/$OPERATION",
  "metadata": {
    "@type": "type.googleapis.com/google.chrome.management.versions.v1.SignDataMetadata",
    "startTime": "2025-03-07T14:44:06.156385Z"
  },
  "done": true,
  "response": {
    "@type": "type.googleapis.com/google.chrome.management.versions.v1.SignDataResponse",
    "certificateProvisioningProcess": {
      "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS",
      "provisioningProfileId": "43b413f9-5ecd-4bf6-b431-f2df56ce852e",
      "subjectPublicKeyInfo": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtbosvGe1JzJJYBPsPzFY33xD9fSJhQLZh21ELD2vEZ5OSzxXzQOhlXZ2Mv4C3m4zn8mjuYykprBxaMggryd8kyhycm2DDsL2/KUkdQNPnv6mBQ8iionF84iabh+FWph1CU63j2vCPnw0VYSv7cz+bHsxs3tXFB7PqqQZr7WcWAAxFaIqoTkJrTGMzDFs8GHUA6mFhMj0WsPzp3aicj24uW0AAJjVFmiZ+pz1lOOL4coNsVrujrX2E6lU8AHjmoQT6ThRVnuo1jFXoASB4A1It6dtu/P8L3zhsVWYRtOZjLLVvGryzT8z0A8iW5k+apkb465jgLd2vuxFPekAgPRDwIDAQAB",
      "chromeOsDevice": {
        "deviceDirectoryApiId": "abcdefgh-ijkl-mnop-qrst-uvwxyz0123456",
        "serialNumber": "0123456789"
      },
      "startTime": "2025-03-07T13:38:54.930621Z",
      "signData": "ZGF0YSB0byBzaWduCg==",
      "signatureAlgorithm": "SIGNATURE_ALGORITHM_RSA_PKCS1_V1_5_SHA256",
      "signature": "mPfL8v/DR+ZqbtJ6X5cJCTrzfOO3wPHCY8nV/stbokdNZnkRJ8U0PBzgm6pWy08pMmOfrs9ZMBXcQ0i05Oe6AwgHYYN5RHuwdnhAklJYriDT4fXdzewD6KuA6x7ZX1d2xYnh0p2XczcdNOJsrz2T/p+89PLcB6I1PIg1Cwz4I1YCAS2OMAQF5DxS+SvMpPbkdzkNG4SCCL/hJNayxRMr98SbQ0aQE77AtxzpXGof5cBEBOcbQ+T+kBIgArQ87D6bQVHVB3di+TvYepK6hwxiLbhCEDGHgi2DfMp8kEWnAVPVzi6xht5jPNhVqILALRbQQ1nUjlP8UO+/y+WR4M36Yg==",
      "genericCaConnection": {
        "caConnectionAdapterConfigReference": "default_ca_config"
      },
      "genericProfile": {
        "profileAdapterConfigReference": "device_profile"
      }
    }
  }
}

如果長時間執行的作業失敗:

{
  "name": "customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS/operations/$OPERATION",
  "metadata": {
    "@type": "type.googleapis.com/google.chrome.management.versions.v1.SignDataMetadata",
    "startTime": "2025-03-07T14:44:06.156385Z"
  },
  "done": true,
  "error": {
    "code": 3,
    "message": "The requested SignData LRO failed because the corresponding certificate provisioning process is in failure state CERTIFICATE_PROVISIONING_RESULT_ERROR_INVALID_SIGNATURE with the following error message: The proof of possession signature is invalid. [operationId=$OPERATION, cppId=$CERT_PROVISIONING_PROCESS, customerId=$CUSTOMER]"
  }
}

上傳憑證

上傳 PEM 格式的 X.509 憑證。在範例要求中,PEM 編碼的憑證會以 $CERTIFICATE_IN_PEM_FORMAT 變數表示。

要求

curl -H "Authorization: Bearer $TOKEN" \
--json '{"certificatePem": "$CERTIFICATE_IN_PEM_FORMAT"}' \
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS:uploadCertificate

回應

{}

回報憑證佈建程序失敗

將憑證佈建程序標示為失敗,並設定適當的錯誤訊息。系統會將錯誤訊息傳播至啟動憑證佈建程序的 ChromeOS 用戶端。

要求

curl -H "Authorization: Bearer $TOKEN" \
--json '{"errorMessage": "The CA could not issue the certificate."}' \
https://chromemanagement.googleapis.com/v1/customers/$CUSTOMER/certificateProvisioningProcesses/$CERT_PROVISIONING_PROCESS:setFailure

回應

{}