Complete CloudCAS tests.

Upgrade cloud.google.com/go
4 years ago · b275758018
parent 10c2ce3071
commit b275758018
6 changed files with 508 additions and 93 deletions
--- a/cas/cloudcas/certificate.go
+++ b/cas/cloudcas/certificate.go
@ -343,6 +343,16 @@ func createKeyVersionSpec(alg kmsapi.SignatureAlgorithm, bits int) (*pb.Certific
 				Algorithm: pb.CertificateAuthority_EC_P384_SHA384,
 			},
 		}, nil
+	case kmsapi.SHA256WithRSA:
+		algo, err := getRSAPKCS1Algorithm(bits)
+		if err != nil {
+			return nil, err
+		}
+		return &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: algo,
+			},
+		}, nil
 	case kmsapi.SHA256WithRSAPSS:
 		algo, err := getRSAPSSAlgorithm(bits)
 		if err != nil {
@ -358,14 +368,27 @@ func createKeyVersionSpec(alg kmsapi.SignatureAlgorithm, bits int) (*pb.Certific
 	}
 }

+func getRSAPKCS1Algorithm(bits int) (pb.CertificateAuthority_SignHashAlgorithm, error) {
+	switch bits {
+	case 0, 3072:
+		return pb.CertificateAuthority_RSA_PKCS1_3072_SHA256, nil
+	case 2048:
+		return pb.CertificateAuthority_RSA_PKCS1_2048_SHA256, nil
+	case 4096:
+		return pb.CertificateAuthority_RSA_PKCS1_4096_SHA256, nil
+	default:
+		return 0, fmt.Errorf("unsupported RSA PKCS #1 key size '%d'", bits)
+	}
+}
+
 func getRSAPSSAlgorithm(bits int) (pb.CertificateAuthority_SignHashAlgorithm, error) {
 	switch bits {
 	case 0, 3072:
-		return pb.CertificateAuthority_RSA_PSS_3072_SHA_256, nil
+		return pb.CertificateAuthority_RSA_PSS_3072_SHA256, nil
 	case 2048:
-		return pb.CertificateAuthority_RSA_PSS_2048_SHA_256, nil
+		return pb.CertificateAuthority_RSA_PSS_2048_SHA256, nil
 	case 4096:
-		return pb.CertificateAuthority_RSA_PSS_4096_SHA_256, nil
+		return pb.CertificateAuthority_RSA_PSS_4096_SHA256, nil
 	default:
 		return 0, fmt.Errorf("unsupported RSA-PSS key size '%d'", bits)
 	}
--- a/cas/cloudcas/certificate_test.go
+++ b/cas/cloudcas/certificate_test.go
@ -14,6 +14,7 @@ import (
 	"reflect"
 	"testing"

+	kmsapi "github.com/smallstep/certificates/kms/apiv1"
 	pb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1"
 	wrapperspb "google.golang.org/protobuf/types/known/wrapperspb"
 )
@ -548,3 +549,76 @@ func Test_isExtraExtension(t *testing.T) {
 		})
 	}
 }
+
+func Test_createKeyVersionSpec(t *testing.T) {
+	type args struct {
+		alg  kmsapi.SignatureAlgorithm
+		bits int
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *pb.CertificateAuthority_KeyVersionSpec
+		wantErr bool
+	}{
+		{"ok P256", args{0, 0}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_EC_P256_SHA256,
+			}}, false},
+		{"ok P256", args{kmsapi.ECDSAWithSHA256, 0}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_EC_P256_SHA256,
+			}}, false},
+		{"ok P384", args{kmsapi.ECDSAWithSHA384, 0}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_EC_P384_SHA384,
+			}}, false},
+		{"ok RSA default", args{kmsapi.SHA256WithRSA, 0}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PKCS1_3072_SHA256,
+			}}, false},
+		{"ok RSA 2048", args{kmsapi.SHA256WithRSA, 2048}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
+			}}, false},
+		{"ok RSA 3072", args{kmsapi.SHA256WithRSA, 3072}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PKCS1_3072_SHA256,
+			}}, false},
+		{"ok RSA 4096", args{kmsapi.SHA256WithRSA, 4096}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PKCS1_4096_SHA256,
+			}}, false},
+		{"ok RSA-PSS default", args{kmsapi.SHA256WithRSAPSS, 0}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PSS_3072_SHA256,
+			}}, false},
+		{"ok RSA-PSS 2048", args{kmsapi.SHA256WithRSAPSS, 2048}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PSS_2048_SHA256,
+			}}, false},
+		{"ok RSA-PSS 3072", args{kmsapi.SHA256WithRSAPSS, 3072}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PSS_3072_SHA256,
+			}}, false},
+		{"ok RSA-PSS 4096", args{kmsapi.SHA256WithRSAPSS, 4096}, &pb.CertificateAuthority_KeyVersionSpec{
+			KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
+				Algorithm: pb.CertificateAuthority_RSA_PSS_4096_SHA256,
+			}}, false},
+		{"fail Ed25519", args{kmsapi.PureEd25519, 0}, nil, true},
+		{"fail RSA size", args{kmsapi.SHA256WithRSA, 1024}, nil, true},
+		{"fail RSA-PSS size", args{kmsapi.SHA256WithRSAPSS, 1024}, nil, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := createKeyVersionSpec(tt.args.alg, tt.args.bits)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("createKeyVersionSpec() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("createKeyVersionSpec() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cas/cloudcas/cloudcas.go
+++ b/cas/cloudcas/cloudcas.go
@ -262,6 +262,16 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
 		return nil, errors.New("createCertificateAuthorityRequest `parent.name` cannot be empty")
 	}

+	var caType pb.CertificateAuthority_Type
+	switch req.Type {
+	case apiv1.RootCA:
+		caType = pb.CertificateAuthority_SELF_SIGNED
+	case apiv1.IntermediateCA:
+		caType = pb.CertificateAuthority_SUBORDINATE
+	default:
+		return nil, errors.Errorf("createCertificateAuthorityRequest `type=%d' is invalid or not supported", req.Type)
+	}
+
 	// Select key and signature algorithm to use
 	var err error
 	var keySpec *pb.CertificateAuthority_KeyVersionSpec
@ -276,17 +286,17 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
 	}

 	// Normalize or generate id.
-	certificateAuthorityID := normalizeCertificateAuthorityName(req.Name)
-	if certificateAuthorityID == "" {
+	caID := normalizeCertificateAuthorityName(req.Name)
+	if caID == "" {
 		id, err := createCertificateID()
 		if err != nil {
 			return nil, err
 		}
-		certificateAuthorityID = id
+		caID = id
 	}

 	// Add CertificateAuthority extension
-	casExtension, err := apiv1.CreateCertificateAuthorityExtension(apiv1.CloudCAS, certificateAuthorityID)
+	casExtension, err := apiv1.CreateCertificateAuthorityExtension(apiv1.CloudCAS, caID)
 	if err != nil {
 		return nil, err
 	}
@ -295,10 +305,10 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
 	// Prepare CreateCertificateAuthorityRequest
 	pbReq := &pb.CreateCertificateAuthorityRequest{
 		Parent:                 "projects/" + c.project + "/locations/" + c.location,
-		CertificateAuthorityId: certificateAuthorityID,
+		CertificateAuthorityId: caID,
 		RequestId:              req.RequestID,
 		CertificateAuthority: &pb.CertificateAuthority{
-			Type: pb.CertificateAuthority_TYPE_UNSPECIFIED,
+			Type: caType,
 			Tier: pb.CertificateAuthority_ENTERPRISE,
 			Config: &pb.CertificateConfig{
 				SubjectConfig: &pb.CertificateConfig_SubjectConfig{
@ -317,15 +327,6 @@ func (c *CloudCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthor
 		},
 	}

-	switch req.Type {
-	case apiv1.RootCA:
-		pbReq.CertificateAuthority.Type = pb.CertificateAuthority_SELF_SIGNED
-	case apiv1.IntermediateCA:
-		pbReq.CertificateAuthority.Type = pb.CertificateAuthority_SUBORDINATE
-	default:
-		return nil, errors.Errorf("createCertificateAuthorityRequest `type=%d' is invalid or not supported", req.Type)
-	}
-
 	// Create certificate authority.
 	ctx, cancel := defaultContext()
 	defer cancel()
--- a/cas/cloudcas/cloudcas_test.go
+++ b/cas/cloudcas/cloudcas_test.go
@ -3,9 +3,14 @@ package cloudcas
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/asn1"
+	"encoding/pem"
+	"fmt"
 	"io"
 	"net"
 	"os"
@ -20,6 +25,7 @@ import (
 	gax "github.com/googleapis/gax-go/v2"
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/cas/apiv1"
+	kmsapi "github.com/smallstep/certificates/kms/apiv1"
 	"google.golang.org/api/option"
 	pb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1"
 	longrunningpb "google.golang.org/genproto/googleapis/longrunning"
@ -34,27 +40,25 @@ var (
 	testProject         = "test-project"
 	testLocation        = "us-west1"
 	testRootCertificate = `-----BEGIN CERTIFICATE-----
-MIIBhjCCAS2gAwIBAgIQLbKTuXau4+t3KFbGpJJAADAKBggqhkjOPQQDAjAiMSAw
-HgYDVQQDExdHb29nbGUgQ0FTIFRlc3QgUm9vdCBDQTAeFw0yMDA5MTQyMjQ4NDla
-Fw0zMDA5MTIyMjQ4NDlaMCIxIDAeBgNVBAMTF0dvb2dsZSBDQVMgVGVzdCBSb290
-IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYKGgQ3/0D7+oBTc0CXoYfSC6
-M8hOqLsmzBapPZSYpfwjgEsjdNU84jdrYmW1zF1+p+MrL4c7qJv9NLo/picCuqNF
-MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
-FFVn9V7Qymd7cUJh9KAhnUDAQL5YMAoGCCqGSM49BAMCA0cAMEQCIA4LzttYoT3u
-8TYgSrvFT+Z+cklfi4UrPBU6aSbcUaW2AiAPfaqbyccQT3CxMVyHg+xZZjAirZp8
-lAeA/T4FxAonHA==
+MIIBeDCCAR+gAwIBAgIQcXWWjtSZ/PAyH8D1Ou4L9jAKBggqhkjOPQQDAjAbMRkw
+FwYDVQQDExBDbG91ZENBUyBSb290IENBMB4XDTIwMTAyNzIyNTM1NFoXDTMwMTAy
+NzIyNTM1NFowGzEZMBcGA1UEAxMQQ2xvdWRDQVMgUm9vdCBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABIySHA4b78Yu4LuGhZIlv/PhNwXz4ZoV1OUZQ0LrK3vj
+B13O12DLZC5uj1z3kxdQzXUttSbtRv49clMpBiTpsZKjRTBDMA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSZ+t9RMHbFTl5BatM3
+5bJlHPOu3DAKBggqhkjOPQQDAgNHADBEAiASah6gg0tVM3WI0meCQ4SEKk7Mjhbv
+SmhuZHWV1QlXQIgRXNyWcpVUrAoG6Uy1KQg07LDpF5dFeK9InrDxSJAkVo=
 -----END CERTIFICATE-----`
 	testIntermediateCertificate = `-----BEGIN CERTIFICATE-----
-MIIBsDCCAVagAwIBAgIQOb91kHxWKVzSJ9ESW1ViVzAKBggqhkjOPQQDAjAiMSAw
-HgYDVQQDExdHb29nbGUgQ0FTIFRlc3QgUm9vdCBDQTAeFw0yMDA5MTQyMjQ4NDla
-Fw0zMDA5MTIyMjQ4NDlaMCoxKDAmBgNVBAMTH0dvb2dsZSBDQVMgVGVzdCBJbnRl
-cm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUHN1cNyId4Ei/
-4MxD5VrZFc51P50caMUdDZVrPveidChBYCU/9IM6vnRlZHx2HLjQ0qAvqHwY3rT0
-xc7n+PfCo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
-BgNVHQ4EFgQUSDlasiw0pRKyS7llhL0ZuVFNa9UwHwYDVR0jBBgwFoAUVWf1XtDK
-Z3txQmH0oCGdQMBAvlgwCgYIKoZIzj0EAwIDSAAwRQIgMmsLcoC4KriXw+s+cZx2
-bJMf6Mx/WESj31buJJhpzY0CIQCBUa/JtvS3nyce/4DF5tK2v49/NWHREgqAaZ57
-DcYyHQ==
+MIIBpDCCAUmgAwIBAgIRALLKxnxyl0GBeKevIcbx02wwCgYIKoZIzj0EAwIwGzEZ
+MBcGA1UEAxMQQ2xvdWRDQVMgUm9vdCBDQTAeFw0yMDEwMjcyMjUzNTRaFw0zMDEw
+MjcyMjUzNTRaMCMxITAfBgNVBAMTGENsb3VkQ0FTIEludGVybWVkaWF0ZSBDQTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABPLuqxgBY+QmaXc8zKIC8FMgjJ6dF/cL
+b+Dig0XKc5GH/T1ORrhgOkRayrQcjPMu+jkjg25qn6vvp43LRtUKPXOjZjBkMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQ8RVQI
+VgXAmRNDX8qItalVpSBEGjAfBgNVHSMEGDAWgBSZ+t9RMHbFTl5BatM35bJlHPOu
+3DAKBggqhkjOPQQDAgNJADBGAiEA70MVYVqjm8SBHJf5cOlWfiXXOfHUsctTJ+/F
+pLsKBogCIQDJJkoQqYl9B59Dq3zydl8bpJevQxsoaa4Wqg+ZBMkvbQ==
 -----END CERTIFICATE-----`
 	testLeafCertificate = `-----BEGIN CERTIFICATE-----
 MIIB1jCCAX2gAwIBAgIQQfOn+COMeuD8VYF1TiDkEzAKBggqhkjOPQQDAjAqMSgw
@ -82,20 +86,22 @@ SM49BAMCA0gAMEUCIGxl+pqJ50WYWUqK2l4V1FHoXSi0Nht5kwTxFxnWZu1xAiEA
 zemu3bhWLFaGg3s8i+HTEhw4RqkHP74vF7AVYp88bAw=
 -----END CERTIFICATE-----`
 	testIntermediateCsr = `-----BEGIN CERTIFICATE REQUEST-----
-MIIBIjCByQIBADAqMSgwJgYDVQQDEx9Hb29nbGUgQ0FTIFRlc3QgSW50ZXJtZWRp
-YXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqoztio0c4XuaaGxHFiU7
-UBk3YRGTae9GtlKwyZJDk740hg6ZIoKcaXrzJT5taUpPiQLi7rP1eRui0dhl/bHo
-o6A9MDsGCSqGSIb3DQEJDjEuMCwwKgYDVR0RBCMwIYIfR29vZ2xlIENBUyBUZXN0
-IEludGVybWVkaWF0ZSBDQTAKBggqhkjOPQQDAgNIADBFAiEAvRKBPE32scAvsMe8
-R7ecx91q58ZmeLaRdSzL7stsnJYCIEBu+vQUSTbUpKL2YQNclT9kbilips5pEMr3
-ojxK6mk3
+MIHeMIGFAgEAMCMxITAfBgNVBAMTGENsb3VkQ0FTIEludGVybWVkaWF0ZSBDQTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABPLuqxgBY+QmaXc8zKIC8FMgjJ6dF/cL
+b+Dig0XKc5GH/T1ORrhgOkRayrQcjPMu+jkjg25qn6vvp43LRtUKPXOgADAKBggq
+hkjOPQQDAgNIADBFAiEAn3pkYXb2OzoQZ+AExFqd7qZ7pg2nyP2kBZZ01Pl8KfcC
+IHKplBXDR79/i7kjOtv1iWfgf5S/XQHrz178gXA0YQe7
 -----END CERTIFICATE REQUEST-----`
-
-// 	testIntermediateKey = `-----BEGIN EC PRIVATE KEY-----
-// MHcCAQEEIMM+DSPChJgcYyqDWs0eRA5BctIo+VSNqRzCTL2ARYAqoAoGCCqGSM49
-// AwEHoUQDQgAEqoztio0c4XuaaGxHFiU7UBk3YRGTae9GtlKwyZJDk740hg6ZIoKc
-// aXrzJT5taUpPiQLi7rP1eRui0dhl/bHoow==
-// -----END EC PRIVATE KEY-----`
+	testRootKey = `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIN51Rgg6YcQVLeCRzumdw4pjM3VWqFIdCbnsV3Up1e/goAoGCCqGSM49
+AwEHoUQDQgAEjJIcDhvvxi7gu4aFkiW/8+E3BfPhmhXU5RlDQusre+MHXc7XYMtk
+Lm6PXPeTF1DNdS21Ju1G/j1yUykGJOmxkg==
+-----END EC PRIVATE KEY-----`
+	testIntermediateKey = `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMMX/XkXGnRDD4fYu7Z4rHACdJn/iyOy2UTwsv+oZ0C+oAoGCCqGSM49
+AwEHoUQDQgAE8u6rGAFj5CZpdzzMogLwUyCMnp0X9wtv4OKDRcpzkYf9PU5GuGA6
+RFrKtByM8y76OSODbmqfq++njctG1Qo9cw==
+-----END EC PRIVATE KEY-----`
 )

 type testClient struct {
@ -158,6 +164,29 @@ func setTeeReader(t *testing.T, w *bytes.Buffer) {
 	rand.Reader = io.TeeReader(reader, w)
 }

+type badSigner struct {
+	pub crypto.PublicKey
+}
+
+func createBadSigner(t *testing.T) *badSigner {
+	t.Helper()
+	pub, _, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &badSigner{
+		pub: pub,
+	}
+}
+
+func (b *badSigner) Public() crypto.PublicKey {
+	return b.pub
+}
+
+func (b *badSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	return nil, fmt.Errorf("💥")
+}
+
 func (c *testClient) CreateCertificate(ctx context.Context, req *pb.CreateCertificateRequest, opts ...gax.CallOption) (*pb.Certificate, error) {
 	return c.certificate, c.err
 }
@ -191,6 +220,19 @@ func mustParseCertificate(t *testing.T, pemCert string) *x509.Certificate {
 	return crt
 }

+func mustParseECKey(t *testing.T, pemKey string) *ecdsa.PrivateKey {
+	t.Helper()
+	block, _ := pem.Decode([]byte(pemKey))
+	if block == nil {
+		t.Fatal("failed to parse key")
+	}
+	key, err := x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return key
+}
+
 func TestNew(t *testing.T) {
 	tmp := newCertificateAuthorityClient
 	newCertificateAuthorityClient = func(ctx context.Context, credentialsFile string) (CertificateAuthorityClient, error) {
@ -233,7 +275,10 @@ func TestNew(t *testing.T) {
 			project:  testProject,
 			location: testLocation,
 		}, false},
-		{"fail certificate authority", args{context.Background(), apiv1.Options{}}, nil, true},
+		{"fail certificate authority", args{context.Background(), apiv1.Options{
+			CertificateAuthority: "projects/ok1234/locations/ok1234/certificateAuthorities/ok1234/bad",
+		}}, nil, true},
+		{"fail certificate authority regex", args{context.Background(), apiv1.Options{}}, nil, true},
 		{"fail with credentials", args{context.Background(), apiv1.Options{
 			CertificateAuthority: testAuthorityName, CredentialsFile: "testdata/error.json",
 		}}, nil, true},
@ -735,8 +780,6 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 		return a
 	}

-	// client, close := mockTestClient()
-	// defer close()
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	mosCtrl := gomock.NewController(t)
@ -801,6 +844,31 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
 		PemCsr: testIntermediateCsr,
 	}, nil)
+	m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "ActivateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name:              testAuthorityName,
+				PemCaCertificates: []string{testIntermediateCertificate, testRootCertificate},
+			})).(*anypb.Any),
+		},
+	}, nil)
+	// ok intermediate local signer
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: testIntermediateCsr,
+	}, nil)
 	m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{
 		PemCertificate:      testIntermediateCertificate,
 		PemCertificateChain: []string{testRootCertificate},
@ -817,6 +885,126 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 		},
 	}, nil)

+	// ok create key
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name:              testAuthorityName,
+				PemCaCertificates: []string{testRootCertificate},
+			})).(*anypb.Any),
+		},
+	}, nil)
+
+	// fail CreateCertificateAuthority
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(nil, errTest)
+
+	// fail CreateCertificateAuthority.Wait
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(nil, errTest)
+
+	// fail FetchCertificateAuthorityCsr
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(nil, errTest)
+
+	// fail CreateCertificate
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: testIntermediateCsr,
+	}, nil)
+	m.EXPECT().CreateCertificate(any, any).Return(nil, errTest)
+
+	// fail ActivateCertificateAuthority
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: testIntermediateCsr,
+	}, nil)
+	m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{
+		PemCertificate:      testIntermediateCertificate,
+		PemCertificateChain: []string{testRootCertificate},
+	}, nil)
+	m.EXPECT().ActivateCertificateAuthority(any, any).Return(nil, errTest)
+
+	// fail ActivateCertificateAuthority.Wait
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: testIntermediateCsr,
+	}, nil)
+	m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{
+		PemCertificate:      testIntermediateCertificate,
+		PemCertificateChain: []string{testRootCertificate},
+	}, nil)
+	m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(nil, errTest)
+
+	// fail x509util.CreateCertificate
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: testIntermediateCsr,
+	}, nil)
+
+	// fail parseCertificateRequest
+	m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil)
+	mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{
+		Name: "CreateCertificateAuthority",
+		Done: true,
+		Result: &longrunningpb.Operation_Response{
+			Response: must(anypb.New(&pb.CertificateAuthority{
+				Name: testAuthorityName,
+			})).(*anypb.Any),
+		},
+	}, nil)
+	m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{
+		PemCsr: "Not a CSR",
+	}, nil)
+
 	rootCrt := mustParseCertificate(t, testRootCertificate)
 	intCrt := mustParseCertificate(t, testIntermediateCertificate)

@ -857,6 +1045,136 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 			Certificate:      intCrt,
 			CertificateChain: []*x509.Certificate{rootCrt},
 		}, false},
+		{"ok intermediate local signer", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Certificate: rootCrt,
+				Signer:      mustParseECKey(t, testRootKey),
+			},
+		}}, &apiv1.CreateCertificateAuthorityResponse{
+			Name:             testAuthorityName,
+			Certificate:      intCrt,
+			CertificateChain: []*x509.Certificate{rootCrt},
+		}, false},
+		{"ok create key", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+			CreateKey: &kmsapi.CreateKeyRequest{
+				SignatureAlgorithm: kmsapi.ECDSAWithSHA256,
+			},
+		}}, &apiv1.CreateCertificateAuthorityResponse{
+			Name:        testAuthorityName,
+			Certificate: rootCrt,
+		}, false},
+		{"fail project", fields{m, "", "", testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail location", fields{m, "", testProject, ""}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail template", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail lifetime", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+		}}, nil, true},
+		{"fail parent", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail parent name", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent:   &apiv1.CreateCertificateAuthorityResponse{},
+		}}, nil, true},
+		{"fail type", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     0,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail create key", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+			CreateKey: &kmsapi.CreateKeyRequest{
+				SignatureAlgorithm: kmsapi.PureEd25519,
+			},
+		}}, nil, true},
+		{"fail CreateCertificateAuthority", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail CreateCertificateAuthority.Wait", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.RootCA,
+			Template: mustParseCertificate(t, testRootCertificate),
+			Lifetime: 24 * time.Hour,
+		}}, nil, true},
+		{"fail FetchCertificateAuthorityCsr", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Name:        testAuthorityName,
+				Certificate: rootCrt,
+			},
+		}}, nil, true},
+		{"fail CreateCertificate", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Name:        testAuthorityName,
+				Certificate: rootCrt,
+			},
+		}}, nil, true},
+		{"fail ActivateCertificateAuthority", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Name:        testAuthorityName,
+				Certificate: rootCrt,
+			},
+		}}, nil, true},
+		{"fail ActivateCertificateAuthority.Wait", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Name:        testAuthorityName,
+				Certificate: rootCrt,
+			},
+		}}, nil, true},
+		{"fail x509util.CreateCertificate", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Certificate: rootCrt,
+				Signer:      createBadSigner(t),
+			},
+		}}, nil, true},
+		{"fail parseCertificateRequest", fields{m, "", testProject, testLocation}, args{&apiv1.CreateCertificateAuthorityRequest{
+			Type:     apiv1.IntermediateCA,
+			Template: mustParseCertificate(t, testIntermediateCertificate),
+			Lifetime: 24 * time.Hour,
+			Parent: &apiv1.CreateCertificateAuthorityResponse{
+				Certificate: rootCrt,
+				Signer:      createBadSigner(t),
+			},
+		}}, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -877,3 +1195,24 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) {
 		})
 	}
 }
+
+func Test_normalizeCertificateAuthorityName(t *testing.T) {
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{"ok", args{"Test-CA-Name_1234"}, "Test-CA-Name_1234"},
+		{"change", args{"💥 CA"}, "--CA"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := normalizeCertificateAuthorityName(tt.args.name); got != tt.want {
+				t.Errorf("normalizeCertificateAuthorityName() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module github.com/smallstep/certificates
 go 1.14

 require (
-	cloud.google.com/go v0.65.1-0.20200904011802-3c2db50b5678
+	cloud.google.com/go v0.70.0
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/aws/aws-sdk-go v1.30.29
 	github.com/go-chi/chi v4.0.2+incompatible
@ -28,8 +28,8 @@ require (
 >>>>>>> Update go.step.sm/crypto dependency.
 	golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
 	golang.org/x/net v0.0.0-20201021035429-f5854403a974
-	google.golang.org/api v0.31.0
-	google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d
+	google.golang.org/api v0.33.0
+	google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154
 	google.golang.org/grpc v1.32.0
 	google.golang.org/protobuf v1.25.0
 	gopkg.in/square/go-jose.v2 v2.5.1
--- a/go.sum
+++ b/go.sum
@ -16,6 +16,8 @@ cloud.google.com/go v0.65.0 h1:Dg9iHVQfrhq82rUNu9ZxUDrJLaxFUe/HlCVaLyRruq8=
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.65.1-0.20200904011802-3c2db50b5678 h1:5YqZUrIf2QELwPqw1kLpGIE0z0I++b7HhzSNKjZlIY0=
 cloud.google.com/go v0.65.1-0.20200904011802-3c2db50b5678/go.mod h1:Ihp2NV3Qr9BWHCDNA8LXF9fZ1HGBl6Jx1xd7KP3nxkI=
+cloud.google.com/go v0.70.0 h1:ujhG1RejZYi+HYfJNlgBh3j/bVKD8DewM7AkJ5UPyBc=
+cloud.google.com/go v0.70.0/go.mod h1:/UTKYRQTWjVnSe7nGvoSzxEFUELzSI/yAYd0JQT6cRo=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@ -136,6 +138,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@ -160,6 +163,7 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201009210932-67992a1a5a35/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@ -207,12 +211,7 @@ github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRU
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-<<<<<<< HEAD
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-=======
-github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
->>>>>>> Update go.step.sm/crypto dependency.
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
@ -251,13 +250,6 @@ github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5 h1:lX6ybsQW9Agn3q
 github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5/go.mod h1:TC9A4+RjIOS+HyTH7wG17/gSqVv95uDw2J64dQZx7RE=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
-<<<<<<< HEAD
-=======
-github.com/smallstep/certificates v0.15.5/go.mod h1:T0L78wJmhdj1AyrfrNG5mPP2MG15cRM/9d1frw8NnJ0=
-github.com/smallstep/certinfo v1.4.0/go.mod h1:1gQJekdPwPvUwFWGTi7bZELmQT09cxC9wJ0VBkBNiwU=
-github.com/smallstep/cli v0.15.3 h1:t9LBO53PK4SEG6FSo0UOxI306m9pHb+h632oFZe+ZwA=
-github.com/smallstep/cli v0.15.3/go.mod h1:KBcpj/m28/uhK+lH0/ctbncZqWQvxDFWk8T2cUyeFg0=
->>>>>>> Update go.step.sm/crypto dependency.
 github.com/smallstep/nosql v0.3.0 h1:V1X5vfDsDt89499h3jZFUlR4VnnsYYs5tXaQZ0w8z5U=
 github.com/smallstep/nosql v0.3.0/go.mod h1:QG7gNOpidifn99MjZaiNbm7HPesIyBd97F/OfacNz8Q=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@ -277,16 +269,6 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-<<<<<<< HEAD
-=======
-github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/timakin/bodyclose v0.0.0-20190721030226-87058b9bfcec/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
-github.com/timakin/bodyclose v0.0.0-20190930140734-f7f2e9bca95e/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
-github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/tommy-muehle/go-mnd v1.1.1/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
-github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
->>>>>>> Update go.step.sm/crypto dependency.
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
@ -308,21 +290,6 @@ go.step.sm/cli-utils v0.1.0 h1:uuQ73MuAh5P5Eg+3zfqwrtlTLx5DWSfGqGCrSSjYqdk=
 go.step.sm/cli-utils v0.1.0/go.mod h1:+t4qCp5NO+080DdGkJxEh3xL5S4TcYC2JTPLMM72b6Y=
 go.step.sm/crypto v0.6.1 h1:nJoRFGrGNf/mKVVMdWnfLbBfIFt/z4NdJlSL5nipQMQ=
 go.step.sm/crypto v0.6.1/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0=
-<<<<<<< HEAD
-=======
-go.step.sm/crypto v0.7.0 h1:azKRI4CBRzDbhHsLAnvzvGJ0aVbGI+wrh2COrPd/mks=
-go.step.sm/crypto v0.7.0/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.5.1/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
->>>>>>> Update go.step.sm/crypto dependency.
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -395,6 +362,7 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -404,6 +372,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6 h1:pE8b58s1HRDMi8RDc79m0H
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 h1:ld7aEMNHoBnnDAX15v1T6z31v8HwR2A9FYOuAhWqkwc=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -445,6 +415,7 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200828194041-157a740278f4 h1:kCCpuwSAoYJPkNc6x0xT9yTtV4oKtARo4RGBQWOfg9E=
 golang.org/x/sys v0.0.0-20200828194041-157a740278f4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -501,6 +472,9 @@ golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200828161849-5deb26317202/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200903185744-af4cc2cd812e h1:RvNtqusJ+6DJ07/by/M84a6/Dd17XU6n8QvhvknjJno=
 golang.org/x/tools v0.0.0-20200903185744-af4cc2cd812e/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201017001424-6003fad69a88 h1:ZB1XYzdDo7c/O48jzjMkvIjnC120Z9/CwgDWhePjQdQ=
+golang.org/x/tools v0.0.0-20201017001424-6003fad69a88/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -526,6 +500,8 @@ google.golang.org/api v0.30.0 h1:yfrXXP61wVuLb0vBcG6qaOoIoqYEzOQS8jum51jkv2w=
 google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
 google.golang.org/api v0.31.0 h1:1w5Sz/puhxFo9lTtip2n47k7toB/U2nCqOKNHd3Yrbo=
 google.golang.org/api v0.31.0/go.mod h1:CL+9IBCa2WWU6gRuBWaKqGWLFFwbEUXkfeMkHLQWYWo=
+google.golang.org/api v0.33.0 h1:+gL0XvACeMIvpwLZ5rQZzLn5cwOsgg8dIcfJ2SYfBVw=
+google.golang.org/api v0.33.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -568,6 +544,8 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200831141814-d751682dd103/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d h1:92D1fum1bJLKSdr11OJ+54YeCMCGYIygTA7R/YZxH5M=
 google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154 h1:bFFRpT+e8JJVY7lMMfvezL1ZIwqiwmPl2bsE2yx4HqM=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=