syntax = "proto3";
package ca;
option go_package = "github.com/letsencrypt/boulder/ca/proto";
import "core/proto/core.proto";
import "google/protobuf/timestamp.proto";
// CertificateAuthority issues certificates.
service CertificateAuthority {
  // IssuePrecertificate signs a precertificate for the CSR carried in the
  // request and returns its DER together with the profile name and profile
  // hash the CA ended up using.
  rpc IssuePrecertificate(IssueCertificateRequest)
      returns (IssuePrecertificateResponse);

  // IssueCertificateForPrecertificate signs the final certificate that
  // corresponds to a precertificate previously returned by IssuePrecertificate
  // (presumably embedding the SCTs from the request) and returns it as a
  // core.Certificate.
  rpc IssueCertificateForPrecertificate(IssueCertificateForPrecertificateRequest)
      returns (core.Certificate);
}
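// IssueCertificateRequest asks the CA to sign a precertificate for a CSR on
// behalf of a registration and order.
message IssueCertificateRequest {
  // Next unused field number: 6

  // csr is the certificate signing request to issue for (presumably
  // DER-encoded; confirm against the CA implementation).
  bytes csr = 1;
  // registrationID identifies the registration this issuance is for.
  int64 registrationID = 2;
  // orderID identifies the order this issuance fulfils.
  int64 orderID = 3;
  // Field 4 previously carried issuerNameID. Both the number and the name are
  // reserved so neither can be reused with a different meaning (reusing the
  // name alone would still collide in JSON and generated code).
  reserved 4;
  reserved "issuerNameID";
  // certProfileName is a human readable name provided by the RA and used to
  // determine if the CA can issue for that profile. A default name will be
  // assigned inside the CA during *Profile construction if no name is provided.
  // The value of this field should not be relied upon inside the RA.
  string certProfileName = 5;
}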
// IssuePrecertificateResponse carries the signed precertificate plus the
// identity of the profile it was issued under, so the RA can hand both back
// unchanged in IssueCertificateForPrecertificateRequest.
message IssuePrecertificateResponse {
// Next unused field number: 4

// DER is the signed precertificate (presumably DER-encoded, as the name says;
// confirm with the CA implementation).
bytes DER = 1;
// certProfileHash is a hash over the exported fields of a certificate profile
// to ensure that the profile remains unchanged after multiple roundtrips
// through the RA and CA.
bytes certProfileHash = 2;
// certProfileName is a human readable name returned back to the RA for later
// use. If IssueCertificateRequest.certProfileName was an empty string, the
// CAs default profile name will be assigned.
string certProfileName = 3;
}
// IssueCertificateForPrecertificateRequest asks the CA to sign the final
// certificate matching a precertificate it issued earlier.
//
// NOTE(review): nothing in this schema ties DER back to a specific earlier
// IssuePrecertificate call; the CA implementation is expected to verify that
// the precertificate is one it actually issued (and that certProfileHash still
// matches) before signing — confirm in the CA code.
message IssueCertificateForPrecertificateRequest {
// Next unused field number: 6

// DER is the precertificate returned by IssuePrecertificate.
bytes DER = 1;
// SCTs are the signed certificate timestamps gathered for the precertificate
// (presumably one encoded SCT per element; confirm with the caller).
repeated bytes SCTs = 2;
// registrationID identifies the registration this issuance is for.
int64 registrationID = 3;
// orderID identifies the order this issuance fulfils.
int64 orderID = 4;
// certProfileHash is a hash over the exported fields of a certificate profile
// to ensure that the profile remains unchanged after multiple roundtrips
// through the RA and CA.
bytes certProfileHash = 5;
}
// OCSPGenerator generates OCSP. We separate this out from
// CertificateAuthority so that we can restrict access to a different subset of
// hosts, so the hosts that need to request OCSP generation don't need to be
// able to request certificate issuance.
service OCSPGenerator {
  // GenerateOCSP produces a signed OCSP response for the certificate
  // identified by the request.
  rpc GenerateOCSP(GenerateOCSPRequest) returns (OCSPResponse);
}
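// GenerateOCSPRequest identifies a certificate by serial and issuerID and
// states the revocation status the OCSP response should assert. This message
// no longer carries a certDER alternative; field number 1 is reserved below so
// it is never reused for something else.
message GenerateOCSPRequest {
  // Next unused field number: 8

  // Field 1 is believed to have carried certDER (per the comment this message
  // used to have); reserved so the number and name cannot be reused.
  reserved 1;
  reserved "certDER";
  // status is the revocation status to assert (the exact vocabulary is
  // defined by the caller; confirm against the RA/CA implementation).
  string status = 2;
  // reason is the revocation reason (presumably an RFC 5280 CRLReason code;
  // confirm with the CA implementation).
  int32 reason = 3;
  // Field 4 previously carried revokedAtNS; number and name are reserved.
  reserved 4;
  reserved "revokedAtNS";
  // revokedAt is the time of revocation.
  google.protobuf.Timestamp revokedAt = 7;
  // serial identifies the certificate.
  string serial = 5;
  // issuerID identifies the issuer that signed the certificate.
  int64 issuerID = 6;
}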
// OCSPResponse carries the signed OCSP response produced by GenerateOCSP.
message OCSPResponse {
// response is the signed OCSP response (presumably DER-encoded; confirm with
// the CA implementation).
bytes response = 1;
}
// CRLGenerator signs CRLs. It is separated for the same reason as OCSPGenerator.
service CRLGenerator {
  // GenerateCRL is bidirectionally streamed: the client sends CRL metadata and
  // entries, the server streams back the signed CRL in chunks.
  rpc GenerateCRL(stream GenerateCRLRequest)
      returns (stream GenerateCRLResponse);
}
// GenerateCRLRequest is one message of the GenerateCRL request stream; each
// message carries either the CRL's metadata or a single entry.
// NOTE(review): the ordering contract (e.g. metadata first, then entries) is
// not expressed in the schema — confirm in the CA implementation.
message GenerateCRLRequest {
oneof payload {
// metadata describes the CRL being generated (issuer, shard, thisUpdate).
CRLMetadata metadata = 1;
// entry is one revoked certificate to include in the CRL.
core.CRLEntry entry = 2;
}
}
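// CRLMetadata describes the CRL being generated: which issuer signs it, which
// shard it is, and its thisUpdate time.
message CRLMetadata {
  // Next unused field number: 5

  // issuerNameID identifies the issuer that signs the CRL.
  int64 issuerNameID = 1;
  // Field 2 previously carried thisUpdateNS. Both the number and the name are
  // reserved so neither can be reused with a different meaning.
  reserved 2;
  reserved "thisUpdateNS";
  // thisUpdate is the CRL's thisUpdate time.
  google.protobuf.Timestamp thisUpdate = 4;
  // shardIdx selects which shard of the issuer's CRL this is.
  int64 shardIdx = 3;
}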
// GenerateCRLResponse is one message of the GenerateCRL response stream.
message GenerateCRLResponse {
// chunk is a piece of the signed CRL (presumably the chunks concatenate in
// stream order to form the complete CRL; confirm with the CA implementation).
bytes chunk = 1;
}