go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/api/admin/v1/certificate_authorities.proto (about)

     1  // Copyright 2016 The LUCI Authors. All rights reserved.
     2  // Use of this source code is governed under the Apache License, Version 2.0
     3  // that can be found in the LICENSE file.
     4  
     5  syntax = "proto3";
     6  
     7  package tokenserver.admin;
     8  
     9  option go_package = "go.chromium.org/luci/tokenserver/api/admin/v1;admin";
    10  
    11  import "google/protobuf/empty.proto";
    12  import "google/protobuf/timestamp.proto";
    13  
    14  import "go.chromium.org/luci/tokenserver/api/admin/v1/config.proto";
    15  
    16  // CertificateAuthorities can be used by service administrators to manage and
    17  // inspect CAs used by The Token Server.
    18  //
    19  // It is callable by the token service itself and by the admins.
        //
        // NOTE(review): that caller restriction is not expressed anywhere in this
        // file; presumably the server implementation enforces it. Confirm that every
        // RPC below is covered by the authorization check.
    20  service CertificateAuthorities {
    21    // FetchCRL makes the server fetch a CRL for some CA.
          //
          // With FetchCRLRequest.force set, the CRL is fetched and parsed even if the
          // server already has one.
    22    rpc FetchCRL(FetchCRLRequest) returns (FetchCRLResponse);
    23  
    24    // ListCAs returns a list of Common Names of registered CAs.
          //
          // The request is google.protobuf.Empty, so request fields cannot be added
          // later without changing the RPC signature.
    25    rpc ListCAs(google.protobuf.Empty) returns (ListCAsResponse);
    26  
    27    // GetCAStatus returns configuration of some CA defined in the config.
          //
          // Per the GetCAStatusResponse comment, an unknown CA yields a response with
          // all fields empty, so callers must inspect the response contents.
    28    rpc GetCAStatus(GetCAStatusRequest) returns (GetCAStatusResponse);
    29  
    30    // IsRevokedCert says whether a certificate serial number is in the CRL.
          //
          // NOTE(review): presumably the lookup uses the CRL the server last imported,
          // so the answer is only as fresh as that CRL (see CRLStatus). What is
          // returned for an unknown CA, or for a CA with no CRL yet, is not defined
          // here - confirm it is an error and not revoked=false.
    31    rpc IsRevokedCert(IsRevokedCertRequest) returns (IsRevokedCertResponse);
    32  
    33    // CheckCertificate says whether a certificate is valid or not.
          //
          // NOTE(review): which checks "valid" covers (signature chain, validity
          // period, revocation) is not stated in this file - confirm against the
          // server implementation before relying on the result.
    34    rpc CheckCertificate(CheckCertificateRequest) returns (CheckCertificateResponse);
    35  }
    36  
    37  // FetchCRLRequest names the CA whose CRL the server should fetch.
        //
        // NOTE(review): presumably cn must match a CA registered in the config (the
        // names returned by ListCAs); the handling of an unknown name is not defined
        // here - confirm.
    38  message FetchCRLRequest {
    39    string cn = 1;  // Common Name of the CA whose CRL to fetch
    40    bool force = 2; // if true, fetch and parse the CRL even if the server already has it
    41  }
    42  
    43  // FetchCRLResponse is returned by FetchCRL.
    44  message FetchCRLResponse {
    45    CRLStatus crl_status = 1; // status of the CA's CRL after the fetch (see CRLStatus)
    46  }
    47  
    48  // ListCAsResponse is returned by ListCAs.
    49  message ListCAsResponse {
    50    repeated string cn = 1; // Common Names of the registered CAs
    51  }
    52  
    53  // GetCAStatusRequest names the CA whose status should be returned.
    54  message GetCAStatusRequest {
    55    string cn = 1; // Common Name of the CA to look up
    56  }
    57  
    58  // GetCAStatusResponse is returned by GetCAStatus method.
    59  //
    60  // If requested CA doesn't exist, all fields are empty.
        //
        // In that case `removed` and `ready` are both false (the proto3 default), so
        // neither flag alone tells an unknown CA from a known one that is not ready;
        // check whether `config` or `cert` is populated.
    61  message GetCAStatusResponse {
          // NOTE(review): CertificateAuthorityConfig is not declared in this file;
          // presumably it comes from the imported config.proto.
    62    CertificateAuthorityConfig config = 1; // current config
    63    string cert = 2;          // PEM-encoded CA certificate
    64    bool removed = 3;         // true if this CA was removed from the config
    65    bool ready = 4;           // true if this CA is ready for usage
    66    string added_rev = 5;     // config revision in which this CA appeared
    67    string updated_rev = 6;   // config revision in which this CA was updated
    68    string removed_rev = 7;   // config revision in which this CA was removed
    69    CRLStatus crl_status = 8; // last known status of the CRL for this CA
    70  }
    71  
    72  // IsRevokedCertRequest contains a name of the CA and a cert serial number.
    73  message IsRevokedCertRequest {
    74    string ca = 1; // Common Name of the CA that issued the certificate
          // NOTE(review): only the decimal form is described. Many tools print serial
          // numbers in hex, so confirm that a non-decimal value is rejected with an
          // error rather than parsed as a different number.
    75    string sn = 2; // cert's serial number (big.Int encoded as a decimal string)
    76  }
    77  
    78  // IsRevokedCertResponse is returned by IsRevokedCert.
        //
        // `revoked` is a plain proto3 bool, so false is also the value of an unset
        // field: an empty response reads as "not revoked".
        // NOTE(review): confirm that lookup failures surface as an RPC error and not
        // as an empty response.
    79  message IsRevokedCertResponse {
    80    bool revoked = 1; // true if the cert with the given SN is in the CRL
    81  }
    82  
    83  // CheckCertificateRequest contains a PEM-encoded certificate to check.
    84  message CheckCertificateRequest {
    85    string cert_pem = 1; // PEM-encoded certificate to check for validity
    86  }
    87  
    88  // CheckCertificateResponse is returned by CheckCertificate.
        //
        // `is_valid` is a plain proto3 bool, so an unset or empty response reads as
        // "not valid".
    89  message CheckCertificateResponse {
    90    bool is_valid = 1;         // true when the certificate is valid
          // NOTE(review): presumably free-form text meant for people; no format is
          // defined here, so callers should decide on is_valid and not parse this.
    91    string invalid_reason = 2; // reason the certificate is invalid; expected to be empty when is_valid is true
    92  }
    93  
    94  ///////////////////////////////////////////////////////////////////////////////
    95  
    96  // CRLStatus describes the latest known state of imported CRL.
        //
        // The two timestamps show how old the imported revocation data is: a
        // certificate revoked after the imported CRL was generated cannot be in it.
        // Both timestamps are message-typed, so they are absent (not zero) when unset.
    97  message CRLStatus {
    98    google.protobuf.Timestamp last_update_time = 1; // time when CRL was generated by the CA
    99    google.protobuf.Timestamp last_fetch_time = 2;  // time when CRL was fetched
          // NOTE(review): presumably the HTTP ETag of the CRL download, kept so an
          // unchanged CRL need not be fetched again - confirm.
   100    string last_fetch_etag = 3;                     // etag of last successfully fetched CRL
   101    int64 revoked_certs_count = 4;                  // number of revoked certificates in the CRL
   102  }