syntax = "proto3";
package ca;
option go_package = "github.com/letsencrypt/boulder/ca/proto";
import "core/proto/core.proto";
import "google/protobuf/timestamp.proto";
// CertificateAuthority issues certificates. OCSP and CRL generation are
// deliberately kept out of this service (see OCSPGenerator and CRLGenerator
// below) so that the ability to request issuance can be restricted to a
// narrower set of hosts than the ability to request OCSP or CRL signing.
service CertificateAuthority {
  // IssuePrecertificate issues a precertificate for the CSR carried in the
  // request and returns its DER together with the name and hash of the
  // certificate profile that was actually used.
  rpc IssuePrecertificate(IssueCertificateRequest) returns (IssuePrecertificateResponse) {}

  // IssueCertificateForPrecertificate issues the final certificate that
  // corresponds to a previously issued precertificate, given that
  // precertificate's DER and a set of SCTs. The response is the shared
  // core.Certificate type.
  rpc IssueCertificateForPrecertificate(IssueCertificateForPrecertificateRequest) returns (core.Certificate) {}
}
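// IssueCertificateRequest asks the CA to issue a precertificate for a CSR on
// behalf of a registration and an order.
message IssueCertificateRequest {
  // Next unused field number: 6

  // csr is the certificate signing request to issue for.
  // NOTE(review): presumably DER-encoded PKCS#10. It arrives from the RA, so
  // the CA handler is expected to validate it itself rather than trust it --
  // confirm in the handler.
  bytes csr = 1;
  // registrationID identifies the registration this issuance is for.
  int64 registrationID = 2;
  // orderID identifies the order this issuance fulfils.
  int64 orderID = 3;
  // Field 4 previously held issuerNameID. Both the number and the name are
  // reserved so that neither can be reused with a different meaning (reusing
  // the name would also resurrect the old JSON key).
  reserved 4;
  reserved "issuerNameID";

  // certProfileName is a human readable name provided by the RA and used to
  // determine if the CA can issue for that profile. A default name will be
  // assigned inside the CA during *Profile construction if no name is provided.
  // The value of this field should not be relied upon inside the RA.
  string certProfileName = 5;
}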
// IssuePrecertificateResponse carries the issued precertificate together with
// the identity of the certificate profile the CA used, so the RA can hand both
// back unchanged on the follow-up IssueCertificateForPrecertificate call.
message IssuePrecertificateResponse {
  // Next unused field number: 4

  // DER is the issued precertificate.
  // NOTE(review): presumably DER-encoded X.509 -- confirm.
  bytes DER = 1;

  // certProfileHash is a hash over the exported fields of a certificate profile
  // to ensure that the profile remains unchanged after multiple roundtrips
  // through the RA and CA.
  bytes certProfileHash = 2;

  // certProfileName is a human readable name returned back to the RA for later
  // use. If IssueCertificateRequest.certProfileName was an empty string, the
  // CAs default profile name will be assigned.
  string certProfileName = 3;
}
// IssueCertificateForPrecertificateRequest asks the CA to issue the final
// certificate matching a precertificate it previously issued.
message IssueCertificateForPrecertificateRequest {
  // Next unused field number: 6

  // DER is the precertificate returned by IssuePrecertificate.
  // NOTE(review): since this is supplied by the RA, the CA handler is expected
  // to verify it really is a precertificate this CA issued (and that it has
  // not been altered) before signing a final certificate from it -- confirm
  // in the handler.
  bytes DER = 1;
  // SCTs are the signed certificate timestamps obtained for the
  // precertificate; one entry per SCT.
  // NOTE(review): encoding of each entry is not stated here -- confirm.
  repeated bytes SCTs = 2;
  // registrationID identifies the registration this issuance is for; expected
  // to match the value sent on the IssuePrecertificate call.
  int64 registrationID = 3;
  // orderID identifies the order this issuance fulfils; expected to match the
  // value sent on the IssuePrecertificate call.
  int64 orderID = 4;

  // certProfileHash is a hash over the exported fields of a certificate profile
  // to ensure that the profile remains unchanged after multiple roundtrips
  // through the RA and CA.
  bytes certProfileHash = 5;
}
// OCSPGenerator generates OCSP. We separate this out from
// CertificateAuthority so that we can restrict access to a different subset of
// hosts, so the hosts that need to request OCSP generation don't need to be
// able to request certificate issuance.
service OCSPGenerator {
  // GenerateOCSP signs an OCSP response for the certificate named by serial and
  // issuerID in the request, asserting the supplied status.
  rpc GenerateOCSP(GenerateOCSPRequest) returns (OCSPResponse) {}
}
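// GenerateOCSPRequest describes the certificate, identified by serial and
// issuerID, and the status to produce an OCSP response for.
// NOTE(review): an earlier comment here read "Exactly one of certDER or
// [serial and issuerID] must be set", but certDER is no longer a field of
// this message and field number 1 is neither used nor reserved -- confirm
// whether 1 was that field and should be reserved to prevent reuse.
message GenerateOCSPRequest {
  // Next unused field number: 8

  // status is the certificate status to assert in the response.
  // NOTE(review): the accepted values are not constrained by this schema (a
  // string rather than an enum), so the handler must reject anything it does
  // not recognise. Changing the type now would be wire-breaking; flag only.
  string status = 2;
  // reason is the revocation reason code; presumably an RFC 5280 CRLReason
  // value -- confirm against the handler.
  int32 reason = 3;
  // Field 4 previously held revokedAtNS (presumably superseded by revokedAt
  // below). Both the number and the name are reserved so that neither can be
  // reused with a different meaning.
  reserved 4;
  reserved "revokedAtNS";
  // revokedAt is the revocation time. Presumably only meaningful when status
  // indicates revocation -- confirm.
  google.protobuf.Timestamp revokedAt = 7;
  // serial identifies the certificate the response is for.
  string serial = 5;
  // issuerID identifies the issuer of that certificate.
  // NOTE(review): presumably the same identifier space as
  // CRLMetadata.issuerNameID -- confirm.
  int64 issuerID = 6;
}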
// OCSPResponse carries a signed OCSP response produced by GenerateOCSP.
message OCSPResponse {
  // response is the signed OCSP response.
  // NOTE(review): presumably DER-encoded per RFC 6960 -- confirm.
  bytes response = 1;
}
// CRLGenerator signs CRLs. It is separated for the same reason as OCSPGenerator.
service CRLGenerator {
  // GenerateCRL is bidirectionally streamed: the request stream carries the
  // CRL's metadata and its entries (one GenerateCRLRequest per item), and the
  // response stream returns the signed CRL in chunks.
  rpc GenerateCRL(stream GenerateCRLRequest) returns (stream GenerateCRLResponse) {}
}
// GenerateCRLRequest is one item of the GenerateCRL request stream. Each
// message carries exactly one of the CRL's metadata or a single entry.
message GenerateCRLRequest {
  oneof payload {
    // metadata describes the CRL as a whole (issuer, thisUpdate, shard).
    CRLMetadata metadata = 1;
    // entry is a single revoked-certificate entry to include in the CRL.
    core.CRLEntry entry = 2;
  }
}
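// CRLMetadata carries the per-CRL parameters sent on the GenerateCRL request
// stream alongside the entries.
// NOTE(review): the schema does not state ordering; presumably the metadata
// message must arrive before any entry -- confirm in the handler.
message CRLMetadata {
  // Next unused field number: 5

  // issuerNameID identifies the issuer whose CRL is being generated.
  int64 issuerNameID = 1;
  // Field 2 previously held thisUpdateNS (presumably superseded by thisUpdate
  // below). Both the number and the name are reserved so that neither can be
  // reused with a different meaning.
  reserved 2;
  reserved "thisUpdateNS";
  // thisUpdate is the CRL's thisUpdate time.
  google.protobuf.Timestamp thisUpdate = 4;
  // shardIdx selects which shard of the issuer's CRL this request produces.
  // NOTE(review): the valid range is not stated here -- confirm.
  int64 shardIdx = 3;
}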
// GenerateCRLResponse is one item of the GenerateCRL response stream; the
// signed CRL is the concatenation of all chunks in stream order.
message GenerateCRLResponse {
  // chunk is a contiguous piece of the signed CRL.
  // NOTE(review): presumably DER-encoded once reassembled -- confirm.
  bytes chunk = 1;
}