/*
 *     Copyright 2022 The Dragonfly Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

syntax = "proto3";

package security;

import "google/protobuf/duration.proto";

// Refer: https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto
// Istio defines similar api for signing certificate, but it's not applicable in Dragonfly.

// Certificate request type.
// Dragonfly supports peers authentication with Mutual TLS(mTLS)
// For mTLS, all peers need to request TLS certificates for communicating
// The server side may overwrite ant requested certificate filed based on its policies.
message CertificateRequest {
  // ASN.1 DER form certificate request.
  // The public key in the CSR is used to generate the certificate,
  // and other fields in the generated certificate may be overwritten by the CA.
  bytes csr = 1;
  // Optional: requested certificate validity period.
  google.protobuf.Duration validity_period = 2;
}

// Certificate response type.
message CertificateResponse {
  // ASN.1 DER form certificate chain.
  repeated bytes certificate_chain = 1;
}

// Service for managing certificates issued by the CA.
service Certificate {
  // Using provided CSR, returns a signed certificate.
  rpc IssueCertificate(CertificateRequest)
      returns (CertificateResponse) {
  }
}