445 lines
15 KiB
Protocol Buffer
445 lines
15 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package sa;
|
|
option go_package = "github.com/letsencrypt/boulder/sa/proto";
|
|
|
|
import "core/proto/core.proto";
|
|
import "google/protobuf/empty.proto";
|
|
import "google/protobuf/timestamp.proto";
|
|
import "google/protobuf/duration.proto";
|
|
|
|
// StorageAuthorityReadOnly exposes only those SA methods which are read-only.
|
|
service StorageAuthorityReadOnly {
|
|
rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
|
|
rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
|
|
rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
|
|
rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
|
|
rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
|
|
rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc GetCertificate(Serial) returns (core.Certificate) {}
|
|
rpc GetLintPrecertificate(Serial) returns (core.Certificate) {}
|
|
rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
|
|
rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
|
|
rpc GetOrder(OrderRequest) returns (core.Order) {}
|
|
rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
|
|
rpc GetRegistration(RegistrationID) returns (core.Registration) {}
|
|
rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
|
|
rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
|
|
rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
|
|
rpc GetRevokedCertsByShard(GetRevokedCertsByShardRequest) returns (stream core.CRLEntry) {}
|
|
rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
|
|
rpc GetSerialsByAccount(RegistrationID) returns (stream Serial) {}
|
|
rpc GetSerialsByKey(SPKIHash) returns (stream Serial) {}
|
|
rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc IncidentsForSerial(Serial) returns (Incidents) {}
|
|
rpc KeyBlocked(SPKIHash) returns (Exists) {}
|
|
rpc ReplacementOrderExists(Serial) returns (Exists) {}
|
|
rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
|
|
rpc CheckIdentifiersPaused (PauseRequest) returns (Identifiers) {}
|
|
rpc GetPausedIdentifiers (RegistrationID) returns (Identifiers) {}
|
|
}
|
|
|
|
// StorageAuthority provides full read/write access to the database.
|
|
service StorageAuthority {
|
|
// Getters: this list must be identical to the StorageAuthorityReadOnly rpcs.
|
|
rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
|
|
rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
|
|
rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
|
|
rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
|
|
rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
|
|
rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc GetCertificate(Serial) returns (core.Certificate) {}
|
|
rpc GetLintPrecertificate(Serial) returns (core.Certificate) {}
|
|
rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
|
|
rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
|
|
rpc GetOrder(OrderRequest) returns (core.Order) {}
|
|
rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
|
|
rpc GetRegistration(RegistrationID) returns (core.Registration) {}
|
|
rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
|
|
rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
|
|
rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
|
|
rpc GetRevokedCertsByShard(GetRevokedCertsByShardRequest) returns (stream core.CRLEntry) {}
|
|
rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
|
|
rpc GetSerialsByAccount(RegistrationID) returns (stream Serial) {}
|
|
rpc GetSerialsByKey(SPKIHash) returns (stream Serial) {}
|
|
rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
|
|
rpc IncidentsForSerial(Serial) returns (Incidents) {}
|
|
rpc KeyBlocked(SPKIHash) returns (Exists) {}
|
|
rpc ReplacementOrderExists(Serial) returns (Exists) {}
|
|
rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {}
|
|
rpc CheckIdentifiersPaused (PauseRequest) returns (Identifiers) {}
|
|
rpc GetPausedIdentifiers (RegistrationID) returns (Identifiers) {}
|
|
// Adders
|
|
rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
|
|
rpc AddCertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
|
|
rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
|
|
rpc SetCertificateStatusReady(Serial) returns (google.protobuf.Empty) {}
|
|
rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
|
|
rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
|
|
rpc DeactivateRegistration(RegistrationID) returns (core.Registration) {}
|
|
rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
|
|
rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
|
|
rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
|
|
rpc NewRegistration(core.Registration) returns (core.Registration) {}
|
|
rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
|
|
rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
|
|
rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
|
|
rpc UpdateRegistrationContact(UpdateRegistrationContactRequest) returns (core.Registration) {}
|
|
rpc UpdateRegistrationKey(UpdateRegistrationKeyRequest) returns (core.Registration) {}
|
|
rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
|
|
rpc LeaseCRLShard(LeaseCRLShardRequest) returns (LeaseCRLShardResponse) {}
|
|
rpc UpdateCRLShard(UpdateCRLShardRequest) returns (google.protobuf.Empty) {}
|
|
rpc PauseIdentifiers(PauseRequest) returns (PauseIdentifiersResponse) {}
|
|
rpc UnpauseAccount(RegistrationID) returns (Count) {}
|
|
}
|
|
|
|
message RegistrationID {
|
|
int64 id = 1;
|
|
}
|
|
|
|
message JSONWebKey {
|
|
bytes jwk = 1;
|
|
}
|
|
|
|
message AuthorizationID {
|
|
string id = 1;
|
|
}
|
|
|
|
message GetValidAuthorizationsRequest {
|
|
// Next unused field number: 7
|
|
int64 registrationID = 1;
|
|
// TODO(#7311): dnsNames are being deprecated in favour of identifiers.
|
|
repeated string dnsNames = 2;
|
|
repeated core.Identifier identifiers = 6;
|
|
reserved 3; // Previously nowNS
|
|
google.protobuf.Timestamp validUntil = 4;
|
|
string profile = 5;
|
|
}
|
|
|
|
message Serial {
|
|
string serial = 1;
|
|
}
|
|
|
|
message SerialMetadata {
|
|
// Next unused field number: 7
|
|
string serial = 1;
|
|
int64 registrationID = 2;
|
|
reserved 3; // Previously createdNS
|
|
google.protobuf.Timestamp created = 5;
|
|
reserved 4; // Previously expiresNS
|
|
google.protobuf.Timestamp expires = 6;
|
|
}
|
|
|
|
message Range {
|
|
// Next unused field number: 5
|
|
reserved 1; // Previously earliestNS
|
|
google.protobuf.Timestamp earliest = 3;
|
|
reserved 2; // Previously latestNS
|
|
google.protobuf.Timestamp latest = 4;
|
|
}
|
|
|
|
message Count {
|
|
int64 count = 1;
|
|
}
|
|
|
|
message Timestamps {
|
|
// Next unused field number: 3
|
|
reserved 1; // Previously repeated timestampsNS
|
|
repeated google.protobuf.Timestamp timestamps = 2;
|
|
}
|
|
|
|
message CountInvalidAuthorizationsRequest {
|
|
// Next unused field number: 5
|
|
int64 registrationID = 1;
|
|
reserved 2; // Previously dnsName
|
|
core.Identifier identifier = 4;
|
|
// Count authorizations that expire in this range.
|
|
Range range = 3;
|
|
}
|
|
|
|
message CountFQDNSetsRequest {
|
|
// Next unused field number: 6
|
|
reserved 1; // Previously windowNS
|
|
// TODO(#7311): dnsNames are being deprecated in favour of identifiers.
|
|
repeated string dnsNames = 2;
|
|
repeated core.Identifier identifiers = 5;
|
|
google.protobuf.Duration window = 3;
|
|
int64 limit = 4;
|
|
}
|
|
|
|
message FQDNSetExistsRequest {
|
|
// Next unused field number: 3
|
|
// TODO(#7311): dnsNames are being deprecated in favour of identifiers.
|
|
repeated string dnsNames = 1;
|
|
repeated core.Identifier identifiers = 2;
|
|
}
|
|
|
|
message Exists {
|
|
bool exists = 1;
|
|
}
|
|
|
|
message AddSerialRequest {
|
|
// Next unused field number: 7
|
|
int64 regID = 1;
|
|
string serial = 2;
|
|
reserved 3; // Previously createdNS
|
|
google.protobuf.Timestamp created = 5;
|
|
reserved 4; // Previously expiresNS
|
|
google.protobuf.Timestamp expires = 6;
|
|
}
|
|
|
|
message AddCertificateRequest {
|
|
// Next unused field number: 8
|
|
bytes der = 1;
|
|
int64 regID = 2;
|
|
reserved 3; // previously ocsp
|
|
// An issued time. When not present the SA defaults to using
|
|
// the current time.
|
|
reserved 4; // Previously issuedNS
|
|
google.protobuf.Timestamp issued = 7;
|
|
int64 issuerNameID = 5; // https://pkg.go.dev/github.com/letsencrypt/boulder/issuance#IssuerNameID
|
|
|
|
// If this is set to true, the certificateStatus.status column will be set to
|
|
// "wait", which will cause us to serve internalError responses with OCSP is
|
|
// queried. This allows us to meet the BRs requirement:
|
|
//
|
|
// If the OCSP responder receives a request for the status of a certificate
|
|
// serial number that is “unused”, then ...
|
|
// the responder MUST NOT respond with a “good” status for such requests.
|
|
//
|
|
// Paraphrasing, a certificate serial number is unused if neither a
|
|
// Certificate nor a Precertificate has been issued with it. So when we write
|
|
// a linting certificate to the precertificates table, we want to make sure
|
|
// we never give a "good" response for that serial until the precertificate
|
|
// is actually issued.
|
|
bool ocspNotReady = 6;
|
|
}
|
|
|
|
message OrderRequest {
|
|
int64 id = 1;
|
|
}
|
|
|
|
message NewOrderRequest {
|
|
// Next unused field number: 10
|
|
int64 registrationID = 1;
|
|
reserved 2; // Previously expiresNS
|
|
google.protobuf.Timestamp expires = 5;
|
|
reserved 3; // Previously dnsNames
|
|
repeated core.Identifier identifiers = 9;
|
|
repeated int64 v2Authorizations = 4;
|
|
string certificateProfileName = 7;
|
|
// Replaces is the ARI certificate Id that this order replaces.
|
|
string replaces = 8;
|
|
// ReplacesSerial is the serial number of the certificate that this order
|
|
// replaces.
|
|
string replacesSerial = 6;
|
|
|
|
}
|
|
|
|
// NewAuthzRequest starts with all the same fields as corepb.Authorization,
|
|
// because it is replacing that type in NewOrderAndAuthzsRequest, and then
|
|
// improves from there.
|
|
message NewAuthzRequest {
|
|
// Next unused field number: 13
|
|
reserved 1; // previously id
|
|
reserved 2; // previously dnsName
|
|
core.Identifier identifier = 12;
|
|
int64 registrationID = 3;
|
|
reserved 4; // previously status
|
|
reserved 5; // previously expiresNS
|
|
google.protobuf.Timestamp expires = 9;
|
|
reserved 6; // previously challenges
|
|
reserved 7; // previously ACMEv1 combinations
|
|
reserved 8; // previously v2
|
|
repeated string challengeTypes = 10;
|
|
string token = 11;
|
|
}
|
|
|
|
message NewOrderAndAuthzsRequest {
|
|
NewOrderRequest newOrder = 1;
|
|
repeated NewAuthzRequest newAuthzs = 2;
|
|
}
|
|
|
|
message SetOrderErrorRequest {
|
|
int64 id = 1;
|
|
core.ProblemDetails error = 2;
|
|
}
|
|
|
|
message GetValidOrderAuthorizationsRequest {
|
|
int64 id = 1;
|
|
int64 acctID = 2;
|
|
}
|
|
|
|
message GetOrderForNamesRequest {
|
|
// Next unused field number: 4
|
|
int64 acctID = 1;
|
|
// TODO(#7311): dnsNames are being deprecated in favour of identifiers.
|
|
repeated string dnsNames = 2;
|
|
repeated core.Identifier identifiers = 3;
|
|
}
|
|
|
|
message FinalizeOrderRequest {
|
|
int64 id = 1;
|
|
string certificateSerial = 2;
|
|
}
|
|
|
|
message GetAuthorizationsRequest {
|
|
// Next unused field number: 7
|
|
int64 registrationID = 1;
|
|
// TODO(#7311): dnsNames are being deprecated in favour of identifiers.
|
|
repeated string dnsNames = 2;
|
|
repeated core.Identifier identifiers = 6;
|
|
reserved 3; // Previously nowNS
|
|
google.protobuf.Timestamp validUntil = 4;
|
|
string profile = 5;
|
|
}
|
|
|
|
message Authorizations {
|
|
repeated core.Authorization authzs = 2;
|
|
}
|
|
|
|
message AuthorizationIDs {
|
|
repeated string ids = 1;
|
|
}
|
|
|
|
message AuthorizationID2 {
|
|
int64 id = 1;
|
|
}
|
|
|
|
message RevokeCertificateRequest {
|
|
// Next unused field number: 10
|
|
string serial = 1;
|
|
int64 reason = 2;
|
|
reserved 3; // Previously dateNS
|
|
google.protobuf.Timestamp date = 8;
|
|
reserved 5; // Previously backdateNS
|
|
google.protobuf.Timestamp backdate = 9;
|
|
bytes response = 4;
|
|
int64 issuerID = 6;
|
|
int64 shardIdx = 7;
|
|
}
|
|
|
|
message FinalizeAuthorizationRequest {
|
|
// Next unused field number: 10
|
|
int64 id = 1;
|
|
string status = 2;
|
|
reserved 3; // Previously
|
|
google.protobuf.Timestamp expires = 8;
|
|
string attempted = 4;
|
|
repeated core.ValidationRecord validationRecords = 5;
|
|
core.ProblemDetails validationError = 6;
|
|
reserved 7; // Previously attemptedAtNS
|
|
google.protobuf.Timestamp attemptedAt = 9;
|
|
}
|
|
|
|
message AddBlockedKeyRequest {
|
|
// Next unused field number: 7
|
|
bytes keyHash = 1;
|
|
reserved 2; // Previously addedNS
|
|
google.protobuf.Timestamp added = 6;
|
|
string source = 3;
|
|
string comment = 4;
|
|
int64 revokedBy = 5;
|
|
}
|
|
|
|
message SPKIHash {
|
|
bytes keyHash = 1;
|
|
}
|
|
|
|
message Incident {
|
|
// Next unused field number: 7
|
|
int64 id = 1;
|
|
string serialTable = 2;
|
|
string url = 3;
|
|
reserved 4; // Previously renewByNS
|
|
google.protobuf.Timestamp renewBy = 6;
|
|
bool enabled = 5;
|
|
}
|
|
|
|
message Incidents {
|
|
repeated Incident incidents = 1;
|
|
}
|
|
|
|
message SerialsForIncidentRequest {
|
|
string incidentTable = 1;
|
|
}
|
|
|
|
message IncidentSerial {
|
|
// Next unused field number: 6
|
|
string serial = 1;
|
|
int64 registrationID = 2; // May be 0 (NULL)
|
|
int64 orderID = 3; // May be 0 (NULL)
|
|
reserved 4; // Previously lastNoticeSentNS
|
|
google.protobuf.Timestamp lastNoticeSent = 5;
|
|
}
|
|
|
|
message GetRevokedCertsByShardRequest {
|
|
int64 issuerNameID = 1;
|
|
google.protobuf.Timestamp revokedBefore = 2;
|
|
google.protobuf.Timestamp expiresAfter = 3;
|
|
int64 shardIdx = 4;
|
|
}
|
|
|
|
message GetRevokedCertsRequest {
|
|
// Next unused field number: 9
|
|
int64 issuerNameID = 1;
|
|
reserved 2; // Previously expiresAfterNS
|
|
google.protobuf.Timestamp expiresAfter = 6; // inclusive
|
|
reserved 3; // Previously expiresBeforeNS
|
|
google.protobuf.Timestamp expiresBefore = 7; // exclusive
|
|
reserved 4; // Previously revokedBeforeNS
|
|
google.protobuf.Timestamp revokedBefore = 8;
|
|
reserved 5;
|
|
}
|
|
|
|
message RevocationStatus {
|
|
int64 status = 1;
|
|
int64 revokedReason = 2;
|
|
google.protobuf.Timestamp revokedDate = 3; // Unix timestamp (nanoseconds)
|
|
}
|
|
|
|
message LeaseCRLShardRequest {
|
|
int64 issuerNameID = 1;
|
|
int64 minShardIdx = 2;
|
|
int64 maxShardIdx = 3;
|
|
google.protobuf.Timestamp until = 4;
|
|
}
|
|
|
|
message LeaseCRLShardResponse {
|
|
int64 issuerNameID = 1;
|
|
int64 shardIdx = 2;
|
|
}
|
|
|
|
message UpdateCRLShardRequest {
|
|
int64 issuerNameID = 1;
|
|
int64 shardIdx = 2;
|
|
google.protobuf.Timestamp thisUpdate = 3;
|
|
google.protobuf.Timestamp nextUpdate = 4;
|
|
}
|
|
|
|
message Identifiers {
|
|
repeated core.Identifier identifiers = 1;
|
|
}
|
|
|
|
message PauseRequest {
|
|
int64 registrationID = 1;
|
|
repeated core.Identifier identifiers = 2;
|
|
}
|
|
|
|
message PauseIdentifiersResponse {
|
|
int64 paused = 1;
|
|
int64 repaused = 2;
|
|
}
|
|
|
|
message UpdateRegistrationContactRequest {
|
|
int64 registrationID = 1;
|
|
repeated string contacts = 2;
|
|
}
|
|
|
|
message UpdateRegistrationKeyRequest {
|
|
int64 registrationID = 1;
|
|
bytes jwk = 2;
|
|
}
|