forked from spiffe/spire-plugin-sdk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
keymanager.proto
145 lines (121 loc) · 4.55 KB
/
keymanager.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
syntax = "proto3";
package spire.plugin.server.keymanager.v1;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1;keymanagerv1";
service KeyManager {
// Generates a new private key with the given ID. If a key already exists
// under that ID, it is overwritten and given a different fingerprint. See
// the PublicKey message for more details on the role of the fingerprint.
rpc GenerateKey(GenerateKeyRequest) returns (GenerateKeyResponse);
// Gets the public key information for the private key managed by the
// plugin with the given ID. If a key with the given ID does not exist,
// NOT_FOUND is returned.
rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse);
// Gets all public key information for the private keys managed by the
// plugin.
rpc GetPublicKeys(GetPublicKeysRequest) returns (GetPublicKeysResponse);
// Signs data with the private key identified by the given ID. If a key
// with the given ID does not exist, NOT_FOUND is returned. The response
// contains the signed data and the fingerprint of the key used to sign the
// data. See the PublicKey message for more details on the role of the
// fingerprint.
rpc SignData(SignDataRequest) returns (SignDataResponse);
}
message PublicKey {
// Required. The ID of the key, as provided when the key was created.
string id = 1;
// Required. The type of the key.
KeyType type = 2;
// Required. The public key data (PKIX encoded).
bytes pkix_data = 3;
// Required. Fingerprint of the public key. The (id,fingerprint) tuple
// uniquely identifies an "instance" of the key. When a key is overwritten
// the fingerprint changes, indicating a different "instance" of that key
// under the given ID.
//
// Proper key rotation requires that SPIRE not overwrite a key while it is
// actively being used to sign data so that if the rotation operation
// fails, SPIRE still has a valid key to use. SPIRE compares the
// fingerprint returned from signing operations with the fingerprint it
// expected for the key as a way to detect when it has mismanaged keys.
// This is a mitigating measure and not expected to fail under normal
// circumstances.
//
// There is no requirement that plugins persist the fingerprint. It can be
// newly generated as long as it remains consistent for a given "instance"
// of the key during runtime.
//
// The fingerprinting algorithm is also left to plugin implementations. A
// native implementation is a non-cryptographic hash over the PKIX data.
string fingerprint = 4;
}
message GenerateKeyRequest {
// Required. The ID to give the generated key (or to identify the existing
// key to overwrite (see GenerateKey).
string key_id = 1;
// Required. The type of the key to generate.
KeyType key_type = 2;
}
message GenerateKeyResponse {
// Required. The generated key.
PublicKey public_key = 1;
}
message GetPublicKeyRequest {
// Required. The ID of the key to retrieve.
string key_id = 1;
}
message GetPublicKeyResponse {
// Required. The public key to return.
PublicKey public_key = 1;
}
message GetPublicKeysRequest {
}
message GetPublicKeysResponse {
// Required. The public keys managed by the KeyManager. May be empty.
repeated PublicKey public_keys = 1;
}
message SignDataRequest {
message PSSOptions {
// Required. The salt length.
int32 salt_length = 1;
// Required. The hash algorithm.
HashAlgorithm hash_algorithm = 2;
}
// Required. The ID of the key to use to sign the data.
string key_id = 1;
// Required. The data to sign.
bytes data = 2;
// Required. The signature options. The PSS options are only valid
// for RSA keys.
oneof signer_opts {
HashAlgorithm hash_algorithm = 3;
PSSOptions pss_options = 4;
}
}
message SignDataResponse {
// Required. The signature of the data.
bytes signature = 1;
// Required. The fingerprint of the key used to sign the data.
string key_fingerprint = 2;
}
enum KeyType {
UNSPECIFIED_KEY_TYPE = 0;
EC_P256 = 1;
EC_P384 = 2;
RSA_2048 = 3;
RSA_4096 = 4;
}
enum HashAlgorithm {
UNSPECIFIED_HASH_ALGORITHM = 0;
// These entries (and their values) line up with a subset of the go
// crypto.Hash constants.
SHA224 = 4;
SHA256 = 5;
SHA384 = 6;
SHA512 = 7;
SHA3_224 = 10;
SHA3_256 = 11;
SHA3_384 = 12;
SHA3_512 = 13;
SHA512_224 = 14;
SHA512_256 = 15;
}