diff --git a/go.mod b/go.mod index 47d50260056..9b4ee03d9d2 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,8 @@ module github.com/spiffe/spire go 1.22.3 +replace github.com/spiffe/spire-api-sdk => github.com/MarcosDY/spire-api-sdk v1.0.0-pre.0.20240719151356-bb46a791f8fe + require ( cloud.google.com/go/iam v1.1.10 cloud.google.com/go/kms v1.18.2 diff --git a/go.sum b/go.sum index acef694486d..651546e9224 100644 --- a/go.sum +++ b/go.sum @@ -481,6 +481,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/cloudsql-proxy v1.36.0 h1:kAtNAWwvTt5+iew6baV0kbOrtjYTXPtWNSyOFlcxkBU= github.com/GoogleCloudPlatform/cloudsql-proxy v1.36.0/go.mod h1:VRKXU8C7Y/aUKjRBTGfw0Ndv4YqNxlB8zAPJJDxbASE= +github.com/MarcosDY/spire-api-sdk v1.0.0-pre.0.20240719151356-bb46a791f8fe h1:a6JXo33Rr/lsrRxU/jNkWS1vZgfQHb4YWCfvgCamI0E= +github.com/MarcosDY/spire-api-sdk v1.0.0-pre.0.20240719151356-bb46a791f8fe/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= 
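Review bot: The new `replace github.com/spiffe/spire-api-sdk => github.com/MarcosDY/spire-api-sdk v1.0.0-pre.0.20240719151356-bb46a791f8fe` redirects the API SDK to a personal fork, so every build of this module resolves that dependency (and the matching go.sum entries in the following hunks) from an individual's repository rather than from the spiffe organization. That is acceptable while the SDK change is in flight, but it should not reach a release branch: once the upstream spire-api-sdk change lands, remove the directive, bump the `require` entry to the upstream pseudo-version and regenerate go.sum. If it has to stay for a while, a comment next to the directive naming the upstream pull request it is waiting on would make the intent visible to reviewers and to dependency tooling.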
@@ -1420,8 +1422,6 @@ github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMV github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk= github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= -github.com/spiffe/spire-api-sdk v1.2.5-0.20240627195926-b5ac064f580b h1:k7ei1fQyt6+FbqDEAd90xaXLg52YuXueM+BRcoHZvEU= -github.com/spiffe/spire-api-sdk v1.2.5-0.20240627195926-b5ac064f580b/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI= github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230721151831-bf67dde4721d h1:LCRQGU6vOqKLfRrG+GJQrwMwDILcAddAEIf4/1PaSVc= github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230721151831-bf67dde4721d/go.mod h1:GA6o2PVLwyJdevT6KKt5ZXCY/ziAPna13y/seGk49Ik= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= diff --git a/pkg/common/coretypes/jwtkey/apitypes.go b/pkg/common/coretypes/jwtkey/apitypes.go index 49eaf42c3a6..fcae708f861 100644 --- a/pkg/common/coretypes/jwtkey/apitypes.go +++ b/pkg/common/coretypes/jwtkey/apitypes.go @@ -15,6 +15,7 @@ func ToAPIProto(jwtKey JWTKey) (*apitypes.JWTKey, error) { KeyId: id, PublicKey: publicKey, ExpiresAt: expiresAt, + Tainted: jwtKey.Tainted, }, nil } @@ -23,7 +24,7 @@ func ToAPIFromPluginProto(pb *plugintypes.JWTKey) (*apitypes.JWTKey, error) { return nil, nil } - jwtKey, err := fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt) + jwtKey, err := fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt, pb.Tainted) if err != nil { return nil, err } diff --git a/pkg/common/coretypes/jwtkey/commontypes.go b/pkg/common/coretypes/jwtkey/commontypes.go index dc5ba1ea6f0..045d8d6e296 100644 --- a/pkg/common/coretypes/jwtkey/commontypes.go +++ b/pkg/common/coretypes/jwtkey/commontypes.go 
@@ -6,7 +6,7 @@ import ( ) func FromCommonProto(pb *common.PublicKey) (JWTKey, error) { - return fromProtoFields(pb.Kid, pb.PkixBytes, pb.NotAfter) + return fromProtoFields(pb.Kid, pb.PkixBytes, pb.NotAfter, pb.TaintedKey) } func FromCommonProtos(pbs []*common.PublicKey) ([]JWTKey, error) { diff --git a/pkg/common/coretypes/jwtkey/jwtkey.go b/pkg/common/coretypes/jwtkey/jwtkey.go index f7a52006fb3..eac5e8efa30 100644 --- a/pkg/common/coretypes/jwtkey/jwtkey.go +++ b/pkg/common/coretypes/jwtkey/jwtkey.go @@ -12,6 +12,7 @@ type JWTKey struct { ID string PublicKey crypto.PublicKey ExpiresAt time.Time + Tainted bool } func toProtoFields(jwtKey JWTKey) (string, []byte, int64, error) { @@ -35,7 +36,7 @@ func toProtoFields(jwtKey JWTKey) (string, []byte, int64, error) { return jwtKey.ID, publicKey, expiresAt, nil } -func fromProtoFields(keyID string, publicKeyPKIX []byte, expiresAtUnix int64) (JWTKey, error) { +func fromProtoFields(keyID string, publicKeyPKIX []byte, expiresAtUnix int64, tainted bool) (JWTKey, error) { if keyID == "" { return JWTKey{}, errors.New("missing key ID for JWT key") } @@ -57,5 +58,6 @@ func fromProtoFields(keyID string, publicKeyPKIX []byte, expiresAtUnix int64) (J ID: keyID, PublicKey: publicKey, ExpiresAt: expiresAt, + Tainted: tainted, }, nil } diff --git a/pkg/common/coretypes/jwtkey/plugintypes.go b/pkg/common/coretypes/jwtkey/plugintypes.go index bd8677e8a6b..bf51746309b 100644 --- a/pkg/common/coretypes/jwtkey/plugintypes.go +++ b/pkg/common/coretypes/jwtkey/plugintypes.go @@ -7,7 +7,7 @@ import ( ) func FromPluginProto(pb *plugintypes.JWTKey) (JWTKey, error) { - return fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt) + return fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt, pb.Tainted) } func FromPluginProtos(pbs []*plugintypes.JWTKey) ([]JWTKey, error) { 
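Review bot: The new `Tainted` field on `JWTKey` is exported but undocumented, and the converters in this diff fill it from differently named proto fields (`pb.TaintedKey` in commontypes.go, `pb.Tainted` in plugintypes.go and apitypes.go), so a one-line comment would help: `// Tainted mirrors the tainted flag of the proto this key was converted from (common.PublicKey.TaintedKey, or Tainted on the API/plugin JWTKey).` Note that `fromProtoFields` gained a `tainted` parameter but `toProtoFields` did not gain a corresponding return value, so every To*Proto converter has to copy `jwtKey.Tainted` by hand, as `ToAPIProto` does in the apitypes.go hunk; whether the plugin and common directions do the same is outside these hunks and worth checking.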
@@ -80,7 +80,7 @@ func ToPluginFromAPIProto(pb *apitypes.JWTKey) (*plugintypes.JWTKey, error) { return nil, nil } - jwtKey, err := fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt) + jwtKey, err := fromProtoFields(pb.KeyId, pb.PublicKey, pb.ExpiresAt, pb.Tainted) if err != nil { return nil, err } diff --git a/pkg/common/coretypes/x509certificate/plugintypes.go b/pkg/common/coretypes/x509certificate/plugintypes.go index 5b526ef5872..5d118a15a6e 100644 --- a/pkg/common/coretypes/x509certificate/plugintypes.go +++ b/pkg/common/coretypes/x509certificate/plugintypes.go @@ -114,7 +114,8 @@ func ToPluginFromAPIProto(pb *apitypes.X509Certificate) (*plugintypes.X509Certif return nil, err } return &plugintypes.X509Certificate{ - Asn1: asn1, + Asn1: asn1, + Tainted: pb.Tainted, }, nil } diff --git a/pkg/common/coretypes/x509certificate/x509authority.go b/pkg/common/coretypes/x509certificate/x509authority.go new file mode 100644 index 00000000000..ec8726babe1 --- /dev/null +++ b/pkg/common/coretypes/x509certificate/x509authority.go @@ -0,0 +1,38 @@ +package x509certificate + +import ( + "crypto/x509" + + plugintypes "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types" +) + +// TODO: may we call it Authority? +type X509Authority struct { + Certificate *x509.Certificate + Tainted bool +} + +func ToX509AuthorityFromPluginProtos(pbs []*plugintypes.X509Certificate) ([]*X509Authority, error) { + var authorities []*X509Authority + for _, pb := range pbs { + authority, err := ToX509AuthorityFromPluginProto(pb) + if err != nil { + return nil, err + } + authorities = append(authorities, authority) + } + + return authorities, nil +} + +func ToX509AuthorityFromPluginProto(pb *plugintypes.X509Certificate) (*X509Authority, error) { + cert, err := fromProtoFields(pb.Asn1) + if err != nil { + return nil, err + } + + return &X509Authority{ + Certificate: cert, + Tainted: pb.Tainted, + }, nil +} 
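Review bot: `ToX509AuthorityFromPluginProto` reads `pb.Asn1` and `pb.Tainted` without a nil guard, whereas the sibling converters in the jwtkey package shown above (`ToAPIFromPluginProto`, `ToPluginFromAPIProto`) return `nil, nil` for a nil proto, so a nil entry in `pbs` panics here instead of being skipped or reported. Either add `if pb == nil { return nil, nil }` for consistency or return an error, and say which in a comment. The exported type and both functions also lack doc comments; `// X509Authority is an X.509 authority certificate together with the tainted flag reported for it.` and `// ToX509AuthorityFromPluginProtos converts plugin X509Certificate protos, preserving each Tainted flag.` would cover them, and the `// TODO: may we call it Authority?` naming question is better settled before the type spreads into the upstreamauthority interfaces further down. Pre-sizing with `authorities := make([]*X509Authority, 0, len(pbs))` is a small free win.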
diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go index e94765de7c2..ec4fecdef1d 100644 --- a/pkg/common/telemetry/names.go +++ b/pkg/common/telemetry/names.go @@ -541,6 +541,9 @@ const ( // with other tags to add clarity Subject = "subject" + // Subject tags a certificate subject key ID + SubjectKeyId = "subject_key_id" + // SVIDMapSize is the gauge key for the size of the LRU cache SVID map SVIDMapSize = "lru_cache_svid_map_size" diff --git a/pkg/common/telemetry/server/datastore/wrapper.go b/pkg/common/telemetry/server/datastore/wrapper.go index 82ed815f94b..7bc7c15a0c0 100644 --- a/pkg/common/telemetry/server/datastore/wrapper.go +++ b/pkg/common/telemetry/server/datastore/wrapper.go @@ -264,10 +264,10 @@ func (w metricsWrapper) SetBundle(ctx context.Context, bundle *common.Bundle) (_ return w.ds.SetBundle(ctx, bundle) } -func (w metricsWrapper) TaintX509CA(ctx context.Context, trustDomainID string, publicKeyToTaint crypto.PublicKey) (err error) { +func (w metricsWrapper) TaintX509CA(ctx context.Context, trustDomainID string, subjectKeyIDToTaint string) (err error) { callCounter := StartTaintX509CAByKeyCall(w.m) defer callCounter.Done(&err) - return w.ds.TaintX509CA(ctx, trustDomainID, publicKeyToTaint) + return w.ds.TaintX509CA(ctx, trustDomainID, subjectKeyIDToTaint) } func (w metricsWrapper) RevokeX509CA(ctx context.Context, trustDomainID string, publicKeyToRevoke crypto.PublicKey) (err error) { diff --git a/pkg/server/api/bundle.go b/pkg/server/api/bundle.go index 940cbc58ac9..983a97a0891 100644 --- a/pkg/server/api/bundle.go +++ b/pkg/server/api/bundle.go @@ -37,7 +37,8 @@ func CertificatesToProto(rootCas []*common.Certificate) []*types.X509Certificate var x509Authorities []*types.X509Certificate for _, rootCA := range rootCas { x509Authorities = append(x509Authorities, &types.X509Certificate{ - Asn1: rootCA.DerBytes, + Asn1: rootCA.DerBytes, + Tainted: rootCA.TaintedKey, }) } 
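Review bot: The doc comment on the new constant reads `// Subject tags a certificate subject key ID`, which repeats the name of the neighbouring `Subject` constant instead of starting with the constant's own name. Go's initialism convention also favours `SubjectKeyID` over `SubjectKeyId`, unless the rest of this file already uses the `Id` spelling, which is outside the hunk. Suggested: `// SubjectKeyID tags the subject key ID of an X.509 authority`, with the identifier renamed at its single use in localauthority/v1/service.go.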
diff --git a/pkg/server/api/localauthority/v1/service.go b/pkg/server/api/localauthority/v1/service.go index b8e8978d42e..9b4a9b07d78 100644 --- a/pkg/server/api/localauthority/v1/service.go +++ b/pkg/server/api/localauthority/v1/service.go @@ -6,6 +6,7 @@ import ( "crypto/x509" "errors" "fmt" + "strings" "github.com/sirupsen/logrus" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -33,6 +34,8 @@ type CAManager interface { GetNextX509CASlot() manager.Slot PrepareX509CA(ctx context.Context) error RotateX509CA(ctx context.Context) + + IsUpstreamAuthority() bool } // RegisterService registers the service on the gRPC server. @@ -331,10 +334,15 @@ func (s *Service) ActivateX509Authority(ctx context.Context, req *localauthority func (s *Service) TaintX509Authority(ctx context.Context, req *localauthorityv1.TaintX509AuthorityRequest) (*localauthorityv1.TaintX509AuthorityResponse, error) { rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.AuthorityId)) log := rpccontext.Logger(ctx) + if req.AuthorityId != "" { log = log.WithField(telemetry.LocalAuthorityID, req.AuthorityId) } + if s.ca.IsUpstreamAuthority() { + return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil) + } + nextSlot := s.ca.GetNextX509CASlot() switch { @@ -355,7 +363,7 @@ func (s *Service) TaintX509Authority(ctx context.Context, req *localauthorityv1. return nil, api.MakeErr(log, codes.InvalidArgument, "only Old local authorities can be tainted", fmt.Errorf("unsupported local authority status: %v", nextSlot.Status())) } - if err := s.ds.TaintX509CA(ctx, s.td.IDString(), nextSlot.PublicKey()); err != nil { + if err := s.ds.TaintX509CA(ctx, s.td.IDString(), nextSlot.AuthorityID()); err != nil { return nil, api.MakeErr(log, codes.Internal, "failed to taint X.509 authority", err) } 
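Review bot: The new FailedPrecondition message has a typo, `"local authority can't be tainted if there is an upstream authorit"`; it should read `"local authority can't be tainted if there is an upstream authority"`, since this string reaches clients and logs. Placing the check before the slot-status validation is sensible, so the status code ordering is fine. The enclosing `TaintX509Authority` continues outside the hunk.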
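Review bot: `s.ds.TaintX509CA` is now called with `nextSlot.AuthorityID()` while the datastore, per the sqlstore hunk below, compares that argument against `x509util.SubjectKeyIDToString(x509CA.SubjectKeyId)`; if `AuthorityID()` is not produced by that same function with the same casing, every local-authority taint will fail with NotFound. The `Slot` interface in slot.go does not document the encoding of `AuthorityID()`, so this is worth confirming and pinning with a comment on the interface, for example `// AuthorityID returns the subject key ID of the slot's authority in the encoding produced by x509util.SubjectKeyIDToString.`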
@@ -371,6 +379,41 @@ func (s *Service) TaintX509Authority(ctx context.Context, req *localauthorityv1. }, nil } +func (s *Service) TaintX509UpstreamAuthority(ctx context.Context, req *localauthorityv1.TaintX509UpstreamAuthorityRequest) (*localauthorityv1.TaintX509UpstreamAuthorityResponse, error) { + rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.SubjectKeyId)) + log := rpccontext.Logger(ctx) + + if !s.ca.IsUpstreamAuthority() { + return nil, api.MakeErr(log, codes.FailedPrecondition, "upstream authority is not configured", nil) + } + + if req.SubjectKeyId == "" { + return nil, api.MakeErr(log, codes.InvalidArgument, "subject key ID is required", nil) + } + + // TODO: add a new field for SubjectKeyId + log = log.WithField(telemetry.SubjectKeyId, req.SubjectKeyId) + + // Normalize SKID + subjectKeyIDToTaint := strings.ToLower(req.SubjectKeyId) + + // TODO: may we validate that next slot contains an old authority and + // it is using the upstream authority to taint? + currentSlot := s.ca.GetCurrentX509CASlot() + currentSlotAuthorityKID := x509util.SubjectKeyIDToString(currentSlot.SigningAuthorityID()) + + if currentSlotAuthorityKID == subjectKeyIDToTaint { + return nil, api.MakeErr(log, codes.Internal, "unable to taint an active upstream authority", nil) + } + + if err := s.ds.TaintX509CA(ctx, s.td.IDString(), subjectKeyIDToTaint); err != nil { + return nil, api.MakeErr(log, codes.Internal, "failed to taint upstream authority", err) + + } + + return &localauthorityv1.TaintX509UpstreamAuthorityResponse{}, nil +} + func (s *Service) RevokeX509Authority(ctx context.Context, req *localauthorityv1.RevokeX509AuthorityRequest) (*localauthorityv1.RevokeX509AuthorityResponse, error) { rpccontext.AddRPCAuditFields(ctx, buildAuditLogFields(req.AuthorityId)) log := rpccontext.Logger(ctx) diff --git a/pkg/server/ca/manager/manager.go b/pkg/server/ca/manager/manager.go index 9477ce2ea13..d48874c48a6 100644 --- a/pkg/server/ca/manager/manager.go 
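Review bot: `"unable to taint an active upstream authority"` is returned with `codes.Internal`, but it is a caller-side precondition rather than a server fault; the sibling `TaintX509Authority` reports the analogous case (`"only Old local authorities can be tainted"`) with `codes.InvalidArgument`, and `codes.FailedPrecondition` would fit as well. The guard only compares against the current slot's signing authority, so an upstream authority that signed the prepared next slot's CA can still be tainted; the `// TODO: may we validate that next slot ...` comment acknowledges this, and until it is resolved the limitation belongs in the RPC's doc comment. `strings.ToLower` normalises the input but nothing checks that it is hex, so a malformed `SubjectKeyId` surfaces as NotFound from the datastore instead of InvalidArgument; a `hex.DecodeString` check before the lookup would make the error precise. The `// TODO: add a new field for SubjectKeyId` is already satisfied by the `telemetry.SubjectKeyId` constant added in this diff, and there is a stray blank line before the closing brace of the `if err := s.ds.TaintX509CA(...)` block that gofmt does not remove.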
+++ b/pkg/server/ca/manager/manager.go @@ -13,6 +13,7 @@ import ( "github.com/andres-erbsen/clock" "github.com/sirupsen/logrus" "github.com/spiffe/go-spiffe/v2/spiffeid" + "github.com/spiffe/spire/pkg/common/coretypes/x509certificate" "github.com/spiffe/spire/pkg/common/telemetry" telemetry_server "github.com/spiffe/spire/pkg/common/telemetry/server" "github.com/spiffe/spire/pkg/common/x509util" @@ -244,6 +245,10 @@ func (m *Manager) PrepareX509CA(ctx context.Context) (err error) { return nil } +func (m *Manager) IsUpstreamAuthority() bool { + return m.upstreamClient != nil +} + func (m *Manager) ActivateX509CA(ctx context.Context) { m.x509CAMutex.RLock() defer m.x509CAMutex.RUnlock() @@ -725,7 +730,7 @@ type bundleUpdater struct { updated func() } -func (u *bundleUpdater) AppendX509Roots(ctx context.Context, roots []*x509.Certificate) error { +func (u *bundleUpdater) AppendX509Roots(ctx context.Context, roots []*x509certificate.X509Authority) error { bundle := &common.Bundle{ TrustDomainId: u.trustDomainID, RootCas: make([]*common.Certificate, 0, len(roots)), @@ -733,7 +738,8 @@ func (u *bundleUpdater) AppendX509Roots(ctx context.Context, roots []*x509.Certi for _, root := range roots { bundle.RootCas = append(bundle.RootCas, &common.Certificate{ - DerBytes: root.Raw, + DerBytes: root.Certificate.Raw, + TaintedKey: root.Tainted, }) } if _, err := u.appendBundle(ctx, bundle); err != nil { diff --git a/pkg/server/ca/manager/slot.go b/pkg/server/ca/manager/slot.go index a7725546319..0bed500523d 100644 --- a/pkg/server/ca/manager/slot.go +++ b/pkg/server/ca/manager/slot.go @@ -40,6 +40,7 @@ type Slot interface { ShouldPrepareNext(now time.Time) bool ShouldActivateNext(now time.Time) bool Status() journal.Status + SigningAuthorityID() []byte AuthorityID() string PublicKey() crypto.PublicKey NotAfter() time.Time 
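Review bot: `IsUpstreamAuthority` is an exported method with no doc comment, and its name reads as "this manager is an upstream authority" while the body tests whether an upstream client is configured; at minimum document it: `// IsUpstreamAuthority reports whether the manager was configured with an upstream authority client.` The method reads `m.upstreamClient` without the `x509CAMutex` that the neighbouring `ActivateX509CA` takes; that is fine if the field is assigned once at construction and never rewritten, which is not visible in this hunk and deserves a short comment. In the `AppendX509Roots` hunk further down, `root.Certificate.Raw` now dereferences a pointer where the element itself was previously the certificate, so a nil `Certificate` would panic; a guard, or a note that `ToX509AuthorityFromPluginProto` never yields one, would close that.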
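Review bot: The new `SigningAuthorityID() []byte` method on the `Slot` interface has no doc comment, and its contract matters because service.go compares its result with a user-supplied subject key ID. From the slot.go hunk below it returns the CA certificate's AuthorityKeyId for X.509 slots and nil for JWT key slots, so `// SigningAuthorityID returns the raw AuthorityKeyId of the slot's X.509 CA certificate, or nil for JWT key slots.` would state that.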
@@ -539,6 +540,10 @@ func newX509CASlot(id string) *x509CASlot { } } +func (s *x509CASlot) SigningAuthorityID() []byte { + return s.x509CA.Certificate.AuthorityKeyId +} + func (s *x509CASlot) KmKeyID() string { return x509CAKmKeyID(s.id) } @@ -603,6 +608,10 @@ func (s *jwtKeySlot) AuthorityID() string { return s.authorityID } +func (s *jwtKeySlot) SigningAuthorityID() []byte { + return nil +} + func (s *jwtKeySlot) PublicKey() crypto.PublicKey { if s.jwtKey == nil { return nil diff --git a/pkg/server/ca/upstream_client.go b/pkg/server/ca/upstream_client.go index 125f4dfcfb9..fac687ca55b 100644 --- a/pkg/server/ca/upstream_client.go +++ b/pkg/server/ca/upstream_client.go @@ -8,6 +8,7 @@ import ( "sync" "time" + "github.com/spiffe/spire/pkg/common/coretypes/x509certificate" "github.com/spiffe/spire/pkg/server/plugin/upstreamauthority" "github.com/spiffe/spire/proto/spire/common" "google.golang.org/grpc/codes" @@ -17,7 +18,7 @@ import ( // BundleUpdater is the interface used by the UpstreamClient to append bundle // updates. type BundleUpdater interface { - AppendX509Roots(ctx context.Context, roots []*x509.Certificate) error + AppendX509Roots(ctx context.Context, roots []*x509certificate.X509Authority) error AppendJWTKeys(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error) LogError(err error, msg string) } 
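Review bot: `SigningAuthorityID` dereferences `s.x509CA.Certificate.AuthorityKeyId` without checking that the slot holds a CA, while the neighbouring `jwtKeySlot.PublicKey` guards `s.jwtKey == nil` before touching its key; if an X.509 slot can be empty in the same way (not visible here, but plausible for a freshly created slot), `TaintX509UpstreamAuthority` in service.go would panic when it calls this on the current slot. Suggested: `if s.x509CA == nil || s.x509CA.Certificate == nil { return nil }` ahead of the return, assuming `Certificate` is a pointer. Callers would then presumably get an empty string from `x509util.SubjectKeyIDToString`, which the service already rejects as a request value.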
@@ -139,10 +140,16 @@ func (u *UpstreamClient) runMintX509CAStream(ctx context.Context, csr []byte, tt } defer x509RootsStream.Close() + // Extract all roots certificates + var x509RootCerts []*x509.Certificate + for _, eachRoot := range x509Roots { + x509RootCerts = append(x509RootCerts, eachRoot.Certificate) + } + // Before we append the roots and return the response, we must first // validate that the minted intermediate can sign a valid, conformant // X509-SVID chain of trust using the provided callback. - if err := validateX509CA(x509CA, x509Roots); err != nil { + if err := validateX509CA(x509CA, x509RootCerts); err != nil { err = status.Errorf(codes.InvalidArgument, "X509 CA minted by upstream authority is invalid: %v", err) firstResultCh <- mintX509CAResult{err: err} return diff --git a/pkg/server/cache/dscache/cache.go b/pkg/server/cache/dscache/cache.go index 5f87a499c69..68afeea4c42 100644 --- a/pkg/server/cache/dscache/cache.go +++ b/pkg/server/cache/dscache/cache.go @@ -104,8 +104,8 @@ func (ds *DatastoreCache) SetBundle(ctx context.Context, b *common.Bundle) (bund return } -func (ds *DatastoreCache) TaintX509CA(ctx context.Context, trustDomainID string, publicKeyToTaint crypto.PublicKey) (err error) { - if err = ds.DataStore.TaintX509CA(ctx, trustDomainID, publicKeyToTaint); err == nil { +func (ds *DatastoreCache) TaintX509CA(ctx context.Context, trustDomainID string, subjectKeyIDToTaint string) (err error) { + if err = ds.DataStore.TaintX509CA(ctx, trustDomainID, subjectKeyIDToTaint); err == nil { ds.invalidateBundleEntry(trustDomainID) } return diff --git a/pkg/server/datastore/datastore.go b/pkg/server/datastore/datastore.go index 8b6f2aa0ef8..c86a22da6cd 100644 --- a/pkg/server/datastore/datastore.go +++ b/pkg/server/datastore/datastore.go 
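Review bot: The new loop hands every upstream root, including those whose `Tainted` flag is set, to `validateX509CA`, so a freshly minted intermediate that chains only to a tainted upstream authority is still accepted; if tainting signals that an authority is being retired, consider whether validation should require a path to an untainted root, or at least log when the minted CA validates only through tainted roots. Separately, `x509RootCerts` can be pre-sized with `make([]*x509.Certificate, 0, len(x509Roots))`, and the loop dereferences `eachRoot.Certificate` without a nil check, which is fine only if the converter never yields a nil certificate. `runMintX509CAStream` starts and ends outside the hunk.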
@@ -25,7 +25,7 @@ type DataStore interface { UpdateBundle(context.Context, *common.Bundle, *common.BundleMask) (*common.Bundle, error) // Keys - TaintX509CA(ctx context.Context, trustDomainID string, publicKeyToTaint crypto.PublicKey) error + TaintX509CA(ctx context.Context, trustDomainID string, subjectKeyIDToTaint string) error RevokeX509CA(ctx context.Context, trustDomainID string, publicKeyToRevoke crypto.PublicKey) error TaintJWTKey(ctx context.Context, trustDomainID string, authorityID string) (*common.PublicKey, error) RevokeJWTKey(ctx context.Context, trustDomainID string, authorityID string) (*common.PublicKey, error) diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go index 685707dcfb2..3e63d505d5c 100644 --- a/pkg/server/datastore/sqlstore/sqlstore.go +++ b/pkg/server/datastore/sqlstore/sqlstore.go @@ -28,6 +28,7 @@ import ( "github.com/spiffe/spire/pkg/common/cryptoutil" "github.com/spiffe/spire/pkg/common/protoutil" "github.com/spiffe/spire/pkg/common/telemetry" + "github.com/spiffe/spire/pkg/common/x509util" "github.com/spiffe/spire/pkg/server/datastore" "github.com/spiffe/spire/proto/private/server/journal" "github.com/spiffe/spire/proto/spire/common" @@ -246,9 +247,9 @@ func (ds *Plugin) PruneBundle(ctx context.Context, trustDomainID string, expires } // TaintX509CAByKey taints an X.509 CA signed using the provided public key -func (ds *Plugin) TaintX509CA(ctx context.Context, trustDoaminID string, publicKeyToTaint crypto.PublicKey) error { +func (ds *Plugin) TaintX509CA(ctx context.Context, trustDoaminID string, subjectKeyIDToTaint string) error { return ds.withReadModifyWriteTx(ctx, func(tx *gorm.DB) (err error) { - return taintX509CA(tx, trustDoaminID, publicKeyToTaint) + return taintX509CA(tx, trustDoaminID, subjectKeyIDToTaint) }) } 
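Review bot: `TaintX509CA` now identifies the CA by a `subjectKeyIDToTaint` string while the adjacent `RevokeX509CA` still takes a `crypto.PublicKey`, so the two halves of the same lifecycle use different identifiers and the interface says nothing about the expected encoding. A comment on the method would pin it: `// TaintX509CA marks as tainted the root CA whose subject key ID, encoded as x509util.SubjectKeyIDToString does, equals subjectKeyIDToTaint.` Aligning `RevokeX509CA` to the same identifier, or documenting why it differs, would spare callers from carrying both forms.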
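Review bot: The doc comment above the changed signature still says `// TaintX509CAByKey taints an X.509 CA signed using the provided public key`, naming a method that does not exist and describing the public-key lookup this commit removes. Suggested: `// TaintX509CA marks as tainted the root CA in the trust domain bundle whose subject key ID matches subjectKeyIDToTaint.` The parameter spelling `trustDoaminID` is pre-existing but could be fixed while the line is being touched.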
@@ -1149,10 +1150,6 @@ func applyBundleMask(model *Bundle, newBundle *common.Bundle, inputMask *common. bundle.SequenceNumber = newBundle.SequenceNumber } - if inputMask.X509TaintedKeys { - bundle.X509TaintedKeys = newBundle.X509TaintedKeys - } - newModel, err := bundleToModel(bundle) if err != nil { return nil, nil, err 
@@ -1376,33 +1373,35 @@ func pruneBundle(tx *gorm.DB, trustDomainID string, expiry time.Time, log logrus return changed, nil } -func taintX509CA(tx *gorm.DB, trustDomainID string, publicKeyToTaint crypto.PublicKey) error { +func taintX509CA(tx *gorm.DB, trustDomainID string, subjectKeyIDToTaint string) error { bundle, err := getBundle(tx, trustDomainID) if err != nil { return err } - for _, eachTaintedKey := range bundle.X509TaintedKeys { - taintedKey, err := x509.ParsePKIXPublicKey(eachTaintedKey.PublicKey) + found := false + for _, eachRootCA := range bundle.RootCas { + x509CA, err := x509.ParseCertificate(eachRootCA.DerBytes) if err != nil { - return status.Errorf(codes.Internal, "failed to parse tainted Key: %v", err) + return status.Errorf(codes.Internal, "failed to parse rootCA: %v", err) } - ok, err := cryptoutil.PublicKeyEqual(taintedKey, publicKeyToTaint) - if err != nil { - return status.Errorf(codes.Internal, "failed to compare public key: %v", err) + caSubjectKeyID := x509util.SubjectKeyIDToString(x509CA.SubjectKeyId) + if subjectKeyIDToTaint != caSubjectKeyID { + continue } - if ok { + + if eachRootCA.TaintedKey { return status.Errorf(codes.InvalidArgument, "root CA is already tainted") } - } - pKey, err := x509.MarshalPKIXPublicKey(publicKeyToTaint) - if err != nil { - return status.Errorf(codes.InvalidArgument, "failed to marshal public key to taint: %v", err) + found = true + eachRootCA.TaintedKey = true } - bundle.X509TaintedKeys = append(bundle.X509TaintedKeys, &common.X509TaintedKey{PublicKey: pKey}) + if !found { + return status.Errorf(codes.NotFound, "no ca found with provided subject key ID") + } _, err = updateBundle(tx, bundle, nil) if err != nil { 
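Review bot: `subjectKeyIDToTaint != caSubjectKeyID` is a case-sensitive comparison, so the datastore silently depends on the localauthority service having lowercased the input; the cache and metrics wrappers in this diff pass the string straight through, and any other caller of `DataStore.TaintX509CA` would get NotFound for an uppercase ID. Normalising here, for example `if !strings.EqualFold(subjectKeyIDToTaint, caSubjectKeyID) { continue }` (adding the `strings` import if the file lacks it), makes the datastore contract self-contained. Worth stating in a comment is that a subject key ID is an identifier chosen by the issuer rather than a property of the key, so unlike the removed `cryptoutil.PublicKeyEqual` match, two root CAs that happen to share an SKID are both tainted here; the loop already handles that by not breaking on the first match, while the `already tainted` check fires on whichever match comes first. `taintX509CA` continues past the hunk.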
@@ -1412,41 +1411,15 @@ func taintX509CA(tx *gorm.DB, trustDomainID string, publicKeyToTaint crypto.Publ return nil } +// TODO: review what we can do with upstream authorities + revoke +// this code allows to revoke only bundles func revokeX509CA(tx *gorm.DB, trustDomainID string, publicKeyToRevoke crypto.PublicKey) error { bundle, err := getBundle(tx, trustDomainID) if err != nil { return err } - var taintedKeyFound bool - var taintedKeys []*common.X509TaintedKey - - for _, eachTaintedKey := range bundle.X509TaintedKeys { - taintedKey, err := x509.ParsePKIXPublicKey(eachTaintedKey.PublicKey) - if err != nil { - return status.Errorf(codes.Internal, "failed to parse tainted Key: %v", err) - } - - ok, err := cryptoutil.PublicKeyEqual(taintedKey, publicKeyToRevoke) - if err != nil { - return status.Errorf(codes.Internal, "failed to compare public key: %v", err) - } - if ok { - taintedKeyFound = true - continue - } - - taintedKeys = append(taintedKeys, eachTaintedKey) - } - - if !taintedKeyFound { - return status.Error(codes.InvalidArgument, "it is not possible to revoke an untainted root CA") - } - bundle.X509TaintedKeys = taintedKeys - - // It is possible to keep bundles on journal, when there is no upstream authority, - // this code will be used to remove a CA bundle that is persisted on datastore, - // only in case it is found + keyFound := false var rootCAs []*common.Certificate for _, ca := range bundle.RootCas { cert, err := x509.ParseCertificate(ca.DerBytes) @@ -1460,10 +1433,18 @@ func revokeX509CA(tx *gorm.DB, trustDomainID string, publicKeyToRevoke crypto.Pu } if ok { + if !ca.TaintedKey { + return status.Error(codes.InvalidArgument, "it is not possible to revoke an untainted root CA") + } continue } rootCAs = append(rootCAs, ca) } + + if !keyFound { + return status.Error(codes.InvalidArgument, "no root CA found with provided key") + } + bundle.RootCas = rootCAs if _, err := updateBundle(tx, bundle, nil); err != nil { 
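Review bot: `keyFound` is initialised to false in the first hunk and never assigned afterwards: the visible `if ok {` branch in the second hunk only checks `ca.TaintedKey` and `continue`s, and the unchanged lines between the two hunks cannot reference a variable this commit introduces, so `if !keyFound` always returns `"no root CA found with provided key"` and revocation can no longer succeed. Set `keyFound = true` as the first statement inside `if ok {`, before the `!ca.TaintedKey` check. The error code is also inconsistent with `taintX509CA`, which returns `codes.NotFound` for a missing CA while this path returns `codes.InvalidArgument`. The new `// TODO: review what we can do with upstream authorities + revoke` comment would read better as `// TODO: revisit revocation for upstream authorities; this currently only removes the CA from the persisted bundle.`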
diff --git a/pkg/server/plugin/upstreamauthority/spire/spire.go b/pkg/server/plugin/upstreamauthority/spire/spire.go index 1df3d7513a7..05a4cd64bc8 100644 --- a/pkg/server/plugin/upstreamauthority/spire/spire.go +++ b/pkg/server/plugin/upstreamauthority/spire/spire.go @@ -139,19 +139,21 @@ func (p *Plugin) MintX509CAAndSubscribe(request *upstreamauthorityv1.MintX509CAR } defer p.unsubscribeToPolling() - certChain, roots, err := p.serverClient.newDownstreamX509CA(stream.Context(), request.Csr, request.PreferredTtl) + // TODO: downstream RPC is not returning authority metadata, like tainted bit + // avoid using it for now in favor of a call to get bundle RPC + certChain, _, err := p.serverClient.newDownstreamX509CA(stream.Context(), request.Csr, request.PreferredTtl) if err != nil { return status.Errorf(codes.Internal, "unable to request a new Downstream X509CA: %v", err) } - var bundles []*plugintypes.X509Certificate - for _, cert := range roots { - pluginCert, err := x509certificate.ToPluginProto(cert) - if err != nil { - return status.Errorf(codes.Internal, "failed to parse X.509 authorities: %v", err) - } + serverBundle, err := p.serverClient.getBundle(stream.Context()) + if err != nil { + return status.Errorf(codes.Internal, "failed to fetch bundle from upstream server: %v", err) + } - bundles = append(bundles, pluginCert) + bundles, err := x509certificate.ToPluginFromAPIProtos(serverBundle.X509Authorities) + if err != nil { + return status.Errorf(codes.Internal, "failed to parse X.509 authorities: %v", err) } // Set X509 Authorities diff --git a/pkg/server/plugin/upstreamauthority/upstreamauthority.go b/pkg/server/plugin/upstreamauthority/upstreamauthority.go index abfa2f99718..a35257c2b2f 100644 --- a/pkg/server/plugin/upstreamauthority/upstreamauthority.go +++ b/pkg/server/plugin/upstreamauthority/upstreamauthority.go 
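Review bot: The roots returned by `newDownstreamX509CA` are now discarded (`certChain, _, err`) and the authorities come from a separate `getBundle` call, so the CA chain and the bundle are taken from two RPCs at different instants; if the upstream server rotates or taints between them, the two can disagree in a way the previous single-response path could not. The `// TODO: downstream RPC is not returning authority metadata ...` comment gives the why but should name what would let the mint response be used again so the `_` can be removed later, e.g. `// TODO: the downstream X509CA RPC does not carry the tainted flag yet; fetch the bundle instead until it does.` `MintX509CAAndSubscribe` continues outside the hunk.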
@@ -6,6 +6,7 @@ import ( "time" "github.com/spiffe/spire/pkg/common/catalog" + "github.com/spiffe/spire/pkg/common/coretypes/x509certificate" "github.com/spiffe/spire/proto/spire/common" ) @@ -20,7 +21,7 @@ type UpstreamAuthority interface { // closed when the caller is no longer interested in updates. If the // upstream authority does not support streaming updates, the stream will // return io.EOF when called. - MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Duration) (x509CA, upstreamX509Authorities []*x509.Certificate, stream UpstreamX509AuthorityStream, err error) + MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Duration) (x509CA []*x509.Certificate, upstreamX509Authorities []*x509certificate.X509Authority, stream UpstreamX509AuthorityStream, err error) // PublishJWTKey publishes the given JWT key with the upstream authority. // Support for this method is optional. Implementations that do not support @@ -39,7 +40,7 @@ type UpstreamX509AuthorityStream interface { // method is called, or the context originally passed into MintX509CA is // canceled. If the function returns an error, no more updates will be // available over the stream. - RecvUpstreamX509Authorities() ([]*x509.Certificate, error) + RecvUpstreamX509Authorities() ([]*x509certificate.X509Authority, error) // Close() closes the stream. It MUST be called by callers of MintX509CA // when they are done with the stream. diff --git a/pkg/server/plugin/upstreamauthority/v1.go b/pkg/server/plugin/upstreamauthority/v1.go index 9ecf7eb6db2..3186eccbb25 100644 --- a/pkg/server/plugin/upstreamauthority/v1.go +++ b/pkg/server/plugin/upstreamauthority/v1.go 
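Review bot: The `MintX509CA` doc comment above the changed signature (partly outside the hunk) still describes `upstreamX509Authorities` as certificates; now that the return type is `[]*x509certificate.X509Authority`, it should say that each entry carries the authority's tainted flag, which callers such as `bundleUpdater.AppendX509Roots` persist, e.g. `// upstreamX509Authorities carries each upstream root together with its Tainted flag, which is propagated into the trust domain bundle.` The same applies to `RecvUpstreamX509Authorities` in the next hunk.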
@@ -23,7 +23,7 @@ type V1 struct { // MintX509CA provides the V1 implementation of the UpstreamAuthority // interface method of the same name. -func (v1 *V1) MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Duration) (_, _ []*x509.Certificate, _ UpstreamX509AuthorityStream, err error) { +func (v1 *V1) MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Duration) (_ []*x509.Certificate, _ []*x509certificate.X509Authority, _ UpstreamX509AuthorityStream, err error) { ctx, cancel := context.WithCancel(ctx) defer func() { // Only cancel the context if the function fails. Otherwise the @@ -51,6 +51,7 @@ func (v1 *V1) MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Dura return nil, nil, nil, err } + // TODO: may we add a new type to get upstream authority with metadata? return x509CA, upstreamX509Authorities, &v1UpstreamX509AuthorityStream{v1: v1, stream: stream, cancel: cancel}, nil } @@ -91,7 +92,7 @@ func (v1 *V1) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ [] return jwtKeys, &v1UpstreamJWTAuthorityStream{v1: v1, stream: stream, cancel: cancel}, nil } -func (v1 *V1) parseMintX509CAFirstResponse(resp *upstreamauthorityv1.MintX509CAResponse) ([]*x509.Certificate, []*x509.Certificate, error) { +func (v1 *V1) parseMintX509CAFirstResponse(resp *upstreamauthorityv1.MintX509CAResponse) ([]*x509.Certificate, []*x509certificate.X509Authority, error) { x509CA, err := x509certificate.FromPluginProtos(resp.X509CaChain) if err != nil { return nil, nil, v1.Errorf(codes.Internal, "plugin response has malformed X.509 CA chain: %v", err) 
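Review bot: The added `// TODO: may we add a new type to get upstream authority with metadata?` looks stale: the `x509certificate.X509Authority` type introduced in this diff is exactly that, and the signature changed in the first hunk already returns it. Either drop the comment or make it say what is still missing, such as `// TODO: X509Authority currently carries only the tainted flag; extend it if more upstream metadata is needed.`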
@@ -106,15 +107,15 @@ func (v1 *V1) parseMintX509CAFirstResponse(resp *upstreamauthorityv1.MintX509CAR return x509CA, x509Authorities, nil } -func (v1 *V1) parseMintX509CABundleUpdate(resp *upstreamauthorityv1.MintX509CAResponse) ([]*x509.Certificate, error) { +func (v1 *V1) parseMintX509CABundleUpdate(resp *upstreamauthorityv1.MintX509CAResponse) ([]*x509certificate.X509Authority, error) { if len(resp.X509CaChain) > 0 { return nil, v1.Error(codes.Internal, "plugin response has an X.509 CA chain after the first response") } return v1.parseX509Authorities(resp.UpstreamX509Roots) } -func (v1 *V1) parseX509Authorities(rawX509Authorities []*types.X509Certificate) ([]*x509.Certificate, error) { - x509Authorities, err := x509certificate.FromPluginProtos(rawX509Authorities) +func (v1 *V1) parseX509Authorities(rawX509Authorities []*types.X509Certificate) ([]*x509certificate.X509Authority, error) { + x509Authorities, err := x509certificate.ToX509AuthorityFromPluginProtos(rawX509Authorities) if err != nil { return nil, v1.Errorf(codes.Internal, "plugin response has malformed upstream X.509 roots: %v", err) } @@ -145,7 +146,7 @@ type v1UpstreamX509AuthorityStream struct { cancel context.CancelFunc } -func (s *v1UpstreamX509AuthorityStream) RecvUpstreamX509Authorities() ([]*x509.Certificate, error) { +func (s *v1UpstreamX509AuthorityStream) RecvUpstreamX509Authorities() ([]*x509certificate.X509Authority, error) { for { resp, err := s.stream.Recv() switch { diff --git a/proto/spire/common/common.pb.go b/proto/spire/common/common.pb.go index ec218ed9ccc..78f9bc3d862 100644 --- a/proto/spire/common/common.pb.go +++ b/proto/spire/common/common.pb.go 
@@ -719,7 +719,8 @@ type Certificate struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - DerBytes []byte `protobuf:"bytes,1,opt,name=der_bytes,json=derBytes,proto3" json:"der_bytes,omitempty"` + DerBytes []byte `protobuf:"bytes,1,opt,name=der_bytes,json=derBytes,proto3" json:"der_bytes,omitempty"` + TaintedKey bool `protobuf:"varint,2,opt,name=tainted_key,json=taintedKey,proto3" json:"tainted_key,omitempty"` } func (x *Certificate) Reset() { @@ -761,6 +762,13 @@ func (x *Certificate) GetDerBytes() []byte { return nil } +func (x *Certificate) GetTaintedKey() bool { + if x != nil { + return x.TaintedKey + } + return false +} + // * PublicKey represents a PKIX encoded public key type PublicKey struct { state protoimpl.MessageState @@ -854,8 +862,6 @@ type Bundle struct { // * sequence number is a monotonically increasing number that is // incremented every time the bundle is updated SequenceNumber uint64 `protobuf:"varint,5,opt,name=sequence_number,json=sequenceNumber,proto3" json:"sequence_number,omitempty"` - // * list of X.509 tainted keys - X509TaintedKeys []*X509TaintedKey `protobuf:"bytes,6,rep,name=x509_tainted_keys,json=x509TaintedKeys,proto3" json:"x509_tainted_keys,omitempty"` } func (x *Bundle) Reset() { 
@@ -925,61 +931,6 @@ func (x *Bundle) GetSequenceNumber() uint64 { return 0 } -func (x *Bundle) GetX509TaintedKeys() []*X509TaintedKey { - if x != nil { - return x.X509TaintedKeys - } - return nil -} - -type X509TaintedKey struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // * tainted public key - PublicKey []byte `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` -} - -func (x *X509TaintedKey) Reset() { - *x = X509TaintedKey{} - if protoimpl.UnsafeEnabled { - mi := &file_spire_common_common_proto_msgTypes[11] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *X509TaintedKey) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*X509TaintedKey) ProtoMessage() {} - -func (x *X509TaintedKey) ProtoReflect() protoreflect.Message { - mi := &file_spire_common_common_proto_msgTypes[11] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use X509TaintedKey.ProtoReflect.Descriptor instead. -func (*X509TaintedKey) Descriptor() ([]byte, []int) { - return file_spire_common_common_proto_rawDescGZIP(), []int{11} -} - -func (x *X509TaintedKey) GetPublicKey() []byte { - if x != nil { - return x.PublicKey - } - return nil -} - type BundleMask struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -995,7 +946,7 @@ type BundleMask struct { func (x *BundleMask) Reset() { *x = BundleMask{} if protoimpl.UnsafeEnabled { - mi := &file_spire_common_common_proto_msgTypes[12] + mi := &file_spire_common_common_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1008,7 +959,7 @@ func (x *BundleMask) String() string { func (*BundleMask) ProtoMessage() {} func (x *BundleMask) ProtoReflect() protoreflect.Message { - mi := &file_spire_common_common_proto_msgTypes[12] + mi := &file_spire_common_common_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1021,7 +972,7 @@ func (x *BundleMask) ProtoReflect() protoreflect.Message { // Deprecated: Use BundleMask.ProtoReflect.Descriptor instead. func (*BundleMask) Descriptor() ([]byte, []int) { - return file_spire_common_common_proto_rawDescGZIP(), []int{12} + return file_spire_common_common_proto_rawDescGZIP(), []int{11} } func (x *BundleMask) GetRootCas() bool { @@ -1075,7 +1026,7 @@ type AttestedNodeMask struct { func (x *AttestedNodeMask) Reset() { *x = AttestedNodeMask{} if protoimpl.UnsafeEnabled { - mi := &file_spire_common_common_proto_msgTypes[13] + mi := &file_spire_common_common_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1088,7 +1039,7 @@ func (x *AttestedNodeMask) String() string { func (*AttestedNodeMask) ProtoMessage() {} func (x *AttestedNodeMask) ProtoReflect() protoreflect.Message { - mi := &file_spire_common_common_proto_msgTypes[13] + mi := &file_spire_common_common_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1101,7 +1052,7 @@ func (x *AttestedNodeMask) ProtoReflect() protoreflect.Message { // Deprecated: Use AttestedNodeMask.ProtoReflect.Descriptor instead. func (*AttestedNodeMask) Descriptor() ([]byte, []int) { - return file_spire_common_common_proto_rawDescGZIP(), []int{13} + return file_spire_common_common_proto_rawDescGZIP(), []int{12} } func (x *AttestedNodeMask) GetAttestationDataType() bool { 
@@ -1249,75 +1200,69 @@ var file_spire_common_common_proto_rawDesc = []byte{ 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, - 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x2a, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x4b, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x72, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x64, 0x65, 0x72, 0x42, 0x79, 0x74, 0x65, - 0x73, 0x22, 0x7a, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x1d, - 0x0a, 0x0a, 0x70, 0x6b, 0x69, 0x78, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6b, 0x69, 0x78, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, 0x12, - 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x03, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, - 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x0a, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0xbf, 0x02, - 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x72, 0x75, 0x73, - 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0d, 0x74, 0x72, 0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x49, 0x64, - 0x12, 0x34, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 
0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x07, 0x72, - 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x41, 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x17, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, - 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x12, 0x27, 0x0a, 0x0f, - 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0e, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x4e, - 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x48, 0x0a, 0x11, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x74, 0x61, - 0x69, 0x6e, 0x74, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x1c, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x58, 0x35, 0x30, 0x39, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x52, 0x0f, - 0x78, 0x35, 0x30, 0x39, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x22, - 0x2f, 0x0a, 0x0e, 0x58, 0x35, 0x30, 0x39, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, - 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, - 0x22, 0xc9, 0x01, 0x0a, 0x0a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, - 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x08, 
0x52, 0x07, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x6a, 0x77, - 0x74, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, - 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, - 0x68, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x72, 0x65, 0x66, 0x72, - 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x71, 0x75, 0x65, - 0x6e, 0x63, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x0e, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, - 0x12, 0x2a, 0x0a, 0x11, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, - 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x78, 0x35, 0x30, - 0x39, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x22, 0x9f, 0x02, 0x0a, - 0x10, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x4e, 0x6f, 0x64, 0x65, 0x4d, 0x61, 0x73, - 0x6b, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x13, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, - 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, - 0x72, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, - 0x62, 0x65, 0x72, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, - 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x63, 0x65, 0x72, - 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 
0x65, 0x72, 0x12, 0x33, 0x0a, 0x16, 0x6e, 0x65, 0x77, - 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, - 0x62, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x6e, 0x65, 0x77, 0x43, 0x65, - 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x2b, - 0x0a, 0x12, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, - 0x66, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6e, 0x65, 0x77, 0x43, - 0x65, 0x72, 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, - 0x61, 0x6e, 0x5f, 0x72, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x0b, 0x63, 0x61, 0x6e, 0x52, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x42, 0x2c, - 0x5a, 0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, - 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, - 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, + 0x65, 0x79, 0x22, 0x7a, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, + 0x1d, 0x0a, 0x0a, 0x70, 0x6b, 0x69, 0x78, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6b, 0x69, 0x78, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x69, 0x64, + 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1f, 0x0a, + 0x0b, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x5f, 
0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x0a, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0xf5, + 0x01, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x72, 0x75, + 0x73, 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0d, 0x74, 0x72, 0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x49, + 0x64, 0x12, 0x34, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, 0x73, 0x18, 0x02, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x07, + 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, 0x12, 0x41, 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, + 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x17, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, + 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, + 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x12, 0x27, 0x0a, + 0x0f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0e, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, + 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x22, 0xc9, 0x01, 0x0a, 0x0a, 0x42, 0x75, 0x6e, 0x64, 0x6c, + 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x61, + 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x61, 0x73, + 0x12, 0x28, 0x0a, 0x10, 0x6a, 0x77, 0x74, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 
0x5f, + 0x6b, 0x65, 0x79, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x6a, 0x77, 0x74, 0x53, + 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x65, + 0x66, 0x72, 0x65, 0x73, 0x68, 0x5f, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x0b, 0x72, 0x65, 0x66, 0x72, 0x65, 0x73, 0x68, 0x48, 0x69, 0x6e, 0x74, 0x12, 0x27, 0x0a, + 0x0f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, + 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x11, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x74, + 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x0f, 0x78, 0x35, 0x30, 0x39, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x4b, 0x65, + 0x79, 0x73, 0x22, 0x9f, 0x02, 0x0a, 0x10, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x4e, + 0x6f, 0x64, 0x65, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x74, 0x74, 0x65, 0x73, + 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2c, 0x0a, 0x12, 0x63, + 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, + 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x65, 0x72, + 0x74, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, + 0x33, 0x0a, 0x16, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x5f, 0x6e, 0x75, 
0x6d, 0x62, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x13, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, + 0x6d, 0x62, 0x65, 0x72, 0x12, 0x2b, 0x0a, 0x12, 0x6e, 0x65, 0x77, 0x5f, 0x63, 0x65, 0x72, 0x74, + 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x0f, 0x6e, 0x65, 0x77, 0x43, 0x65, 0x72, 0x74, 0x4e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, + 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6e, 0x5f, 0x72, 0x65, 0x61, 0x74, 0x74, 0x65, 0x73, + 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x63, 0x61, 0x6e, 0x52, 0x65, 0x61, 0x74, + 0x74, 0x65, 0x73, 0x74, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1332,7 +1277,7 @@ func file_spire_common_common_proto_rawDescGZIP() []byte { return file_spire_common_common_proto_rawDescData } -var file_spire_common_common_proto_msgTypes = make([]protoimpl.MessageInfo, 14) +var file_spire_common_common_proto_msgTypes = make([]protoimpl.MessageInfo, 13) var file_spire_common_common_proto_goTypes = []any{ (*Empty)(nil), // 0: spire.common.Empty (*AttestationData)(nil), // 1: spire.common.AttestationData 
@@ -1345,23 +1290,21 @@ var file_spire_common_common_proto_goTypes = []any{ (*Certificate)(nil), // 8: spire.common.Certificate (*PublicKey)(nil), // 9: spire.common.PublicKey (*Bundle)(nil), // 10: spire.common.Bundle - (*X509TaintedKey)(nil), // 11: spire.common.X509TaintedKey - (*BundleMask)(nil), // 12: spire.common.BundleMask - (*AttestedNodeMask)(nil), // 13: spire.common.AttestedNodeMask + (*BundleMask)(nil), // 11: spire.common.BundleMask + (*AttestedNodeMask)(nil), // 12: spire.common.AttestedNodeMask } var file_spire_common_common_proto_depIdxs = []int32{ - 2, // 0: spire.common.Selectors.entries:type_name -> spire.common.Selector - 2, // 1: spire.common.AttestedNode.selectors:type_name -> spire.common.Selector - 2, // 2: spire.common.RegistrationEntry.selectors:type_name -> spire.common.Selector - 5, // 3: spire.common.RegistrationEntries.entries:type_name -> spire.common.RegistrationEntry - 8, // 4: spire.common.Bundle.root_cas:type_name -> spire.common.Certificate - 9, // 5: spire.common.Bundle.jwt_signing_keys:type_name -> spire.common.PublicKey - 11, // 6: spire.common.Bundle.x509_tainted_keys:type_name -> spire.common.X509TaintedKey - 7, // [7:7] is the sub-list for method output_type - 7, // [7:7] is the sub-list for method input_type - 7, // [7:7] is the sub-list for extension type_name - 7, // [7:7] is the sub-list for extension extendee - 0, // [0:7] is the sub-list for field type_name + 2, // 0: spire.common.Selectors.entries:type_name -> spire.common.Selector + 2, // 1: spire.common.AttestedNode.selectors:type_name -> spire.common.Selector + 2, // 2: spire.common.RegistrationEntry.selectors:type_name -> spire.common.Selector + 5, // 3: spire.common.RegistrationEntries.entries:type_name -> spire.common.RegistrationEntry + 8, // 4: spire.common.Bundle.root_cas:type_name -> spire.common.Certificate + 9, // 5: spire.common.Bundle.jwt_signing_keys:type_name -> spire.common.PublicKey + 6, // [6:6] is the sub-list for method output_type + 6, // [6:6] 
is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name } func init() { file_spire_common_common_proto_init() } @@ -1503,18 +1446,6 @@ func file_spire_common_common_proto_init() { } } file_spire_common_common_proto_msgTypes[11].Exporter = func(v any, i int) any { - switch v := v.(*X509TaintedKey); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_spire_common_common_proto_msgTypes[12].Exporter = func(v any, i int) any { switch v := v.(*BundleMask); i { case 0: return &v.state @@ -1526,7 +1457,7 @@ func file_spire_common_common_proto_init() { return nil } } - file_spire_common_common_proto_msgTypes[13].Exporter = func(v any, i int) any { + file_spire_common_common_proto_msgTypes[12].Exporter = func(v any, i int) any { switch v := v.(*AttestedNodeMask); i { case 0: return &v.state @@ -1545,7 +1476,7 @@ func file_spire_common_common_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_spire_common_common_proto_rawDesc, NumEnums: 0, - NumMessages: 14, + NumMessages: 13, NumExtensions: 0, NumServices: 0, }, diff --git a/proto/spire/common/common.proto b/proto/spire/common/common.proto index b22f752d1cd..cd1ed63c616 100644 --- a/proto/spire/common/common.proto +++ b/proto/spire/common/common.proto @@ -125,6 +125,7 @@ message RegistrationEntries { /** Certificate represents a ASN.1/DER encoded X509 certificate */ message Certificate { bytes der_bytes = 1; + bool tainted_key = 2; } /** PublicKey represents a PKIX encoded public key */ 
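Review bot: The new `bool tainted_key = 2;` in `message Certificate` has no doc comment, while the neighbouring fields and messages in this file carry `/** ... */` descriptions (`Certificate` itself, `sequence_number`). Add one that states what the flag means and what a bundle consumer is expected to do when it is true, e.g. `/** tainted_key is set when the key backing this certificate has been marked as tainted */` — the expected consumer behaviour is not visible in this hunk, so the author should fill in that part. Because this is a proto3 field defaulting to false, a consumer built against the older schema will discard field 2 as an unknown field and treat the certificate as untainted, which is worth stating next to the field so the version-skew behaviour is explicit. Relatedly, the `message Bundle` hunk below drops `x509_tainted_keys = 6` without a `reserved 6;` / `reserved "x509_tainted_keys";` line, so a future field could reuse the number and be mis-decoded by peers that still emit the old message.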
@@ -159,14 +160,6 @@ message Bundle { /** sequence number is a monotonically increasing number that is * incremented every time the bundle is updated */ uint64 sequence_number = 5; - - /** list of X.509 tainted keys */ - repeated X509TaintedKey x509_tainted_keys = 6; -} - -message X509TaintedKey { - /** tainted public key*/ - bytes public_key = 1; } message BundleMask {