From 848ce7ebd86e458445585a5b7bca88418ded19c0 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 15 Apr 2022 22:04:41 +0000 Subject: [PATCH 1/6] Add CSR support for key delivery and proof of possession Many ecosystems and libraries have support for generating CSRs, but do not have easy-to-use utilities for generating encoded public keys. A CSR provides a simple way to send an encoded public key, along with a proof of possession since CSRs are self-signed. Existing clients do not have to change their behavior, as we will continue to support providing a public key and signed challenge. Signed-off-by: Hayden Blauzvern --- fulcio.proto | 12 +- fulcio_legacy.proto | 15 +- pkg/api/client.go | 7 +- pkg/api/error.go | 1 + pkg/api/grpc_server.go | 30 ++- pkg/api/grpc_server_test.go | 222 +++++++++++++++++- pkg/api/legacy_server.go | 41 ++-- pkg/challenges/challenges.go | 215 ++++++++++------- pkg/challenges/challenges_test.go | 156 +++++++++--- pkg/generated/protobuf/fulcio.pb.go | 198 +++++++++------- .../protobuf/legacy/fulcio_legacy.pb.go | 85 ++++--- 11 files changed, 713 insertions(+), 269 deletions(-) diff --git a/fulcio.proto b/fulcio.proto index d331c9c27..029f5cc71 100644 --- a/fulcio.proto +++ b/fulcio.proto @@ -52,13 +52,21 @@ message CreateSigningCertificateRequest { /* * The public key to be stored in the requested certificate */ - PublicKey public_key = 2 [(google.api.field_behavior) = REQUIRED]; + PublicKey public_key = 2 [(google.api.field_behavior) = OPTIONAL]; /* * Proof that the client possesses the private key; must be verifiable by provided public key * * This is a currently a signature over the `sub` claim from the OIDC identity token */ - bytes proof_of_possession = 3 [(google.api.field_behavior) = REQUIRED]; + bytes proof_of_possession = 3 [(google.api.field_behavior) = OPTIONAL]; + /* + * PKCS#10 encoded certificate signing request + * + * Contains the public key to be stored in the requested certificate. All other CSR fields + * are ignored. Since the CSR is self-signed, it also acts as a proof of posession of + * the private key. + */ + bytes certificate_signing_request = 4 [(google.api.field_behavior) = OPTIONAL]; } message Credentials { diff --git a/fulcio_legacy.proto b/fulcio_legacy.proto index d78d17997..0c0d9a499 100644 --- a/fulcio_legacy.proto +++ b/fulcio_legacy.proto @@ -58,15 +58,26 @@ message CreateSigningCertificateRequest { */ PublicKey publicKey = 1 [ deprecated=true, - (google.api.field_behavior) = REQUIRED + (google.api.field_behavior) = OPTIONAL ]; /* * Proof that the client possesses the private key */ bytes signedEmailAddress = 2 [ deprecated=true, - (google.api.field_behavior) = REQUIRED + (google.api.field_behavior) = OPTIONAL ]; + /* + * Optional: PKCS#10 encoded certificate signing request + * Contains the public key to be stored in the requested + * certificate. All other CSR fields are ignored. Since + * the CSR is self-signed, it also acts as a proof of + * posession of the private key. + */ + bytes certificateSigningRequest = 3 [ + deprecated=true, + (google.api.field_behavior) = OPTIONAL + ]; } message PublicKey { diff --git a/pkg/api/client.go b/pkg/api/client.go index c2a1179b4..5c8fa1e60 100644 --- a/pkg/api/client.go +++ b/pkg/api/client.go @@ -46,11 +46,14 @@ type Key struct { } type CertificateRequest struct { - // +required + // +optional PublicKey Key `json:"publicKey"` - // +required + // +optional SignedEmailAddress []byte `json:"signedEmailAddress"` + + // +optional + CertificateSigningRequest []byte `json:"certificateSigningRequest"` } const ( diff --git a/pkg/api/error.go b/pkg/api/error.go index f6ef06927..41634463d 100644 --- a/pkg/api/error.go +++ b/pkg/api/error.go @@ -26,6 +26,7 @@ import ( const ( invalidSignature = "The signature supplied in the request could not be verified" invalidPublicKey = "The public key supplied in the request could not be parsed" + invalidCSR = "The certificate signing request could not be parsed" failedToEnterCertInCTL = "Error entering certificate in CTL" failedToMarshalSCT = "Error marshaling signed certificate timestamp" failedToMarshalCert = "Error marshaling code signing certificate" diff --git a/pkg/api/grpc_server.go b/pkg/api/grpc_server.go index 3a6bdb457..968ab6a09 100644 --- a/pkg/api/grpc_server.go +++ b/pkg/api/grpc_server.go @@ -76,28 +76,36 @@ func (g *grpcCAServer) CreateSigningCertificate(ctx context.Context, request *fu return nil, handleFulcioGRPCError(ctx, codes.Unauthenticated, err, invalidCredentials) } - if request.PublicKey == nil { + if request.PublicKey == nil && len(request.CertificateSigningRequest) == 0 { return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, errors.New("public key not provided"), invalidPublicKey) } - publicKeyBytes := request.PublicKey.Content - // try to unmarshal as PEM - publicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(publicKeyBytes)) - if err != nil { - // try to unmarshal as DER - logger.Debugf("error parsing public key as PEM, trying DER: %v", err.Error()) - publicKey, err = x509.ParsePKIXPublicKey([]byte(publicKeyBytes)) + // optionally parse CSR + var csr *x509.CertificateRequest + if len(request.CertificateSigningRequest) > 0 { + csr, err = challenges.ParseCSR(request.CertificateSigningRequest) if err != nil { - return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidPublicKey) + return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidCSR) } } - // Validate public key, checking for weak key parameters. + // fetch public key from request or CSR + var pubKeyContent string + if request.PublicKey != nil { + pubKeyContent = request.PublicKey.Content + } + publicKey, err := challenges.ParsePublicKey(pubKeyContent, csr) + if err != nil { + return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidPublicKey) + } + + // validate public key, checking for weak key parameters if err := cryptoutils.ValidatePubKey(publicKey); err != nil { return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, insecurePublicKey) } - subject, err := challenges.ExtractSubject(ctx, principal, publicKey, request.ProofOfPossession) + // verify challenge + subject, err := challenges.ExtractSubject(ctx, principal, publicKey, csr, request.ProofOfPossession) if err != nil { return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidSignature) } diff --git a/pkg/api/grpc_server_test.go b/pkg/api/grpc_server_test.go index eb2ef11ba..310b8402e 100644 --- a/pkg/api/grpc_server_test.go +++ b/pkg/api/grpc_server_test.go @@ -588,6 +588,86 @@ func TestAPIWithGitHub(t *testing.T) { } } +// Tests API with challenge sent as CSR +func TestAPIWithCSRChallenge(t *testing.T) { + emailSigner, emailIssuer := newOIDCIssuer(t) + + // Create a FulcioConfig that supports this issuer. + cfg, err := config.Read([]byte(fmt.Sprintf(`{ + "OIDCIssuers": { + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "email" + } + } + }`, emailIssuer, emailIssuer))) + if err != nil { + t.Fatalf("config.Read() = %v", err) + } + + emailSubject := "foo@example.com" + + // Create an OIDC token using this issuer's signer. + tok, err := jwt.Signed(emailSigner).Claims(jwt.Claims{ + Issuer: emailIssuer, + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: emailSubject, + Audience: jwt.Audience{"sigstore"}, + }).Claims(customClaims{Email: emailSubject, EmailVerified: true}).CompactSerialize() + if err != nil { + t.Fatalf("CompactSerialize() = %v", err) + } + + ctClient, eca := createCA(cfg, t) + ctx := context.Background() + server, conn := setupGRPCForTest(ctx, t, cfg, ctClient, eca) + defer func() { + server.Stop() + conn.Close() + }() + + client := protobuf.NewCAClient(conn) + + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("error generating private key: %v", err) + } + csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test"}} + derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv) + if err != nil { + t.Fatalf("error creating CSR: %v", err) + } + pemCSR := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: derCSR, + }) + + // Hit the API to have it sign our certificate. + resp, err := client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + CertificateSigningRequest: pemCSR, + }) + if err != nil { + t.Fatalf("SigningCert() = %v", err) + } + + leafCert := verifyResponse(resp, eca, emailIssuer, t) + + // Expect email subject + if len(leafCert.EmailAddresses) != 1 { + t.Fatalf("unexpected length of leaf certificate URIs, expected 1, got %d", len(leafCert.URIs)) + } + if leafCert.EmailAddresses[0] != emailSubject { + t.Fatalf("subjects do not match: Expected %v, got %v", emailSubject, leafCert.EmailAddresses[0]) + } +} + // Tests API with insecure pub key func TestAPIWithInsecurePublicKey(t *testing.T) { emailSigner, emailIssuer := newOIDCIssuer(t) @@ -716,6 +796,146 @@ func TestAPIWithoutPublicKey(t *testing.T) { } } +// Tests API with invalid challenge as proof of possession of private key +func TestAPIWithInvalidChallenge(t *testing.T) { + emailSigner, emailIssuer := newOIDCIssuer(t) + + // Create a FulcioConfig that supports these issuers. + cfg, err := config.Read([]byte(fmt.Sprintf(`{ + "OIDCIssuers": { + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "email" + } + } + }`, emailIssuer, emailIssuer))) + if err != nil { + t.Fatalf("config.Read() = %v", err) + } + + emailSubject := "foo@example.com" + + // Create an OIDC token using this issuer's signer. + tok, err := jwt.Signed(emailSigner).Claims(jwt.Claims{ + Issuer: emailIssuer, + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: emailSubject, + Audience: jwt.Audience{"sigstore"}, + }).Claims(customClaims{Email: emailSubject, EmailVerified: true}).CompactSerialize() + if err != nil { + t.Fatalf("CompactSerialize() = %v", err) + } + + ctClient, eca := createCA(cfg, t) + ctx := context.Background() + server, conn := setupGRPCForTest(ctx, t, cfg, ctClient, eca) + defer func() { + server.Stop() + conn.Close() + }() + + client := protobuf.NewCAClient(conn) + + pubBytes, _ := generateKeyAndProof(emailSubject, t) + _, invalidProof := generateKeyAndProof(emailSubject, t) + + _, err = client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: invalidProof, + }) + if err == nil || !strings.Contains(err.Error(), "The signature supplied in the request could not be verified") { + t.Fatalf("expected invalid signature error, got %v", err) + } + if status.Code(err) != codes.InvalidArgument { + t.Fatalf("expected invalid argument, got %v", status.Code(err)) + } +} + +// Tests API with unsigned CSR, which will fail signature verification. +func TestAPIWithInvalidCSRSignature(t *testing.T) { + emailSigner, emailIssuer := newOIDCIssuer(t) + + // Create a FulcioConfig that supports this issuer. + cfg, err := config.Read([]byte(fmt.Sprintf(`{ + "OIDCIssuers": { + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "email" + } + } + }`, emailIssuer, emailIssuer))) + if err != nil { + t.Fatalf("config.Read() = %v", err) + } + + emailSubject := "foo@example.com" + + // Create an OIDC token using this issuer's signer. + tok, err := jwt.Signed(emailSigner).Claims(jwt.Claims{ + Issuer: emailIssuer, + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: emailSubject, + Audience: jwt.Audience{"sigstore"}, + }).Claims(customClaims{Email: emailSubject, EmailVerified: true}).CompactSerialize() + if err != nil { + t.Fatalf("CompactSerialize() = %v", err) + } + + ctClient, eca := createCA(cfg, t) + ctx := context.Background() + server, conn := setupGRPCForTest(ctx, t, cfg, ctClient, eca) + defer func() { + server.Stop() + conn.Close() + }() + + client := protobuf.NewCAClient(conn) + + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("error generating private key: %v", err) + } + csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test"}} + derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv) + if err != nil { + t.Fatalf("error creating CSR: %v", err) + } + // Corrupt signature + derCSR[len(derCSR)-1] = derCSR[len(derCSR)-1] + 1 + pemCSR := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: derCSR, + }) + + // Hit the API to have it sign our certificate. + _, err = client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + CertificateSigningRequest: pemCSR, + }) + + if err == nil || !strings.Contains(err.Error(), "The signature supplied in the request could not be verified") { + t.Fatalf("expected invalid signature error, got %v", err) + } + if status.Code(err) != codes.InvalidArgument { + t.Fatalf("expected invalid argument, got %v", status.Code(err)) + } +} + // Stand up a very simple OIDC endpoint. func newOIDCIssuer(t *testing.T) (jose.Signer, string) { t.Helper() @@ -879,7 +1099,7 @@ func verifyResponse(resp *protobuf.SigningCertificate, eca *ephemeralca.Ephemera } // Expect leaf certificate values - //TODO: if there are intermediates added, this logic needs to change + // TODO: if there are intermediates added, this logic needs to change block, rest = pem.Decode([]byte(chain.Certificates[0])) if len(rest) != 0 { t.Fatal("expected only one leaf certificate in PEM block") diff --git a/pkg/api/legacy_server.go b/pkg/api/legacy_server.go index 63d08b32e..9ad88ac0d 100644 --- a/pkg/api/legacy_server.go +++ b/pkg/api/legacy_server.go @@ -63,23 +63,30 @@ func (l *legacyGRPCCAServer) CreateSigningCertificate(ctx context.Context, reque }, } - if request.PublicKey == nil { - return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, errors.New("public key not provided"), invalidPublicKey) - } - - // create new CA request mapping fields from legacy to actual - algorithmEnum, ok := fulciogrpc.PublicKeyAlgorithm_value[strings.ToUpper(request.PublicKey.Algorithm)] //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API - if !ok { - algorithmEnum = int32(fulciogrpc.PublicKeyAlgorithm_PUBLIC_KEY_ALGORITHM_UNSPECIFIED) - } - - v2Request := fulciogrpc.CreateSigningCertificateRequest{ - Credentials: &creds, - PublicKey: &fulciogrpc.PublicKey{ - Algorithm: fulciogrpc.PublicKeyAlgorithm(algorithmEnum), - Content: string(request.PublicKey.Content), //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API - }, - ProofOfPossession: request.SignedEmailAddress, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + var v2Request fulciogrpc.CreateSigningCertificateRequest + if len(request.CertificateSigningRequest) > 0 { + v2Request = fulciogrpc.CreateSigningCertificateRequest{ + Credentials: &creds, + CertificateSigningRequest: request.CertificateSigningRequest, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + } + } else { + // the CSR and the public key have not been set + if request.PublicKey == nil { + return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, errors.New("public key not provided"), invalidPublicKey) + } + // create new CA request mapping fields from legacy to actual + algorithmEnum, ok := fulciogrpc.PublicKeyAlgorithm_value[strings.ToUpper(request.PublicKey.Algorithm)] //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + if !ok { + algorithmEnum = int32(fulciogrpc.PublicKeyAlgorithm_PUBLIC_KEY_ALGORITHM_UNSPECIFIED) + } + v2Request = fulciogrpc.CreateSigningCertificateRequest{ + Credentials: &creds, + PublicKey: &fulciogrpc.PublicKey{ + Algorithm: fulciogrpc.PublicKeyAlgorithm(algorithmEnum), + Content: string(request.PublicKey.Content), //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + }, + ProofOfPossession: request.SignedEmailAddress, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + } } v2Response, err := l.v2Server.CreateSigningCertificate(ctx, &v2Request) diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go index ae530773c..87f91ee6a 100644 --- a/pkg/challenges/challenges.go +++ b/pkg/challenges/challenges.go @@ -19,6 +19,8 @@ import ( "bytes" "context" "crypto" + "crypto/x509" + "encoding/pem" "errors" "fmt" "net/url" @@ -28,6 +30,7 @@ import ( "github.com/coreos/go-oidc/v3/oidc" "github.com/sigstore/fulcio/pkg/oauthflow" + "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" ) @@ -66,16 +69,27 @@ type ChallengeResult struct { AdditionalInfo map[AdditionalInfo]string } -func CheckSignature(pub crypto.PublicKey, proof []byte, email string) error { +// preChallengeResult holds an additional value for the subject of the token, +// used to verify the proof of poessession signature. +type preChallengeResult struct { + // Result.PublicKey is not populated. Result.AdditionalInfo is optional. + Result *ChallengeResult + // Subject or email from the OIDC token + Subject string +} + +// CheckSignature verifies a challenge, a signature over the subject or email +// of an OIDC token +func CheckSignature(pub crypto.PublicKey, proof []byte, subject string) error { verifier, err := signature.LoadVerifier(pub, crypto.SHA256) if err != nil { return err } - return verifier.VerifySignature(bytes.NewReader(proof), strings.NewReader(email)) + return verifier.VerifySignature(bytes.NewReader(proof), strings.NewReader(subject)) } -func Email(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func email(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { emailAddress, emailVerified, err := oauthflow.EmailFromIDToken(principal) if !emailVerified { return nil, errors.New("email_verified claim was false") @@ -83,11 +97,6 @@ func Email(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey return nil, err } - // Check the proof - if err := CheckSignature(pubKey, challenge, emailAddress); err != nil { - return nil, err - } - cfg, ok := config.FromContext(ctx).GetIssuer(principal.Issuer) if !ok { return nil, errors.New("invalid configuration for OIDC ID Token issuer") @@ -98,16 +107,17 @@ func Email(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey return nil, err } - // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: EmailValue, - Value: emailAddress, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: EmailValue, + Value: emailAddress, + }, + Subject: emailAddress, }, nil } -func Spiffe(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func spiffe(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { spiffeID := principal.Subject @@ -127,36 +137,28 @@ func Spiffe(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKe return nil, fmt.Errorf("%s is not allowed for %s", spiffeID, issuerHostname) } - // Check the proof - if err := CheckSignature(pubKey, challenge, spiffeID); err != nil { - return nil, err - } - issuer, err := oauthflow.IssuerFromIDToken(principal, cfg.IssuerClaim) if err != nil { return nil, err } // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: SpiffeValue, - Value: spiffeID, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: SpiffeValue, + Value: spiffeID, + }, + Subject: spiffeID, }, nil } -func Kubernetes(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func kubernetes(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { k8sURI, err := kubernetesToken(principal) if err != nil { return nil, err } - // Check the proof - if err := CheckSignature(pubKey, challenge, principal.Subject); err != nil { - return nil, err - } - cfg, ok := config.FromContext(ctx).GetIssuer(principal.Issuer) if !ok { return nil, errors.New("invalid configuration for OIDC ID Token issuer") @@ -167,16 +169,17 @@ func Kubernetes(ctx context.Context, principal *oidc.IDToken, pubKey crypto.Publ return nil, err } - // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: KubernetesValue, - Value: k8sURI, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: KubernetesValue, + Value: k8sURI, + }, + Subject: principal.Subject, }, nil } -func GithubWorkflow(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func githubWorkflow(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { workflowRef, err := workflowFromIDToken(principal) if err != nil { return nil, err @@ -186,11 +189,6 @@ func GithubWorkflow(ctx context.Context, principal *oidc.IDToken, pubKey crypto. return nil, err } - // Check the proof - if err := CheckSignature(pubKey, challenge, principal.Subject); err != nil { - return nil, err - } - cfg, ok := config.FromContext(ctx).GetIssuer(principal.Issuer) if !ok { return nil, errors.New("invalid configuration for OIDC ID Token issuer") @@ -201,17 +199,18 @@ func GithubWorkflow(ctx context.Context, principal *oidc.IDToken, pubKey crypto. return nil, err } - // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: GithubWorkflowValue, - Value: workflowRef, - AdditionalInfo: additionalInfo, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: GithubWorkflowValue, + Value: workflowRef, + AdditionalInfo: additionalInfo, + }, + Subject: principal.Subject, }, nil } -func URI(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func uri(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { uriWithSubject := principal.Subject cfg, ok := config.FromContext(ctx).GetIssuer(principal.Issuer) @@ -255,26 +254,22 @@ func URI(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, return nil, fmt.Errorf("subject hostname (%s) must match expected domain (%s)", uSubject.Hostname(), uDomain.Hostname()) } - // Check the proof - A signature over the OIDC token subject - if err := CheckSignature(pubKey, challenge, uriWithSubject); err != nil { - return nil, err - } - issuer, err := oauthflow.IssuerFromIDToken(principal, cfg.IssuerClaim) if err != nil { return nil, err } - // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: URIValue, - Value: uriWithSubject, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: URIValue, + Value: uriWithSubject, + }, + Subject: uriWithSubject, }, nil } -func Username(ctx context.Context, principal *oidc.IDToken, pubKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func username(ctx context.Context, principal *oidc.IDToken) (*preChallengeResult, error) { username := principal.Subject if strings.Contains(username, "@") { @@ -301,11 +296,6 @@ func Username(ctx context.Context, principal *oidc.IDToken, pubKey crypto.Public return nil, err } - // Check the proof - A signature over the OIDC token subject - if err := CheckSignature(pubKey, challenge, username); err != nil { - return nil, err - } - issuer, err := oauthflow.IssuerFromIDToken(principal, cfg.IssuerClaim) if err != nil { return nil, err @@ -313,12 +303,13 @@ func Username(ctx context.Context, principal *oidc.IDToken, pubKey crypto.Public emailSubject := fmt.Sprintf("%s@%s", username, cfg.SubjectDomain) - // Now issue cert! - return &ChallengeResult{ - Issuer: issuer, - PublicKey: pubKey, - TypeVal: UsernameValue, - Value: emailSubject, + return &preChallengeResult{ + Result: &ChallengeResult{ + Issuer: issuer, + TypeVal: UsernameValue, + Value: emailSubject, + }, + Subject: username, }, nil } @@ -443,25 +434,87 @@ func validateAllowedDomain(subjectHostname, issuerHostname string) error { return fmt.Errorf("hostname top-level and second-level domains do not match: %s, %s", subjectHostname, issuerHostname) } -func ExtractSubject(ctx context.Context, tok *oidc.IDToken, publicKey crypto.PublicKey, challenge []byte) (*ChallengeResult, error) { +func ExtractSubject(ctx context.Context, tok *oidc.IDToken, publicKey crypto.PublicKey, csr *x509.CertificateRequest, challenge []byte) (*ChallengeResult, error) { iss, ok := config.FromContext(ctx).GetIssuer(tok.Issuer) if !ok { return nil, fmt.Errorf("configuration can not be loaded for issuer %v", tok.Issuer) } + var result *preChallengeResult + var err error switch iss.Type { case config.IssuerTypeEmail: - return Email(ctx, tok, publicKey, challenge) + result, err = email(ctx, tok) case config.IssuerTypeSpiffe: - return Spiffe(ctx, tok, publicKey, challenge) + result, err = spiffe(ctx, tok) case config.IssuerTypeGithubWorkflow: - return GithubWorkflow(ctx, tok, publicKey, challenge) + result, err = githubWorkflow(ctx, tok) case config.IssuerTypeKubernetes: - return Kubernetes(ctx, tok, publicKey, challenge) + result, err = kubernetes(ctx, tok) case config.IssuerTypeURI: - return URI(ctx, tok, publicKey, challenge) + result, err = uri(ctx, tok) case config.IssuerTypeUsername: - return Username(ctx, tok, publicKey, challenge) + result, err = username(ctx, tok) default: return nil, fmt.Errorf("unsupported issuer: %s", iss.Type) } + if err != nil { + return nil, err + } + + // verify the proof of possession of the private key + if csr != nil { + err = csr.CheckSignature() + if err != nil { + return nil, err + } + } else { + if err := CheckSignature(publicKey, challenge, result.Subject); err != nil { + return nil, err + } + } + + result.Result.PublicKey = publicKey + return result.Result, nil +} + +// TODO: Move to sigstore/sigstore +func ParseCSR(csr []byte) (*x509.CertificateRequest, error) { + derBlock, _ := pem.Decode(csr) + if derBlock == nil || derBlock.Bytes == nil { + return nil, errors.New("no CSR found while decoding") + } + correctType := false + acceptedHeaders := []string{"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"} + for _, v := range acceptedHeaders { + if derBlock.Type == v { + correctType = true + } + } + if !correctType { + return nil, fmt.Errorf("DER type %v is not of any type %v for CSR", derBlock.Type, acceptedHeaders) + } + + return x509.ParseCertificateRequest(derBlock.Bytes) +} + +// ParsePublicKey parses a PEM or DER encoded public key, or extracts the public +// key from the provided CSR. Returns an error if decoding fails or if no public +// key is found. +func ParsePublicKey(encodedPubKey string, csr *x509.CertificateRequest) (crypto.PublicKey, error) { + if csr == nil && len(encodedPubKey) == 0 { + return nil, errors.New("public key not provided") + } + if csr != nil { + return csr.PublicKey, nil + } + // try to unmarshal as PEM + publicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(encodedPubKey)) + if err != nil { + // try to unmarshal as DER + publicKey, err = x509.ParsePKIXPublicKey([]byte(encodedPubKey)) + if err != nil { + return nil, errors.New("error parsing PEM or DER encoded public key") + } + } + return publicKey, err } diff --git a/pkg/challenges/challenges_test.go b/pkg/challenges/challenges_test.go index 6c617dc65..67afb9a28 100644 --- a/pkg/challenges/challenges_test.go +++ b/pkg/challenges/challenges_test.go @@ -23,12 +23,17 @@ import ( "crypto/rand" "crypto/rsa" "crypto/sha256" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" "fmt" "net/url" + "strings" "testing" "github.com/coreos/go-oidc/v3/oidc" "github.com/sigstore/fulcio/pkg/config" + "github.com/sigstore/sigstore/pkg/cryptoutils" ) func Test_isSpiffeIDAllowed(t *testing.T) { @@ -88,24 +93,21 @@ func TestURI(t *testing.T) { issuer := "https://accounts.example.com" token := &oidc.IDToken{Subject: subject, Issuer: issuer} - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - failErr(t, err) - h := sha256.Sum256([]byte(subject)) - signature, err := priv.Sign(rand.Reader, h[:], crypto.SHA256) - failErr(t, err) - - result, err := URI(ctx, token, priv.Public(), signature) + result, err := uri(ctx, token) if err != nil { t.Errorf("Expected test success, got %v", err) } - if result.Issuer != issuer { - t.Errorf("Expected issuer %s, got %s", issuer, result.Issuer) + if result.Result.Issuer != issuer { + t.Errorf("Expected issuer %s, got %s", issuer, result.Result.Issuer) + } + if result.Result.Value != subject { + t.Errorf("Expected subject value %s, got %s", subject, result.Result.Value) } - if result.Value != subject { - t.Errorf("Expected subject %s, got %s", subject, result.Value) + if result.Result.TypeVal != URIValue { + t.Errorf("Expected type %v, got %v", URIValue, result.Result.TypeVal) } - if result.TypeVal != URIValue { - t.Errorf("Expected type %v, got %v", URIValue, result.TypeVal) + if result.Subject != token.Subject { + t.Errorf("Expected subject %v, got %v", token.Subject, result.Subject) } } @@ -121,29 +123,26 @@ func TestUsername(t *testing.T) { }, } ctx := config.With(context.Background(), cfg) - username := "foobar" + usernameVal := "foobar" usernameWithEmail := "foobar@example.com" issuer := "https://accounts.example.com" - token := &oidc.IDToken{Subject: username, Issuer: issuer} + token := &oidc.IDToken{Subject: usernameVal, Issuer: issuer} - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - failErr(t, err) - h := sha256.Sum256([]byte(username)) - signature, err := priv.Sign(rand.Reader, h[:], crypto.SHA256) - failErr(t, err) - - result, err := Username(ctx, token, priv.Public(), signature) + result, err := username(ctx, token) if err != nil { t.Errorf("Expected test success, got %v", err) } - if result.Issuer != issuer { - t.Errorf("Expected issuer %s, got %s", issuer, result.Issuer) + if result.Result.Issuer != issuer { + t.Errorf("Expected issuer %s, got %s", issuer, result.Result.Issuer) + } + if result.Result.Value != usernameWithEmail { + t.Errorf("Expected subject value %s, got %s", usernameWithEmail, result.Result.Value) } - if result.Value != usernameWithEmail { - t.Errorf("Expected subject %s, got %s", usernameWithEmail, result.Value) + if result.Result.TypeVal != UsernameValue { + t.Errorf("Expected type %v, got %v", UsernameValue, result.Result.TypeVal) } - if result.TypeVal != UsernameValue { - t.Errorf("Expected type %v, got %v", UsernameValue, result.TypeVal) + if result.Subject != token.Subject { + t.Errorf("Expected subject %s, got %s", token.Subject, result.Subject) } } @@ -159,11 +158,11 @@ func TestUsernameInvalidChar(t *testing.T) { }, } ctx := config.With(context.Background(), cfg) - username := "foobar@example.com" + usernameVal := "foobar@example.com" issuer := "https://accounts.example.com" - token := &oidc.IDToken{Subject: username, Issuer: issuer} + token := &oidc.IDToken{Subject: usernameVal, Issuer: issuer} - _, err := Username(ctx, token, nil, []byte{}) + _, err := username(ctx, token) if err == nil { t.Errorf("expected test failure, got no error") } @@ -359,3 +358,98 @@ func TestCheckSignatureRSA(t *testing.T) { t.Fatal("check should have failed") } } + +func TestParseCSR(t *testing.T) { + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + failErr(t, err) + csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test"}} + derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv) + failErr(t, err) + + // success with type CERTIFICATE REQUEST + pemCSR := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: derCSR, + }) + parsedCSR, err := ParseCSR(pemCSR) + failErr(t, err) + if parsedCSR.Subject.CommonName != "test" { + t.Fatalf("unexpected CSR common name") + } + + // success with type NEW CERTIFICATE REQUEST + pemCSR = pem.EncodeToMemory(&pem.Block{ + Type: "NEW CERTIFICATE REQUEST", + Bytes: derCSR, + }) + parsedCSR, err = ParseCSR(pemCSR) + failErr(t, err) + if parsedCSR.Subject.CommonName != "test" { + t.Fatalf("unexpected CSR common name") + } + + // fails with invalid PEM encoded block + _, err = ParseCSR([]byte{1, 2, 3}) + if err == nil || !strings.Contains(err.Error(), "no CSR found while decoding") { + t.Fatalf("expected error parsing invalid CSR, got %v", err) + } + + // fails with invalid DER typr + pemCSR = pem.EncodeToMemory(&pem.Block{ + Type: "BEGIN CERTIFICATE", + Bytes: derCSR, + }) + _, err = ParseCSR(pemCSR) + if err == nil || !strings.Contains(err.Error(), "DER type BEGIN CERTIFICATE is not of any type") { + t.Fatalf("expected error parsing invalid CSR, got %v", err) + } +} + +func TestParsePublicKey(t *testing.T) { + // succeeds with CSR + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + failErr(t, err) + csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test"}} + derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv) + pemCSR := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: derCSR, + }) + parsedCSR, err := ParseCSR(pemCSR) + pubKey, err := ParsePublicKey("", parsedCSR) + failErr(t, err) + if err := cryptoutils.EqualKeys(pubKey, priv.Public()); err != nil { + t.Fatalf("expected equal public keys") + } + + // succeeds with PEM-encoded key + pemKey, err := cryptoutils.MarshalPublicKeyToPEM(priv.Public()) + failErr(t, err) + pubKey, err = ParsePublicKey(string(pemKey), nil) + failErr(t, err) + if err := cryptoutils.EqualKeys(pubKey, priv.Public()); err != nil { + t.Fatalf("expected equal public keys") + } + + // succeeds with DER-encoded key + derKey, err := cryptoutils.MarshalPublicKeyToDER(priv.Public()) + failErr(t, err) + pubKey, err = ParsePublicKey(string(derKey), nil) + failErr(t, err) + if err := cryptoutils.EqualKeys(pubKey, priv.Public()); err != nil { + t.Fatalf("expected equal public keys") + } + + // fails with no public key + _, err = ParsePublicKey("", nil) + if err == nil || err.Error() != "public key not provided" { + t.Fatalf("expected error parsing no public key, got %v", err) + } + + // fails with invalid public key (private key) + pemPrivKey, err := cryptoutils.MarshalPrivateKeyToPEM(priv) + _, err = ParsePublicKey(string(pemPrivKey), nil) + if err == nil || err.Error() != "error parsing PEM or DER encoded public key" { + t.Fatalf("expected error parsing invalid public key, got %v", err) + } +} diff --git a/pkg/generated/protobuf/fulcio.pb.go b/pkg/generated/protobuf/fulcio.pb.go index bc21171b6..dc9369795 100644 --- a/pkg/generated/protobuf/fulcio.pb.go +++ b/pkg/generated/protobuf/fulcio.pb.go @@ -104,6 +104,13 @@ type CreateSigningCertificateRequest struct { // // This is a currently a signature over the `sub` claim from the OIDC identity token ProofOfPossession []byte `protobuf:"bytes,3,opt,name=proof_of_possession,json=proofOfPossession,proto3" json:"proof_of_possession,omitempty"` + // + // PKCS#10 encoded certificate signing request + // + // Contains the public key to be stored in the requested certificate. All other CSR fields + // are ignored. Since the CSR is self-signed, it also acts as a proof of posession of + // the private key. + CertificateSigningRequest []byte `protobuf:"bytes,4,opt,name=certificate_signing_request,json=certificateSigningRequest,proto3" json:"certificate_signing_request,omitempty"` } func (x *CreateSigningCertificateRequest) Reset() { @@ -159,6 +166,13 @@ func (x *CreateSigningCertificateRequest) GetProofOfPossession() []byte { return nil } +func (x *CreateSigningCertificateRequest) GetCertificateSigningRequest() []byte { + if x != nil { + return x.CertificateSigningRequest + } + return nil +} + type Credentials struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -631,7 +645,7 @@ var file_fulcio_proto_rawDesc = []byte{ 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe9, 0x01, 0x0a, 0x1f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xae, 0x02, 0x0a, 0x1f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x4a, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, @@ -642,99 +656,103 @@ var file_fulcio_proto_rawDesc = []byte{ 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x03, 0xe0, 0x41, - 0x02, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x13, + 0x01, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x13, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x5f, 0x6f, 0x66, 0x5f, 0x70, 0x6f, 0x73, 0x73, 0x65, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x11, + 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x01, 0x52, 0x11, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x4f, 0x66, 0x50, 0x6f, 0x73, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x22, 0x4e, 0x0a, 0x0b, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, - 0x12, 0x30, 0x0a, 0x13, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, - 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, - 0x11, 0x6f, 0x69, 0x64, 0x63, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, - 0x65, 0x6e, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, - 0x73, 0x22, 0x74, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x48, - 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0e, 0x32, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, - 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1d, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, - 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x07, - 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xa3, 0x02, 0x0a, 0x12, 0x53, 0x69, 0x67, 0x6e, - 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x7e, - 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x5f, 0x73, 0x63, - 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, - 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x43, 0x54, 0x48, 0x00, - 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x63, 0x74, 0x12, 0x7e, - 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x5f, 0x73, 0x63, - 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, - 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, 0x43, 0x54, 0x48, 0x00, - 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, 0x63, 0x74, 0x42, 0x0d, - 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0xa1, 0x01, - 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x43, 0x54, 0x12, - 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, - 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x12, - 0x40, 0x0a, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x1a, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x22, 0x5f, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, - 0x43, 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x05, 0x63, 0x68, 0x61, - 0x69, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x4f, 0x0a, 0x0b, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x40, 0x0a, 0x06, 0x63, 0x68, - 0x61, 0x69, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, - 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, - 0x68, 0x61, 0x69, 0x6e, 0x52, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x22, 0x36, 0x0a, 0x10, + 0x6e, 0x12, 0x43, 0x0a, 0x1b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x01, 0x52, 0x19, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x4e, 0x0a, 0x0b, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x30, 0x0a, 0x13, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x48, 0x00, 0x52, 0x11, 0x6f, 0x69, 0x64, 0x63, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x22, 0x74, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x48, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, + 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, + 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1d, 0x0a, + 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xa3, 0x02, 0x0a, + 0x12, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x63, 0x68, + 0x65, 0x64, 0x5f, 0x73, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, + 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, + 0x53, 0x43, 0x54, 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, + 0x53, 0x63, 0x74, 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x62, 0x65, 0x64, 0x64, + 0x65, 0x64, 0x5f, 0x73, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, + 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, + 0x53, 0x43, 0x54, 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, + 0x53, 0x63, 0x74, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x22, 0xa1, 0x01, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, + 0x64, 0x53, 0x43, 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x05, 0x63, + 0x68, 0x61, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x1a, 0x73, 0x69, 0x67, 0x6e, + 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x5f, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, + 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, + 0x64, 0x64, 0x65, 0x64, 0x53, 0x43, 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, - 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x73, 0x2a, 0x5f, 0x0a, 0x12, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x24, 0x0a, 0x20, 0x50, 0x55, - 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, - 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x01, 0x12, 0x09, 0x0a, - 0x05, 0x45, 0x43, 0x44, 0x53, 0x41, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x44, 0x32, 0x35, - 0x35, 0x31, 0x39, 0x10, 0x03, 0x32, 0xaa, 0x02, 0x0a, 0x02, 0x43, 0x41, 0x12, 0x9f, 0x01, 0x0a, - 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, 0x2e, 0x64, 0x65, 0x76, 0x2e, - 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, - 0x76, 0x32, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, - 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x1e, - 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, - 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x3a, 0x01, 0x2a, 0x12, 0x81, - 0x01, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, - 0x65, 0x12, 0x2d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x72, + 0x52, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x23, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, - 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, - 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, - 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, - 0x6c, 0x65, 0x42, 0x5a, 0x0a, 0x16, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x42, 0x0b, 0x46, 0x75, - 0x6c, 0x63, 0x69, 0x6f, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x31, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2f, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x65, - 0x72, 0x61, 0x74, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, + 0x40, 0x0a, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, + 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, + 0x73, 0x22, 0x36, 0x0a, 0x10, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2a, 0x5f, 0x0a, 0x12, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, + 0x24, 0x0a, 0x20, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, + 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, + 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, + 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x43, 0x44, 0x53, 0x41, 0x10, 0x02, 0x12, 0x0b, 0x0a, + 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x03, 0x32, 0xaa, 0x02, 0x0a, 0x02, 0x43, + 0x41, 0x12, 0x9f, 0x01, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, + 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, + 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, + 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, + 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, + 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, + 0x3a, 0x01, 0x2a, 0x12, 0x81, 0x01, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, + 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x2d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, + 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, + 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, + 0x02, 0x15, 0x12, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x74, 0x72, 0x75, 0x73, + 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x42, 0x5a, 0x0a, 0x16, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, + 0x32, 0x42, 0x0b, 0x46, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, + 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, + 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go index 5a5ca26fa..768c55882 100644 --- a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go +++ b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go @@ -53,6 +53,15 @@ type CreateSigningCertificateRequest struct { // // Deprecated: Do not use. SignedEmailAddress []byte `protobuf:"bytes,2,opt,name=signedEmailAddress,proto3" json:"signedEmailAddress,omitempty"` + // + // Optional: PKCS#10 encoded certificate signing request + // Contains the public key to be stored in the requested + // certificate. All other CSR fields are ignored. Since + // the CSR is self-signed, it also acts as a proof of + // posession of the private key. + // + // Deprecated: Do not use. + CertificateSigningRequest []byte `protobuf:"bytes,3,opt,name=certificateSigningRequest,proto3" json:"certificateSigningRequest,omitempty"` } func (x *CreateSigningCertificateRequest) Reset() { @@ -103,6 +112,14 @@ func (x *CreateSigningCertificateRequest) GetSignedEmailAddress() []byte { return nil } +// Deprecated: Do not use. +func (x *CreateSigningCertificateRequest) GetCertificateSigningRequest() []byte { + if x != nil { + return x.CertificateSigningRequest + } + return nil +} + type PublicKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -181,45 +198,49 @@ var file_fulcio_legacy_proto_rawDesc = []byte{ 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x62, 0x6f, 0x64, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, - 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa4, 0x01, 0x0a, 0x1f, 0x43, 0x72, 0x65, + 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe9, 0x01, 0x0a, 0x1f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x4a, 0x0a, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x2e, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x02, 0x52, 0x09, 0x70, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x01, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x35, 0x0a, 0x12, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0c, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x02, 0x52, 0x12, 0x73, 0x69, 0x67, - 0x6e, 0x65, 0x64, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, - 0x4e, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x09, - 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x02, 0x18, 0x01, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1f, - 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x42, - 0x05, 0x18, 0x01, 0xe0, 0x41, 0x02, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x32, - 0xf8, 0x01, 0x0a, 0x02, 0x43, 0x41, 0x12, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, - 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x12, 0x3b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, - 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x48, 0x74, - 0x74, 0x70, 0x42, 0x6f, 0x64, 0x79, 0x22, 0x21, 0x88, 0x02, 0x01, 0x82, 0xd3, 0xe4, 0x93, 0x02, - 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, - 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x3a, 0x01, 0x2a, 0x12, 0x5f, 0x0a, 0x12, 0x47, 0x65, 0x74, - 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x42, 0x6f, 0x64, 0x79, 0x22, 0x1b, 0x88, - 0x02, 0x01, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x12, 0x12, 0x10, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, - 0x31, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x42, 0x65, 0x0a, 0x1a, 0x64, 0x65, - 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, - 0x6f, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x42, 0x0b, 0x46, 0x75, 0x6c, 0x63, 0x69, 0x6f, - 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x38, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x66, 0x75, 0x6c, - 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, - 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x6c, 0x65, 0x67, 0x61, 0x63, - 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x20, 0x01, 0x28, 0x0c, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x01, 0x52, 0x12, 0x73, 0x69, 0x67, + 0x6e, 0x65, 0x64, 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, + 0x43, 0x0a, 0x19, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x69, + 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x0c, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x01, 0x52, 0x19, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x22, 0x4e, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x12, 0x20, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x42, 0x02, 0x18, 0x01, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, + 0x74, 0x68, 0x6d, 0x12, 0x1f, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0c, 0x42, 0x05, 0x18, 0x01, 0xe0, 0x41, 0x02, 0x52, 0x07, 0x63, 0x6f, 0x6e, + 0x74, 0x65, 0x6e, 0x74, 0x32, 0xf8, 0x01, 0x0a, 0x02, 0x43, 0x41, 0x12, 0x90, 0x01, 0x0a, 0x18, + 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x3b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, + 0x31, 0x62, 0x65, 0x74, 0x61, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, + 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, + 0x70, 0x69, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x42, 0x6f, 0x64, 0x79, 0x22, 0x21, 0x88, 0x02, 0x01, + 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, + 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x3a, 0x01, 0x2a, 0x12, 0x5f, + 0x0a, 0x12, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x42, 0x6f, + 0x64, 0x79, 0x22, 0x1b, 0x88, 0x02, 0x01, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x12, 0x12, 0x10, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x42, + 0x65, 0x0a, 0x1a, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x42, 0x0b, 0x46, + 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x38, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2f, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, + 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, + 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( From e671fa81918ca3dcf5b34beba02201fb4d7a87cf Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 15 Apr 2022 23:34:09 +0000 Subject: [PATCH 2/6] Fix linter Signed-off-by: Hayden Blauzvern --- pkg/challenges/challenges_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/challenges/challenges_test.go b/pkg/challenges/challenges_test.go index 67afb9a28..00d226364 100644 --- a/pkg/challenges/challenges_test.go +++ b/pkg/challenges/challenges_test.go @@ -411,11 +411,13 @@ func TestParsePublicKey(t *testing.T) { failErr(t, err) csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "test"}} derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv) + failErr(t, err) pemCSR := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: derCSR, }) parsedCSR, err := ParseCSR(pemCSR) + failErr(t, err) pubKey, err := ParsePublicKey("", parsedCSR) failErr(t, err) if err := cryptoutils.EqualKeys(pubKey, priv.Public()); err != nil { @@ -448,6 +450,7 @@ func TestParsePublicKey(t *testing.T) { // fails with invalid public key (private key) pemPrivKey, err := cryptoutils.MarshalPrivateKeyToPEM(priv) + failErr(t, err) _, err = ParsePublicKey(string(pemPrivKey), nil) if err == nil || err.Error() != "error parsing PEM or DER encoded public key" { t.Fatalf("expected error parsing invalid public key, got %v", err) From 100ac7651f3089a576097e84959f51cdd8a2e262 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Mon, 18 Apr 2022 17:43:17 +0000 Subject: [PATCH 3/6] Change gRPC proto to have oneof for pubkey and CSR This provides a cleaner API. Signed-off-by: Hayden Blauzvern --- fulcio.proto | 46 +-- pkg/api/grpc_server.go | 19 +- pkg/api/grpc_server_test.go | 148 ++++++++-- pkg/api/legacy_server.go | 22 +- pkg/generated/protobuf/fulcio.pb.go | 444 +++++++++++++++++----------- 5 files changed, 453 insertions(+), 226 deletions(-) diff --git a/fulcio.proto b/fulcio.proto index 029f5cc71..cbe02e314 100644 --- a/fulcio.proto +++ b/fulcio.proto @@ -49,24 +49,21 @@ message CreateSigningCertificateRequest { * Identity information about who possesses the private / public key pair presented */ Credentials credentials = 1 [(google.api.field_behavior) = REQUIRED]; - /* - * The public key to be stored in the requested certificate - */ - PublicKey public_key = 2 [(google.api.field_behavior) = OPTIONAL]; - /* - * Proof that the client possesses the private key; must be verifiable by provided public key - * - * This is a currently a signature over the `sub` claim from the OIDC identity token - */ - bytes proof_of_possession = 3 [(google.api.field_behavior) = OPTIONAL]; - /* - * PKCS#10 encoded certificate signing request - * - * Contains the public key to be stored in the requested certificate. All other CSR fields - * are ignored. Since the CSR is self-signed, it also acts as a proof of posession of - * the private key. - */ - bytes certificate_signing_request = 4 [(google.api.field_behavior) = OPTIONAL]; + oneof key { + /* + * The public key to be stored in the requested certificate along with a signed + * challenge as proof of possession of the private key. + */ + PublicKeyRequest public_key_request = 2 [(google.api.field_behavior) = REQUIRED]; + /* + * PKCS#10 encoded certificate signing request + * + * Contains the public key to be stored in the requested certificate. All other CSR fields + * are ignored. Since the CSR is self-signed, it also acts as a proof of posession of + * the private key. + */ + bytes certificate_signing_request = 3 [(google.api.field_behavior) = REQUIRED]; + } } message Credentials { @@ -78,6 +75,19 @@ message Credentials { } } +message PublicKeyRequest { + /* + * The public key to be stored in the requested certificate + */ + PublicKey public_key = 1 [(google.api.field_behavior) = REQUIRED]; + /* + * Proof that the client possesses the private key; must be verifiable by provided public key + * + * This is a currently a signature over the `sub` claim from the OIDC identity token + */ + bytes proof_of_possession = 2 [(google.api.field_behavior) = REQUIRED]; +} + message PublicKey { /* * The cryptographic algorithm to use with the key material diff --git a/pkg/api/grpc_server.go b/pkg/api/grpc_server.go index 968ab6a09..af6b6f410 100644 --- a/pkg/api/grpc_server.go +++ b/pkg/api/grpc_server.go @@ -20,7 +20,6 @@ import ( "crypto/x509" "encoding/base64" "encoding/json" - "errors" "fmt" "strings" @@ -76,14 +75,10 @@ func (g *grpcCAServer) CreateSigningCertificate(ctx context.Context, request *fu return nil, handleFulcioGRPCError(ctx, codes.Unauthenticated, err, invalidCredentials) } - if request.PublicKey == nil && len(request.CertificateSigningRequest) == 0 { - return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, errors.New("public key not provided"), invalidPublicKey) - } - // optionally parse CSR var csr *x509.CertificateRequest - if len(request.CertificateSigningRequest) > 0 { - csr, err = challenges.ParseCSR(request.CertificateSigningRequest) + if len(request.GetCertificateSigningRequest()) > 0 { + csr, err = challenges.ParseCSR(request.GetCertificateSigningRequest()) if err != nil { return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidCSR) } @@ -91,8 +86,12 @@ func (g *grpcCAServer) CreateSigningCertificate(ctx context.Context, request *fu // fetch public key from request or CSR var pubKeyContent string - if request.PublicKey != nil { - pubKeyContent = request.PublicKey.Content + var proofOfPossession []byte + if request.GetPublicKeyRequest() != nil { + if request.GetPublicKeyRequest().PublicKey != nil { + pubKeyContent = request.GetPublicKeyRequest().PublicKey.Content + } + proofOfPossession = request.GetPublicKeyRequest().ProofOfPossession } publicKey, err := challenges.ParsePublicKey(pubKeyContent, csr) if err != nil { @@ -105,7 +104,7 @@ func (g *grpcCAServer) CreateSigningCertificate(ctx context.Context, request *fu } // verify challenge - subject, err := challenges.ExtractSubject(ctx, principal, publicKey, csr, request.ProofOfPossession) + subject, err := challenges.ExtractSubject(ctx, principal, publicKey, csr, proofOfPossession) if err != nil { return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidSignature) } diff --git a/pkg/api/grpc_server_test.go b/pkg/api/grpc_server_test.go index 310b8402e..4686abe5a 100644 --- a/pkg/api/grpc_server_test.go +++ b/pkg/api/grpc_server_test.go @@ -256,10 +256,14 @@ func TestAPIWithEmail(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: proof, + }, }, - ProofOfPossession: proof, }) if err != nil { t.Fatalf("SigningCert() = %v", err) @@ -345,10 +349,14 @@ func TestAPIWithUriSubject(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: proof, + }, }, - ProofOfPossession: proof, }) if err != nil { t.Fatalf("SigningCert() = %v", err) @@ -435,10 +443,14 @@ func TestAPIWithKubernetes(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: proof, + }, }, - ProofOfPossession: proof, }) if err != nil { t.Fatalf("SigningCert() = %v", err) @@ -528,10 +540,14 @@ func TestAPIWithGitHub(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: proof, + }, }, - ProofOfPossession: proof, }) if err != nil { t.Fatalf("SigningCert() = %v", err) @@ -651,7 +667,9 @@ func TestAPIWithCSRChallenge(t *testing.T) { OidcIdentityToken: tok, }, }, - CertificateSigningRequest: pemCSR, + Key: &protobuf.CreateSigningCertificateRequest_CertificateSigningRequest{ + CertificateSigningRequest: pemCSR, + }, }) if err != nil { t.Fatalf("SigningCert() = %v", err) @@ -726,10 +744,14 @@ func TestAPIWithInsecurePublicKey(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: string(cryptoutils.PEMEncode(cryptoutils.CertificatePEMType, pubBytes)), + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: string(cryptoutils.PEMEncode(cryptoutils.CertificatePEMType, pubBytes)), + }, + ProofOfPossession: []byte{}, + }, }, - ProofOfPossession: []byte{}, }) if err == nil || !strings.Contains(err.Error(), "The public key supplied in the request is insecure") { t.Fatalf("expected insecure public key error, got %v", err) @@ -781,12 +803,31 @@ func TestAPIWithoutPublicKey(t *testing.T) { client := protobuf.NewCAClient(conn) + // Test with no key proto specified + _, err = client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + }) + if err == nil || !strings.Contains(err.Error(), "The public key supplied in the request could not be parsed") { + t.Fatalf("expected parsing public key error, got %v", err) + } + if status.Code(err) != codes.InvalidArgument { + t.Fatalf("expected invalid argument, got %v", status.Code(err)) + } + + // Test with no public key specified _, err = client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ Credentials: &protobuf.Credentials{ Credentials: &protobuf.Credentials_OidcIdentityToken{ OidcIdentityToken: tok, }, }, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{}, + }, }) if err == nil || !strings.Contains(err.Error(), "The public key supplied in the request could not be parsed") { t.Fatalf("expected parsing public key error, got %v", err) @@ -847,10 +888,14 @@ func TestAPIWithInvalidChallenge(t *testing.T) { OidcIdentityToken: tok, }, }, - PublicKey: &protobuf.PublicKey{ - Content: pubBytes, + Key: &protobuf.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &protobuf.PublicKeyRequest{ + PublicKey: &protobuf.PublicKey{ + Content: pubBytes, + }, + ProofOfPossession: invalidProof, + }, }, - ProofOfPossession: invalidProof, }) if err == nil || !strings.Contains(err.Error(), "The signature supplied in the request could not be verified") { t.Fatalf("expected invalid signature error, got %v", err) @@ -860,6 +905,67 @@ func TestAPIWithInvalidChallenge(t *testing.T) { } } +// Tests API with an invalid CSR. +func TestAPIWithInvalidCSR(t *testing.T) { + emailSigner, emailIssuer := newOIDCIssuer(t) + + // Create a FulcioConfig that supports this issuer. + cfg, err := config.Read([]byte(fmt.Sprintf(`{ + "OIDCIssuers": { + %q: { + "IssuerURL": %q, + "ClientID": "sigstore", + "Type": "email" + } + } + }`, emailIssuer, emailIssuer))) + if err != nil { + t.Fatalf("config.Read() = %v", err) + } + + emailSubject := "foo@example.com" + + // Create an OIDC token using this issuer's signer. + tok, err := jwt.Signed(emailSigner).Claims(jwt.Claims{ + Issuer: emailIssuer, + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: emailSubject, + Audience: jwt.Audience{"sigstore"}, + }).Claims(customClaims{Email: emailSubject, EmailVerified: true}).CompactSerialize() + if err != nil { + t.Fatalf("CompactSerialize() = %v", err) + } + + ctClient, eca := createCA(cfg, t) + ctx := context.Background() + server, conn := setupGRPCForTest(ctx, t, cfg, ctClient, eca) + defer func() { + server.Stop() + conn.Close() + }() + + client := protobuf.NewCAClient(conn) + + _, err = client.CreateSigningCertificate(ctx, &protobuf.CreateSigningCertificateRequest{ + Credentials: &protobuf.Credentials{ + Credentials: &protobuf.Credentials_OidcIdentityToken{ + OidcIdentityToken: tok, + }, + }, + Key: &protobuf.CreateSigningCertificateRequest_CertificateSigningRequest{ + CertificateSigningRequest: []byte("invalid"), + }, + }) + + if err == nil || !strings.Contains(err.Error(), "The certificate signing request could not be parsed") { + t.Fatalf("expected invalid signature error, got %v", err) + } + if status.Code(err) != codes.InvalidArgument { + t.Fatalf("expected invalid argument, got %v", status.Code(err)) + } +} + // Tests API with unsigned CSR, which will fail signature verification. func TestAPIWithInvalidCSRSignature(t *testing.T) { emailSigner, emailIssuer := newOIDCIssuer(t) @@ -925,7 +1031,9 @@ func TestAPIWithInvalidCSRSignature(t *testing.T) { OidcIdentityToken: tok, }, }, - CertificateSigningRequest: pemCSR, + Key: &protobuf.CreateSigningCertificateRequest_CertificateSigningRequest{ + CertificateSigningRequest: pemCSR, + }, }) if err == nil || !strings.Contains(err.Error(), "The signature supplied in the request could not be verified") { diff --git a/pkg/api/legacy_server.go b/pkg/api/legacy_server.go index 9ad88ac0d..d419ab04c 100644 --- a/pkg/api/legacy_server.go +++ b/pkg/api/legacy_server.go @@ -65,10 +65,13 @@ func (l *legacyGRPCCAServer) CreateSigningCertificate(ctx context.Context, reque var v2Request fulciogrpc.CreateSigningCertificateRequest if len(request.CertificateSigningRequest) > 0 { - v2Request = fulciogrpc.CreateSigningCertificateRequest{ - Credentials: &creds, + key := fulciogrpc.CreateSigningCertificateRequest_CertificateSigningRequest{ CertificateSigningRequest: request.CertificateSigningRequest, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API } + v2Request = fulciogrpc.CreateSigningCertificateRequest{ + Credentials: &creds, + Key: &key, + } } else { // the CSR and the public key have not been set if request.PublicKey == nil { @@ -79,13 +82,18 @@ func (l *legacyGRPCCAServer) CreateSigningCertificate(ctx context.Context, reque if !ok { algorithmEnum = int32(fulciogrpc.PublicKeyAlgorithm_PUBLIC_KEY_ALGORITHM_UNSPECIFIED) } + key := fulciogrpc.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &fulciogrpc.PublicKeyRequest{ + PublicKey: &fulciogrpc.PublicKey{ + Algorithm: fulciogrpc.PublicKeyAlgorithm(algorithmEnum), + Content: string(request.PublicKey.Content), //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + }, + ProofOfPossession: request.SignedEmailAddress, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API, + }, + } v2Request = fulciogrpc.CreateSigningCertificateRequest{ Credentials: &creds, - PublicKey: &fulciogrpc.PublicKey{ - Algorithm: fulciogrpc.PublicKeyAlgorithm(algorithmEnum), - Content: string(request.PublicKey.Content), //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API - }, - ProofOfPossession: request.SignedEmailAddress, //lint:ignore SA1019 this is valid because we're converting from v1beta to v1 API + Key: &key, } } diff --git a/pkg/generated/protobuf/fulcio.pb.go b/pkg/generated/protobuf/fulcio.pb.go index dc9369795..2baf38fcd 100644 --- a/pkg/generated/protobuf/fulcio.pb.go +++ b/pkg/generated/protobuf/fulcio.pb.go @@ -96,21 +96,10 @@ type CreateSigningCertificateRequest struct { // // Identity information about who possesses the private / public key pair presented Credentials *Credentials `protobuf:"bytes,1,opt,name=credentials,proto3" json:"credentials,omitempty"` - // - // The public key to be stored in the requested certificate - PublicKey *PublicKey `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` - // - // Proof that the client possesses the private key; must be verifiable by provided public key - // - // This is a currently a signature over the `sub` claim from the OIDC identity token - ProofOfPossession []byte `protobuf:"bytes,3,opt,name=proof_of_possession,json=proofOfPossession,proto3" json:"proof_of_possession,omitempty"` - // - // PKCS#10 encoded certificate signing request - // - // Contains the public key to be stored in the requested certificate. All other CSR fields - // are ignored. Since the CSR is self-signed, it also acts as a proof of posession of - // the private key. - CertificateSigningRequest []byte `protobuf:"bytes,4,opt,name=certificate_signing_request,json=certificateSigningRequest,proto3" json:"certificate_signing_request,omitempty"` + // Types that are assignable to Key: + // *CreateSigningCertificateRequest_PublicKeyRequest + // *CreateSigningCertificateRequest_CertificateSigningRequest + Key isCreateSigningCertificateRequest_Key `protobuf_oneof:"key"` } func (x *CreateSigningCertificateRequest) Reset() { @@ -152,27 +141,53 @@ func (x *CreateSigningCertificateRequest) GetCredentials() *Credentials { return nil } -func (x *CreateSigningCertificateRequest) GetPublicKey() *PublicKey { - if x != nil { - return x.PublicKey +func (m *CreateSigningCertificateRequest) GetKey() isCreateSigningCertificateRequest_Key { + if m != nil { + return m.Key } return nil } -func (x *CreateSigningCertificateRequest) GetProofOfPossession() []byte { - if x != nil { - return x.ProofOfPossession +func (x *CreateSigningCertificateRequest) GetPublicKeyRequest() *PublicKeyRequest { + if x, ok := x.GetKey().(*CreateSigningCertificateRequest_PublicKeyRequest); ok { + return x.PublicKeyRequest } return nil } func (x *CreateSigningCertificateRequest) GetCertificateSigningRequest() []byte { - if x != nil { + if x, ok := x.GetKey().(*CreateSigningCertificateRequest_CertificateSigningRequest); ok { return x.CertificateSigningRequest } return nil } +type isCreateSigningCertificateRequest_Key interface { + isCreateSigningCertificateRequest_Key() +} + +type CreateSigningCertificateRequest_PublicKeyRequest struct { + // + // The public key to be stored in the requested certificate along with a signed + // challenge as proof of possession of the private key. + PublicKeyRequest *PublicKeyRequest `protobuf:"bytes,2,opt,name=public_key_request,json=publicKeyRequest,proto3,oneof"` +} + +type CreateSigningCertificateRequest_CertificateSigningRequest struct { + // + // PKCS#10 encoded certificate signing request + // + // Contains the public key to be stored in the requested certificate. All other CSR fields + // are ignored. Since the CSR is self-signed, it also acts as a proof of posession of + // the private key. + CertificateSigningRequest []byte `protobuf:"bytes,3,opt,name=certificate_signing_request,json=certificateSigningRequest,proto3,oneof"` +} + +func (*CreateSigningCertificateRequest_PublicKeyRequest) isCreateSigningCertificateRequest_Key() {} + +func (*CreateSigningCertificateRequest_CertificateSigningRequest) isCreateSigningCertificateRequest_Key() { +} + type Credentials struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -241,6 +256,67 @@ type Credentials_OidcIdentityToken struct { func (*Credentials_OidcIdentityToken) isCredentials_Credentials() {} +type PublicKeyRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // + // The public key to be stored in the requested certificate + PublicKey *PublicKey `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // + // Proof that the client possesses the private key; must be verifiable by provided public key + // + // This is a currently a signature over the `sub` claim from the OIDC identity token + ProofOfPossession []byte `protobuf:"bytes,2,opt,name=proof_of_possession,json=proofOfPossession,proto3" json:"proof_of_possession,omitempty"` +} + +func (x *PublicKeyRequest) Reset() { + *x = PublicKeyRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_fulcio_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PublicKeyRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublicKeyRequest) ProtoMessage() {} + +func (x *PublicKeyRequest) ProtoReflect() protoreflect.Message { + mi := &file_fulcio_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublicKeyRequest.ProtoReflect.Descriptor instead. +func (*PublicKeyRequest) Descriptor() ([]byte, []int) { + return file_fulcio_proto_rawDescGZIP(), []int{2} +} + +func (x *PublicKeyRequest) GetPublicKey() *PublicKey { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *PublicKeyRequest) GetProofOfPossession() []byte { + if x != nil { + return x.ProofOfPossession + } + return nil +} + type PublicKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -257,7 +333,7 @@ type PublicKey struct { func (x *PublicKey) Reset() { *x = PublicKey{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[2] + mi := &file_fulcio_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -270,7 +346,7 @@ func (x *PublicKey) String() string { func (*PublicKey) ProtoMessage() {} func (x *PublicKey) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[2] + mi := &file_fulcio_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -283,7 +359,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. func (*PublicKey) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{2} + return file_fulcio_proto_rawDescGZIP(), []int{3} } func (x *PublicKey) GetAlgorithm() PublicKeyAlgorithm { @@ -314,7 +390,7 @@ type SigningCertificate struct { func (x *SigningCertificate) Reset() { *x = SigningCertificate{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[3] + mi := &file_fulcio_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -327,7 +403,7 @@ func (x *SigningCertificate) String() string { func (*SigningCertificate) ProtoMessage() {} func (x *SigningCertificate) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[3] + mi := &file_fulcio_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -340,7 +416,7 @@ func (x *SigningCertificate) ProtoReflect() protoreflect.Message { // Deprecated: Use SigningCertificate.ProtoReflect.Descriptor instead. func (*SigningCertificate) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{3} + return file_fulcio_proto_rawDescGZIP(), []int{4} } func (m *SigningCertificate) GetCertificate() isSigningCertificate_Certificate { @@ -403,7 +479,7 @@ type SigningCertificateDetachedSCT struct { func (x *SigningCertificateDetachedSCT) Reset() { *x = SigningCertificateDetachedSCT{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[4] + mi := &file_fulcio_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -416,7 +492,7 @@ func (x *SigningCertificateDetachedSCT) String() string { func (*SigningCertificateDetachedSCT) ProtoMessage() {} func (x *SigningCertificateDetachedSCT) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[4] + mi := &file_fulcio_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -429,7 +505,7 @@ func (x *SigningCertificateDetachedSCT) ProtoReflect() protoreflect.Message { // Deprecated: Use SigningCertificateDetachedSCT.ProtoReflect.Descriptor instead. func (*SigningCertificateDetachedSCT) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{4} + return file_fulcio_proto_rawDescGZIP(), []int{5} } func (x *SigningCertificateDetachedSCT) GetChain() *CertificateChain { @@ -462,7 +538,7 @@ type SigningCertificateEmbeddedSCT struct { func (x *SigningCertificateEmbeddedSCT) Reset() { *x = SigningCertificateEmbeddedSCT{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[5] + mi := &file_fulcio_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -475,7 +551,7 @@ func (x *SigningCertificateEmbeddedSCT) String() string { func (*SigningCertificateEmbeddedSCT) ProtoMessage() {} func (x *SigningCertificateEmbeddedSCT) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[5] + mi := &file_fulcio_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -488,7 +564,7 @@ func (x *SigningCertificateEmbeddedSCT) ProtoReflect() protoreflect.Message { // Deprecated: Use SigningCertificateEmbeddedSCT.ProtoReflect.Descriptor instead. func (*SigningCertificateEmbeddedSCT) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{5} + return file_fulcio_proto_rawDescGZIP(), []int{6} } func (x *SigningCertificateEmbeddedSCT) GetChain() *CertificateChain { @@ -508,7 +584,7 @@ type GetTrustBundleRequest struct { func (x *GetTrustBundleRequest) Reset() { *x = GetTrustBundleRequest{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[6] + mi := &file_fulcio_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -521,7 +597,7 @@ func (x *GetTrustBundleRequest) String() string { func (*GetTrustBundleRequest) ProtoMessage() {} func (x *GetTrustBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[6] + mi := &file_fulcio_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -534,7 +610,7 @@ func (x *GetTrustBundleRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetTrustBundleRequest.ProtoReflect.Descriptor instead. func (*GetTrustBundleRequest) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{6} + return file_fulcio_proto_rawDescGZIP(), []int{7} } type TrustBundle struct { @@ -551,7 +627,7 @@ type TrustBundle struct { func (x *TrustBundle) Reset() { *x = TrustBundle{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[7] + mi := &file_fulcio_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -564,7 +640,7 @@ func (x *TrustBundle) String() string { func (*TrustBundle) ProtoMessage() {} func (x *TrustBundle) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[7] + mi := &file_fulcio_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -577,7 +653,7 @@ func (x *TrustBundle) ProtoReflect() protoreflect.Message { // Deprecated: Use TrustBundle.ProtoReflect.Descriptor instead. func (*TrustBundle) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{7} + return file_fulcio_proto_rawDescGZIP(), []int{8} } func (x *TrustBundle) GetChains() []*CertificateChain { @@ -600,7 +676,7 @@ type CertificateChain struct { func (x *CertificateChain) Reset() { *x = CertificateChain{} if protoimpl.UnsafeEnabled { - mi := &file_fulcio_proto_msgTypes[8] + mi := &file_fulcio_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -613,7 +689,7 @@ func (x *CertificateChain) String() string { func (*CertificateChain) ProtoMessage() {} func (x *CertificateChain) ProtoReflect() protoreflect.Message { - mi := &file_fulcio_proto_msgTypes[8] + mi := &file_fulcio_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -626,7 +702,7 @@ func (x *CertificateChain) ProtoReflect() protoreflect.Message { // Deprecated: Use CertificateChain.ProtoReflect.Descriptor instead. func (*CertificateChain) Descriptor() ([]byte, []int) { - return file_fulcio_proto_rawDescGZIP(), []int{8} + return file_fulcio_proto_rawDescGZIP(), []int{9} } func (x *CertificateChain) GetCertificates() []string { @@ -645,114 +721,122 @@ var file_fulcio_proto_rawDesc = []byte{ 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xae, 0x02, 0x0a, 0x1f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9a, 0x02, 0x0a, 0x1f, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x4a, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x45, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, - 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x5d, 0x0a, 0x12, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, + 0x6b, 0x65, 0x79, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x03, 0xe0, 0x41, 0x02, + 0x48, 0x00, 0x52, 0x10, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x45, 0x0a, 0x1b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, + 0x52, 0x19, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, + 0x6e, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x05, 0x0a, 0x03, 0x6b, + 0x65, 0x79, 0x22, 0x4e, 0x0a, 0x0b, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, + 0x73, 0x12, 0x30, 0x0a, 0x13, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, + 0x52, 0x11, 0x6f, 0x69, 0x64, 0x63, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, + 0x6b, 0x65, 0x6e, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, + 0x6c, 0x73, 0x22, 0x8e, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x45, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, + 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, + 0x0a, 0x13, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x5f, 0x6f, 0x66, 0x5f, 0x70, 0x6f, 0x73, 0x73, 0x65, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x02, + 0x52, 0x11, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x4f, 0x66, 0x50, 0x6f, 0x73, 0x73, 0x65, 0x73, 0x73, + 0x69, 0x6f, 0x6e, 0x22, 0x74, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x48, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0e, 0x32, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, + 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1d, 0x0a, 0x07, 0x63, 0x6f, + 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, + 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xa3, 0x02, 0x0a, 0x12, 0x53, 0x69, + 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x5f, + 0x73, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, - 0x76, 0x32, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x03, 0xe0, 0x41, - 0x01, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x33, 0x0a, 0x13, - 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x5f, 0x6f, 0x66, 0x5f, 0x70, 0x6f, 0x73, 0x73, 0x65, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x01, 0x52, 0x11, - 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x4f, 0x66, 0x50, 0x6f, 0x73, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x12, 0x43, 0x0a, 0x1b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x03, 0xe0, 0x41, 0x01, 0x52, 0x19, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x4e, 0x0a, 0x0b, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x30, 0x0a, 0x13, 0x6f, 0x69, 0x64, 0x63, 0x5f, 0x69, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x48, 0x00, 0x52, 0x11, 0x6f, 0x69, 0x64, 0x63, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x22, 0x74, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x48, 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, - 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1d, 0x0a, - 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, - 0xe0, 0x41, 0x02, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xa3, 0x02, 0x0a, - 0x12, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x63, 0x68, - 0x65, 0x64, 0x5f, 0x73, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, - 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, - 0x53, 0x43, 0x54, 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, - 0x53, 0x63, 0x74, 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x62, 0x65, 0x64, 0x64, - 0x65, 0x64, 0x5f, 0x73, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, - 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, - 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, - 0x53, 0x43, 0x54, 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, - 0x53, 0x63, 0x74, 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x22, 0xa1, 0x01, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, + 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x43, 0x54, + 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x63, 0x74, + 0x12, 0x7e, 0x0a, 0x1f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x5f, + 0x73, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, + 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, 0x43, 0x54, + 0x48, 0x00, 0x52, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, 0x63, 0x74, + 0x42, 0x0d, 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, + 0xa1, 0x01, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x44, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x43, + 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x05, 0x63, 0x68, 0x61, 0x69, + 0x6e, 0x12, 0x40, 0x0a, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x1a, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x43, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x22, 0x5f, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x65, 0x64, 0x53, 0x43, 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x05, 0x63, - 0x68, 0x61, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x1c, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, - 0x74, 0x61, 0x6d, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x1a, 0x73, 0x69, 0x67, 0x6e, - 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, - 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x5f, 0x0a, 0x1d, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, - 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x45, 0x6d, 0x62, 0x65, - 0x64, 0x64, 0x65, 0x64, 0x53, 0x43, 0x54, 0x12, 0x3e, 0x0a, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, - 0x52, 0x05, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x54, 0x72, - 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, - 0x40, 0x0a, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, - 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, - 0x73, 0x22, 0x36, 0x0a, 0x10, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2a, 0x5f, 0x0a, 0x12, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, - 0x24, 0x0a, 0x20, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, - 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, - 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x43, 0x44, 0x53, 0x41, 0x10, 0x02, 0x12, 0x0b, 0x0a, - 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x03, 0x32, 0xaa, 0x02, 0x0a, 0x02, 0x43, - 0x41, 0x12, 0x9f, 0x01, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, - 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, - 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, - 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, + 0x68, 0x61, 0x69, 0x6e, 0x22, 0x17, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, + 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x4f, 0x0a, + 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x40, 0x0a, 0x06, + 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, + 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x06, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x22, 0x36, + 0x0a, 0x10, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, + 0x69, 0x6e, 0x12, 0x22, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2a, 0x5f, 0x0a, 0x12, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x24, 0x0a, 0x20, + 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x4f, 0x52, + 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, + 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x01, 0x12, + 0x09, 0x0a, 0x05, 0x45, 0x43, 0x44, 0x53, 0x41, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x44, + 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x03, 0x32, 0xaa, 0x02, 0x0a, 0x02, 0x43, 0x41, 0x12, 0x9f, + 0x01, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x37, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, + 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x69, + 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, - 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, - 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, - 0x3a, 0x01, 0x2a, 0x12, 0x81, 0x01, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, - 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x2d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, - 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, - 0x02, 0x15, 0x12, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x74, 0x72, 0x75, 0x73, - 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x42, 0x5a, 0x0a, 0x16, 0x64, 0x65, 0x76, 0x2e, 0x73, - 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, - 0x32, 0x42, 0x0b, 0x46, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, - 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x22, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, + 0x32, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x65, 0x72, 0x74, 0x3a, 0x01, 0x2a, + 0x12, 0x81, 0x01, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, + 0x64, 0x6c, 0x65, 0x12, 0x2d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x47, 0x65, 0x74, + 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, + 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x2e, 0x54, 0x72, 0x75, 0x73, + 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, + 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, + 0x6e, 0x64, 0x6c, 0x65, 0x42, 0x5a, 0x0a, 0x16, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2e, 0x76, 0x32, 0x42, 0x0b, + 0x46, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x31, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2f, 0x66, 0x75, 0x6c, 0x63, 0x69, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, + 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -768,37 +852,39 @@ func file_fulcio_proto_rawDescGZIP() []byte { } var file_fulcio_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_fulcio_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_fulcio_proto_msgTypes = make([]protoimpl.MessageInfo, 10) var file_fulcio_proto_goTypes = []interface{}{ (PublicKeyAlgorithm)(0), // 0: dev.sigstore.fulcio.v2.PublicKeyAlgorithm (*CreateSigningCertificateRequest)(nil), // 1: dev.sigstore.fulcio.v2.CreateSigningCertificateRequest (*Credentials)(nil), // 2: dev.sigstore.fulcio.v2.Credentials - (*PublicKey)(nil), // 3: dev.sigstore.fulcio.v2.PublicKey - (*SigningCertificate)(nil), // 4: dev.sigstore.fulcio.v2.SigningCertificate - (*SigningCertificateDetachedSCT)(nil), // 5: dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT - (*SigningCertificateEmbeddedSCT)(nil), // 6: dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT - (*GetTrustBundleRequest)(nil), // 7: dev.sigstore.fulcio.v2.GetTrustBundleRequest - (*TrustBundle)(nil), // 8: dev.sigstore.fulcio.v2.TrustBundle - (*CertificateChain)(nil), // 9: dev.sigstore.fulcio.v2.CertificateChain + (*PublicKeyRequest)(nil), // 3: dev.sigstore.fulcio.v2.PublicKeyRequest + (*PublicKey)(nil), // 4: dev.sigstore.fulcio.v2.PublicKey + (*SigningCertificate)(nil), // 5: dev.sigstore.fulcio.v2.SigningCertificate + (*SigningCertificateDetachedSCT)(nil), // 6: dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT + (*SigningCertificateEmbeddedSCT)(nil), // 7: dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT + (*GetTrustBundleRequest)(nil), // 8: dev.sigstore.fulcio.v2.GetTrustBundleRequest + (*TrustBundle)(nil), // 9: dev.sigstore.fulcio.v2.TrustBundle + (*CertificateChain)(nil), // 10: dev.sigstore.fulcio.v2.CertificateChain } var file_fulcio_proto_depIdxs = []int32{ 2, // 0: dev.sigstore.fulcio.v2.CreateSigningCertificateRequest.credentials:type_name -> dev.sigstore.fulcio.v2.Credentials - 3, // 1: dev.sigstore.fulcio.v2.CreateSigningCertificateRequest.public_key:type_name -> dev.sigstore.fulcio.v2.PublicKey - 0, // 2: dev.sigstore.fulcio.v2.PublicKey.algorithm:type_name -> dev.sigstore.fulcio.v2.PublicKeyAlgorithm - 5, // 3: dev.sigstore.fulcio.v2.SigningCertificate.signed_certificate_detached_sct:type_name -> dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT - 6, // 4: dev.sigstore.fulcio.v2.SigningCertificate.signed_certificate_embedded_sct:type_name -> dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT - 9, // 5: dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT.chain:type_name -> dev.sigstore.fulcio.v2.CertificateChain - 9, // 6: dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT.chain:type_name -> dev.sigstore.fulcio.v2.CertificateChain - 9, // 7: dev.sigstore.fulcio.v2.TrustBundle.chains:type_name -> dev.sigstore.fulcio.v2.CertificateChain - 1, // 8: dev.sigstore.fulcio.v2.CA.CreateSigningCertificate:input_type -> dev.sigstore.fulcio.v2.CreateSigningCertificateRequest - 7, // 9: dev.sigstore.fulcio.v2.CA.GetTrustBundle:input_type -> dev.sigstore.fulcio.v2.GetTrustBundleRequest - 4, // 10: dev.sigstore.fulcio.v2.CA.CreateSigningCertificate:output_type -> dev.sigstore.fulcio.v2.SigningCertificate - 8, // 11: dev.sigstore.fulcio.v2.CA.GetTrustBundle:output_type -> dev.sigstore.fulcio.v2.TrustBundle - 10, // [10:12] is the sub-list for method output_type - 8, // [8:10] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 3, // 1: dev.sigstore.fulcio.v2.CreateSigningCertificateRequest.public_key_request:type_name -> dev.sigstore.fulcio.v2.PublicKeyRequest + 4, // 2: dev.sigstore.fulcio.v2.PublicKeyRequest.public_key:type_name -> dev.sigstore.fulcio.v2.PublicKey + 0, // 3: dev.sigstore.fulcio.v2.PublicKey.algorithm:type_name -> dev.sigstore.fulcio.v2.PublicKeyAlgorithm + 6, // 4: dev.sigstore.fulcio.v2.SigningCertificate.signed_certificate_detached_sct:type_name -> dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT + 7, // 5: dev.sigstore.fulcio.v2.SigningCertificate.signed_certificate_embedded_sct:type_name -> dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT + 10, // 6: dev.sigstore.fulcio.v2.SigningCertificateDetachedSCT.chain:type_name -> dev.sigstore.fulcio.v2.CertificateChain + 10, // 7: dev.sigstore.fulcio.v2.SigningCertificateEmbeddedSCT.chain:type_name -> dev.sigstore.fulcio.v2.CertificateChain + 10, // 8: dev.sigstore.fulcio.v2.TrustBundle.chains:type_name -> dev.sigstore.fulcio.v2.CertificateChain + 1, // 9: dev.sigstore.fulcio.v2.CA.CreateSigningCertificate:input_type -> dev.sigstore.fulcio.v2.CreateSigningCertificateRequest + 8, // 10: dev.sigstore.fulcio.v2.CA.GetTrustBundle:input_type -> dev.sigstore.fulcio.v2.GetTrustBundleRequest + 5, // 11: dev.sigstore.fulcio.v2.CA.CreateSigningCertificate:output_type -> dev.sigstore.fulcio.v2.SigningCertificate + 9, // 12: dev.sigstore.fulcio.v2.CA.GetTrustBundle:output_type -> dev.sigstore.fulcio.v2.TrustBundle + 11, // [11:13] is the sub-list for method output_type + 9, // [9:11] is the sub-list for method input_type + 9, // [9:9] is the sub-list for extension type_name + 9, // [9:9] is the sub-list for extension extendee + 0, // [0:9] is the sub-list for field type_name } func init() { file_fulcio_proto_init() } @@ -832,7 +918,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKey); i { + switch v := v.(*PublicKeyRequest); i { case 0: return &v.state case 1: @@ -844,7 +930,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SigningCertificate); i { + switch v := v.(*PublicKey); i { case 0: return &v.state case 1: @@ -856,7 +942,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SigningCertificateDetachedSCT); i { + switch v := v.(*SigningCertificate); i { case 0: return &v.state case 1: @@ -868,7 +954,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SigningCertificateEmbeddedSCT); i { + switch v := v.(*SigningCertificateDetachedSCT); i { case 0: return &v.state case 1: @@ -880,7 +966,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GetTrustBundleRequest); i { + switch v := v.(*SigningCertificateEmbeddedSCT); i { case 0: return &v.state case 1: @@ -892,7 +978,7 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*TrustBundle); i { + switch v := v.(*GetTrustBundleRequest); i { case 0: return &v.state case 1: @@ -904,6 +990,18 @@ func file_fulcio_proto_init() { } } file_fulcio_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*TrustBundle); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_fulcio_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*CertificateChain); i { case 0: return &v.state @@ -916,10 +1014,14 @@ func file_fulcio_proto_init() { } } } + file_fulcio_proto_msgTypes[0].OneofWrappers = []interface{}{ + (*CreateSigningCertificateRequest_PublicKeyRequest)(nil), + (*CreateSigningCertificateRequest_CertificateSigningRequest)(nil), + } file_fulcio_proto_msgTypes[1].OneofWrappers = []interface{}{ (*Credentials_OidcIdentityToken)(nil), } - file_fulcio_proto_msgTypes[3].OneofWrappers = []interface{}{ + file_fulcio_proto_msgTypes[4].OneofWrappers = []interface{}{ (*SigningCertificate_SignedCertificateDetachedSct)(nil), (*SigningCertificate_SignedCertificateEmbeddedSct)(nil), } @@ -929,7 +1031,7 @@ func file_fulcio_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_fulcio_proto_rawDesc, NumEnums: 1, - NumMessages: 9, + NumMessages: 10, NumExtensions: 0, NumServices: 1, }, From 2d6b3638fe6c47c663968566c5870f05b2fd9bc4 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Mon, 18 Apr 2022 18:00:52 +0000 Subject: [PATCH 4/6] Fix proto in example Signed-off-by: Hayden Blauzvern --- examples/request-certificate/main.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/examples/request-certificate/main.go b/examples/request-certificate/main.go index 51df28d9a..619444cb7 100644 --- a/examples/request-certificate/main.go +++ b/examples/request-certificate/main.go @@ -67,10 +67,14 @@ func GetCert(signer *signature.RSAPKCS1v15SignerVerifier, fc fulciopb.CAClient, OidcIdentityToken: tok.RawString, }, }, - PublicKey: &fulciopb.PublicKey{ - Content: string(pubBytesPEM), + Key: &fulciopb.CreateSigningCertificateRequest_PublicKeyRequest{ + PublicKeyRequest: &fulciopb.PublicKeyRequest{ + PublicKey: &fulciopb.PublicKey{ + Content: string(pubBytesPEM), + }, + ProofOfPossession: proof, + }, }, - ProofOfPossession: proof, } return fc.CreateSigningCertificate(context.Background(), cscr) } From ab41e0b7c629b824b067b62a7998ce9a519a7986 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Mon, 18 Apr 2022 21:36:57 +0000 Subject: [PATCH 5/6] Fix spelling Signed-off-by: Hayden Blauzvern --- pkg/challenges/challenges_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/challenges/challenges_test.go b/pkg/challenges/challenges_test.go index 00d226364..18d4c7326 100644 --- a/pkg/challenges/challenges_test.go +++ b/pkg/challenges/challenges_test.go @@ -394,7 +394,7 @@ func TestParseCSR(t *testing.T) { t.Fatalf("expected error parsing invalid CSR, got %v", err) } - // fails with invalid DER typr + // fails with invalid DER type pemCSR = pem.EncodeToMemory(&pem.Block{ Type: "BEGIN CERTIFICATE", Bytes: derCSR, From fdb5d989897fe9e1146b77704974ffd08d7fc6e5 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Tue, 19 Apr 2022 19:45:50 +0000 Subject: [PATCH 6/6] Update comment to specify support public key types Signed-off-by: Hayden Blauzvern --- fulcio.proto | 5 +++-- fulcio_legacy.proto | 5 +++-- pkg/generated/protobuf/fulcio.pb.go | 5 +++-- pkg/generated/protobuf/legacy/fulcio_legacy.pb.go | 5 +++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/fulcio.proto b/fulcio.proto index cbe02e314..2db4e11ee 100644 --- a/fulcio.proto +++ b/fulcio.proto @@ -56,7 +56,7 @@ message CreateSigningCertificateRequest { */ PublicKeyRequest public_key_request = 2 [(google.api.field_behavior) = REQUIRED]; /* - * PKCS#10 encoded certificate signing request + * PKCS#10 PEM-encoded certificate signing request * * Contains the public key to be stored in the requested certificate. All other CSR fields * are ignored. Since the CSR is self-signed, it also acts as a proof of posession of @@ -94,7 +94,8 @@ message PublicKey { */ PublicKeyAlgorithm algorithm = 1; /* - * PEM encoded public key + * PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically + * of type PUBLIC KEY. */ string content = 2 [(google.api.field_behavior) = REQUIRED]; } diff --git a/fulcio_legacy.proto b/fulcio_legacy.proto index 0c0d9a499..2b1728bfb 100644 --- a/fulcio_legacy.proto +++ b/fulcio_legacy.proto @@ -68,7 +68,7 @@ message CreateSigningCertificateRequest { (google.api.field_behavior) = OPTIONAL ]; /* - * Optional: PKCS#10 encoded certificate signing request + * Optional: PKCS#10 PEM-encoded certificate signing request * Contains the public key to be stored in the requested * certificate. All other CSR fields are ignored. Since * the CSR is self-signed, it also acts as a proof of @@ -86,7 +86,8 @@ message PublicKey { */ string algorithm = 1 [ deprecated=true ]; /* - * DER or PEM encoded public key + * PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically + * of type PUBLIC KEY. */ bytes content = 2 [ deprecated=true, diff --git a/pkg/generated/protobuf/fulcio.pb.go b/pkg/generated/protobuf/fulcio.pb.go index 2baf38fcd..ed684292d 100644 --- a/pkg/generated/protobuf/fulcio.pb.go +++ b/pkg/generated/protobuf/fulcio.pb.go @@ -175,7 +175,7 @@ type CreateSigningCertificateRequest_PublicKeyRequest struct { type CreateSigningCertificateRequest_CertificateSigningRequest struct { // - // PKCS#10 encoded certificate signing request + // PKCS#10 PEM-encoded certificate signing request // // Contains the public key to be stored in the requested certificate. All other CSR fields // are ignored. Since the CSR is self-signed, it also acts as a proof of posession of @@ -326,7 +326,8 @@ type PublicKey struct { // The cryptographic algorithm to use with the key material Algorithm PublicKeyAlgorithm `protobuf:"varint,1,opt,name=algorithm,proto3,enum=dev.sigstore.fulcio.v2.PublicKeyAlgorithm" json:"algorithm,omitempty"` // - // PEM encoded public key + // PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically + // of type PUBLIC KEY. Content string `protobuf:"bytes,2,opt,name=content,proto3" json:"content,omitempty"` } diff --git a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go index 768c55882..75161372e 100644 --- a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go +++ b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go @@ -54,7 +54,7 @@ type CreateSigningCertificateRequest struct { // Deprecated: Do not use. SignedEmailAddress []byte `protobuf:"bytes,2,opt,name=signedEmailAddress,proto3" json:"signedEmailAddress,omitempty"` // - // Optional: PKCS#10 encoded certificate signing request + // Optional: PKCS#10 PEM-encoded certificate signing request // Contains the public key to be stored in the requested // certificate. All other CSR fields are ignored. Since // the CSR is self-signed, it also acts as a proof of @@ -131,7 +131,8 @@ type PublicKey struct { // Deprecated: Do not use. Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"` // - // DER or PEM encoded public key + // PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically + // of type PUBLIC KEY. // // Deprecated: Do not use. Content []byte `protobuf:"bytes,2,opt,name=content,proto3" json:"content,omitempty"`