Force upstream proposal #51

Closed
wants to merge 2 commits into from
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -64,6 +64,7 @@ protos := \
proto/spire/plugin/types/bundle.proto \
proto/spire/plugin/types/jwtkey.proto \
proto/spire/plugin/types/x509certificate.proto \
proto/spire/plugin/types/x509taintedkey.proto \

############################################################################
# OS/ARCH detection

Large diffs are not rendered by default.

Expand Up @@ -4,6 +4,7 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/serve

import "spire/plugin/types/jwtkey.proto";
import "spire/plugin/types/x509certificate.proto";
import "spire/plugin/types/x509taintedkey.proto";

service UpstreamAuthority {
// Mints an X.509 CA and responds with the signed X.509 CA certificate
Expand Down Expand Up @@ -50,6 +51,9 @@ message MintX509CAResponse {

// Required. The trusted X.509 root authorities for the upstream authority.
repeated spire.plugin.types.X509Certificate upstream_x509_roots = 2;

// X.509 authorities that are no longer secure.
repeated spire.plugin.types.X509TaintedKey x509_tainted_keys = 3;
}

message PublishJWTKeyRequest {
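Review bot: the one-line comment on `x509_tainted_keys` (field 3 of `MintX509CAResponse`) does not say how a consumer is meant to use it. It should state how a tainted key relates to `upstream_x509_roots`: whether it is matched against the public key of an entry in `upstream_x509_roots`, and whether the tainted authority is still expected to appear in `upstream_x509_roots` (so the match can be made) or is listed only here. Suggest something like `// X.509 authorities that are no longer secure, identified by public key. Consumers must stop trusting any entry in upstream_x509_roots whose public key matches.` Since the same wording is reused in `Bundle`, the semantics could live once on `X509TaintedKey` and be referenced from both fields.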
73 changes: 46 additions & 27 deletions proto/spire/plugin/types/bundle.pb.go

Some generated files are not rendered by default.

4 changes: 4 additions & 0 deletions proto/spire/plugin/types/bundle.proto
Expand Up @@ -4,6 +4,7 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types

import "spire/plugin/types/jwtkey.proto";
import "spire/plugin/types/x509certificate.proto";
import "spire/plugin/types/x509taintedkey.proto";

message Bundle {
// The name of the trust domain the bundle belongs to (e.g., "example.org").
Expand All @@ -21,4 +22,7 @@ message Bundle {

// The sequence number of the bundle.
uint64 sequence_number = 5;

// X.509 authorities that are no longer secure.
repeated X509TaintedKey x509_tainted_keys = 6;
}
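Review bot: same documentation gap as in `MintX509CAResponse`: the comment on `x509_tainted_keys = 6` should say whether a tainted key is also still present among the bundle's X.509 authorities or only listed here, since that decides whether a consumer can match it by public key at all. It would also help to state whether adding or removing a tainted key is a bundle change that bumps `sequence_number` (field 5, visible just above), so that bundle publishers and consumers agree on when a refresh is needed.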
23 changes: 6 additions & 17 deletions proto/spire/plugin/types/x509certificate.pb.go

Some generated files are not rendered by default.

3 changes: 0 additions & 3 deletions proto/spire/plugin/types/x509certificate.proto
Expand Up @@ -5,7 +5,4 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types
message X509Certificate {
// The ASN.1 DER encoded bytes of the X.509 certificate.
bytes asn1 = 1;

// Indicates if the authority has been tainted. A tainted authority is not safe to be used anymore.
bool tainted = 2;
}
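Review bot: `bool tainted = 2` is removed without reserving its tag, so a future field numbered 2 would be decoded as the old boolean by plugins built against the previous SDK (and the old boolean as the new field in the other direction). Add `reserved 2;` and `reserved "tainted";` inside `message X509Certificate` so protoc rejects reuse of the number and name. This is also a breaking change for any plugin that already populates `tainted`; it should be called out in the changelog and the replacement (`X509TaintedKey`) named in the commit or PR description.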
148 changes: 148 additions & 0 deletions proto/spire/plugin/types/x509taintedkey.pb.go

Some generated files are not rendered by default.

8 changes: 8 additions & 0 deletions proto/spire/plugin/types/x509taintedkey.proto
@@ -0,0 +1,8 @@
syntax = "proto3";
package spire.plugin.types;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types";

message X509TaintedKey {
// Public key of a X.509 authority that is no longer secure to use.
bytes key = 1;
}
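Review bot: the comment on `bytes key = 1` does not specify the encoding, and since this value is what the server and plugins will compare against a certificate's public key, both sides must agree on it. Suggest stating it explicitly, for example `// DER-encoded SubjectPublicKeyInfo of the public key of an X.509 authority that is no longer secure to use.` (the SubjectPublicKeyInfo encoding is a suggestion; whatever is chosen should be written down here). Minor: "a X.509" should read "an X.509".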