syntax = "proto3";

package connect;

option go_package = "github.com/hashicorp/consul/proto/pbconnect";

import "google/protobuf/timestamp.proto";
import "proto/pbcommon/common.proto";

// CARoots is the list of all currently trusted CA Roots.
message CARoots {
   // ActiveRootID is the ID of a root in Roots that is the active CA root.
	// Other roots are still valid if they're in the Roots list but are in
	// the process of being rotated out.
   string ActiveRootID = 1;
   
   // TrustDomain is the identification root for this Consul cluster. All
	// certificates signed by the cluster's CA must have their identifying URI in
	// this domain.
	//
	// This does not include the protocol (currently spiffe://) since we may
	// implement other protocols in future with equivalent semantics. It should be
	// compared against the "authority" section of a URI (i.e. host:port).
	//
	// We need to support migrating a cluster between trust domains to support
	// Multi-DC migration in Enterprise. In this case the current trust domain is
	// here but entries in Roots may also have ExternalTrustDomain set to a
	// non-empty value implying they were previous roots that are still trusted
	// but under a different trust domain.
	//
	// Note that we DON'T validate trust domain during AuthZ since it causes
	// issues of loss of connectivity during migration between trust domains. The
	// only time the additional validation adds value is where the cluster shares
	// an external root (e.g. organization-wide root) with another distinct Consul
	// cluster or PKI system. In this case, x509 Name Constraints can be added to
	// enforce that Consul's CA can only validly sign or trust certs within the
	// same trust-domain. Name constraints as enforced by TLS handshake also allow
	// seamless rotation between trust domains thanks to cross-signing.
   string TrustDomain = 2;
   
   // Roots is a list of root CA certs to trust.
   repeated CARoot Roots = 3;
	
	// QueryMeta here is mainly used to contain the latest Raft Index that could
	// be used to perform a blocking query.
	common.QueryMeta QueryMeta = 4;
}

message CARoot {
   // ID is a globally unique ID (UUID) representing this CA root.
	string ID = 1;

	// Name is a human-friendly name for this CA root. This value is
	// opaque to Consul and is not used for anything internally.
	string Name = 2;

	// SerialNumber is the x509 serial number of the certificate.
	uint64 SerialNumber = 3;

	// SigningKeyID is the ID of the public key that corresponds to the private
	// key used to sign leaf certificates. Is is the HexString format of the
	// raw AuthorityKeyID bytes.
	string SigningKeyID = 4;

	// ExternalTrustDomain is the trust domain this root was generated under. It
	// is usually empty implying "the current cluster trust-domain". It is set
	// only in the case that a cluster changes trust domain and then all old roots
	// that are still trusted have the old trust domain set here.
	//
	// We currently DON'T validate these trust domains explicitly anywhere, see
	// IndexedRoots.TrustDomain doc. We retain this information for debugging and
	// future flexibility.
	string ExternalTrustDomain = 5;

	// Time validity bounds.
	google.protobuf.Timestamp NotBefore = 6;
	google.protobuf.Timestamp NotAfter = 7;

	// RootCert is the PEM-encoded public certificate.
	string RootCert = 8;

	// IntermediateCerts is a list of PEM-encoded intermediate certs to
	// attach to any leaf certs signed by this CA.
	repeated string IntermediateCerts = 9;

	// SigningCert is the PEM-encoded signing certificate and SigningKey
	// is the PEM-encoded private key for the signing certificate. These
	// may actually be empty if the CA plugin in use manages these for us.
	string SigningCert = 10;
	string SigningKey = 11;

	// Active is true if this is the current active CA. This must only
	// be true for exactly one CA. For any method that modifies roots in the
	// state store, tests should be written to verify that multiple roots
	// cannot be active.
	bool Active = 12;

	// RotatedOutAt is the time at which this CA was removed from the state.
	// This will only be set on roots that have been rotated out from being the
	// active root.
	google.protobuf.Timestamp RotatedOutAt = 13;

	// PrivateKeyType is the type of the private key used to sign certificates. It
	// may be "rsa" or "ec". This is provided as a convenience to avoid parsing
	// the public key to from the certificate to infer the type.
	string PrivateKeyType = 14;

	// PrivateKeyBits is the length of the private key used to sign certificates.
	// This is provided as a convenience to avoid parsing the public key from the
	// certificate to infer the type.
	int32 PrivateKeyBits = 15;
   
   common.RaftIndex RaftIndex = 16;
}

message IssuedCert {
   // SerialNumber is the unique serial number for this certificate.
	// This is encoded in standard hex separated by :.
	string SerialNumber = 1;

	// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private
	// key for that cert, respectively. This should not be stored in the
	// state store, but is present in the sign API response.
	string CertPEM = 2;
	string PrivateKeyPEM = 3;

	// Service is the name of the service for which the cert was issued.
	// ServiceURI is the cert URI value.
	string Service = 4;
	string ServiceURI = 5;

	// Agent is the name of the node for which the cert was issued.
	// AgentURI is the cert URI value.
	string Agent = 6;
   string AgentURI = 7;

	// ValidAfter and ValidBefore are the validity periods for the
	// certificate.
	google.protobuf.Timestamp ValidAfter = 8;
	google.protobuf.Timestamp ValidBefore = 9;

	// EnterpriseMeta is the Consul Enterprise specific metadata
	common.EnterpriseMeta EnterpriseMeta = 10;

	common.RaftIndex RaftIndex = 11;
}