// Copyright 2017 Google LLC. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

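syntax = "proto3";

package configpb;

import "crypto/keyspb/keyspb.proto";
import "google/protobuf/any.proto";
import "google/protobuf/timestamp.proto";

// Go import path of the generated package. It is part of this schema's
// published surface: downstream Go code imports it by this path, so changing
// it is a source-breaking change for every consumer.
option go_package = "github.com/google/certificate-transparency-go/trillian/ctfe/configpb";
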
// LogBackend names a single log backend (an RPC endpoint) that the frontends
// forward requests to. Backends are collected in a LogBackendSet and selected
// per log via LogConfig.log_backend_name.
message LogBackend {
  // name defines the name of the log backend for use in LogConfig messages and must be unique.
  string name = 1;
  // backend_spec defines the RPC endpoint that clients should use to send requests
  // to this log backend. These should be in the same format as rpcBackendFlag in the
  // CTFE main and must not be an empty string.
  // NOTE(review): this endpoint comes from configuration, not from request data;
  // whoever can edit the config controls where log traffic is sent, so the
  // config file is the trust boundary here.
  string backend_spec = 2;
}

// LogBackendSet supports a configuration where a single set of frontends handle
// requests for multiple backends. For example this could be used to run different
// backends in different geographic regions.
message LogBackendSet {
  // The backends available to this set of frontends. Each LogBackend.name
  // must be distinct within the set, since LogConfig.log_backend_name refers
  // to a backend by that name.
  repeated LogBackend backend = 1;
}

// LogConfigSet is a set of LogConfig messages.
message LogConfigSet {
  // The per-log configurations. When used inside a LogMultiConfig, every entry
  // must set a log_backend_name that names one of the configured backends.
  repeated LogConfig config = 1;
}

// LogConfig describes the configuration options for a log instance.
//
// Several fields are only meaningful for one of the two modes a log can run in
// (regular log vs. mirror, see is_mirror); the per-field comments say which.
//
// NEXT_ID: 20
message LogConfig {
  // The ID of a Trillian tree that stores the log data. The tree type must be
  // LOG for regular CT logs. For mirror logs it must be either PREORDERED_LOG
  // or LOG, and can change at runtime. CTFE in mirror mode uses only read API
  // which is common for both types.
  int64 log_id = 1;
  // prefix is the name of the log. It will come after the global or
  // override handler prefix. For example if the handler prefix is "/logs"
  // and prefix is "vogon" the get-sth handler for this log will be
  // available at "/logs/vogon/ct/v1/get-sth". The prefix cannot be empty
  // and must not include "/" path separator characters.
  string prefix = 2;
  // override_handler_prefix if set to a non empty value overrides the global
  // handler prefix for an individual log. For example if this field is set to
  // "/otherlogs" then a log with prefix "vogon" will make its get-sth handler
  // available at "/otherlogs/vogon/ct/v1/get-sth" regardless of what the
  // global prefix is. Can be set to '/' to make the get-sth handler register
  // at "/vogon/ct/v1/get-sth".
  string override_handler_prefix = 13;
  // Paths to the files containing root certificates that are acceptable to the
  // log. The certs are served through get-roots endpoint. Optional in mirrors.
  // These paths are read by the CTFE process, so the files must be readable by
  // it and should be protected from modification by anyone other than the
  // log operator.
  repeated string roots_pem_file = 3;
  // The private key used for signing STHs etc. Not required for mirrors.
  // NOTE(review): this is a google.protobuf.Any; the config loader should
  // unpack it only into the key-specification types it expects (checking the
  // type_url) rather than any registered message type — confirm this is
  // enforced where the key is loaded.
  google.protobuf.Any private_key = 4;
  // The public key matching the above private key (if both are present). It is
  // used only by mirror logs for verifying the source log's signatures, but can
  // be specified for regular logs as well for the convenience of test tools.
  // NOTE(review): confirm that config validation rejects a public_key that does
  // not correspond to private_key when both are set, rather than silently
  // serving STHs that fail verification.
  keyspb.PublicKey public_key = 5;
  // If reject_expired is true then the certificate validity period will be
  // checked against the current time during the validation of submissions.
  // This will cause expired certificates to be rejected.
  bool reject_expired = 6;
  // If reject_unexpired is true then CTFE rejects certificates that are either
  // currently valid or not yet valid.
  // Note that setting both reject_expired and reject_unexpired leaves no
  // certificate that can be accepted; presumably config validation rejects
  // that combination — verify against the loader.
  bool reject_unexpired = 17;
  // If set, ext_key_usages will restrict the set of such usages that the
  // server will accept. By default all are accepted. The values specified
  // must be ones known to the x509 package.
  repeated string ext_key_usages = 7;
  // not_after_start defines the start of the range of acceptable NotAfter
  // values, inclusive.
  // Leaving this unset implies no lower bound to the range.
  google.protobuf.Timestamp not_after_start = 8;
  // not_after_limit defines the end of the range of acceptable NotAfter values,
  // exclusive.
  // Leaving this unset implies no upper bound to the range.
  google.protobuf.Timestamp not_after_limit = 9;
  // accept_only_ca controls whether or not *only* certificates with the CA bit
  // set will be accepted.
  bool accept_only_ca = 10;
  // log_backend_name if set indicates which backend serves this log. The name
  // must be one of those defined in the LogBackendSet.
  string log_backend_name = 11;
  // If set, the log is a mirror, i.e. it serves the data of another (source)
  // log. It doesn't handle write requests (add-chain, etc.), so it's not a
  // fully fledged RFC-6962 log, but the tree read requests like get-entries and
  // get-consistency-proof are compatible. A mirror doesn't have the source
  // log's key and can't sign STHs. Consequently, the log operator must ensure
  // to channel source log's STHs into CTFE.
  bool is_mirror = 12;

  // If set, the log serves only read endpoints, and rejects writes through the
  // add-[pre-]chain endpoint.
  bool is_readonly = 19;

  // The Maximum Merge Delay (MMD) of this log in seconds. See RFC6962 section 3
  // for definition of MMD. If zero, the log does not provide an MMD guarantee
  // (for example, it is a frozen log).
  int32 max_merge_delay_sec = 14;
  // The merge delay, in seconds, that the underlying log implementation is
  // able/targeting to provide (the "expected merge delay", EMD). This option is
  // exposed in CTFE metrics, and can be particularly useful to catch when the
  // log is behind but has not yet violated the strict MMD limit.
  // Log operator should decide what exactly EMD means for them. For example, it
  // can be a 99-th percentile of merge delays that they observe, and they can
  // alert on the actual merge delay going above a certain multiple of this EMD.
  int32 expected_merge_delay_sec = 15;

  // The STH that this log will serve permanently (if present). Frozen STH must
  // be signed by this log's private key, and will be verified using the public
  // key specified in this config.
  SignedTreeHead frozen_sth = 16;

  // A list of X.509 extension OIDs, in dotted string form (e.g. "2.3.4.5")
  // which should cause submissions to be rejected.
  repeated string reject_extensions = 18;
}

// LogMultiConfig wraps up a LogBackendSet and corresponding LogConfigSet so
// that they can easily be parsed as a single proto.
message LogMultiConfig {
  // The set of backends that this configuration will use to send requests to.
  // The names of the backends in the LogBackendSet must all be distinct.
  LogBackendSet backends = 1;
  // The set of logs that will use the above backends. All the protos in this
  // LogConfigSet must set a valid log_backend_name (i.e. one present in
  // backends) for the config to be usable.
  LogConfigSet log_configs = 2;
}

// SignedTreeHead represents the structure returned by the get-sth CT method.
// See RFC6962 sections 3.5 and 4.3 for reference.
//
// The field types mirror the RFC 6962 wire structure (for example the
// timestamp is a plain integer rather than google.protobuf.Timestamp), which
// appears intentional; keep them as-is so existing encoded STHs stay readable.
// When used as LogConfig.frozen_sth, the signature is verified against the
// public key in that config before the STH is served.
// TODO(pavelkalinnikov): Find a better place for this type.
message SignedTreeHead {
  // Number of entries in the tree that this head covers.
  int64 tree_size = 1;
  // Time at which the STH was issued; per RFC 6962 this is milliseconds since
  // the UNIX epoch.
  int64 timestamp = 2;
  // Merkle tree root hash (SHA-256, so 32 bytes) over the tree_size entries.
  bytes sha256_root_hash = 3;
  // Signature over the tree head, encoded as described in RFC 6962 section 3.5.
  bytes tree_head_signature = 4;
}