// Wire contract between Boulder components and the Storage Authority (SA).
// Field numbers are permanent once published; each message that has grown
// over time carries a "Next unused field number" note to make additions safe.
syntax = "proto3";

package sa;
option go_package = "github.com/letsencrypt/boulder/sa/proto";

// core.proto supplies the core.* types used as RPC requests and responses
// below; the google.protobuf imports supply Empty, Timestamp and Duration.
import "core/proto/core.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/duration.proto";
// StorageAuthorityReadOnly exposes only those SA methods which are read-only.
// Every RPC listed here is repeated verbatim at the top of StorageAuthority
// below; the two lists must be kept in sync.
service StorageAuthorityReadOnly {
  // Counters. CountRegistrationsByIP and CountRegistrationsByIPRange share a
  // request type, as do CountFQDNSets and FQDNSetTimestampsForWindow, so a
  // field added to one of those requests is visible to both RPCs.
  rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
  rpc CountOrders(CountOrdersRequest) returns (Count) {}
  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
  rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
  rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
  rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
  // Getters.
  rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
  rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
  rpc GetCertificate(Serial) returns (core.Certificate) {}
  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
  // Takes google.protobuf.Empty, so a request parameter cannot be added later
  // without introducing a new RPC.
  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
  rpc GetOrder(OrderRequest) returns (core.Order) {}
  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
  rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
  // Server-streaming: one core.CRLEntry per message.
  rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
  rpc IncidentsForSerial(Serial) returns (Incidents) {}
  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
  // Server-streaming: one IncidentSerial per message.
  rpc SerialsForIncident(SerialsForIncidentRequest) returns (stream IncidentSerial) {}
}
// StorageAuthority provides full read/write access to the database.
service StorageAuthority {
  // Getters: this list must be identical to the StorageAuthorityReadOnly rpcs.
  rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
  rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
  rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
  rpc CountOrders(CountOrdersRequest) returns (Count) {}
  rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
  rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
  rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
  rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
  rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {}
  rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
  rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
  rpc GetCertificate(Serial) returns (core.Certificate) {}
  rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
  rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {}
  rpc GetOrder(OrderRequest) returns (core.Order) {}
  rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
  rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
  rpc GetRegistration(RegistrationID) returns (core.Registration) {}
  rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
  rpc GetRevocationStatus(Serial) returns (RevocationStatus) {}
  rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {}
  rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
  rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
  rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
  rpc IncidentsForSerial(Serial) returns (Incidents) {}
  rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
  rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
  rpc SerialsForIncident(SerialsForIncidentRequest) returns (stream IncidentSerial) {}
  // Mutators ("Adders" plus the deactivate/finalize/set/update/lease calls).
  // Everything from here down writes to the database and is deliberately
  // absent from StorageAuthorityReadOnly.
  rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
  // AddCertificate and AddPrecertificate share AddCertificateRequest; a field
  // added to that message is visible to both RPCs.
  rpc AddCertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
  rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
  rpc SetCertificateStatusReady(Serial) returns (google.protobuf.Empty) {}
  rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
  rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
  rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
  rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
  rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
  rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
  // NewRegistration and UpdateRegistration take core.Registration directly
  // rather than a purpose-specific request message, so request-only
  // parameters cannot be added without a new RPC.
  rpc NewRegistration(core.Registration) returns (core.Registration) {}
  // RevokeCertificate and UpdateRevokedCertificate share
  // RevokeCertificateRequest; see the notes on that message.
  rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
  rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
  rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
  rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
  rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
  rpc LeaseCRLShard(LeaseCRLShardRequest) returns (LeaseCRLShardResponse) {}
  rpc UpdateCRLShard(UpdateCRLShardRequest) returns (google.protobuf.Empty) {}
}
// RegistrationID names an account (registration) by its numeric ID. Request
// type of CountPendingAuthorizations2, GetRegistration and
// DeactivateRegistration.
message RegistrationID {
  int64 id = 1;
}
// JSONWebKey carries an account key; request type of GetRegistrationByKey.
message JSONWebKey {
  // The byte encoding is not fixed by this schema — presumably the JSON
  // serialization of the JWK; confirm against the SA and its callers.
  bytes jwk = 1;
}
// AuthorizationID names an authorization by a string ID. Not referenced by any
// RPC in this file (the RPCs use the int64 AuthorizationID2); it may still be
// used from other packages, so it is kept rather than removed.
message AuthorizationID {
  string id = 1;
}
// GetPendingAuthorizationRequest selects a pending authorization for one
// identifier owned by one account. The validity bound appears in two encodings
// (int64 nanoseconds and google.protobuf.Timestamp); this schema does not
// define which one is authoritative when both are set.
message GetPendingAuthorizationRequest {
  // Next unused field number: 6
  int64 registrationID = 1;
  // Identifier type and value as strings; the accepted values are not
  // constrained by this schema.
  string identifierType = 2;
  string identifierValue = 3;
  // Result must be valid until at least this Unix timestamp (nanos)
  int64 validUntilNS = 4;
  google.protobuf.Timestamp validUntil = 5; // Result must be valid until at least this timestamp
}
// GetValidAuthorizationsRequest selects valid authorizations for a set of
// domains owned by one account. Its fields are identical to
// GetAuthorizationsRequest, but the two are kept separate so each RPC can
// evolve independently. "now" appears in two encodings; the schema does not
// define which is authoritative when both are set.
message GetValidAuthorizationsRequest {
  // Next unused field number: 5
  int64 registrationID = 1;
  repeated string domains = 2;
  int64 nowNS = 3; // Unix timestamp (nanoseconds); int64 form of now (field 4)
  google.protobuf.Timestamp now = 4;
}
// ValidAuthorizations is a list of (domain, authorization) pairs. Not
// referenced by any RPC in this file; structurally the same as Authorizations
// below except for the name of the repeated field. Kept because other packages
// may still reference the generated type.
message ValidAuthorizations {
  // MapElement pairs a domain with its authorization; a repeated message is
  // used instead of map<string, core.Authorization> so element order is
  // preserved on the wire.
  message MapElement {
    string domain = 1;
    core.Authorization authz = 2;
  }
  repeated MapElement valid = 1;
}
// Serial identifies a certificate by its serial number, as a string. The
// string format (hex, case) is not fixed by this schema; callers of
// GetCertificate, GetCertificateStatus, GetRevocationStatus, GetSerialMetadata,
// IncidentsForSerial and SetCertificateStatusReady must agree on it.
message Serial {
  string serial = 1;
}
// SerialMetadata is the response of GetSerialMetadata. Each time appears in
// two encodings (int64 nanoseconds and google.protobuf.Timestamp); this schema
// does not define which is authoritative when both are set.
message SerialMetadata {
  // Next unused field number: 7
  string serial = 1;
  int64 registrationID = 2;
  int64 createdNS = 3; // Unix timestamp (nanoseconds); int64 form of created (field 5)
  google.protobuf.Timestamp created = 5;
  int64 expiresNS = 4; // Unix timestamp (nanoseconds); int64 form of expires (field 6)
  google.protobuf.Timestamp expires = 6;
}
// Range is a time window used by the Count* requests. Whether the bounds are
// inclusive is not stated here (compare GetRevokedCertsRequest, which spells
// it out). Each bound appears in two encodings; this schema does not define
// which is authoritative when both are set.
message Range {
  // Next unused field number: 5
  int64 earliestNS = 1; // Unix timestamp (nanoseconds); int64 form of earliest (field 3)
  google.protobuf.Timestamp earliest = 3;
  int64 latestNS = 2; // Unix timestamp (nanoseconds); int64 form of latest (field 4)
  google.protobuf.Timestamp latest = 4;
}
// Count is the generic response of the Count* RPCs.
message Count {
  int64 count = 1;
}
// Timestamps is the response of FQDNSetTimestampsForWindow. The two repeated
// fields are alternative encodings of the same list, not parallel arrays to
// be zipped; this schema does not define which is authoritative when both are
// populated.
message Timestamps {
  // Next unused field number: 3
  repeated int64 timestampsNS = 1; // Unix timestamp (nanoseconds); int64 form of timestamps (field 2)
  repeated google.protobuf.Timestamp timestamps = 2;
}
// CountCertificatesByNamesRequest asks how many certificates were issued for
// each of the given names within a time range.
message CountCertificatesByNamesRequest {
  Range range = 1;
  repeated string names = 2;
}
// CountByNames is the response of CountCertificatesByNames.
message CountByNames {
  // Per-name counts. Map iteration order is undefined on the wire.
  map<string, int64> counts = 1;
  // Note this is a google.protobuf.Timestamp, not a nanosecond int64 (an
  // earlier comment here was stale). Presumably echoes the request's
  // Range.earliest — confirm against the SA implementation.
  google.protobuf.Timestamp earliest = 2;
}
// CountRegistrationsByIPRequest is shared by CountRegistrationsByIP and
// CountRegistrationsByIPRange, so a field added here reaches both RPCs.
message CountRegistrationsByIPRequest {
  // Raw address bytes. The length (4 vs 16 bytes) is not constrained by this
  // schema; the server must validate it before use.
  bytes ip = 1;
  Range range = 2;
}
// CountInvalidAuthorizationsRequest counts invalid authorizations for one
// hostname owned by one account.
message CountInvalidAuthorizationsRequest {
  int64 registrationID = 1;
  string hostname = 2;
  // Count authorizations that expire in this range.
  Range range = 3;
}
// CountOrdersRequest counts orders created by one account within a range.
// Note the account field is named accountID here while sibling messages use
// registrationID, regID or acctID for the same concept; renaming would change
// generated code and JSON, so the inconsistency is documented, not fixed.
message CountOrdersRequest {
  int64 accountID = 1;
  Range range = 2;
}
// CountFQDNSetsRequest is shared by CountFQDNSets and
// FQDNSetTimestampsForWindow. The window appears in two encodings (int64
// nanoseconds and google.protobuf.Duration); this schema does not define
// which is authoritative when both are set.
message CountFQDNSetsRequest {
  // Next unused field number: 4
  int64 windowNS = 1; // Window length in nanoseconds; int64 form of window (field 3)
  repeated string domains = 2;
  google.protobuf.Duration window = 3;
}
// FQDNSetExistsRequest asks whether a certificate for exactly this set of
// domains exists; request type of FQDNSetExists.
message FQDNSetExistsRequest {
  repeated string domains = 1;
}
// PreviousCertificateExistsRequest asks whether the given account has
// previously been issued a certificate for the given domain.
message PreviousCertificateExistsRequest {
  string domain = 1;
  int64 regID = 2;
}
// Exists is the generic boolean response of FQDNSetExists, KeyBlocked and
// PreviousCertificateExists. Being a proto3 bool, false is indistinguishable
// from "not set" on the wire.
message Exists {
  bool exists = 1;
}
// AddSerialRequest records a serial number for an account before issuance.
// Each time appears in two encodings (int64 nanoseconds and
// google.protobuf.Timestamp); this schema does not define which is
// authoritative when both are set.
message AddSerialRequest {
  // Next unused field number: 7
  int64 regID = 1;
  string serial = 2;
  int64 createdNS = 3; // Unix timestamp (nanoseconds); int64 form of created (field 5)
  google.protobuf.Timestamp created = 5;
  int64 expiresNS = 4; // Unix timestamp (nanoseconds); int64 form of expires (field 6)
  google.protobuf.Timestamp expires = 6;
}
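// AddCertificateRequest is the request type shared by AddCertificate and
// AddPrecertificate; a field added here is visible to both RPCs. The issued
// time appears in two encodings (int64 nanoseconds and
// google.protobuf.Timestamp); this schema does not define which is
// authoritative when both are set.
message AddCertificateRequest {
  // Next unused field number: 8
  // Certificate (or precertificate) bytes; DER per the field name.
  bytes der = 1;
  // Registration (account) ID the certificate belongs to.
  int64 regID = 2;
  // Field 3 was previously "ocsp" and has been removed. Both the number and
  // the name are reserved so a future field cannot reuse either: reusing the
  // number would silently reinterpret old serialized data, and reusing the
  // name would collide in JSON and generated code.
  reserved 3;
  reserved "ocsp";
  // An issued time. When not present the SA defaults to using
  // the current time.
  int64 issuedNS = 4; // Unix timestamp (nanoseconds); int64 form of issued (field 7)
  google.protobuf.Timestamp issued = 7;
  int64 issuerNameID = 5; // https://pkg.go.dev/github.com/letsencrypt/boulder/issuance#IssuerNameID

  // If this is set to true, the certificateStatus.status column will be set to
  // "wait", which will cause us to serve internalError responses when OCSP is
  // queried. This allows us to meet the BRs requirement:
  //
  // If the OCSP responder receives a request for the status of a certificate
  // serial number that is “unused”, then ...
  // the responder MUST NOT respond with a “good” status for such requests.
  //
  // Paraphrasing, a certificate serial number is unused if neither a
  // Certificate nor a Precertificate has been issued with it. So when we write
  // a linting certificate to the precertificates table, we want to make sure
  // we never give a "good" response for that serial until the precertificate
  // is actually issued.
  bool ocspNotReady = 6;
}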
// OrderRequest names an order by its numeric ID. Request type of GetOrder and
// SetOrderProcessing.
message OrderRequest {
  int64 id = 1;
}
// NewOrderRequest describes an order to create; it is embedded in
// NewOrderAndAuthzsRequest rather than used as an RPC request directly. The
// expiry appears in two encodings; this schema does not define which is
// authoritative when both are set.
message NewOrderRequest {
  // Next unused field number: 6
  int64 registrationID = 1;
  int64 expiresNS = 2; // Unix timestamp (nanoseconds); int64 form of expires (field 5)
  google.protobuf.Timestamp expires = 5;
  repeated string names = 3;
  // IDs of existing authorizations to attach to the order (cf. AuthorizationID2).
  repeated int64 v2Authorizations = 4;
}
// NewOrderAndAuthzsRequest creates an order together with any new
// authorizations it needs; request type of NewOrderAndAuthzs.
message NewOrderAndAuthzsRequest {
  NewOrderRequest newOrder = 1;
  // Authorizations to create alongside the order, in addition to the existing
  // ones referenced by newOrder.v2Authorizations.
  repeated core.Authorization newAuthzs = 2;
}
// SetOrderErrorRequest attaches a problem document to an order; request type
// of SetOrderError.
message SetOrderErrorRequest {
  int64 id = 1;
  core.ProblemDetails error = 2;
}
// GetValidOrderAuthorizationsRequest selects the valid authorizations of one
// order, scoped to the owning account.
message GetValidOrderAuthorizationsRequest {
  int64 id = 1;
  int64 acctID = 2;
}
// GetOrderForNamesRequest looks up an existing order of one account for a set
// of names; request type of GetOrderForNames.
message GetOrderForNamesRequest {
  int64 acctID = 1;
  repeated string names = 2;
}
// FinalizeOrderRequest records the serial of the certificate issued for an
// order; request type of FinalizeOrder.
message FinalizeOrderRequest {
  int64 id = 1;
  // Same string format as Serial.serial.
  string certificateSerial = 2;
}
// GetAuthorizationsRequest selects authorizations for a set of domains owned
// by one account; request type of GetAuthorizations2. Its fields are identical
// to GetValidAuthorizationsRequest but the two messages are intentionally
// distinct so each RPC can evolve on its own. "now" appears in two encodings;
// this schema does not define which is authoritative when both are set.
message GetAuthorizationsRequest {
  // Next unused field number: 5
  int64 registrationID = 1;
  repeated string domains = 2;
  int64 nowNS = 3; // Unix timestamp (nanoseconds); int64 form of now (field 4)
  google.protobuf.Timestamp now = 4;
}
// Authorizations is the response of GetAuthorizations2,
// GetValidAuthorizations2 and GetValidOrderAuthorizations2: a list of
// (domain, authorization) pairs.
message Authorizations {
  // MapElement pairs a domain with its authorization; a repeated message is
  // used instead of map<string, core.Authorization> so element order is
  // preserved on the wire.
  message MapElement {
    string domain = 1;
    core.Authorization authz = 2;
  }
  repeated MapElement authz = 1;
}
// AuthorizationIDs is a list of string authorization IDs. Not referenced by
// any RPC in this file; kept because other packages may still use the
// generated type.
message AuthorizationIDs {
  repeated string ids = 1;
}
// AuthorizationID2 names an authorization by its numeric ID. Request type of
// GetAuthorization2 and DeactivateAuthorization2; the "2" suffix distinguishes
// it from the string-keyed AuthorizationID.
message AuthorizationID2 {
  int64 id = 1;
}
// RevokeCertificateRequest is shared by RevokeCertificate and
// UpdateRevokedCertificate, so a field added here reaches both RPCs. The two
// times appear in two encodings each (int64 nanoseconds and
// google.protobuf.Timestamp); this schema does not define which is
// authoritative when both are set.
message RevokeCertificateRequest {
  // Next unused field number: 10
  string serial = 1;
  // Plain int64, not an enum: presumably an RFC 5280 CRLReason code. The
  // accepted values are not constrained by this schema — confirm in the SA.
  int64 reason = 2;
  int64 dateNS = 3; // Unix timestamp (nanoseconds); int64 form of date (field 8)
  google.protobuf.Timestamp date = 8;
  int64 backdateNS = 5; // Unix timestamp (nanoseconds); int64 form of backdate (field 9)
  google.protobuf.Timestamp backdate = 9;
  // Opaque bytes; the content is not described by this schema — presumably an
  // OCSP response, given the surrounding fields. Verify against the SA.
  bytes response = 4;
  int64 issuerID = 6;
  int64 shardIdx = 7;
}
// FinalizeAuthorizationRequest records the outcome of validating an
// authorization; request type of FinalizeAuthorization2. Times appear in two
// encodings; this schema does not define which is authoritative when both are
// set.
message FinalizeAuthorizationRequest {
  // Next unused field number: 10
  int64 id = 1;
  // Free-form string rather than an enum; the accepted values are not
  // constrained by this schema and must be validated by the SA.
  string status = 2;
  int64 expiresNS = 3; // Unix timestamp (nanoseconds); int64 form of expires (field 8)
  google.protobuf.Timestamp expires = 8;
  // Which challenge was attempted; also a free-form string.
  string attempted = 4;
  repeated core.ValidationRecord validationRecords = 5;
  core.ProblemDetails validationError = 6;
  int64 attemptedAtNS = 7; // Unix timestamp (nanoseconds); int64 form of attemptedAt (field 9)
  google.protobuf.Timestamp attemptedAt = 9;
}
// AddBlockedKeyRequest adds a public key to the blocked-keys list; request
// type of AddBlockedKey. The added time appears in two encodings; this schema
// does not define which is authoritative when both are set.
message AddBlockedKeyRequest {
  // Next unused field number: 7
  // Digest of the key. The hash algorithm is not fixed by this schema; it must
  // be computed the same way as KeyBlockedRequest.keyHash or later KeyBlocked
  // lookups will not match.
  bytes keyHash = 1;
  int64 addedNS = 2; // Unix timestamp (nanoseconds); int64 form of added (field 6)
  google.protobuf.Timestamp added = 6;
  // Free-form provenance strings; values are not constrained by this schema.
  string source = 3;
  string comment = 4;
  // Account that requested the block, if any (0 when unset, as for any proto3
  // int64).
  int64 revokedBy = 5;
}
// KeyBlockedRequest asks whether a key digest is on the blocked-keys list;
// request type of KeyBlocked.
message KeyBlockedRequest {
  // Must be computed with the same algorithm as AddBlockedKeyRequest.keyHash;
  // the algorithm itself is not fixed by this schema.
  bytes keyHash = 1;
}
// Incident describes a revocation/renewal incident affecting a set of serials.
// The renew-by time appears in two encodings; this schema does not define
// which is authoritative when both are set.
message Incident {
  // Next unused field number: 7
  int64 id = 1;
  // Name of the database table holding the affected serials. NOTE(review):
  // a table name carried as a string must be validated server-side as a bare
  // identifier (or matched against a known list) before it is used to build
  // SQL — confirm the SA does this.
  string serialTable = 2;
  string url = 3;
  int64 renewByNS = 4; // Unix timestamp (nanoseconds); int64 form of renewBy (field 6)
  google.protobuf.Timestamp renewBy = 6;
  bool enabled = 5;
}
// Incidents is the response of IncidentsForSerial.
message Incidents {
  repeated Incident incidents = 1;
}
// SerialsForIncidentRequest names the incident table whose serials should be
// streamed back; request type of SerialsForIncident.
message SerialsForIncidentRequest {
  // Database table name (see Incident.serialTable). NOTE(review): must be
  // validated server-side as a bare identifier or matched against known
  // incident tables before being interpolated into SQL — confirm.
  string incidentTable = 1;
}
// IncidentSerial is one streamed element of SerialsForIncident. Because proto3
// int64 fields have no presence, the 0-means-NULL convention noted below is
// the only way to express an absent value. The notice time appears in two
// encodings; this schema does not define which is authoritative when both
// are set.
message IncidentSerial {
  // Next unused field number: 6
  string serial = 1;
  int64 registrationID = 2; // May be 0 (NULL)
  int64 orderID = 3; // May be 0 (NULL)
  int64 lastNoticeSentNS = 4; // Unix timestamp (nanoseconds), may be 0 (NULL); int64 form of lastNoticeSent (field 5)
  google.protobuf.Timestamp lastNoticeSent = 5;
}
// GetRevokedCertsRequest selects revoked certificates for CRL generation:
// those from one issuer whose expiry falls in [expiresAfter, expiresBefore)
// and which were revoked before revokedBefore. Each time appears in two
// encodings; this schema does not define which is authoritative when both are
// set.
message GetRevokedCertsRequest {
  // Next unused field number: 9
  int64 issuerNameID = 1;
  int64 expiresAfterNS = 2; // Unix timestamp (nanoseconds), inclusive; int64 form of expiresAfter (field 6)
  google.protobuf.Timestamp expiresAfter = 6; // inclusive
  int64 expiresBeforeNS = 3; // Unix timestamp (nanoseconds), exclusive; int64 form of expiresBefore (field 7)
  google.protobuf.Timestamp expiresBefore = 7; // exclusive
  int64 revokedBeforeNS = 4; // Unix timestamp (nanoseconds); int64 form of revokedBefore (field 8)
  google.protobuf.Timestamp revokedBefore = 8;
  int64 shardIdx = 5; // Must not be set until the revokedCertificates table has 90+ days of entries.
}
// RevocationStatus is the response of GetRevocationStatus.
message RevocationStatus {
  // Plain int64 status code rather than an enum; the value set is not defined
  // by this schema.
  int64 status = 1;
  // Presumably an RFC 5280 CRLReason code, as for
  // RevokeCertificateRequest.reason — confirm in the SA.
  int64 revokedReason = 2;
  // Note this is a google.protobuf.Timestamp, not a nanosecond int64 (an
  // earlier comment here was stale).
  google.protobuf.Timestamp revokedDate = 3;
}
// LeaseCRLShardRequest asks the SA to lease one CRL shard of an issuer, chosen
// from the index range [minShardIdx, maxShardIdx] (inclusivity presumed —
// confirm), until the given time. Request type of LeaseCRLShard.
message LeaseCRLShardRequest {
  int64 issuerNameID = 1;
  int64 minShardIdx = 2;
  int64 maxShardIdx = 3;
  // Lease expiry. Only the Timestamp form exists here — no int64 nanosecond
  // twin as in the older messages.
  google.protobuf.Timestamp until = 4;
}
// LeaseCRLShardResponse reports which shard was leased by LeaseCRLShard.
message LeaseCRLShardResponse {
  int64 issuerNameID = 1;
  int64 shardIdx = 2;
}
// UpdateCRLShardRequest records the thisUpdate/nextUpdate times of a freshly
// generated CRL shard; request type of UpdateCRLShard. Only Timestamp forms
// are used here, with no int64 nanosecond twins.
message UpdateCRLShardRequest {
  int64 issuerNameID = 1;
  int64 shardIdx = 2;
  google.protobuf.Timestamp thisUpdate = 3;
  google.protobuf.Timestamp nextUpdate = 4;
}