syntax = "proto3"; package sa; option go_package = "github.com/letsencrypt/boulder/sa/proto"; import "core/proto/core.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/duration.proto"; // StorageAuthorityReadOnly exposes only those SA methods which are read-only. service StorageAuthorityReadOnly { rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {} rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {} rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {} rpc CountOrders(CountOrdersRequest) returns (Count) {} rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {} rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {} rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {} rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {} rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {} rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {} rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {} rpc GetCertificate(Serial) returns (core.Certificate) {} rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {} rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {} rpc GetOrder(OrderRequest) returns (core.Order) {} rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {} rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {} rpc GetRegistration(RegistrationID) returns (core.Registration) {} rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {} rpc GetRevocationStatus(Serial) returns (RevocationStatus) {} rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {} rpc GetSerialMetadata(Serial) returns (SerialMetadata) {} rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {} rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {} rpc IncidentsForSerial(Serial) returns (Incidents) {} rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {} rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {} rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {} } // StorageAuthority provides full read/write access to the database. service StorageAuthority { // Getters: this list must be identical to the StorageAuthorityReadOnly rpcs. rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {} rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {} rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {} rpc CountOrders(CountOrdersRequest) returns (Count) {} rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {} rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {} rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {} rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {} rpc FQDNSetTimestampsForWindow(CountFQDNSetsRequest) returns (Timestamps) {} rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {} rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {} rpc GetCertificate(Serial) returns (core.Certificate) {} rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {} rpc GetMaxExpiration(google.protobuf.Empty) returns (google.protobuf.Timestamp) {} rpc GetOrder(OrderRequest) returns (core.Order) {} rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {} rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {} rpc GetRegistration(RegistrationID) returns (core.Registration) {} rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {} rpc GetRevocationStatus(Serial) returns (RevocationStatus) {} rpc GetRevokedCerts(GetRevokedCertsRequest) returns (stream core.CRLEntry) {} rpc GetSerialMetadata(Serial) returns (SerialMetadata) {} rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {} rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {} rpc IncidentsForSerial(Serial) returns (Incidents) {} rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {} rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {} rpc SerialsForIncident (SerialsForIncidentRequest) returns (stream IncidentSerial) {} // Adders rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {} rpc AddCertificate(AddCertificateRequest) returns (google.protobuf.Empty) {} rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {} rpc SetCertificateStatusReady(Serial) returns (google.protobuf.Empty) {} rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {} rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {} rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {} rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {} rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {} rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {} rpc NewRegistration(core.Registration) returns (core.Registration) {} rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {} rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {} rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {} rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {} rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {} rpc LeaseCRLShard(LeaseCRLShardRequest) returns (LeaseCRLShardResponse) {} rpc UpdateCRLShard(UpdateCRLShardRequest) returns (google.protobuf.Empty) {} } message RegistrationID { int64 id = 1; } message JSONWebKey { bytes jwk = 1; } message AuthorizationID { string id = 1; } message GetPendingAuthorizationRequest { // Next unused field number: 6 int64 registrationID = 1; string identifierType = 2; string identifierValue = 3; // Result must be valid until at least this Unix timestamp (nanos) int64 validUntilNS = 4; google.protobuf.Timestamp validUntil = 5; // Result must be valid until at least this timestamp } message GetValidAuthorizationsRequest { // Next unused field number: 5 int64 registrationID = 1; repeated string domains = 2; int64 nowNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp now = 4; } message ValidAuthorizations { message MapElement { string domain = 1; core.Authorization authz = 2; } repeated MapElement valid = 1; } message Serial { string serial = 1; } message SerialMetadata { // Next unused field number: 7 string serial = 1; int64 registrationID = 2; int64 createdNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp created = 5; int64 expiresNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp expires = 6; } message Range { // Next unused field number: 5 int64 earliestNS = 1; // Unix timestamp (nanoseconds) google.protobuf.Timestamp earliest = 3; int64 latestNS = 2; // Unix timestamp (nanoseconds) google.protobuf.Timestamp latest = 4; } message Count { int64 count = 1; } message Timestamps { // Next unused field number: 3 repeated int64 timestampsNS = 1; // Unix timestamp (nanoseconds) repeated google.protobuf.Timestamp timestamps = 2; } message CountCertificatesByNamesRequest { Range range = 1; repeated string names = 2; } message CountByNames { map counts = 1; google.protobuf.Timestamp earliest = 2; // Unix timestamp (nanoseconds) } message CountRegistrationsByIPRequest { bytes ip = 1; Range range = 2; } message CountInvalidAuthorizationsRequest { int64 registrationID = 1; string hostname = 2; // Count authorizations that expire in this range. Range range = 3; } message CountOrdersRequest { int64 accountID = 1; Range range = 2; } message CountFQDNSetsRequest { // Next unused field number: 4 int64 windowNS = 1; repeated string domains = 2; google.protobuf.Duration window = 3; } message FQDNSetExistsRequest { repeated string domains = 1; } message PreviousCertificateExistsRequest { string domain = 1; int64 regID = 2; } message Exists { bool exists = 1; } message AddSerialRequest { // Next unused field number: 7 int64 regID = 1; string serial = 2; int64 createdNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp created = 5; int64 expiresNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp expires = 6; } message AddCertificateRequest { // Next unused field number: 8 bytes der = 1; int64 regID = 2; reserved 3; // previously ocsp // An issued time. When not present the SA defaults to using // the current time. int64 issuedNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp issued = 7; int64 issuerNameID = 5; // https://pkg.go.dev/github.com/letsencrypt/boulder/issuance#IssuerNameID // If this is set to true, the certificateStatus.status column will be set to // "wait", which will cause us to serve internalError responses with OCSP is // queried. This allows us to meet the BRs requirement: // // If the OCSP responder receives a request for the status of a certificate // serial number that is “unused”, then ... // the responder MUST NOT respond with a “good” status for such requests. // // Paraphrasing, a certificate serial number is unused if neither a // Certificate nor a Precertificate has been issued with it. So when we write // a linting certificate to the precertificates table, we want to make sure // we never give a "good" response for that serial until the precertificate // is actually issued. bool ocspNotReady = 6; } message OrderRequest { int64 id = 1; } message NewOrderRequest { // Next unused field number: 6 int64 registrationID = 1; int64 expiresNS = 2; // Unix timestamp (nanoseconds) google.protobuf.Timestamp expires = 5; repeated string names = 3; repeated int64 v2Authorizations = 4; } message NewOrderAndAuthzsRequest { NewOrderRequest newOrder = 1; repeated core.Authorization newAuthzs = 2; } message SetOrderErrorRequest { int64 id = 1; core.ProblemDetails error = 2; } message GetValidOrderAuthorizationsRequest { int64 id = 1; int64 acctID = 2; } message GetOrderForNamesRequest { int64 acctID = 1; repeated string names = 2; } message FinalizeOrderRequest { int64 id = 1; string certificateSerial = 2; } message GetAuthorizationsRequest { // Next unused field number: 5 int64 registrationID = 1; repeated string domains = 2; int64 nowNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp now = 4; } message Authorizations { message MapElement { string domain = 1; core.Authorization authz = 2; } repeated MapElement authz = 1; } message AuthorizationIDs { repeated string ids = 1; } message AuthorizationID2 { int64 id = 1; } message RevokeCertificateRequest { // Next unused field number: 10 string serial = 1; int64 reason = 2; int64 dateNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp date = 8; int64 backdateNS = 5; // Unix timestamp (nanoseconds) google.protobuf.Timestamp backdate = 9; bytes response = 4; int64 issuerID = 6; int64 shardIdx = 7; } message FinalizeAuthorizationRequest { // Next unused field number: 10 int64 id = 1; string status = 2; int64 expiresNS = 3; // Unix timestamp (nanoseconds) google.protobuf.Timestamp expires = 8; string attempted = 4; repeated core.ValidationRecord validationRecords = 5; core.ProblemDetails validationError = 6; int64 attemptedAtNS = 7; // Unix timestamp (nanoseconds) google.protobuf.Timestamp attemptedAt = 9; } message AddBlockedKeyRequest { // Next unused field number: 7 bytes keyHash = 1; int64 addedNS = 2; // Unix timestamp (nanoseconds) google.protobuf.Timestamp added = 6; string source = 3; string comment = 4; int64 revokedBy = 5; } message KeyBlockedRequest { bytes keyHash = 1; } message Incident { // Next unused field number: 7 int64 id = 1; string serialTable = 2; string url = 3; int64 renewByNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp renewBy = 6; bool enabled = 5; } message Incidents { repeated Incident incidents = 1; } message SerialsForIncidentRequest { string incidentTable = 1; } message IncidentSerial { // Next unused field number: 6 string serial = 1; int64 registrationID = 2; // May be 0 (NULL) int64 orderID = 3; // May be 0 (NULL) int64 lastNoticeSentNS = 4; // Unix timestamp (nanoseconds), may be 0 (NULL) google.protobuf.Timestamp lastNoticeSent = 5; } message GetRevokedCertsRequest { // Next unused field number: 9 int64 issuerNameID = 1; int64 expiresAfterNS = 2; // Unix timestamp (nanoseconds), inclusive google.protobuf.Timestamp expiresAfter = 6; // inclusive int64 expiresBeforeNS = 3; // Unix timestamp (nanoseconds), exclusive google.protobuf.Timestamp expiresBefore = 7; // exclusive int64 revokedBeforeNS = 4; // Unix timestamp (nanoseconds) google.protobuf.Timestamp revokedBefore = 8; int64 shardIdx = 5; // Must not be set until the revokedCertificates table has 90+ days of entries. } message RevocationStatus { int64 status = 1; int64 revokedReason = 2; google.protobuf.Timestamp revokedDate = 3; // Unix timestamp (nanoseconds) } message LeaseCRLShardRequest { int64 issuerNameID = 1; int64 minShardIdx = 2; int64 maxShardIdx = 3; google.protobuf.Timestamp until = 4; } message LeaseCRLShardResponse { int64 issuerNameID = 1; int64 shardIdx = 2; } message UpdateCRLShardRequest { int64 issuerNameID = 1; int64 shardIdx = 2; google.protobuf.Timestamp thisUpdate = 3; google.protobuf.Timestamp nextUpdate = 4; }