// https://github.com/spiffe/go-spiffe/blob/master/v2/proto/spiffe/workload/workload.proto syntax = "proto3"; package workload; message X509SVIDRequest { } // The X509SVIDResponse message carries a set of X.509 SVIDs and their // associated information. It also carries a set of global CRLs, and a // TTL to inform the workload when it should check back next. message X509SVIDResponse { // A list of X509SVID messages, each of which includes a single // SPIFFE Verifiable Identity Document, along with its private key // and bundle. repeated X509SVID svids = 1; // ASN.1 DER encoded repeated bytes crl = 2; // CA certificate bundles belonging to foreign Trust Domains that the // workload should trust, keyed by the SPIFFE ID of the foreign // domain. Bundles are ASN.1 DER encoded. map federated_bundles = 3; } // The X509SVID message carries a single SVID and all associated // information, including CA bundles. message X509SVID { // The SPIFFE ID of the SVID in this entry string spiffe_id = 1; // ASN.1 DER encoded certificate chain. MAY include intermediates, // the leaf certificate (or SVID itself) MUST come first. bytes x509_svid = 2; // ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted. bytes x509_svid_key = 3; // CA certificates belonging to the Trust Domain // ASN.1 DER encoded bytes bundle = 4; // List of trust domains the SVID federates with, which corresponds to // keys in the federated_bundles map in the X509SVIDResponse message. repeated string federates_with = 5; } message JWTBundlesRequest { } message JWTBundlesResponse { // JWK sets, keyed by trust domain URI map bundles = 1; } service SpiffeWorkloadAPI { // JWT-SVID Profile rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse); // X.509-SVID Profile // Fetch all SPIFFE identities the workload is entitled to, as // well as related information like trust bundles and CRLs. As // this information changes, subsequent messages will be sent. rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse); }