package dev.sigstore.fulcio.v2

Get desktop application:
View/edit binary Protocol Buffers messages

• rpc CreateSigningCertificate (CreateSigningCertificateRequest, SigningCertificate)

  fulcio.proto:31

  * Returns an X.509 certificate created by the Fulcio certificate authority for the given request parameters

  message CreateSigningCertificateRequest

  fulcio.proto:47

  • optional Credentials credentials = 1

    Identity information about who possesses the private / public key pair presented

  • oneof key

    • PublicKeyRequest public_key_request = 2

      The public key to be stored in the requested certificate along with a signed challenge as proof of possession of the private key.

    • bytes certificate_signing_request = 3

      PKCS#10 PEM-encoded certificate signing request Contains the public key to be stored in the requested certificate. All other CSR fields are ignored. Since the CSR is self-signed, it also acts as a proof of posession of the private key.

  message SigningCertificate

  fulcio.proto:103

  • oneof certificate

    • SigningCertificateDetachedSCT signed_certificate_detached_sct = 1

    • SigningCertificateEmbeddedSCT signed_certificate_embedded_sct = 2

• rpc GetTrustBundle (GetTrustBundleRequest, TrustBundle)

  fulcio.proto:40

  * Returns the bundle of certificates that can be used to validate code signing certificates issued by this Fulcio instance

  message GetTrustBundleRequest

  fulcio.proto:139

  This is created for forward compatibility in case we want to add fields to the TrustBundle service in the future

  (message has no fields)

  message TrustBundle

  fulcio.proto:142

  • repeated CertificateChain chains = 1

    The set of PEM-encoded certificate chains for this Fulcio instance; each chain will start with any intermediate certificates (if present), finishing with the root certificate.

Used in: SigningCertificateDetachedSCT, SigningCertificateEmbeddedSCT, TrustBundle

• repeated string certificates = 1

  The PEM-encoded certificate chain, ordered from leaf to intermediate to root as applicable.

Used in: CreateSigningCertificateRequest

• oneof credentials

  • string oidc_identity_token = 1

    The OIDC token that identifies the caller

Used in: PublicKeyRequest

• PublicKeyAlgorithm algorithm = 1

  The cryptographic algorithm to use with the key material

• string content = 2

  PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically of type PUBLIC KEY.

Used in: PublicKey

• PUBLIC_KEY_ALGORITHM_UNSPECIFIED = 0

• RSA_PSS = 1

• ECDSA = 2

• ED25519 = 3

Used in: CreateSigningCertificateRequest

• optional PublicKey public_key = 1

  The public key to be stored in the requested certificate

• bytes proof_of_possession = 2

  Proof that the client possesses the private key; must be verifiable by provided public key This is a currently a signature over the `sub` claim from the OIDC identity token

(-- api-linter: core::0142::time-field-type=disabled aip.dev/not-precedent: SCT is defined in RFC6962 and we keep the name consistent for easier understanding. --)

Used in: SigningCertificate

• optional CertificateChain chain = 1

  The certificate chain serialized with the leaf certificate first, followed by all intermediate certificates (if present), finishing with the root certificate. All values are PEM-encoded certificates.

• bytes signed_certificate_timestamp = 2

  The signed certificate timestamp is a promise for including the certificate in a certificate transparency log. It can be "stapled" to verify the inclusion of a certificate in the log in an offline fashion.

Used in: SigningCertificate

• optional CertificateChain chain = 1

  The certificate chain serialized with the leaf certificate first, followed by all intermediate certificates (if present), finishing with the root certificate. All values are PEM-encoded certificates.