[pa] add protos / stub for EndorseCerts RPC

This adds protos and a function stub for the `EndorseCerts` RPC call which the PA must implement to support OpenTitan A1 provisioning flows. Signed-off-by: Tim Trippel <ttrippel@google.com>
lowRISC · Sep 27, 2024 · 76ec561 · 76ec561
1 parent 6e18294
commit 76ec561
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/src/pa/proto/pa.proto b/src/pa/proto/pa.proto
@@ -20,9 +20,28 @@ service ProvisioningApplianceService {
   rpc CloseSession(CloseSessionRequest)
     returns (CloseSessionResponse) {}
   rpc CreateKeyAndCert(CreateKeyAndCertRequest)
-      returns (CreateKeyAndCertResponse) {}
+    returns (CreateKeyAndCertResponse) {}
+  rpc EndorseCerts(EndorseCertsRequest)
+    returns (EndorseCertsResponse) {}
   rpc SendDeviceRegistrationPayload(RegistrationRequest)
-      returns (RegistrationResponse) {}
+    returns (RegistrationResponse) {}
+}
+
+// Endorse certs request.
+message EndorseCertsRequest {
+  // SKU identifier. Required.
+  string sku = 1;
+  // (Per SKU) Serial number of CA that should endorse these certificates.
+  // Required. Size enforced by SKU implementation.
+  bytes ca_serial_number = 2;
+  // Array of TBS certificates to be endorsed.
+  repeated crypto.cert.Certificate certs = 3;
+}
+
+// Endorse certs response.
+message EndorseCertsResponse {
+  // Array of complete (endorsed) certificates to be installed in a device.
+  repeated crypto.cert.Certificate certs = 1;
 }
 
 // Create key and endorsement certificates request.

diff --git a/src/pa/services/pa.go b/src/pa/services/pa.go
@@ -100,6 +100,14 @@ func (s *server) CreateKeyAndCert(ctx context.Context, request *pbp.CreateKeyAnd
 	return r, nil
 }
 
+// EndorseCerts endorses a set of TBS certificates and returns them.
+func (s *server) EndorseCerts(ctx context.Context, request *pbp.EndorseCertsRequest) (*pbp.EndorseCertsResponse, error) {
+	log.Printf("In PA - Recieved EndorseCerts request with Sku=%s", request.Sku)
+
+	// TODO(#4) implement backend operations.
+	return nil, nil
+}
+
 // SendDeviceRegistrationPayload registers a new device record to the local MySql DB.
 func (s *server) SendDeviceRegistrationPayload(ctx context.Context, request *pbp.RegistrationRequest) (*pbp.RegistrationResponse, error) {
 	log.Printf("In PA - Received SendDeviceRegistrationPayload request with DeviceID: %v", request.DeviceRecord.Id)

diff --git a/src/proto/crypto/cert.proto b/src/proto/crypto/cert.proto
@@ -27,7 +27,8 @@ message CertParams {
 
 // A Certificate.
 message Certificate {
-  // Opaque bytes.
+  // Opaque bytes that may be used to represent a complete certificate, or only
+  // the TBS (To Be Signed) portion.
   //
   // Protobuf knows nothing about internal structure of this blob;
   // that's handled at a higher level, not by protobuf.