spiffe-workload 0.2.0

data/lib/spiffe/workload/messages.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'google/protobuf'
+require 'google/protobuf/struct_pb'
+
+# Protobuf message definitions for SPIFFE Workload API
+# These mirror the definitions in proto/spiffe/workload.proto
+
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file('spiffe/workload.proto', syntax: :proto3) do
+    # X509SVID message
+    add_message 'spiffe.workload.X509SVID' do
+      optional :spiffe_id, :string, 1
+      optional :x509_svid, :bytes, 2
+      optional :x509_svid_key, :bytes, 3
+      optional :bundle, :bytes, 4
+      optional :hint, :string, 5
+    end
+
+    # X509SVIDRequest message (empty)
+    add_message 'spiffe.workload.X509SVIDRequest' do
+    end
+
+    # X509SVIDResponse message
+    add_message 'spiffe.workload.X509SVIDResponse' do
+      repeated :svids, :message, 1, 'spiffe.workload.X509SVID'
+      repeated :crl, :bytes, 2
+      map :federated_bundles, :string, :bytes, 3
+    end
+
+    # X509BundlesRequest message (empty)
+    add_message 'spiffe.workload.X509BundlesRequest' do
+    end
+
+    # X509BundlesResponse message
+    add_message 'spiffe.workload.X509BundlesResponse' do
+      repeated :crl, :bytes, 1
+      map :bundles, :string, :bytes, 2
+    end
+
+    # JWTSVID message
+    add_message 'spiffe.workload.JWTSVID' do
+      optional :spiffe_id, :string, 1
+      optional :svid, :string, 2
+      optional :hint, :string, 3
+    end
+
+    # JWTSVIDRequest message
+    add_message 'spiffe.workload.JWTSVIDRequest' do
+      repeated :audience, :string, 1
+      optional :spiffe_id, :string, 2
+    end
+
+    # JWTSVIDResponse message
+    add_message 'spiffe.workload.JWTSVIDResponse' do
+      repeated :svids, :message, 1, 'spiffe.workload.JWTSVID'
+    end
+
+    # JWTBundlesRequest message (empty)
+    add_message 'spiffe.workload.JWTBundlesRequest' do
+    end
+
+    # JWTBundlesResponse message
+    add_message 'spiffe.workload.JWTBundlesResponse' do
+      map :bundles, :string, :bytes, 1
+    end
+
+    # ValidateJWTSVIDRequest message
+    add_message 'spiffe.workload.ValidateJWTSVIDRequest' do
+      optional :audience, :string, 1
+      optional :svid, :string, 2
+    end
+
+    # ValidateJWTSVIDResponse message
+    add_message 'spiffe.workload.ValidateJWTSVIDResponse' do
+      optional :spiffe_id, :string, 1
+      optional :claims, :message, 2, 'google.protobuf.Struct'
+    end
+  end
+end
+
+module Spiffe
+  module Workload
+    # Load message classes
+    X509SVIDProto = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.X509SVID').msgclass
+    X509SVIDRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.X509SVIDRequest').msgclass
+    X509SVIDResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.X509SVIDResponse').msgclass
+    
+    X509BundlesRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.X509BundlesRequest').msgclass
+    X509BundlesResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.X509BundlesResponse').msgclass
+    
+    JWTSVIDProto = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.JWTSVID').msgclass
+    JWTSVIDRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.JWTSVIDRequest').msgclass
+    JWTSVIDResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.JWTSVIDResponse').msgclass
+    
+    JWTBundlesRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.JWTBundlesRequest').msgclass
+    JWTBundlesResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.JWTBundlesResponse').msgclass
+    
+    ValidateJWTSVIDRequest = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.ValidateJWTSVIDRequest').msgclass
+    ValidateJWTSVIDResponse = Google::Protobuf::DescriptorPool.generated_pool.lookup('spiffe.workload.ValidateJWTSVIDResponse').msgclass
+  end
+end

data/lib/spiffe/workload/proto_helper.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+# This file provides proto generation instructions
+# Run `rake generate_protos` to generate proper gRPC stubs
+
+# The generate_protos task will:
+# 1. Use grpc-tools-ruby-protoc to compile proto/spiffe/workload.proto
+# 2. Generate workload_pb.rb and workload_services_pb.rb
+# 3. Place them in lib/spiffe/workload/
+#
+# After generation, update client.rb to use:
+#   require 'spiffe/workload/workload_pb'
+#   require 'spiffe/workload/workload_services_pb'
+#
+# And replace grpc_stub.rb with the generated service stub
+
+module Spiffe
+  module Workload
+    module ProtoHelper
+      PROTO_PATH = File.expand_path('../../../proto/spiffe/workload.proto', __dir__)
+      
+      def self.generate_instructions
+        <<~INSTRUCTIONS
+          To generate Ruby gRPC stubs from proto files:
+          
+          1. Install grpc-tools:
+             gem install grpc-tools
+          
+          2. Generate the stubs:
+             rake generate_protos
+          
+          Or manually:
+             grpc_tools_ruby_protoc \\
+               -I proto \\
+               --ruby_out=lib \\
+               --grpc_out=lib \\
+               proto/spiffe/workload.proto
+          
+          This will create:
+             - lib/spiffe/workload_pb.rb (message definitions)
+             - lib/spiffe/workload_services_pb.rb (gRPC service client)
+        INSTRUCTIONS
+      end
+    end
+  end
+end

data/lib/spiffe/workload/service.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'grpc'
+require_relative 'messages'
+
+module Spiffe
+  module Workload
+    # gRPC service definition for SPIFFE Workload API
+    module SpiffeWorkloadAPI
+      class Service
+        include GRPC::GenericService
+
+        self.marshal_class_method = :encode
+        self.unmarshal_class_method = :decode
+        self.service_name = 'SpiffeWorkloadAPI'
+
+        # FetchX509SVID - streaming server RPC  
+        rpc :FetchX509SVID, X509SVIDRequest, stream(X509SVIDResponse)
+        
+        # FetchX509Bundles - streaming server RPC
+        rpc :FetchX509Bundles, X509BundlesRequest, stream(X509BundlesResponse)
+        
+        # FetchJWTSVID - unary RPC
+        rpc :FetchJWTSVID, JWTSVIDRequest, JWTSVIDResponse
+        
+        # FetchJWTBundles - streaming server RPC
+        rpc :FetchJWTBundles, JWTBundlesRequest, stream(JWTBundlesResponse)
+        
+        # ValidateJWTSVID - unary RPC
+        rpc :ValidateJWTSVID, ValidateJWTSVIDRequest, ValidateJWTSVIDResponse
+      end
+
+      Stub = Service.rpc_stub_class
+    end
+  end
+end

data/lib/spiffe/workload/tls_config.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Spiffe
+  module Workload
+    # TLS configuration helper for SPIFFE
+    class TLSConfig
+      # Create an SSL context from an X.509 SVID
+      # @param svid [X509SVID] The SVID to use
+      # @param verify_mode [Integer] OpenSSL verify mode
+      # @return [OpenSSL::SSL::SSLContext]
+      def self.create_context(svid, verify_mode: OpenSSL::SSL::VERIFY_PEER)
+        context = OpenSSL::SSL::SSLContext.new
+        context.cert = svid.leaf_certificate
+        context.key = svid.private_key
+        context.extra_chain_cert = svid.cert_chain[1..-1] if svid.cert_chain.length > 1
+        context.cert_store = svid.trust_bundle
+        context.verify_mode = verify_mode
+        context.min_version = OpenSSL::SSL::TLS1_2_VERSION
+        context
+      end
+
+      # Create an SSL context that automatically updates with SVID rotation
+      # @param client [Client] The workload API client
+      # @param verify_mode [Integer] OpenSSL verify mode
+      # @return [OpenSSL::SSL::SSLContext]
+      def self.create_auto_updating_context(client, verify_mode: OpenSSL::SSL::VERIFY_PEER)
+        context = create_context(client.x509_svid, verify_mode: verify_mode)
+        
+        # Register callback to update context on rotation
+        client.on_x509_svid_update do |new_svid|
+          context.cert = new_svid.leaf_certificate
+          context.key = new_svid.private_key
+          context.extra_chain_cert = new_svid.cert_chain[1..-1] if new_svid.cert_chain.length > 1
+          context.cert_store = new_svid.trust_bundle
+        end
+        
+        context
+      end
+    end
+  end
+end

data/lib/spiffe/workload/x509_svid.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Spiffe
+  module Workload
+    # Represents an X.509 SVID with certificate chain, private key, and trust bundle
+    class X509SVIDWrapper
+      attr_reader :spiffe_id, :cert_chain, :private_key, :trust_bundle, :hint
+
+      # @param spiffe_id [String] The SPIFFE ID of this SVID
+      # @param cert_chain [Array<OpenSSL::X509::Certificate>] Certificate chain
+      # @param private_key [OpenSSL::PKey::RSA, OpenSSL::PKey::EC] Private key
+      # @param trust_bundle [OpenSSL::X509::Store] Trust bundle for the trust domain
+      # @param hint [String, nil] Optional hint for SVID usage
+      def initialize(spiffe_id:, cert_chain:, private_key:, trust_bundle:, hint: nil)
+        @spiffe_id = spiffe_id
+        @cert_chain = cert_chain
+        @private_key = private_key
+        @trust_bundle = trust_bundle
+        @hint = hint
+      end
+
+      # Get the leaf certificate (first in chain)
+      # @return [OpenSSL::X509::Certificate]
+      def leaf_certificate
+        @cert_chain.first
+      end
+
+      # Check if the SVID is expired
+      # @return [Boolean]
+      def expired?
+        leaf_certificate.not_after < Time.now
+      end
+
+      # Get time until expiration
+      # @return [Float] Seconds until expiration
+      def ttl
+        leaf_certificate.not_after - Time.now
+      end
+
+      # Parse X.509 SVID from proto response
+      # @param proto_svid [Spiffe::Workload::X509SVIDProto] Proto message
+      # @return [X509SVID]
+      def self.from_proto(proto_svid)
+        # Parse certificate chain
+        cert_chain = []
+        cert_data = proto_svid.x509_svid
+        
+        # The cert data may contain multiple certificates
+        # We need to extract all of them
+        offset = 0
+        while offset < cert_data.bytesize
+          begin
+            cert = OpenSSL::X509::Certificate.new(cert_data[offset..-1])
+            cert_chain << cert
+            # Move offset forward by the size of the DER-encoded cert
+            offset += cert.to_der.bytesize
+          rescue OpenSSL::X509::CertificateError
+            break
+          end
+        end
+
+        # Parse private key (PKCS#8 unencrypted)
+        private_key = OpenSSL::PKey.read(proto_svid.x509_svid_key)
+
+        # Parse trust bundle
+        trust_bundle = OpenSSL::X509::Store.new
+        bundle_data = proto_svid.bundle
+        
+        # Parse all certificates in the bundle
+        offset = 0
+        while offset < bundle_data.bytesize
+          begin
+            ca_cert = OpenSSL::X509::Certificate.new(bundle_data[offset..-1])
+            trust_bundle.add_cert(ca_cert)
+            offset += ca_cert.to_der.bytesize
+          rescue OpenSSL::X509::CertificateError
+            break
+          end
+        end
+
+        new(
+          spiffe_id: proto_svid.spiffe_id,
+          cert_chain: cert_chain,
+          private_key: private_key,
+          trust_bundle: trust_bundle,
+          hint: proto_svid.hint.empty? ? nil : proto_svid.hint
+        )
+      end
+    end
+  end
+end

data/lib/spiffe/workload_pb.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: spiffe/workload.proto
+
+require 'google/protobuf'
+
+require 'google/protobuf/struct_pb'
+
+
+descriptor_data = "\n\x15spiffe/workload.proto\x12\x0fspiffe.workload\x1a\x1cgoogle/protobuf/struct.proto\"\x11\n\x0fX509SVIDRequest\"\xd6\x01\n\x10X509SVIDResponse\x12(\n\x05svids\x18\x01 \x03(\x0b\x32\x19.spiffe.workload.X509SVID\x12\x0b\n\x03\x63rl\x18\x02 \x03(\x0c\x12R\n\x11\x66\x65\x64\x65rated_bundles\x18\x03 \x03(\x0b\x32\x37.spiffe.workload.X509SVIDResponse.FederatedBundlesEntry\x1a\x37\n\x15\x46\x65\x64\x65ratedBundlesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"e\n\x08X509SVID\x12\x11\n\tspiffe_id\x18\x01 \x01(\t\x12\x11\n\tx509_svid\x18\x02 \x01(\x0c\x12\x15\n\rx509_svid_key\x18\x03 \x01(\x0c\x12\x0e\n\x06\x62undle\x18\x04 \x01(\x0c\x12\x0c\n\x04hint\x18\x05 \x01(\t\"\x14\n\x12X509BundlesRequest\"\x96\x01\n\x13X509BundlesResponse\x12\x0b\n\x03\x63rl\x18\x01 \x03(\x0c\x12\x42\n\x07\x62undles\x18\x02 \x03(\x0b\x32\x31.spiffe.workload.X509BundlesResponse.BundlesEntry\x1a.\n\x0c\x42undlesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"5\n\x0eJWTSVIDRequest\x12\x10\n\x08\x61udience\x18\x01 \x03(\t\x12\x11\n\tspiffe_id\x18\x02 \x01(\t\":\n\x0fJWTSVIDResponse\x12\'\n\x05svids\x18\x01 \x03(\x0b\x32\x18.spiffe.workload.JWTSVID\"8\n\x07JWTSVID\x12\x11\n\tspiffe_id\x18\x01 \x01(\t\x12\x0c\n\x04svid\x18\x02 \x01(\t\x12\x0c\n\x04hint\x18\x03 \x01(\t\"\x13\n\x11JWTBundlesRequest\"\x87\x01\n\x12JWTBundlesResponse\x12\x41\n\x07\x62undles\x18\x01 \x03(\x0b\x32\x30.spiffe.workload.JWTBundlesResponse.BundlesEntry\x1a.\n\x0c\x42undlesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"8\n\x16ValidateJWTSVIDRequest\x12\x10\n\x08\x61udience\x18\x01 \x01(\t\x12\x0c\n\x04svid\x18\x02 \x01(\t\"U\n\x17ValidateJWTSVIDResponse\x12\x11\n\tspiffe_id\x18\x01 \x01(\t\x12\'\n\x06\x63laims\x18\x02 \x01(\x0b\x32\x17.google.protobuf.Struct2\xe3\x03\n\x11SpiffeWorkloadAPI\x12V\n\rFetchX509SVID\x12 .spiffe.workload.X509SVIDRequest\x1a!.spiffe.workload.X509SVIDResponse0\x01\x12_\n\x10\x46\x65tchX509Bundles\x12#.spiffe.workload.X509BundlesRequest\x1a$.spiffe.workload.X509BundlesResponse0\x01\x12Q\n\x0c\x46\x65tchJWTSVID\x12\x1f.spiffe.workload.JWTSVIDRequest\x1a .spiffe.workload.JWTSVIDResponse\x12\\\n\x0f\x46\x65tchJWTBundles\x12\".spiffe.workload.JWTBundlesRequest\x1a#.spiffe.workload.JWTBundlesResponse0\x01\x12\x64\n\x0fValidateJWTSVID\x12\'.spiffe.workload.ValidateJWTSVIDRequest\x1a(.spiffe.workload.ValidateJWTSVIDResponseB?Z=github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workloadb\x06proto3"
+
+pool = ::Google::Protobuf::DescriptorPool.generated_pool
+pool.add_serialized_file(descriptor_data)
+
+module Spiffe
+  module Workload
+    X509SVIDRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.X509SVIDRequest").msgclass
+    X509SVIDResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.X509SVIDResponse").msgclass
+    X509SVID = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.X509SVID").msgclass
+    X509BundlesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.X509BundlesRequest").msgclass
+    X509BundlesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.X509BundlesResponse").msgclass
+    JWTSVIDRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.JWTSVIDRequest").msgclass
+    JWTSVIDResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.JWTSVIDResponse").msgclass
+    JWTSVID = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.JWTSVID").msgclass
+    JWTBundlesRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.JWTBundlesRequest").msgclass
+    JWTBundlesResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.JWTBundlesResponse").msgclass
+    ValidateJWTSVIDRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.ValidateJWTSVIDRequest").msgclass
+    ValidateJWTSVIDResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("spiffe.workload.ValidateJWTSVIDResponse").msgclass
+  end
+end

data/lib/spiffe/workload_services_pb.rb

@@ -0,0 +1,51 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# Source: spiffe/workload.proto for package 'spiffe.workload'
+
+require 'grpc'
+require 'spiffe/workload_pb'
+
+module Spiffe
+  module Workload
+    module SpiffeWorkloadAPI
+      class Service
+
+        include ::GRPC::GenericService
+
+        self.marshal_class_method = :encode
+        self.unmarshal_class_method = :decode
+        self.service_name = 'SpiffeWorkloadAPI'
+
+        # Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to,
+        # as well as related information like trust bundles and CRLs. As this
+        # information changes, subsequent messages will be streamed from the
+        # server.
+        rpc :FetchX509SVID, ::Spiffe::Workload::X509SVIDRequest, stream(::Spiffe::Workload::X509SVIDResponse)
+        # Fetch trust bundles and CRLs. Useful for clients that only need to
+        # validate SVIDs without obtaining an SVID for themself. As this
+        # information changes, subsequent messages will be streamed from the
+        # server.
+        rpc :FetchX509Bundles, ::Spiffe::Workload::X509BundlesRequest, stream(::Spiffe::Workload::X509BundlesResponse)
+        # ///////////////////////////////////////////////////////////////////////
+        # JWT-SVID Profile
+        # ///////////////////////////////////////////////////////////////////////
+        #
+        # Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to,
+        # for the requested audience. If an optional SPIFFE ID is requested, only
+        # the JWT-SVID for that SPIFFE ID is returned.
+        rpc :FetchJWTSVID, ::Spiffe::Workload::JWTSVIDRequest, ::Spiffe::Workload::JWTSVIDResponse
+        # Fetches the JWT bundles, formatted as JWKS documents, keyed by the
+        # SPIFFE ID of the trust domain. As this information changes, subsequent
+        # messages will be streamed from the server.
+        rpc :FetchJWTBundles, ::Spiffe::Workload::JWTBundlesRequest, stream(::Spiffe::Workload::JWTBundlesResponse)
+        # Validates a JWT-SVID against the requested audience. Returns the SPIFFE
+        # ID of the JWT-SVID and JWT claims.
+        rpc :ValidateJWTSVID, ::Spiffe::Workload::ValidateJWTSVIDRequest, ::Spiffe::Workload::ValidateJWTSVIDResponse
+      end
+
+      Stub = Service.rpc_stub_class
+    end
+    # ///////////////////////////////////////////////////////////////////////
+    # X509-SVID Profile
+    # ///////////////////////////////////////////////////////////////////////
+  end
+end

data/lib/spiffe.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative 'spiffe/version'
+require_relative 'spiffe/workload/client'
+require_relative 'spiffe/workload/x509_svid'
+require_relative 'spiffe/workload/jwt_svid'
+require_relative 'spiffe/workload/tls_config'
+require_relative 'spiffe/workload/http_client'
+
+module Spiffe
+  class Error < StandardError; end
+  class SocketError < Error; end
+  class AuthenticationError < Error; end
+  class RotationError < Error; end
+
+  # Convenience method to create a new Workload API client
+  # @param socket_path [String, nil] Optional socket path
+  # @return [Workload::Client]
+  def self.workload_api_client(socket_path: nil)
+    Workload::Client.new(socket_path: socket_path)
+  end
+end

data/proto/spiffe/workload.proto

@@ -0,0 +1,168 @@
+syntax = "proto3";
+
+package spiffe.workload;
+
+import "google/protobuf/struct.proto";
+
+service SpiffeWorkloadAPI {
+    /////////////////////////////////////////////////////////////////////////
+    // X509-SVID Profile
+    /////////////////////////////////////////////////////////////////////////
+
+    // Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to,
+    // as well as related information like trust bundles and CRLs. As this
+    // information changes, subsequent messages will be streamed from the
+    // server.
+    rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
+
+    // Fetch trust bundles and CRLs. Useful for clients that only need to
+    // validate SVIDs without obtaining an SVID for themself. As this
+    // information changes, subsequent messages will be streamed from the
+    // server.
+    rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
+
+    /////////////////////////////////////////////////////////////////////////
+    // JWT-SVID Profile
+    /////////////////////////////////////////////////////////////////////////
+
+    // Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to,
+    // for the requested audience. If an optional SPIFFE ID is requested, only
+    // the JWT-SVID for that SPIFFE ID is returned.
+    rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse);
+
+    // Fetches the JWT bundles, formatted as JWKS documents, keyed by the
+    // SPIFFE ID of the trust domain. As this information changes, subsequent
+    // messages will be streamed from the server.
+    rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse);
+
+    // Validates a JWT-SVID against the requested audience. Returns the SPIFFE
+    // ID of the JWT-SVID and JWT claims.
+    rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse);
+}
+
+// The X509SVIDRequest message conveys parameters for requesting an X.509-SVID.
+// There are currently no request parameters.
+message X509SVIDRequest {  }
+
+// The X509SVIDResponse message carries X.509-SVIDs and related information,
+// including a set of global CRLs and a list of bundles the workload may use
+// for federating with foreign trust domains.
+message X509SVIDResponse {
+    // Required. A list of X509SVID messages, each of which includes a single
+    // X.509-SVID, its private key, and the bundle for the trust domain.
+    repeated X509SVID svids = 1;
+
+    // Optional. ASN.1 DER encoded certificate revocation lists.
+    repeated bytes crl = 2;
+
+    // Optional. CA certificate bundles belonging to foreign trust domains that
+    // the workload should trust, keyed by the SPIFFE ID of the foreign trust
+    // domain. Bundles are ASN.1 DER encoded.
+    map<string, bytes> federated_bundles = 3;
+}
+
+// The X509SVID message carries a single SVID and all associated information,
+// including the X.509 bundle for the trust domain.
+message X509SVID {
+    // Required. The SPIFFE ID of the SVID in this entry
+    string spiffe_id = 1;
+
+    // Required. ASN.1 DER encoded certificate chain. MAY include
+    // intermediates, the leaf certificate (or SVID itself) MUST come first.
+    bytes x509_svid = 2;
+
+    // Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
+    bytes x509_svid_key = 3;
+
+    // Required. ASN.1 DER encoded X.509 bundle for the trust domain.
+    bytes bundle = 4;
+
+    // Optional. An operator-specified string used to provide guidance on how this
+    // identity should be used by a workload when more than one SVID is returned.
+    // For example, `internal` and `external` to indicate an SVID for internal or
+    // external use, respectively.
+    string hint = 5;
+}
+
+// The X509BundlesRequest message conveys parameters for requesting X.509
+// bundles. There are currently no such parameters.
+message X509BundlesRequest {
+}
+
+// The X509BundlesResponse message carries a set of global CRLs and a map of
+// trust bundles the workload should trust.
+message X509BundlesResponse {
+    // Optional. ASN.1 DER encoded certificate revocation lists.
+    repeated bytes crl = 1;
+
+    // Required. CA certificate bundles belonging to trust domains that the
+    // workload should trust, keyed by the SPIFFE ID of the trust domain.
+    // Bundles are ASN.1 DER encoded.
+    map<string, bytes> bundles = 2;
+}
+
+message JWTSVIDRequest {
+    // Required. The audience(s) the workload intends to authenticate against.
+    repeated string audience = 1;
+
+    // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all
+    // JWT-SVIDs to which the workload is entitled are requested.
+    string spiffe_id = 2;
+}
+
+// The JWTSVIDResponse message conveys JWT-SVIDs.
+message JWTSVIDResponse {
+    // Required. The list of returned JWT-SVIDs.
+    repeated JWTSVID svids = 1;
+}
+
+// The JWTSVID message carries the JWT-SVID token and associated metadata.
+message JWTSVID {
+    // Required. The SPIFFE ID of the JWT-SVID.
+    string spiffe_id = 1;
+
+    // Required. Encoded JWT using JWS Compact Serialization.
+    string svid = 2;
+
+    // Optional. An operator-specified string used to provide guidance on how this
+    // identity should be used by a workload when more than one SVID is returned.
+    // For example, `internal` and `external` to indicate an SVID for internal or
+    // external use, respectively.
+    string hint = 3;
+}
+
+// The JWTBundlesRequest message conveys parameters for requesting JWT bundles.
+// There are currently no such parameters.
+message JWTBundlesRequest { }
+
+// The JWTBundlesReponse conveys JWT bundles.
+message JWTBundlesResponse {
+    // Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust
+    // domain.
+    map<string, bytes> bundles = 1;
+}
+
+// The ValidateJWTSVIDRequest message conveys request parameters for
+// JWT-SVID validation.
+message ValidateJWTSVIDRequest {
+    // Required. The audience of the validating party. The JWT-SVID must
+    // contain an audience claim which contains this value in order to
+    // succesfully validate.
+    string audience = 1;
+
+    // Required. The JWT-SVID to validate, encoded using JWS Compact
+    // Serialization.
+    string svid = 2;
+}
+
+// The ValidateJWTSVIDReponse message conveys the JWT-SVID validation results.
+message ValidateJWTSVIDResponse {
+    // Required. The SPIFFE ID of the validated JWT-SVID.
+    string spiffe_id = 1;
+
+    // Optional. Arbitrary claims contained within the payload of the validated
+    // JWT-SVID.
+    google.protobuf.Struct claims = 2;
+}
+
+option go_package = "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workload";