feat(tls): implement TLS certificate management and rotation

2026-02-16 15:57:00 +01:00
parent 4bac70a6e9
commit 8cb6f4abe0
24 changed files with 1796 additions and 244 deletions
--- a/protobufs/arbiter.proto
+++ b/protobufs/arbiter.proto
@@ -7,23 +7,27 @@ import "auth.proto";
 message ClientRequest {
  oneof payload {
    arbiter.auth.ClientMessage auth_message = 1;
+    CertRotationAck cert_rotation_ack = 2;
  }
 }

 message ClientResponse {
  oneof payload {
    arbiter.auth.ServerMessage auth_message = 1;
+    CertRotationNotification cert_rotation_notification = 2;
  }
 }

 message UserAgentRequest {
  oneof payload {
    arbiter.auth.ClientMessage auth_message = 1;
+    CertRotationAck cert_rotation_ack = 2;
  }
 }
 message UserAgentResponse {
  oneof payload {
    arbiter.auth.ServerMessage auth_message = 1;
+    CertRotationNotification cert_rotation_notification = 2;
  }
 }

@@ -32,6 +36,32 @@ message ServerInfo {
  bytes cert_public_key = 2;
 }

+// TLS Certificate Rotation Protocol
+message CertRotationNotification {
+  // New public certificate (DER-encoded)
+  bytes new_cert = 1;
+
+  // Unix timestamp when rotation will be executed (if all ACKs received)
+  int64 rotation_scheduled_at = 2;
+
+  // Unix timestamp deadline for ACK (7 days from now)
+  int64 ack_deadline = 3;
+
+  // Rotation ID for tracking
+  int32 rotation_id = 4;
+}
+
+message CertRotationAck {
+  // Rotation ID (from CertRotationNotification)
+  int32 rotation_id = 1;
+
+  // Client public key for identification
+  bytes client_public_key = 2;
+
+  // Confirmation that client saved the new certificate
+  bool cert_saved = 3;
+}
+
 service ArbiterService {
  rpc Client(stream ClientRequest) returns (stream ClientResponse);
  rpc UserAgent(stream UserAgentRequest) returns (stream UserAgentResponse);