From ec0edb60f60a97bf31d152f7b3a8462709a7dc29 Mon Sep 17 00:00:00 2001 From: Chris Morrow Date: Tue, 24 Mar 2026 01:25:52 -0400 Subject: [PATCH 1/4] Docuemntation Update: SSL Profile clarity. Clarify that the content in an SSL Profile is in no way intended to be unique or non-repeating among the various SSL Profiles configured on a particular system. --- certz/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/certz/README.md b/certz/README.md index 4781bce0..26bab1b7 100644 --- a/certz/README.md +++ b/certz/README.md @@ -45,6 +45,10 @@ which is vendor provided. This profile cannot be changed or deleted. See the the [System default SSL profile](#system-default-ssl-profile) section below. +The profiles defined may include entirely different TLS artifacts, or there may +be repeated content in the profiles. There should be no assumptions made about +the content being either unique or repetitive when setting or using the profile. + Profiles existing on a target can be discovered using the `Certz.GetProfileList()` RPC. From f56b295f3884fbf84bbd3cea7290f4939262b48c Mon Sep 17 00:00:00 2001 From: Chris Morrow Date: Tue, 24 Mar 2026 22:24:46 -0400 Subject: [PATCH 2/4] Fix lint errors. --- certz/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/certz/README.md b/certz/README.md index 26bab1b7..1584ec29 100644 --- a/certz/README.md +++ b/certz/README.md @@ -1,7 +1,7 @@ # gNSI.certz ## gNSI certz Service Protobuf Definition -**Contributors**: hines@google.com, morrowc@google.com, tmadejski@google.com +**Contributors**: , , **Last Updated**: 2023-05-31 ### Background 
@@ -40,9 +40,9 @@ Certificate Authority chain of certificates (a.k.a. a CA trust bundle) and a set of Certificate Revocation Lists into a set that then can be assigned as a whole to a gRPC service. -There is always at least one profile present on a target - the `system_default_profile` -which is vendor provided. -This profile cannot be changed or deleted. +There is always at least one profile present on a target - the +`system_default_profile` which is vendor provided. This profile cannot +be changed or deleted. See the the [System default SSL profile](#system-default-ssl-profile) section below. The profiles defined may include entirely different TLS artifacts, or there may From 52d435824f6dde32071a16aa3fe8feef0bcd70b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Mar 2026 02:18:16 +0000 Subject: [PATCH 3/4] Bump google.golang.org/grpc from 1.77.0 to 1.79.3 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.77.0 to 1.79.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.77.0...v1.79.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.79.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- go.mod | 10 +++++----- go.sum | 42 ++++++++++++++++++++++-------------------- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/go.mod b/go.mod index 68b61520..0b1ec475 100644 --- a/go.mod +++ b/go.mod 
@@ -6,14 +6,14 @@ toolchain go1.25.4 require ( github.com/openconfig/gnmi v0.14.1 - google.golang.org/grpc v1.77.0 + google.golang.org/grpc v1.79.3 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 google.golang.org/protobuf v1.36.10 ) require ( - golang.org/x/net v0.47.0 // indirect - golang.org/x/sys v0.38.0 // indirect - golang.org/x/text v0.31.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect + golang.org/x/net v0.48.0 // indirect + golang.org/x/sys v0.39.0 // indirect + golang.org/x/text v0.32.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect ) diff --git a/go.sum b/go.sum index 70de5db6..4cf068db 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 
@@ -12,28 +14,28 @@ github.com/openconfig/gnmi v0.14.1 h1:qKMuFvhIRR2/xxCOsStPQ25aKpbMDdWr3kI+nP9bhM github.com/openconfig/gnmi v0.14.1/go.mod h1:whr6zVq9PCU8mV1D0K9v7Ajd3+swoN6Yam9n8OH3eT0= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= -go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= -go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= -go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= -go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= -go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= -go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= -go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= -go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= -go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= -go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= -golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= -golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/metric v1.39.0 
h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= -google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM= -google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod 
h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA= google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= From 8a7a6d34d8ef0f0e94a508b856c351c2b144b0f0 Mon Sep 17 00:00:00 2001 From: Chris Morrow Date: Wed, 25 Mar 2026 02:43:17 +0000 Subject: [PATCH 4/4] Fix lint problems for certz/README.md --- certz/README.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/certz/README.md b/certz/README.md index 4781bce0..7f6535fd 100644 --- a/certz/README.md +++ b/certz/README.md @@ -1,7 +1,8 @@ # gNSI.certz ## gNSI certz Service Protobuf Definition -**Contributors**: hines@google.com, morrowc@google.com, tmadejski@google.com + +**Contributors**: , , **Last Updated**: 2023-05-31 ### Background @@ -27,11 +28,11 @@ a clear and direct method for installation and update. verification of function, of any of the PKI elements. The normal use-case would be to: -* send an CertificateBundle to a network system as a +- send an CertificateBundle to a network system as a `RotateCertificateRequest`. -* verify that the services which will use the new certificate bundle +- verify that the services which will use the new certificate bundle continue to operate normally. -* send a `FinalizeRequest` to finish the rotation process. +- send a `FinalizeRequest` to finish the rotation process. #### SSL profiles 
@@ -202,14 +203,14 @@ Send a `Certz.GenerateCSRRequest` to the `Certz.Rotate` endpoint, containing a `Certz.ReferenceIntegritySpec`. Using the returned `Certz.GenerateCSRResponse` and the `MBMData` within, do the following: -* Verify the `ek_leaf_cert` using the `ek_cert_chain` and your trust anchor. -* Optional: Verify that the AK matches your expectations, using the +- Verify the `ek_leaf_cert` using the `ek_cert_chain` and your trust anchor. +- Optional: Verify that the AK matches your expectations, using the `ak_creation_data` struct. -* Validate the `ak_signature` over the `ak_attestation` struct which was +- Validate the `ak_signature` over the `ak_attestation` struct which was certified by the EK, and validate its contents. This verifies the AK. -* Validate the `signature` over `quoted` by the AK. Then validate that the PCRs +- Validate the `signature` over `quoted` by the AK. Then validate that the PCRs match one of the allowed ones. -* Validate the `csr_signature` over the `certificate_signing_request` by the AK. +- Validate the `csr_signature` over the `certificate_signing_request` by the AK. This verifies the CSR. Get a new certificate issued by a trusted CA using the CSR. Then `Certz.Rotate` @@ -221,4 +222,4 @@ None to date. ## OpenConfig Data models for gNSI certz -Yang data models for certz are defined in the [OpenConfig public repository(https://github.com/openconfig/public/tree/master/release/models/gnsi)]. Documentation for OpenConfig including searchable list of paths and tree representations are at [OpenConfig.net](https://openconfig.net/projects/models/) +Yang data models for certz are defined in the [OpenConfig public repository(https://github.com/openconfig/public/tree/master/release/models/gnsi)]. Documentation for OpenConfig including searchable list of paths and tree representations are at [OpenConfig.net](https://openconfig.net/projects/models/)
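Review bot: (PATCH 1/4, certz/README.md @@ -45,6 +45,10 @@) the new paragraph tells the reader what not to assume but not what to key on; suggest adding that clients distinguish profiles by the profile identifier returned from `Certz.GetProfileList()` rather than by comparing certificate or CA-bundle contents, and stating explicitly whether setting artifacts in one profile has any effect on identical artifacts held in another, since that is the question this paragraph will raise. Also prefer active voice for the normative sentence: "Clients must not assume the content is either unique or repeated when setting or using a profile."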
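Review bot: (PATCH 2/4, certz/README.md @@ -1,7 +1,7 @@) the replacement line reads `**Contributors**: , ,` as shown here, i.e. the three addresses present in the removed line are gone. If the lint fix wrapped them in angle brackets as autolinks they may simply not survive rendering in this view, but verify the committed file still carries `hines@google.com`, `morrowc@google.com` and `tmadejski@google.com`; a lint pass should not drop content.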
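Review bot: (PATCH 2/4, certz/README.md @@ -40,9 +40,9 @@) this hunk only rewraps the `system_default_profile` sentence, but the unchanged context line immediately after it still reads "See the the [System default SSL profile]"; fix the doubled "the" while this paragraph is being touched rather than leaving it for another lint round.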
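Review bot: (PATCH 3/4, go.mod @@ -6,14 +6,14 @@) the direct `google.golang.org/grpc` bump pulls `golang.org/x/net`, `golang.org/x/sys`, `golang.org/x/text` and the `genproto/googleapis/rpc` pin along with it, and the commit body only links the release notes and compare view without saying why 1.79.3 is the target. For a dependency on the RPC path, confirm from the linked notes whether the 1.77.0..1.79.3 range carries security fixes (which would justify merging ahead of other work) and check that the `toolchain go1.25.4` line visible in context satisfies the minimum Go version the new grpc requires.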
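Review bot: (PATCH 3/4, go.sum @@ -1,3 +1,5 @@) `github.com/cespare/xxhash/v2 v2.3.0` is added to go.sum without a corresponding `// indirect` require appearing in the go.mod hunk of the same patch. That is consistent with the module sitting in the pruned module graph rather than being needed to build this module's packages, but run `go mod tidy` on the result and confirm it leaves go.mod and go.sum exactly in this state, otherwise the next tidy will churn the files again.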
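Review bot: (PATCH 3/4, go.sum @@ -12,28 +14,28 @@) two of the `/go.mod` hashes are identical before and after the bump: `golang.org/x/sys v0.38.0/go.mod` and `v0.39.0/go.mod` both carry `h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=`, and the two `genproto/googleapis/rpc` pseudo-versions share `h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=`. That is expected when a module's go.mod file is byte-identical across releases and is not a copy error, and the module zip hashes on the first line of each pair all differ as they should; nothing to change in the hunk, but have CI run `go mod verify` on this branch before merge so the checksum database is what vouches for these lines rather than the bot.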
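Review bot: (PATCH 4/4, certz/README.md @@ -1,7 +1,8 @@) this patch's index line is `4781bce0..7f6535fd`, i.e. it is built on the blob from before PATCH 1/4 rather than on `1584ec29` that PATCH 2/4 produced, and it re-applies the Contributors change PATCH 2/4 already made (now with a blank line before it). The series needs a rebase so that 4/4 sits on top of 2/4; after rebasing, confirm the paragraph added in PATCH 1/4 is still present, since a patch generated from the older base would otherwise drop it on apply.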
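Review bot: (PATCH 4/4, certz/README.md @@ -27,11 +28,11 @@) while the bullet markers on these lines are being rewritten, `send an CertificateBundle` should become `send a CertificateBundle`, and `CertificateBundle` should be in backticks like the `RotateCertificateRequest` and `FinalizeRequest` names in the same list.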
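Review bot: (PATCH 4/4, certz/README.md @@ -202,14 +203,14 @@) these five items are an ordered verification chain, not an unordered set: the EK leaf is verified against the trust anchor, the AK is then verified via the EK-certified attestation, and only then are the quote and `csr_signature` accepted on the strength of the AK. Since the hunk is already changing the list markers, consider making it a numbered list so the dependency between steps is visible to an implementer rather than implied.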
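Review bot: (PATCH 4/4, certz/README.md @@ -221,4 +222,4 @@) the only change here is the trailing newline, but the line carries a broken markdown link: `[OpenConfig public repository(https://github.com/openconfig/public/tree/master/release/models/gnsi)]` has the URL inside the brackets and will not render as a link. It should be `[OpenConfig public repository](https://github.com/openconfig/public/tree/master/release/models/gnsi)`; in the same line, `Yang` should read `YANG` and "including searchable list" should read "including a searchable list".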