From f6af4bcf4c8e01c6659d601632489f483414ab12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauricio=20V=C3=A1squez?=
Date: Mon, 31 May 2021 14:12:18 -0500
Subject: [PATCH] proto/agent: add privileged API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add proto definitios for new privileged API. This API includes (for now) the FetchX509SVIDBySelectors that allows a privileged client to get the X509-SVID of a given workload by passing a set of selectors. X509-SVID for registration entries matching *all* the passed selectors are returned.

Signed-off-by: Mauricio Vásquez
---
 Makefile | 1 +
 .../api/agent/privileged/v1/privileged.pb.go | 390 ++++++++++++++++++
 .../api/agent/privileged/v1/privileged.proto | 53 +++
 .../agent/privileged/v1/privileged_grpc.pb.go | 130 ++++++
 4 files changed, 574 insertions(+)
 create mode 100644 proto/spire/api/agent/privileged/v1/privileged.pb.go
 create mode 100644 proto/spire/api/agent/privileged/v1/privileged.proto
 create mode 100644 proto/spire/api/agent/privileged/v1/privileged_grpc.pb.go

diff --git a/Makefile b/Makefile
index f79a383..de08b4b 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,7 @@ protos := \
 apiprotos := \
 proto/spire/api/agent/debug/v1/debug.proto \
+ proto/spire/api/agent/privileged/v1/privileged.proto \
 proto/spire/api/server/agent/v1/agent.proto \
 proto/spire/api/server/bundle/v1/bundle.proto \
 proto/spire/api/server/debug/v1/debug.proto \
diff --git a/proto/spire/api/agent/privileged/v1/privileged.pb.go b/proto/spire/api/agent/privileged/v1/privileged.pb.go
new file mode 100644
index 0000000..ff62afa
--- /dev/null
+++ b/proto/spire/api/agent/privileged/v1/privileged.pb.go
@@ -0,0 +1,390 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.14.0 +// source: spire/api/agent/privileged/v1/privileged.proto + +package privilegedv1 + +import ( + proto "github.com/golang/protobuf/proto" + types "github.com/spiffe/spire-api-sdk/proto/spire/api/types" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +type FetchX509SVIDBySelectorsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Selectors []*types.Selector `protobuf:"bytes,1,rep,name=selectors,proto3" json:"selectors,omitempty"` +} + +func (x *FetchX509SVIDBySelectorsRequest) Reset() { + *x = FetchX509SVIDBySelectorsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *FetchX509SVIDBySelectorsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*FetchX509SVIDBySelectorsRequest) ProtoMessage() {} + +func (x *FetchX509SVIDBySelectorsRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + 
+// Deprecated: Use FetchX509SVIDBySelectorsRequest.ProtoReflect.Descriptor instead. +func (*FetchX509SVIDBySelectorsRequest) Descriptor() ([]byte, []int) { + return file_spire_api_agent_privileged_v1_privileged_proto_rawDescGZIP(), []int{0} +} + +func (x *FetchX509SVIDBySelectorsRequest) GetSelectors() []*types.Selector { + if x != nil { + return x.Selectors + } + return nil +} + +// The FetchX509SVIDBySelectorsResponse message carries a set of X.509 SVIDs and +// their associated information. It also carries a set of global CRLs, and a TTL +// to inform the workload when it should check back next. +type FetchX509SVIDBySelectorsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // A list of X509SVID messages, each of which includes a single + // SPIFFE Verifiable Identity Document, along with its private key + // and bundle. + Svids []*X509SVID `protobuf:"bytes,1,rep,name=svids,proto3" json:"svids,omitempty"` + // ASN.1 DER encoded + Crl [][]byte `protobuf:"bytes,2,rep,name=crl,proto3" json:"crl,omitempty"` + // CA certificate bundles belonging to foreign Trust Domains that the + // workload should trust, keyed by the SPIFFE ID of the foreign + // domain. Bundles are ASN.1 DER encoded. 
+ FederatedBundles map[string][]byte `protobuf:"bytes,3,rep,name=federated_bundles,json=federatedBundles,proto3" json:"federated_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *FetchX509SVIDBySelectorsResponse) Reset() { + *x = FetchX509SVIDBySelectorsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *FetchX509SVIDBySelectorsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*FetchX509SVIDBySelectorsResponse) ProtoMessage() {} + +func (x *FetchX509SVIDBySelectorsResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use FetchX509SVIDBySelectorsResponse.ProtoReflect.Descriptor instead. +func (*FetchX509SVIDBySelectorsResponse) Descriptor() ([]byte, []int) { + return file_spire_api_agent_privileged_v1_privileged_proto_rawDescGZIP(), []int{1} +} + +func (x *FetchX509SVIDBySelectorsResponse) GetSvids() []*X509SVID { + if x != nil { + return x.Svids + } + return nil +} + +func (x *FetchX509SVIDBySelectorsResponse) GetCrl() [][]byte { + if x != nil { + return x.Crl + } + return nil +} + +func (x *FetchX509SVIDBySelectorsResponse) GetFederatedBundles() map[string][]byte { + if x != nil { + return x.FederatedBundles + } + return nil +} + +// The X509SVID message carries a single SVID and all associated +// information, including CA bundles. 
+type X509SVID struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The SPIFFE ID of the SVID in this entry + Id *types.SPIFFEID `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // ASN.1 DER encoded certificate chain. MAY include intermediates, + // the leaf certificate (or SVID itself) MUST come first. + X509Svid []byte `protobuf:"bytes,2,opt,name=x509_svid,json=x509Svid,proto3" json:"x509_svid,omitempty"` + // ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted. + X509SvidKey []byte `protobuf:"bytes,3,opt,name=x509_svid_key,json=x509SvidKey,proto3" json:"x509_svid_key,omitempty"` + // CA certificates belonging to the Trust Domain + // ASN.1 DER encoded + Bundle []byte `protobuf:"bytes,4,opt,name=bundle,proto3" json:"bundle,omitempty"` +} + +func (x *X509SVID) Reset() { + *x = X509SVID{} + if protoimpl.UnsafeEnabled { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *X509SVID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*X509SVID) ProtoMessage() {} + +func (x *X509SVID) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use X509SVID.ProtoReflect.Descriptor instead. 
+func (*X509SVID) Descriptor() ([]byte, []int) { + return file_spire_api_agent_privileged_v1_privileged_proto_rawDescGZIP(), []int{2} +} + +func (x *X509SVID) GetId() *types.SPIFFEID { + if x != nil { + return x.Id + } + return nil +} + +func (x *X509SVID) GetX509Svid() []byte { + if x != nil { + return x.X509Svid + } + return nil +} + +func (x *X509SVID) GetX509SvidKey() []byte { + if x != nil { + return x.X509SvidKey + } + return nil +} + +func (x *X509SVID) GetBundle() []byte { + if x != nil { + return x.Bundle + } + return nil +} + +var File_spire_api_agent_privileged_v1_privileged_proto protoreflect.FileDescriptor + +var file_spire_api_agent_privileged_v1_privileged_proto_rawDesc = []byte{ + 0x0a, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x67, 0x65, 0x6e, + 0x74, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2f, 0x76, 0x31, 0x2f, + 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x12, 0x1d, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, + 0x74, 0x2e, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x76, 0x31, 0x1a, + 0x1e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, + 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, + 0x1e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, + 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x69, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, + 0x5a, 0x0a, 0x1f, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, + 0x42, 0x79, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x12, 0x37, 0x0a, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, + 0x69, 0x2e, 0x74, 
0x79, 0x70, 0x65, 0x73, 0x2e, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x52, 0x09, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x22, 0xbd, 0x02, 0x0a, 0x20, + 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x42, 0x79, 0x53, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x3d, 0x0a, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x27, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, + 0x74, 0x2e, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x76, 0x31, 0x2e, + 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x52, 0x05, 0x73, 0x76, 0x69, 0x64, 0x73, 0x12, + 0x10, 0x0a, 0x03, 0x63, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x03, 0x63, 0x72, + 0x6c, 0x12, 0x82, 0x01, 0x0a, 0x11, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x5f, + 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x55, 0x2e, + 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, + 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x46, 0x65, + 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x42, 0x79, 0x53, 0x65, 0x6c, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x46, + 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x52, 0x10, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x42, + 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x1a, 0x43, 0x0a, 0x15, 0x46, 0x65, 0x64, 0x65, 0x72, 0x61, + 0x74, 0x65, 0x64, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, + 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 
0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x8e, 0x01, 0x0a, 0x08, + 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x12, 0x29, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2e, 0x61, 0x70, 0x69, + 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x49, 0x44, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, 0x64, + 0x12, 0x22, 0x0a, 0x0d, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x73, 0x76, 0x69, 0x64, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x78, 0x35, 0x30, 0x39, 0x53, 0x76, 0x69, + 0x64, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x32, 0xac, 0x01, 0x0a, + 0x0a, 0x50, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x12, 0x9d, 0x01, 0x0a, 0x18, + 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x42, 0x79, 0x53, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x12, 0x3e, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x70, 0x72, 0x69, 0x76, 0x69, + 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, + 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x42, 0x79, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3f, 0x2e, 0x73, 0x70, 0x69, 0x72, 0x65, + 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2e, 0x70, 0x72, 0x69, 0x76, 0x69, + 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x46, 0x65, 0x74, 0x63, 0x68, 0x58, 0x35, + 0x30, 0x39, 0x53, 0x56, 0x49, 0x44, 0x42, 0x79, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 
0x72, + 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x30, 0x01, 0x42, 0x52, 0x5a, 0x50, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, + 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2d, 0x61, 0x70, 0x69, 0x2d, 0x73, 0x64, 0x6b, 0x2f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x73, 0x70, 0x69, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, + 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x2f, + 0x76, 0x31, 0x3b, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x76, 0x31, 0x62, + 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_spire_api_agent_privileged_v1_privileged_proto_rawDescOnce sync.Once + file_spire_api_agent_privileged_v1_privileged_proto_rawDescData = file_spire_api_agent_privileged_v1_privileged_proto_rawDesc +) + +func file_spire_api_agent_privileged_v1_privileged_proto_rawDescGZIP() []byte { + file_spire_api_agent_privileged_v1_privileged_proto_rawDescOnce.Do(func() { + file_spire_api_agent_privileged_v1_privileged_proto_rawDescData = protoimpl.X.CompressGZIP(file_spire_api_agent_privileged_v1_privileged_proto_rawDescData) + }) + return file_spire_api_agent_privileged_v1_privileged_proto_rawDescData +} + +var file_spire_api_agent_privileged_v1_privileged_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_spire_api_agent_privileged_v1_privileged_proto_goTypes = []interface{}{ + (*FetchX509SVIDBySelectorsRequest)(nil), // 0: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsRequest + (*FetchX509SVIDBySelectorsResponse)(nil), // 1: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse + (*X509SVID)(nil), // 2: spire.api.agent.privileged.v1.X509SVID + nil, // 3: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse.FederatedBundlesEntry + (*types.Selector)(nil), // 4: spire.api.types.Selector + (*types.SPIFFEID)(nil), // 5: spire.api.types.SPIFFEID +} +var 
file_spire_api_agent_privileged_v1_privileged_proto_depIdxs = []int32{ + 4, // 0: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsRequest.selectors:type_name -> spire.api.types.Selector + 2, // 1: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse.svids:type_name -> spire.api.agent.privileged.v1.X509SVID + 3, // 2: spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse.federated_bundles:type_name -> spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse.FederatedBundlesEntry + 5, // 3: spire.api.agent.privileged.v1.X509SVID.id:type_name -> spire.api.types.SPIFFEID + 0, // 4: spire.api.agent.privileged.v1.Privileged.FetchX509SVIDBySelectors:input_type -> spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsRequest + 1, // 5: spire.api.agent.privileged.v1.Privileged.FetchX509SVIDBySelectors:output_type -> spire.api.agent.privileged.v1.FetchX509SVIDBySelectorsResponse + 5, // [5:6] is the sub-list for method output_type + 4, // [4:5] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_spire_api_agent_privileged_v1_privileged_proto_init() } +func file_spire_api_agent_privileged_v1_privileged_proto_init() { + if File_spire_api_agent_privileged_v1_privileged_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*FetchX509SVIDBySelectorsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*FetchX509SVIDBySelectorsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return 
&v.unknownFields + default: + return nil + } + } + file_spire_api_agent_privileged_v1_privileged_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*X509SVID); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_spire_api_agent_privileged_v1_privileged_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_spire_api_agent_privileged_v1_privileged_proto_goTypes, + DependencyIndexes: file_spire_api_agent_privileged_v1_privileged_proto_depIdxs, + MessageInfos: file_spire_api_agent_privileged_v1_privileged_proto_msgTypes, + }.Build() + File_spire_api_agent_privileged_v1_privileged_proto = out.File + file_spire_api_agent_privileged_v1_privileged_proto_rawDesc = nil + file_spire_api_agent_privileged_v1_privileged_proto_goTypes = nil + file_spire_api_agent_privileged_v1_privileged_proto_depIdxs = nil +} diff --git a/proto/spire/api/agent/privileged/v1/privileged.proto b/proto/spire/api/agent/privileged/v1/privileged.proto new file mode 100644 index 0000000..c5d26a8 --- /dev/null +++ b/proto/spire/api/agent/privileged/v1/privileged.proto 
@@ -0,0 +1,53 @@
+syntax = "proto3";
+package spire.api.agent.privileged.v1;
+option go_package = "github.com/spiffe/spire-api-sdk/proto/spire/api/agent/privileged/v1;privilegedv1";
+
+import "spire/api/types/selector.proto";
+import "spire/api/types/spiffeid.proto";
+
+service Privileged {
+ // Fetch X.509-SVIDs for identities that match the given selectors.
+ //
+ // The caller must be local.
+ rpc FetchX509SVIDBySelectors(FetchX509SVIDBySelectorsRequest) returns (stream FetchX509SVIDBySelectorsResponse);
+}
+
+message FetchX509SVIDBySelectorsRequest {
+ repeated spire.api.types.Selector selectors = 1;
+}
+
+// The FetchX509SVIDBySelectorsResponse message carries a set of X.509 SVIDs and
+// their associated information. It also carries a set of global CRLs, and a TTL
+// to inform the workload when it should check back next.
+message FetchX509SVIDBySelectorsResponse {
+ // A list of X509SVID messages, each of which includes a single
+ // SPIFFE Verifiable Identity Document, along with its private key
+ // and bundle.
+ repeated X509SVID svids = 1;
+
+ // ASN.1 DER encoded
+ repeated bytes crl = 2;
+
+ // CA certificate bundles belonging to foreign Trust Domains that the
+ // workload should trust, keyed by the SPIFFE ID of the foreign
+ // domain. Bundles are ASN.1 DER encoded.
+ map federated_bundles = 3;
+}
+
+// The X509SVID message carries a single SVID and all associated
+// information, including CA bundles.
+message X509SVID {
+ // The SPIFFE ID of the SVID in this entry
+ spire.api.types.SPIFFEID id = 1;
+
+ // ASN.1 DER encoded certificate chain. MAY include intermediates,
+ // the leaf certificate (or SVID itself) MUST come first.
+ bytes x509_svid = 2;
+
+ // ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
+ bytes x509_svid_key = 3;
+
+ // CA certificates belonging to the Trust Domain
+ // ASN.1 DER encoded
+ bytes bundle = 4;
+}
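Review bot: The comment on FetchX509SVIDBySelectorsResponse says the message carries "a TTL to inform the workload when it should check back next", but no TTL field is declared (only svids, crl and federated_bundles), so the clause should be dropped: `// their associated information. It also carries a set of global CRLs.` The rpc comment on FetchX509SVIDBySelectors leaves the matching rule to the commit message; since every streamed response includes the private key of each matching entry, the rule belongs on the API itself, e.g. `// Only registration entries matching all of the given selectors are returned.` "The caller must be local." is also the requirement ordinary workloads already satisfy, so if the agent applies a further check to decide which local caller counts as privileged (the proto does not show one), the service comment should name that check, because it is the access contract a caller of a key-returning API needs to know.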
diff --git a/proto/spire/api/agent/privileged/v1/privileged_grpc.pb.go b/proto/spire/api/agent/privileged/v1/privileged_grpc.pb.go
new file mode 100644
index 0000000..2f91ad1
--- /dev/null
+++ b/proto/spire/api/agent/privileged/v1/privileged_grpc.pb.go
@@ -0,0 +1,130 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package privilegedv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// PrivilegedClient is the client API for Privileged service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type PrivilegedClient interface { + // Fetch X.509-SVIDs for identities that match the given selectors. + // + // The caller must be local. + FetchX509SVIDBySelectors(ctx context.Context, in *FetchX509SVIDBySelectorsRequest, opts ...grpc.CallOption) (Privileged_FetchX509SVIDBySelectorsClient, error) +} + +type privilegedClient struct { + cc grpc.ClientConnInterface +} + +func NewPrivilegedClient(cc grpc.ClientConnInterface) PrivilegedClient { + return &privilegedClient{cc} +} + +func (c *privilegedClient) FetchX509SVIDBySelectors(ctx context.Context, in *FetchX509SVIDBySelectorsRequest, opts ...grpc.CallOption) (Privileged_FetchX509SVIDBySelectorsClient, error) { + stream, err := c.cc.NewStream(ctx, &_Privileged_serviceDesc.Streams[0], "/spire.api.agent.privileged.v1.Privileged/FetchX509SVIDBySelectors", opts...) 
+ if err != nil { + return nil, err + } + x := &privilegedFetchX509SVIDBySelectorsClient{stream} + if err := x.ClientStream.SendMsg(in); err != nil { + return nil, err + } + if err := x.ClientStream.CloseSend(); err != nil { + return nil, err + } + return x, nil +} + +type Privileged_FetchX509SVIDBySelectorsClient interface { + Recv() (*FetchX509SVIDBySelectorsResponse, error) + grpc.ClientStream +} + +type privilegedFetchX509SVIDBySelectorsClient struct { + grpc.ClientStream +} + +func (x *privilegedFetchX509SVIDBySelectorsClient) Recv() (*FetchX509SVIDBySelectorsResponse, error) { + m := new(FetchX509SVIDBySelectorsResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// PrivilegedServer is the server API for Privileged service. +// All implementations must embed UnimplementedPrivilegedServer +// for forward compatibility +type PrivilegedServer interface { + // Fetch X.509-SVIDs for identities that match the given selectors. + // + // The caller must be local. + FetchX509SVIDBySelectors(*FetchX509SVIDBySelectorsRequest, Privileged_FetchX509SVIDBySelectorsServer) error + mustEmbedUnimplementedPrivilegedServer() +} + +// UnimplementedPrivilegedServer must be embedded to have forward compatible implementations. +type UnimplementedPrivilegedServer struct { +} + +func (UnimplementedPrivilegedServer) FetchX509SVIDBySelectors(*FetchX509SVIDBySelectorsRequest, Privileged_FetchX509SVIDBySelectorsServer) error { + return status.Errorf(codes.Unimplemented, "method FetchX509SVIDBySelectors not implemented") +} +func (UnimplementedPrivilegedServer) mustEmbedUnimplementedPrivilegedServer() {} + +// UnsafePrivilegedServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to PrivilegedServer will +// result in compilation errors. 
+type UnsafePrivilegedServer interface { + mustEmbedUnimplementedPrivilegedServer() +} + +func RegisterPrivilegedServer(s grpc.ServiceRegistrar, srv PrivilegedServer) { + s.RegisterService(&_Privileged_serviceDesc, srv) +} + +func _Privileged_FetchX509SVIDBySelectors_Handler(srv interface{}, stream grpc.ServerStream) error { + m := new(FetchX509SVIDBySelectorsRequest) + if err := stream.RecvMsg(m); err != nil { + return err + } + return srv.(PrivilegedServer).FetchX509SVIDBySelectors(m, &privilegedFetchX509SVIDBySelectorsServer{stream}) +} + +type Privileged_FetchX509SVIDBySelectorsServer interface { + Send(*FetchX509SVIDBySelectorsResponse) error + grpc.ServerStream +} + +type privilegedFetchX509SVIDBySelectorsServer struct { + grpc.ServerStream +} + +func (x *privilegedFetchX509SVIDBySelectorsServer) Send(m *FetchX509SVIDBySelectorsResponse) error { + return x.ServerStream.SendMsg(m) +} + +var _Privileged_serviceDesc = grpc.ServiceDesc{ + ServiceName: "spire.api.agent.privileged.v1.Privileged", + HandlerType: (*PrivilegedServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "FetchX509SVIDBySelectors", + Handler: _Privileged_FetchX509SVIDBySelectors_Handler, + ServerStreams: true, + }, + }, + Metadata: "spire/api/agent/privileged/v1/privileged.proto", +}