Add WIT keys to bundle

Makefile

@@ -64,6 +64,7 @@ protos := \
 	proto/spire/plugin/types/bundle.proto \
 	proto/spire/plugin/types/jwtkey.proto \
 	proto/spire/plugin/types/x509certificate.proto \
+	proto/spire/plugin/types/witkey.proto \
 
 ############################################################################
 # OS/ARCH detection

proto/spire/plugin/types/bundle.proto

@@ -4,6 +4,7 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types
 
 import "spire/plugin/types/jwtkey.proto";
 import "spire/plugin/types/x509certificate.proto";
+import "spire/plugin/types/witkey.proto";
 
 message Bundle {
     // The name of the trust domain the bundle belongs to (e.g., "example.org").
@@ -21,4 +22,7 @@ message Bundle {
 
     // The sequence number of the bundle.
     uint64 sequence_number = 5;
+
+    // WIT authorities for authenticating WIT-SVIDs.
+    repeated WITKey wit_authorities = 6;
 }

proto/spire/plugin/types/witkey.proto

@@ -0,0 +1,18 @@
+syntax = "proto3";
+package spire.plugin.types;
+option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types";
+
+message WITKey {
+    // The PKIX encoded public key.
+    bytes public_key = 1;
+
+    // The key identifier.
+    string key_id = 2;
+
+    // When the key expires (seconds since Unix epoch). If zero, the key does
+    // not expire.
+    int64 expires_at = 3;
+
+    // Indicates if the key has been tainted. A tainted key is not safe to be used anymore.
+    bool tainted = 4;
+}