// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS-IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package privacy.ppn;

import "quiche/blind_sign_auth/proto/attestation.proto";
import "quiche/blind_sign_auth/proto/key_services.proto";
import "quiche/blind_sign_auth/proto/proxy_layer.proto";
import "quiche/blind_sign_auth/proto/public_metadata.proto";

option java_multiple_files = true;
option java_package = "com.google.privacy.ppn.proto";

// Client is requesting to auth using the provided auth token, and to have the
// supplied blinded tokens signed in the same round trip.
//
// Wire contract: field numbers identify fields on the wire and must never be
// renumbered or reused. Removed numbers are listed in `reserved` below.
// Next ID: 17
message AuthAndSignRequest {
  // Only the numbers of removed fields are reserved, not their names, so
  // protoc will not stop a new field from reusing an old name (which matters
  // for JSON and generated accessors). If the former names are known, add a
  // `reserved "name";` line for them as well.
  reserved 3, 13;

  // A 'bearer' oauth token to be validated.
  // https://datatracker.ietf.org/doc/html/rfc6750#section-6.1.1
  //
  // This is a credential: send it only over an authenticated, encrypted
  // transport and keep it out of logs, traces and error messages. In proto3
  // an empty string is indistinguishable from "unset", so an empty value must
  // be treated as a missing token, never as a valid one.
  string oauth_token = 1;

  // A string uniquely identifying the strategy this client should be
  // authenticated with.
  // NOTE(review): this is client-chosen; presumably the server maps it onto a
  // fixed set of known strategies rather than interpreting it freely —
  // confirm server-side handling.
  string service_type = 2;

  // A set of blinded tokens to be signed by zinc. b64 encoded.
  // Ordering is significant: `blinded_token_signature` in the response is
  // matched to this list by index.
  // NOTE(review): nothing in the schema bounds the number or size of entries;
  // confirm the signer enforces a limit before doing per-token work.
  repeated string blinded_token = 4;

  // A sha256 of the public key PEM used in generated `blinded_token`. This
  // ensures the signer signs with the matching key. Only required if key_type
  // is ZINC_KEY_TYPE.
  // Because the client supplies this value it is a consistency check against
  // key mix-ups, not an authentication of the key: the signer should compare
  // it against the hash of the key it actually holds and fail closed on
  // mismatch (presumably the case — verify against the signer).
  string public_key_hash = 5;

  // Platform-specific device attestation. At most one member is set; setting
  // one clears the other.
  oneof attestation_data {
    AndroidAttestationData android_attestation_data = 6;
    IosAttestationData ios_attestation_data = 7;
  }
  // Attestation in the shared `AttestationData` form.
  // NOTE(review): the relationship between this field and the
  // `attestation_data` oneof above is not documented here — confirm which one
  // the server consumes and whether both may be populated at once.
  privacy.ppn.AttestationData attestation = 8;

  // Selects the signing scheme. Several fields below are only meaningful for
  // a particular key type; see their comments.
  privacy.ppn.KeyType key_type = 10;

  // Public metadata to bind into the signature. Only set one of this or
  // `public_metadata_extensions`.
  privacy.ppn.PublicMetadataInfo public_metadata_info = 11;

  // Indicates which key to use for signing. Only set if key type is
  // PUBLIC_METADATA.
  uint64 key_version = 12;

  // Only set one of this or public_metadata_info. Uses IETF privacy pass
  // extensions spec for format.
  // The mutual exclusion is documented, not enforced by the schema (the two
  // fields are not in a oneof, and moving them into one now would be
  // source-breaking), so the server must reject requests that set both —
  // presumably it does; confirm.
  bytes public_metadata_extensions = 14;

  // For PUBLIC_METADATA key types, if this value is set to false, the
  // final public exponent is derived by using the RSA public exponent, the
  // RSA modulus and the public metadata. If this value is set to true, only
  // the RSA modulus and the public metadata will be used.
  // The proto3 default is false, so omitting the field means the RSA public
  // exponent IS used in the derivation.
  bool do_not_use_rsa_public_exponent = 15;

  // Only set for some service types where multi layer proxies are supported.
  ProxyLayer proxy_layer = 16;
}

// Server response to `AuthAndSignRequest`.
// Next ID: 8
message AuthAndSignResponse {
  // As above, only the numbers of removed fields are reserved, not their
  // names; add `reserved "name";` entries if the old names are known.
  reserved 1, 2, 3;

  // A set of signatures corresponding by index to `blinded_token` in the
  // request. b64 encoded.
  // Callers should check that the count matches the number of tokens they
  // sent, and verify each signature under the expected public key before
  // unblinding or using it (review note: the schema itself guarantees
  // neither).
  repeated string blinded_token_signature = 4;

  // The marconi server hostname bridge-proxy uses to set up the tunnel.
  // NOTE(review): server-supplied; a client should presumably validate it as
  // a hostname before connecting — confirm on the consumer side.
  string copper_controller_hostname = 5;

  // The base64 encoding of the override_region token and signature for
  // allowlisted users, in the format of
  // "${Region}.${timestamp}.${signature}".
  string region_token_and_signature = 6;

  // The APN type bridge-proxy uses to decide which APN to use for connecting.
  string apn_type = 7;
}