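// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// RPC surface of the Tink testing API: one service per primitive, so that a
// test driver can exercise a given language implementation remotely.
//
// NOTE(review): almost every request below carries a serialized
// google.crypto.tink.Keyset, i.e. the key material travels inside the request
// and is not encrypted at this layer (only ReadEncrypted/WriteEncrypted deal
// with encrypted keysets, and they also receive the master keyset in the
// request). A server implementing these services should therefore be
// reachable only from the test harness and be fed test keys only.
//
// Error convention: operations that produce a value return a
// `oneof result { <value>; string err; }`; operations that only succeed or
// fail return a message with a single `err` string where empty means success.
syntax = "proto3";

package tink_testing_api;

import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";

option java_package = "com.google.crypto.tink.testing.proto";
option java_multiple_files = true;
option go_package = "github.com/google/tink/testing/go/proto/testing_api_go_proto";
// Placeholder for java_stubby_library

// Service providing metadata about the server.
service Metadata {
  // Returns some server information. A test may use this information to verify
  // that it is talking to the right server.
  rpc GetServerInfo(ServerInfoRequest) returns (ServerInfoResponse) {}
}

// Empty request: GetServerInfo takes no parameters.
message ServerInfoRequest {}

// Self-reported identity of the server. Nothing in this message is
// authenticated; it is a sanity check for the test, not a trust decision.
message ServerInfoResponse {
  string tink_version = 1;  // For example '1.4'
  string language = 2;      // For example 'cc', 'java', 'go' or 'python'.
}

// Service for Keyset operations.
service Keyset {
  // Generates a key template from a key template name.
  rpc GetTemplate(KeysetTemplateRequest) returns (KeysetTemplateResponse) {}
  // Generates a new keyset from a template.
  rpc Generate(KeysetGenerateRequest) returns (KeysetGenerateResponse) {}
  // Generates a public-key keyset from a private-key keyset.
  rpc Public(KeysetPublicRequest) returns (KeysetPublicResponse) {}
  // Converts a Keyset from Binary to Json Format
  rpc ToJson(KeysetToJsonRequest) returns (KeysetToJsonResponse) {}
  // Converts a Keyset from Json to Binary Format
  rpc FromJson(KeysetFromJsonRequest) returns (KeysetFromJsonResponse) {}
  // Reads an encrypted keyset using KeysetHandle.read() or
  // KeysetHandle.readWithAssociatedData() and the BinaryKeysetReader.
  rpc ReadEncrypted(KeysetReadEncryptedRequest)
      returns (KeysetReadEncryptedResponse) {}
  // Writes an encrypted keyset using KeysetHandle.write() or
  // KeysetHandle.writeWithAssociatedData() and the BinaryKeysetWriter.
  rpc WriteEncrypted(KeysetWriteEncryptedRequest)
      returns (KeysetWriteEncryptedResponse) {}
}

message KeysetTemplateRequest {
  string template_name = 1;  // template name used by Tinkey
}

message KeysetTemplateResponse {
  oneof result {
    bytes key_template = 1;  // serialized google.crypto.tink.KeyTemplate.
    string err = 2;
  }
}

message KeysetGenerateRequest {
  bytes template = 1;  // serialized google.crypto.tink.KeyTemplate.
}

// The generated keyset is returned serialized and unencrypted.
message KeysetGenerateResponse {
  oneof result {
    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
    string err = 2;
  }
}

// Carries the private keyset itself; the response holds only the public part.
message KeysetPublicRequest {
  bytes private_keyset = 1;  // serialized google.crypto.tink.Keyset.
}

message KeysetPublicResponse {
  oneof result {
    bytes public_keyset = 1;  // serialized google.crypto.tink.Keyset.
    string err = 2;
  }
}

message KeysetToJsonRequest {
  bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
}

message KeysetToJsonResponse {
  oneof result {
    string json_keyset = 1;  // The same keyset in JSON form (see ToJson).
    string err = 2;
  }
}

message KeysetFromJsonRequest {
  string json_keyset = 1;  // Keyset in JSON form, to be converted to binary.
}

message KeysetFromJsonResponse {
  oneof result {
    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
    string err = 2;
  }
}

// Copy of google.protobuf.BytesValue
//
// Being a message, it lets a request distinguish "no value" from "empty
// bytes", which a plain proto3 `bytes` field cannot.
message BytesValue {
  // The bytes value.
  bytes value = 1;
}

// Serialization format of the encrypted keyset handed to ReadEncrypted.
// KEYSET_READER_UNKNOWN is the proto3 default, i.e. what an unset field reads
// as; presumably servers reject it -- confirm against the implementations.
enum KeysetReaderType {
  KEYSET_READER_UNKNOWN = 0;
  KEYSET_READER_BINARY = 1;
  KEYSET_READER_JSON = 2;
}

message KeysetReadEncryptedRequest {
  bytes encrypted_keyset = 1;
  // Keyset used to decrypt encrypted_keyset. It is sent in the clear next to
  // the ciphertext it protects, so this RPC gives no confidentiality for the
  // wrapped keyset on the wire.
  bytes master_keyset = 2;  // serialized google.crypto.tink.Keyset.
  // Presumably absent selects KeysetHandle.read() and present selects
  // readWithAssociatedData() -- confirm against the server implementations.
  BytesValue associated_data = 3;
  KeysetReaderType keyset_reader_type = 4;
}

// On success the decrypted keyset is returned serialized and unencrypted.
message KeysetReadEncryptedResponse {
  oneof result {
    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
    string err = 2;
  }
}

// Serialization format to produce in WriteEncrypted.
// KEYSET_WRITER_UNKNOWN is the proto3 default, i.e. what an unset field reads
// as; presumably servers reject it -- confirm against the implementations.
enum KeysetWriterType {
  KEYSET_WRITER_UNKNOWN = 0;
  KEYSET_WRITER_BINARY = 1;
  KEYSET_WRITER_JSON = 2;
}

message KeysetWriteEncryptedRequest {
  // Keyset to encrypt, in the clear.
  bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
  // Keyset used to encrypt `keyset`, also in the clear.
  bytes master_keyset = 2;  // serialized google.crypto.tink.Keyset.
  // Presumably absent selects KeysetHandle.write() and present selects
  // writeWithAssociatedData() -- confirm against the server implementations.
  BytesValue associated_data = 3;
  KeysetWriterType keyset_writer_type = 4;
}

message KeysetWriteEncryptedResponse {
  oneof result {
    bytes encrypted_keyset = 1;
    string err = 2;
  }
}

// A serialized keyset plus string key/value annotations. Used by every
// primitive service below as the way to pass key material.
// NOTE(review): the meaning of `annotations` is not visible in this file;
// presumably they are attached to the keyset handle the server builds.
message AnnotatedKeyset {
  bytes serialized_keyset = 1;  // serialized google.crypto.tink.Keyset.
  map<string, string> annotations = 2;
}

// Shared request type of all Create* RPCs.
message CreationRequest {
  AnnotatedKeyset annotated_keyset = 1;
}

// Shared response type of all Create* RPCs.
message CreationResponse {
  // Empty means no error
  //
  // proto3 cannot tell an unset string from an empty one, so a
  // default-constructed response reads as success; callers should also check
  // the RPC status.
  string err = 1;
}

// Service for AEAD encryption and decryption
service Aead {
  // Creates an Aead object without using it.
  rpc Create(CreationRequest) returns (CreationResponse) {}
  // Encrypts a plaintext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling this.
  rpc Encrypt(AeadEncryptRequest) returns (AeadEncryptResponse) {}
  // Decrypts a ciphertext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling this.
  rpc Decrypt(AeadDecryptRequest) returns (AeadDecryptResponse) {}
}

message AeadEncryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes plaintext = 2;
  bytes associated_data = 3;
}

message AeadEncryptResponse {
  oneof result {
    bytes ciphertext = 1;
    string err = 2;
  }
}

message AeadDecryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
}

message AeadDecryptResponse {
  oneof result {
    bytes plaintext = 1;
    string err = 2;
  }
}

// Service for Deterministic AEAD encryption and decryption
service DeterministicAead {
  // Creates a Deterministic AEAD object without using it.
  rpc Create(CreationRequest) returns (CreationResponse) {}
  // Encrypts a plaintext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling
  // this.
  rpc EncryptDeterministically(DeterministicAeadEncryptRequest)
      returns (DeterministicAeadEncryptResponse) {}
  // Decrypts a ciphertext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling
  // this.
  rpc DecryptDeterministically(DeterministicAeadDecryptRequest)
      returns (DeterministicAeadDecryptResponse) {}
}

message DeterministicAeadEncryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes plaintext = 2;
  bytes associated_data = 3;
}

message DeterministicAeadEncryptResponse {
  oneof result {
    bytes ciphertext = 1;
    string err = 2;
  }
}

message DeterministicAeadDecryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
}

message DeterministicAeadDecryptResponse {
  oneof result {
    bytes plaintext = 1;
    string err = 2;
  }
}

// Service for Streaming AEAD encryption and decryption
//
// Despite the name, both RPCs are unary: the whole plaintext or ciphertext is
// carried in a single `bytes` field, so message-size limits of the transport
// bound what can be tested.
service StreamingAead {
  // Creates a StreamingAead object without using it.
  rpc Create(CreationRequest) returns (CreationResponse) {}

  // Encrypts a plaintext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling this.
  rpc Encrypt(StreamingAeadEncryptRequest)
      returns (StreamingAeadEncryptResponse) {}
  // Decrypts a ciphertext with the provided keyset. The client must call
  // "Create" first to see if creation succeeds before calling this.
  rpc Decrypt(StreamingAeadDecryptRequest)
      returns (StreamingAeadDecryptResponse) {}
}

message StreamingAeadEncryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes plaintext = 2;
  bytes associated_data = 3;
}

message StreamingAeadEncryptResponse {
  oneof result {
    bytes ciphertext = 1;
    string err = 2;
  }
}

message StreamingAeadDecryptRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
}

message StreamingAeadDecryptResponse {
  oneof result {
    bytes plaintext = 1;
    string err = 2;
  }
}

// Service to compute and verify MACs
service Mac {
  // Creates a Mac object without using it.
  rpc Create(CreationRequest) returns (CreationResponse) {}
  // Computes a MAC for given data. The client must call "Create" first to see
  // if creation succeeds before calling this.
  rpc ComputeMac(ComputeMacRequest) returns (ComputeMacResponse) {}
  // Verifies the validity of the MAC value, no error means success. The client
  // must call "Create" first to see if creation succeeds before calling this.
  rpc VerifyMac(VerifyMacRequest) returns (VerifyMacResponse) {}
}

message ComputeMacRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes data = 2;
}

message ComputeMacResponse {
  oneof result {
    bytes mac_value = 1;
    string err = 2;
  }
}

message VerifyMacRequest {
  AnnotatedKeyset annotated_keyset = 1;
  bytes mac_value = 2;
  bytes data = 3;
}

message VerifyMacResponse {
  // Empty means the MAC verified ("no error means success", see VerifyMac).
  // proto3 cannot tell an unset string from an empty one, so a
  // default-constructed response reads as a successful verification; callers
  // should also check the RPC status before treating the MAC as valid.
  string err = 1;
}

// Service to hybrid encrypt and decrypt
service Hybrid {
  // Creates a HybridEncrypt object without using it.
  rpc CreateHybridEncrypt(CreationRequest) returns (CreationResponse) {}
  // Creates a HybridDecrypt object without using it.
  rpc CreateHybridDecrypt(CreationRequest) returns (CreationResponse) {}

  // Encrypts plaintext binding context_info to the resulting ciphertext. The
  // client must call "CreateHybridEncrypt" first to see if creation succeeds
  // before calling this.
  rpc Encrypt(HybridEncryptRequest) returns (HybridEncryptResponse) {}
  // Decrypts ciphertext verifying the integrity of context_info. The client
  // must call "CreateHybridDecrypt" first to see if creation succeeds before
  // calling this.
  rpc Decrypt(HybridDecryptRequest) returns (HybridDecryptResponse) {}
}

message HybridEncryptRequest {
  AnnotatedKeyset public_annotated_keyset = 1;
  bytes plaintext = 2;
  bytes context_info = 3;
}

message HybridEncryptResponse {
  oneof result {
    bytes ciphertext = 1;
    string err = 2;
  }
}

// Carries the private keyset in the clear (inside the AnnotatedKeyset).
message HybridDecryptRequest {
  AnnotatedKeyset private_annotated_keyset = 1;
  bytes ciphertext = 2;
  bytes context_info = 3;
}

message HybridDecryptResponse {
  oneof result {
    bytes plaintext = 1;
    string err = 2;
  }
}

// Service to sign and verify signatures.
service Signature {
  // Creates a PublicKeySign object without using it.
  rpc CreatePublicKeySign(CreationRequest) returns (CreationResponse) {}
  // Creates a PublicKeyVerify object without using it.
  rpc CreatePublicKeyVerify(CreationRequest) returns (CreationResponse) {}

  // Computes the signature for data. The client must call "CreatePublicKeySign"
  // first to see if creation succeeds before calling this.
  rpc Sign(SignatureSignRequest) returns (SignatureSignResponse) {}
  // Verifies that signature is a digital signature for data. The client must
  // call "CreatePublicKeyVerify" first to see if creation succeeds before
  // calling this.
  rpc Verify(SignatureVerifyRequest) returns (SignatureVerifyResponse) {}
}

// Carries the private signing keyset in the clear (inside the AnnotatedKeyset).
message SignatureSignRequest {
  AnnotatedKeyset private_annotated_keyset = 1;
  bytes data = 2;
}

message SignatureSignResponse {
  oneof result {
    bytes signature = 1;
    string err = 2;
  }
}

message SignatureVerifyRequest {
  AnnotatedKeyset public_annotated_keyset = 1;
  bytes signature = 2;
  bytes data = 3;
}

message SignatureVerifyResponse {
  // Presumably empty means the signature verified, as for VerifyMacResponse.
  // proto3 cannot tell an unset string from an empty one, so a
  // default-constructed response reads as a successful verification; callers
  // should also check the RPC status before treating the signature as valid.
  string err = 1;
}

// Service for PrfSet computation
service PrfSet {
  // Creates a PrfSet object without using it.
  rpc Create(CreationRequest) returns (CreationResponse) {}

  // Returns the key ids and the primary key id in the keyset. The client must
  // call "Create" first to see if creation succeeds before calling this.
  rpc KeyIds(PrfSetKeyIdsRequest) returns (PrfSetKeyIdsResponse) {}
  // Computes the output of the PRF with the given key_id in the PrfSet. The
  // client must call "Create" first to see if creation succeeds before calling
  // this.
  rpc Compute(PrfSetComputeRequest) returns (PrfSetComputeResponse) {}
}

message PrfSetKeyIdsRequest {
  AnnotatedKeyset annotated_keyset = 1;
}

message PrfSetKeyIdsResponse {
  // Key ids found in the keyset, with the primary one called out separately.
  message Output {
    uint32 primary_key_id = 1;
    repeated uint32 key_id = 2;
  }
  oneof result {
    Output output = 1;
    string err = 2;
  }
}

message PrfSetComputeRequest {
  AnnotatedKeyset annotated_keyset = 1;
  // Selects which PRF of the set to evaluate.
  uint32 key_id = 2;
  bytes input_data = 3;
  // Requested number of output bytes (presumably). The type is signed, so a
  // server has to reject negative values itself, and should bound the size it
  // is willing to allocate.
  int32 output_length = 4;
}

message PrfSetComputeResponse {
  oneof result {
    bytes output = 1;
    string err = 2;
  }
}

// Service for JSON Web Tokens (JWT)
service Jwt {
  // Creates a JwtMac object without using it.
  rpc CreateJwtMac(CreationRequest) returns (CreationResponse) {}
  // Creates a JwtPublicKeySign object without using it.
  rpc CreateJwtPublicKeySign(CreationRequest) returns (CreationResponse) {}
  // Creates a JwtPublicKeyVerify object without using it.
  rpc CreateJwtPublicKeyVerify(CreationRequest) returns (CreationResponse) {}

  // Computes a MAC-authenticated compact JWT token (returned in
  // JwtSignResponse.signed_compact_jwt).
  rpc ComputeMacAndEncode(JwtSignRequest) returns (JwtSignResponse) {}
  // Verifies the MAC of the compact JWT token and applies the JwtValidator
  // from the request.
  rpc VerifyMacAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {}
  // Computes a signed compact JWT token.
  rpc PublicKeySignAndEncode(JwtSignRequest) returns (JwtSignResponse) {}
  // Verifies the validity of the signed compact JWT token
  rpc PublicKeyVerifyAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {}
  // Converts a Keyset from Tink Binary to JWK Set Format
  rpc ToJwkSet(JwtToJwkSetRequest) returns (JwtToJwkSetResponse) {}
  // Converts a Keyset from JWK Set to Tink Binary Format
  rpc FromJwkSet(JwtFromJwkSetRequest) returns (JwtFromJwkSetResponse) {}
}

// Used to represent the JSON null value.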
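enum NullValue {
  NULL_VALUE = 0;
}

// One custom JWT claim value; `kind` covers the JSON value types.
// Field number 1 is not used in this oneof.
message JwtClaimValue {
  oneof kind {
    NullValue null_value = 2;
    double number_value = 3;
    string string_value = 4;
    bool bool_value = 5;
    // Presumably a JSON object encoded as text -- confirm against the servers.
    string json_object_value = 6;
    // Presumably a JSON array encoded as text -- confirm against the servers.
    string json_array_value = 7;
  }
}

// Claims and header of a JWT, either as input to signing (JwtSignRequest) or
// as the result of a successful verification (JwtVerifyResponse).
// The string claims use google.protobuf.StringValue so that an absent claim
// can be told apart from an empty one.
message JwtToken {
  google.protobuf.StringValue issuer = 1;
  google.protobuf.StringValue subject = 2;
  repeated string audiences = 3;
  google.protobuf.StringValue jwt_id = 4;
  google.protobuf.Timestamp expiration = 5;
  google.protobuf.Timestamp not_before = 6;
  google.protobuf.Timestamp issued_at = 7;
  map<string, JwtClaimValue> custom_claims = 8;
  google.protobuf.StringValue type_header = 9;
}

// Validation parameters applied when verifying a token.
//
// All `bool` fields default to false in proto3, so an empty JwtValidator is
// the strictest configuration this message can express; each ignore_* /
// allow_* flag presumably relaxes one check, and a test that sets one should
// do so deliberately.
// NOTE(review): field numbers 2, 4 and 10 are not used here; if they were
// retired, marking them `reserved` would prevent accidental reuse.
message JwtValidator {
  google.protobuf.StringValue expected_type_header = 7;
  google.protobuf.StringValue expected_issuer = 1;
  google.protobuf.StringValue expected_audience = 3;
  bool ignore_type_header = 8;
  bool ignore_issuer = 9;
  bool ignore_audience = 11;
  // Presumably accepts tokens without an expiration claim when true.
  bool allow_missing_expiration = 12;
  // Presumably requires issued_at to lie in the past when true.
  bool expect_issued_in_the_past = 13;
  // Presumably the time to validate against instead of the server clock,
  // which keeps expiry tests deterministic -- confirm against the servers.
  google.protobuf.Timestamp now = 5;
  // Tolerance applied to the time-based checks (presumably).
  google.protobuf.Duration clock_skew = 6;
}

// Request type of ComputeMacAndEncode and PublicKeySignAndEncode.
message JwtSignRequest {
  AnnotatedKeyset annotated_keyset = 1;
  JwtToken raw_jwt = 2;
}

message JwtSignResponse {
  oneof result {
    string signed_compact_jwt = 1;
    string err = 2;
  }
}

// Request type of VerifyMacAndDecode and PublicKeyVerifyAndDecode.
message JwtVerifyRequest {
  AnnotatedKeyset annotated_keyset = 1;
  string signed_compact_jwt = 2;
  JwtValidator validator = 3;
}

message JwtVerifyResponse {
  oneof result {
    JwtToken verified_jwt = 1;
    string err = 2;
  }
}

message JwtToJwkSetRequest {
  bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
}

message JwtToJwkSetResponse {
  oneof result {
    string jwk_set = 1;
    string err = 2;
  }
}

message JwtFromJwkSetRequest {
  string jwk_set = 1;
}

message JwtFromJwkSetResponse {
  oneof result {
    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
    string err = 2;
  }
}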