xref: /aosp_15_r20/external/tink/testing/cross_language/protos/testing_api.proto (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1// Copyright 2020 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14syntax = "proto3";
15
16package tink_testing_api;
17
18import "google/protobuf/duration.proto";
19import "google/protobuf/timestamp.proto";
20import "google/protobuf/wrappers.proto";
21
22option java_package = "com.google.crypto.tink.testing.proto";
23option java_multiple_files = true;
24option go_package = "github.com/google/tink/testing/go/proto/testing_api_go_proto";
25// Placeholder for java_stubby_library
26
27// Service providing metadata about the server.
28service Metadata {
29  // Returns some server information. A test may use this information to verify
30  // that it is talking to the right server.
31  rpc GetServerInfo(ServerInfoRequest) returns (ServerInfoResponse) {}
32}
33
34message ServerInfoRequest {}
35
36message ServerInfoResponse {
37  string tink_version = 1;  // For example '1.4'
38  string language = 2;      // For example 'cc', 'java', 'go' or 'python'.
39}
40
41// Service for Keyset operations.
42service Keyset {
43  // Generates a key template from a key template name.
44  rpc GetTemplate(KeysetTemplateRequest) returns (KeysetTemplateResponse) {}
45  // Generates a new keyset from a template.
46  rpc Generate(KeysetGenerateRequest) returns (KeysetGenerateResponse) {}
47  // Generates a public-key keyset from a private-key keyset.
48  rpc Public(KeysetPublicRequest) returns (KeysetPublicResponse) {}
49  // Converts a Keyset from Binary to Json Format
50  rpc ToJson(KeysetToJsonRequest) returns (KeysetToJsonResponse) {}
51  // Converts a Keyset from Json to Binary Format
52  rpc FromJson(KeysetFromJsonRequest) returns (KeysetFromJsonResponse) {}
53  // Reads an encrypted keyset using KeysetHandle.read() or
54  // KeysetHandle.readWithAssociatedData() and the BinaryKeysetReader.
55  rpc ReadEncrypted(KeysetReadEncryptedRequest)
56      returns (KeysetReadEncryptedResponse) {}
57  // Writes an encrypted keyset using KeysetHandle.write() or
58  // KeysetHandle.writeWithAssociatedData() and the BinaryKeysetWriter.
59  rpc WriteEncrypted(KeysetWriteEncryptedRequest)
60      returns (KeysetWriteEncryptedResponse) {}
61}
62
63message KeysetTemplateRequest {
64  string template_name = 1;  // template name used by Tinkey
65}
66
67message KeysetTemplateResponse {
68  oneof result {
69    bytes key_template = 1;  // serialized google.crypto.tink.KeyTemplate.
70    string err = 2;
71  }
72}
73
74message KeysetGenerateRequest {
75  bytes template = 1;  // serialized google.crypto.tink.KeyTemplate.
76}
77
78message KeysetGenerateResponse {
79  oneof result {
80    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
81    string err = 2;
82  }
83}
84
85message KeysetPublicRequest {
86  bytes private_keyset = 1;  // serialized google.crypto.tink.Keyset.
87}
88
89message KeysetPublicResponse {
90  oneof result {
91    bytes public_keyset = 1;  // serialized google.crypto.tink.Keyset.
92    string err = 2;
93  }
94}
95
96message KeysetToJsonRequest {
97  bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
98}
99
100message KeysetToJsonResponse {
101  oneof result {
102    string json_keyset = 1;
103    string err = 2;
104  }
105}
106
107message KeysetFromJsonRequest {
108  string json_keyset = 1;
109}
110
111message KeysetFromJsonResponse {
112  oneof result {
113    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
114    string err = 2;
115  }
116}
117
118// Copy of google.protobuf.BytesValue
119message BytesValue {
120  // The bytes value.
121  bytes value = 1;
122}
123
124enum KeysetReaderType {
125  KEYSET_READER_UNKNOWN = 0;
126  KEYSET_READER_BINARY = 1;
127  KEYSET_READER_JSON = 2;
128}
129
130message KeysetReadEncryptedRequest {
131  bytes encrypted_keyset = 1;
132  bytes master_keyset = 2;  // serialized google.crypto.tink.Keyset.
133  BytesValue associated_data = 3;
134  KeysetReaderType keyset_reader_type = 4;
135}
136
137message KeysetReadEncryptedResponse {
138  oneof result {
139    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
140    string err = 2;
141  }
142}
143
144enum KeysetWriterType {
145  KEYSET_WRITER_UNKNOWN = 0;
146  KEYSET_WRITER_BINARY = 1;
147  KEYSET_WRITER_JSON = 2;
148}
149
150message KeysetWriteEncryptedRequest {
151  bytes keyset = 1;         // serialized google.crypto.tink.Keyset.
152  bytes master_keyset = 2;  // serialized google.crypto.tink.Keyset.
153  BytesValue associated_data = 3;
154  KeysetWriterType keyset_writer_type = 4;
155}
156
157message KeysetWriteEncryptedResponse {
158  oneof result {
159    bytes encrypted_keyset = 1;
160    string err = 2;
161  }
162}
163
164message AnnotatedKeyset {
165  bytes serialized_keyset = 1;  // serialized google.crypto.tink.Keyset.
166  map<string, string> annotations = 2;
167}
168
169message CreationRequest {
170  AnnotatedKeyset annotated_keyset = 1;
171}
172
173message CreationResponse {
174  // Empty means no error
175  string err = 1;
176}
177
178// Service for AEAD encryption and decryption
179service Aead {
180  // Creates an Aead object without using it.
181  rpc Create(CreationRequest) returns (CreationResponse) {}
182  // Encrypts a plaintext with the provided keyset. The client must call
183  // "Create" first to see if creation succeeds before calling this.
184  rpc Encrypt(AeadEncryptRequest) returns (AeadEncryptResponse) {}
185  // Decrypts a ciphertext with the provided keyset. The client must call
186  // "Create" first to see if creation succeeds before calling this.
187  rpc Decrypt(AeadDecryptRequest) returns (AeadDecryptResponse) {}
188}
189
190message AeadEncryptRequest {
191  AnnotatedKeyset annotated_keyset = 1;
192  bytes plaintext = 2;
193  bytes associated_data = 3;
194}
195
196message AeadEncryptResponse {
197  oneof result {
198    bytes ciphertext = 1;
199    string err = 2;
200  }
201}
202
203message AeadDecryptRequest {
204  AnnotatedKeyset annotated_keyset = 1;
205  bytes ciphertext = 2;
206  bytes associated_data = 3;
207}
208
209message AeadDecryptResponse {
210  oneof result {
211    bytes plaintext = 1;
212    string err = 2;
213  }
214}
215
216// Service for Deterministic AEAD encryption and decryption
217service DeterministicAead {
218  // Creates a Deterministic AEAD object without using it.
219  rpc Create(CreationRequest) returns (CreationResponse) {}
220  // Encrypts a plaintext with the provided keyset. The client must call
221  // "Create" first to see if creation succeeds before calling
222  // this.
223  rpc EncryptDeterministically(DeterministicAeadEncryptRequest)
224      returns (DeterministicAeadEncryptResponse) {}
225  // Decrypts a ciphertext with the provided keyset. The client must call
226  // "Create" first to see if creation succeeds before calling
227  // this.
228  rpc DecryptDeterministically(DeterministicAeadDecryptRequest)
229      returns (DeterministicAeadDecryptResponse) {}
230}
231
232message DeterministicAeadEncryptRequest {
233  AnnotatedKeyset annotated_keyset = 1;
234  bytes plaintext = 2;
235  bytes associated_data = 3;
236}
237
238message DeterministicAeadEncryptResponse {
239  oneof result {
240    bytes ciphertext = 1;
241    string err = 2;
242  }
243}
244
245message DeterministicAeadDecryptRequest {
246  AnnotatedKeyset annotated_keyset = 1;
247  bytes ciphertext = 2;
248  bytes associated_data = 3;
249}
250
251message DeterministicAeadDecryptResponse {
252  oneof result {
253    bytes plaintext = 1;
254    string err = 2;
255  }
256}
257
258// Service for Streaming AEAD encryption and decryption
259service StreamingAead {
260  // Creates a StreamingAead object without using it.
261  rpc Create(CreationRequest) returns (CreationResponse) {}
262
263  // Encrypts a plaintext with the provided keyset. The client must call
264  // "Create" first to see if creation succeeds before calling this.
265  rpc Encrypt(StreamingAeadEncryptRequest)
266      returns (StreamingAeadEncryptResponse) {}
267  // Decrypts a ciphertext with the provided keyset. The client must call
268  // "Create" first to see if creation succeeds before calling this.
269  rpc Decrypt(StreamingAeadDecryptRequest)
270      returns (StreamingAeadDecryptResponse) {}
271}
272
273message StreamingAeadEncryptRequest {
274  AnnotatedKeyset annotated_keyset = 1;
275  bytes plaintext = 2;
276  bytes associated_data = 3;
277}
278
279message StreamingAeadEncryptResponse {
280  oneof result {
281    bytes ciphertext = 1;
282    string err = 2;
283  }
284}
285
286message StreamingAeadDecryptRequest {
287  AnnotatedKeyset annotated_keyset = 1;
288  bytes ciphertext = 2;
289  bytes associated_data = 3;
290}
291
292message StreamingAeadDecryptResponse {
293  oneof result {
294    bytes plaintext = 1;
295    string err = 2;
296  }
297}
298
299// Service to compute and verify MACs
300service Mac {
301  // Creates a Mac object without using it.
302  rpc Create(CreationRequest) returns (CreationResponse) {}
303  // Computes a MAC for given data. The client must call "Create" first to see
304  // if creation succeeds before calling this.
305  rpc ComputeMac(ComputeMacRequest) returns (ComputeMacResponse) {}
306  // Verifies the validity of the MAC value, no error means success. The client
307  // must call "Create" first to see if creation succeeds before calling this.
308  rpc VerifyMac(VerifyMacRequest) returns (VerifyMacResponse) {}
309}
310
311message ComputeMacRequest {
312  AnnotatedKeyset annotated_keyset = 1;
313  bytes data = 2;
314}
315
316message ComputeMacResponse {
317  oneof result {
318    bytes mac_value = 1;
319    string err = 2;
320  }
321}
322
323message VerifyMacRequest {
324  AnnotatedKeyset annotated_keyset = 1;
325  bytes mac_value = 2;
326  bytes data = 3;
327}
328
329message VerifyMacResponse {
330  string err = 1;
331}
332
333// Service to hybrid encrypt and decrypt
334service Hybrid {
335  // Creates a HybridEncrypt object without using it.
336  rpc CreateHybridEncrypt(CreationRequest) returns (CreationResponse) {}
337  // Creates a HybridDecrypt object without using it.
338  rpc CreateHybridDecrypt(CreationRequest) returns (CreationResponse) {}
339
340  // Encrypts plaintext binding context_info to the resulting ciphertext. The
341  // client must call "CreateHybridEncrypt" first to see if creation succeeds
342  // before calling this.
343  rpc Encrypt(HybridEncryptRequest) returns (HybridEncryptResponse) {}
344  // Decrypts ciphertext verifying the integrity of context_info. The client
345  // must call "CreateHybridDecrypt" first to see if creation succeeds before
346  // calling this.
347  rpc Decrypt(HybridDecryptRequest) returns (HybridDecryptResponse) {}
348}
349
350message HybridEncryptRequest {
351  AnnotatedKeyset public_annotated_keyset = 1;
352  bytes plaintext = 2;
353  bytes context_info = 3;
354}
355
356message HybridEncryptResponse {
357  oneof result {
358    bytes ciphertext = 1;
359    string err = 2;
360  }
361}
362
363message HybridDecryptRequest {
364  AnnotatedKeyset private_annotated_keyset = 1;
365  bytes ciphertext = 2;
366  bytes context_info = 3;
367}
368
369message HybridDecryptResponse {
370  oneof result {
371    bytes plaintext = 1;
372    string err = 2;
373  }
374}
375
376// Service to sign and verify signatures.
377service Signature {
378  // Creates a PublicKeySign object without using it.
379  rpc CreatePublicKeySign(CreationRequest) returns (CreationResponse) {}
380  // Creates a PublicKeyVerify object without using it.
381  rpc CreatePublicKeyVerify(CreationRequest) returns (CreationResponse) {}
382
383  // Computes the signature for data. The client must call "CreatePublicKeySign"
384  // first to see if creation succeeds before calling this.
385  rpc Sign(SignatureSignRequest) returns (SignatureSignResponse) {}
386  // Verifies that signature is a digital signature for data. The client must
387  // call "CreatePublicKeyVerify" first to see if creation succeeds before
388  // calling this.
389  rpc Verify(SignatureVerifyRequest) returns (SignatureVerifyResponse) {}
390}
391
392message SignatureSignRequest {
393  AnnotatedKeyset private_annotated_keyset = 1;
394  bytes data = 2;
395}
396
397message SignatureSignResponse {
398  oneof result {
399    bytes signature = 1;
400    string err = 2;
401  }
402}
403
404message SignatureVerifyRequest {
405  AnnotatedKeyset public_annotated_keyset = 1;
406  bytes signature = 2;
407  bytes data = 3;
408}
409
410message SignatureVerifyResponse {
411  string err = 1;
412}
413
414// Service for PrfSet computation
415service PrfSet {
416  // Creates a PrfSet object without using it.
417  rpc Create(CreationRequest) returns (CreationResponse) {}
418
419  // Returns the key ids and the primary key id in the keyset.The client must
420  // call "Create" first to see if creation succeeds before calling this.
421  rpc KeyIds(PrfSetKeyIdsRequest) returns (PrfSetKeyIdsResponse) {}
422  // Computes the output of the PRF with the given key_id in the PrfSet.The
423  // client must call "Create" first to see if creation succeeds before calling
424  // this.
425  rpc Compute(PrfSetComputeRequest) returns (PrfSetComputeResponse) {}
426}
427
428message PrfSetKeyIdsRequest {
429  AnnotatedKeyset annotated_keyset = 1;
430}
431
432message PrfSetKeyIdsResponse {
433  message Output {
434    uint32 primary_key_id = 1;
435    repeated uint32 key_id = 2;
436  }
437  oneof result {
438    Output output = 1;
439    string err = 2;
440  }
441}
442
443message PrfSetComputeRequest {
444  AnnotatedKeyset annotated_keyset = 1;
445  uint32 key_id = 2;
446  bytes input_data = 3;
447  int32 output_length = 4;
448}
449
450message PrfSetComputeResponse {
451  oneof result {
452    bytes output = 1;
453    string err = 2;
454  }
455}
456
457// Service for JSON Web Tokens (JWT)
458service Jwt {
459  // Creates a JwtMac object without using it.
460  rpc CreateJwtMac(CreationRequest) returns (CreationResponse) {}
461  // Creates a JwtPublicKeySign object without using it.
462  rpc CreateJwtPublicKeySign(CreationRequest) returns (CreationResponse) {}
463  // Creates a JwtPublicKeyVerify object without using it.
464  rpc CreateJwtPublicKeyVerify(CreationRequest) returns (CreationResponse) {}
465
466  // Computes a signed compact JWT token.
467  rpc ComputeMacAndEncode(JwtSignRequest) returns (JwtSignResponse) {}
468  // Verifies the validity of the signed compact JWT token
469  rpc VerifyMacAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {}
470  // Computes a signed compact JWT token.
471  rpc PublicKeySignAndEncode(JwtSignRequest) returns (JwtSignResponse) {}
472  // Verifies the validity of the signed compact JWT token
473  rpc PublicKeyVerifyAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {}
474  // Converts a Keyset from Tink Binary to JWK Set Format
475  rpc ToJwkSet(JwtToJwkSetRequest) returns (JwtToJwkSetResponse) {}
476  // Converts a Keyset from JWK Set to Tink Binary Format
477  rpc FromJwkSet(JwtFromJwkSetRequest) returns (JwtFromJwkSetResponse) {}
478}
479
480//  Used to represent the JSON null value.
481enum NullValue {
482  NULL_VALUE = 0;
483}
484
485message JwtClaimValue {
486  oneof kind {
487    NullValue null_value = 2;
488    double number_value = 3;
489    string string_value = 4;
490    bool bool_value = 5;
491    string json_object_value = 6;
492    string json_array_value = 7;
493  }
494}
495
496message JwtToken {
497  google.protobuf.StringValue issuer = 1;
498  google.protobuf.StringValue subject = 2;
499  repeated string audiences = 3;
500  google.protobuf.StringValue jwt_id = 4;
501  google.protobuf.Timestamp expiration = 5;
502  google.protobuf.Timestamp not_before = 6;
503  google.protobuf.Timestamp issued_at = 7;
504  map<string, JwtClaimValue> custom_claims = 8;
505  google.protobuf.StringValue type_header = 9;
506}
507
508message JwtValidator {
509  google.protobuf.StringValue expected_type_header = 7;
510  google.protobuf.StringValue expected_issuer = 1;
511  google.protobuf.StringValue expected_audience = 3;
512  bool ignore_type_header = 8;
513  bool ignore_issuer = 9;
514  bool ignore_audience = 11;
515  bool allow_missing_expiration = 12;
516  bool expect_issued_in_the_past = 13;
517  google.protobuf.Timestamp now = 5;
518  google.protobuf.Duration clock_skew = 6;
519}
520
521message JwtSignRequest {
522  AnnotatedKeyset annotated_keyset = 1;
523  JwtToken raw_jwt = 2;
524}
525
526message JwtSignResponse {
527  oneof result {
528    string signed_compact_jwt = 1;
529    string err = 2;
530  }
531}
532
533message JwtVerifyRequest {
534  AnnotatedKeyset annotated_keyset = 1;
535  string signed_compact_jwt = 2;
536  JwtValidator validator = 3;
537}
538
539message JwtVerifyResponse {
540  oneof result {
541    JwtToken verified_jwt = 1;
542    string err = 2;
543  }
544}
545
546message JwtToJwkSetRequest {
547  bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
548}
549
550message JwtToJwkSetResponse {
551  oneof result {
552    string jwk_set = 1;
553    string err = 2;
554  }
555}
556
557message JwtFromJwkSetRequest {
558  string jwk_set = 1;
559}
560
561message JwtFromJwkSetResponse {
562  oneof result {
563    bytes keyset = 1;  // serialized google.crypto.tink.Keyset.
564    string err = 2;
565  }
566}
567