// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS-IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Request and response messages for the blind-sign "auth and sign" exchange:
// the client presents a credential plus attestation data and a batch of
// blinded tokens, and receives the corresponding blind signatures. The RPC
// that carries these messages is defined elsewhere.

syntax = "proto3";

package privacy.ppn;

import "quiche/blind_sign_auth/proto/attestation.proto";
import "quiche/blind_sign_auth/proto/key_services.proto";
import "quiche/blind_sign_auth/proto/proxy_layer.proto";
import "quiche/blind_sign_auth/proto/public_metadata.proto";

// Client is requesting to auth using the provided auth token.
//
// Field numbers 3 and 13 are reserved (previously used). Number 9 is unused
// but not reserved.
// NOTE(review): confirm field 9 was never published before assigning it to a
// new field; if it was, add it to the `reserved` list instead.
// Next ID: 17
message AuthAndSignRequest {
  reserved 3, 13;

  // A 'bearer' oauth token to be validated.
  // https://datatracker.ietf.org/doc/html/rfc6750#section-6.1.1
  // This is a credential; handlers should not log or persist it.
  string oauth_token = 1;

  // A string uniquely identifying the strategy this client should be
  // authenticated with.
  string service_type = 2;

  // A set of blinded tokens to be signed by zinc. b64 encoded.
  // The schema does not bound the number or size of entries; the server is
  // expected to enforce its own limits before signing. TODO confirm where.
  repeated string blinded_token = 4;

  // A sha256 of the public key PEM used in generated `blinded_token`. This
  // ensures the signer signs with the matching key. Only required if key_type
  // is ZINC_KEY_TYPE.
  // NOTE(review): the digest encoding (hex vs. base64 vs. raw bytes) is not
  // stated here — confirm against the signer before comparing.
  string public_key_hash = 5;

  // Platform attestation supplied by the client. At most one member is set;
  // the member types are presumably defined in attestation.proto.
  oneof attestation_data {
    AndroidAttestationData android_attestation_data = 6;
    IosAttestationData ios_attestation_data = 7;
  }
  // Attestation payload. NOTE(review): how this relates to the
  // `attestation_data` oneof above (alternative or complement) is not
  // documented here — confirm with the server-side handler.
  privacy.ppn.AttestationData attestation = 8;

  // Selects which key (service) signs the tokens. Several fields below are
  // only meaningful for a particular key type; see `public_key_hash`,
  // `key_version` and `do_not_use_rsa_public_exponent`.
  privacy.ppn.KeyType key_type = 10;

  // Public metadata bound into the signature. Only one of this or
  // `public_metadata_extensions` should be set.
  privacy.ppn.PublicMetadataInfo public_metadata_info = 11;

  // Indicates which key to use for signing. Only set if key type is
  // PUBLIC_METADATA.
  int64 key_version = 12;

  // Only set one of this or public_metadata_info. Uses IETF privacy pass
  // extensions spec for format.
  bytes public_metadata_extensions = 14;

  // For PUBLIC_METADATA key types, if this value is set to false, the
  // final public exponent is derived by using the RSA public exponent, the
  // RSA modulus and the public metadata. If this value is set to true, only
  // the RSA modulus and the public metadata will be used.
  // The proto3 default (false) therefore selects the derivation that includes
  // the RSA public exponent.
  bool do_not_use_rsa_public_exponent = 15;

  // Only set for some service types where multi layer proxies are supported.
  // Presumably defined in proxy_layer.proto.
  ProxyLayer proxy_layer = 16;
}

// Server response to AuthAndSignRequest: the blind signatures plus the
// connection parameters the client needs next.
// Field numbers 1 to 3 are reserved (previously used).
// Next ID: 8
message AuthAndSignResponse {
  reserved 1, 2, 3;

  // A set of signatures corresponding by index to `blinded_token` in the
  // request. b64 encoded.
  // Receivers should check that the count matches the request before pairing
  // entries by index.
  repeated string blinded_token_signature = 4;

  // The marconi server hostname bridge-proxy used to set up tunnel.
  string copper_controller_hostname = 5;

  // The base64 encoding of override_region token and signature for allowlisted
  // users in the format of "${Region}.${timestamp}.${signature}".
  // NOTE(review): what the signature covers and which key verifies it are not
  // stated here — confirm before relying on this value.
  string region_token_and_signature = 6;

  // The APN type bridge-proxy uses to decide which APN to use for connecting.
  string apn_type = 7;
}