1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 syntax = "proto3"; 15 16 package tink_testing_api; 17 18 import "google/protobuf/duration.proto"; 19 import "google/protobuf/timestamp.proto"; 20 import "google/protobuf/wrappers.proto"; 21 22 option java_package = "com.google.crypto.tink.testing.proto"; 23 option java_multiple_files = true; 24 option go_package = "github.com/google/tink/testing/go/proto/testing_api_go_proto"; 25 // Placeholder for java_stubby_library 26 27 // Service providing metadata about the server. 28 service Metadata { 29 // Returns some server information. A test may use this information to verify 30 // that it is talking to the right server. 31 rpc GetServerInfo(ServerInfoRequest) returns (ServerInfoResponse) {} 32 } 33 34 message ServerInfoRequest {} 35 36 message ServerInfoResponse { 37 string tink_version = 1; // For example '1.4' 38 string language = 2; // For example 'cc', 'java', 'go' or 'python'. 39 } 40 41 // Service for Keyset operations. 42 service Keyset { 43 // Generates a key template from a key template name. 44 rpc GetTemplate(KeysetTemplateRequest) returns (KeysetTemplateResponse) {} 45 // Generates a new keyset from a template. 46 rpc Generate(KeysetGenerateRequest) returns (KeysetGenerateResponse) {} 47 // Generates a public-key keyset from a private-key keyset. 48 rpc Public(KeysetPublicRequest) returns (KeysetPublicResponse) {} 49 // Converts a Keyset from Binary to Json Format 50 rpc ToJson(KeysetToJsonRequest) returns (KeysetToJsonResponse) {} 51 // Converts a Keyset from Json to Binary Format 52 rpc FromJson(KeysetFromJsonRequest) returns (KeysetFromJsonResponse) {} 53 // Reads an encrypted keyset using KeysetHandle.read() or 54 // KeysetHandle.readWithAssociatedData() and the BinaryKeysetReader. 55 rpc ReadEncrypted(KeysetReadEncryptedRequest) 56 returns (KeysetReadEncryptedResponse) {} 57 // Writes an encrypted keyset using KeysetHandle.write() or 58 // KeysetHandle.writeWithAssociatedData() and the BinaryKeysetWriter. 59 rpc WriteEncrypted(KeysetWriteEncryptedRequest) 60 returns (KeysetWriteEncryptedResponse) {} 61 } 62 63 message KeysetTemplateRequest { 64 string template_name = 1; // template name used by Tinkey 65 } 66 67 message KeysetTemplateResponse { 68 oneof result { 69 bytes key_template = 1; // serialized google.crypto.tink.KeyTemplate. 70 string err = 2; 71 } 72 } 73 74 message KeysetGenerateRequest { 75 bytes template = 1; // serialized google.crypto.tink.KeyTemplate. 76 } 77 78 message KeysetGenerateResponse { 79 oneof result { 80 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 81 string err = 2; 82 } 83 } 84 85 message KeysetPublicRequest { 86 bytes private_keyset = 1; // serialized google.crypto.tink.Keyset. 87 } 88 89 message KeysetPublicResponse { 90 oneof result { 91 bytes public_keyset = 1; // serialized google.crypto.tink.Keyset. 92 string err = 2; 93 } 94 } 95 96 message KeysetToJsonRequest { 97 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 98 } 99 100 message KeysetToJsonResponse { 101 oneof result { 102 string json_keyset = 1; 103 string err = 2; 104 } 105 } 106 107 message KeysetFromJsonRequest { 108 string json_keyset = 1; 109 } 110 111 message KeysetFromJsonResponse { 112 oneof result { 113 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 114 string err = 2; 115 } 116 } 117 118 // Copy of google.protobuf.BytesValue 119 message BytesValue { 120 // The bytes value. 121 bytes value = 1; 122 } 123 124 enum KeysetReaderType { 125 KEYSET_READER_UNKNOWN = 0; 126 KEYSET_READER_BINARY = 1; 127 KEYSET_READER_JSON = 2; 128 } 129 130 message KeysetReadEncryptedRequest { 131 bytes encrypted_keyset = 1; 132 bytes master_keyset = 2; // serialized google.crypto.tink.Keyset. 133 BytesValue associated_data = 3; 134 KeysetReaderType keyset_reader_type = 4; 135 } 136 137 message KeysetReadEncryptedResponse { 138 oneof result { 139 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 140 string err = 2; 141 } 142 } 143 144 enum KeysetWriterType { 145 KEYSET_WRITER_UNKNOWN = 0; 146 KEYSET_WRITER_BINARY = 1; 147 KEYSET_WRITER_JSON = 2; 148 } 149 150 message KeysetWriteEncryptedRequest { 151 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 152 bytes master_keyset = 2; // serialized google.crypto.tink.Keyset. 153 BytesValue associated_data = 3; 154 KeysetWriterType keyset_writer_type = 4; 155 } 156 157 message KeysetWriteEncryptedResponse { 158 oneof result { 159 bytes encrypted_keyset = 1; 160 string err = 2; 161 } 162 } 163 164 message AnnotatedKeyset { 165 bytes serialized_keyset = 1; // serialized google.crypto.tink.Keyset. 166 map<string, string> annotations = 2; 167 } 168 169 message CreationRequest { 170 AnnotatedKeyset annotated_keyset = 1; 171 } 172 173 message CreationResponse { 174 // Empty means no error 175 string err = 1; 176 } 177 178 // Service for AEAD encryption and decryption 179 service Aead { 180 // Creates an Aead object without using it. 181 rpc Create(CreationRequest) returns (CreationResponse) {} 182 // Encrypts a plaintext with the provided keyset. The client must call 183 // "Create" first to see if creation succeeds before calling this. 184 rpc Encrypt(AeadEncryptRequest) returns (AeadEncryptResponse) {} 185 // Decrypts a ciphertext with the provided keyset. The client must call 186 // "Create" first to see if creation succeeds before calling this. 187 rpc Decrypt(AeadDecryptRequest) returns (AeadDecryptResponse) {} 188 } 189 190 message AeadEncryptRequest { 191 AnnotatedKeyset annotated_keyset = 1; 192 bytes plaintext = 2; 193 bytes associated_data = 3; 194 } 195 196 message AeadEncryptResponse { 197 oneof result { 198 bytes ciphertext = 1; 199 string err = 2; 200 } 201 } 202 203 message AeadDecryptRequest { 204 AnnotatedKeyset annotated_keyset = 1; 205 bytes ciphertext = 2; 206 bytes associated_data = 3; 207 } 208 209 message AeadDecryptResponse { 210 oneof result { 211 bytes plaintext = 1; 212 string err = 2; 213 } 214 } 215 216 // Service for Deterministic AEAD encryption and decryption 217 service DeterministicAead { 218 // Creates a Deterministic AEAD object without using it. 219 rpc Create(CreationRequest) returns (CreationResponse) {} 220 // Encrypts a plaintext with the provided keyset. The client must call 221 // "Create" first to see if creation succeeds before calling 222 // this. 223 rpc EncryptDeterministically(DeterministicAeadEncryptRequest) 224 returns (DeterministicAeadEncryptResponse) {} 225 // Decrypts a ciphertext with the provided keyset. The client must call 226 // "Create" first to see if creation succeeds before calling 227 // this. 228 rpc DecryptDeterministically(DeterministicAeadDecryptRequest) 229 returns (DeterministicAeadDecryptResponse) {} 230 } 231 232 message DeterministicAeadEncryptRequest { 233 AnnotatedKeyset annotated_keyset = 1; 234 bytes plaintext = 2; 235 bytes associated_data = 3; 236 } 237 238 message DeterministicAeadEncryptResponse { 239 oneof result { 240 bytes ciphertext = 1; 241 string err = 2; 242 } 243 } 244 245 message DeterministicAeadDecryptRequest { 246 AnnotatedKeyset annotated_keyset = 1; 247 bytes ciphertext = 2; 248 bytes associated_data = 3; 249 } 250 251 message DeterministicAeadDecryptResponse { 252 oneof result { 253 bytes plaintext = 1; 254 string err = 2; 255 } 256 } 257 258 // Service for Streaming AEAD encryption and decryption 259 service StreamingAead { 260 // Creates a StreamingAead object without using it. 261 rpc Create(CreationRequest) returns (CreationResponse) {} 262 263 // Encrypts a plaintext with the provided keyset. The client must call 264 // "Create" first to see if creation succeeds before calling this. 265 rpc Encrypt(StreamingAeadEncryptRequest) 266 returns (StreamingAeadEncryptResponse) {} 267 // Decrypts a ciphertext with the provided keyset. The client must call 268 // "Create" first to see if creation succeeds before calling this. 269 rpc Decrypt(StreamingAeadDecryptRequest) 270 returns (StreamingAeadDecryptResponse) {} 271 } 272 273 message StreamingAeadEncryptRequest { 274 AnnotatedKeyset annotated_keyset = 1; 275 bytes plaintext = 2; 276 bytes associated_data = 3; 277 } 278 279 message StreamingAeadEncryptResponse { 280 oneof result { 281 bytes ciphertext = 1; 282 string err = 2; 283 } 284 } 285 286 message StreamingAeadDecryptRequest { 287 AnnotatedKeyset annotated_keyset = 1; 288 bytes ciphertext = 2; 289 bytes associated_data = 3; 290 } 291 292 message StreamingAeadDecryptResponse { 293 oneof result { 294 bytes plaintext = 1; 295 string err = 2; 296 } 297 } 298 299 // Service to compute and verify MACs 300 service Mac { 301 // Creates a Mac object without using it. 302 rpc Create(CreationRequest) returns (CreationResponse) {} 303 // Computes a MAC for given data. The client must call "Create" first to see 304 // if creation succeeds before calling this. 305 rpc ComputeMac(ComputeMacRequest) returns (ComputeMacResponse) {} 306 // Verifies the validity of the MAC value, no error means success. The client 307 // must call "Create" first to see if creation succeeds before calling this. 308 rpc VerifyMac(VerifyMacRequest) returns (VerifyMacResponse) {} 309 } 310 311 message ComputeMacRequest { 312 AnnotatedKeyset annotated_keyset = 1; 313 bytes data = 2; 314 } 315 316 message ComputeMacResponse { 317 oneof result { 318 bytes mac_value = 1; 319 string err = 2; 320 } 321 } 322 323 message VerifyMacRequest { 324 AnnotatedKeyset annotated_keyset = 1; 325 bytes mac_value = 2; 326 bytes data = 3; 327 } 328 329 message VerifyMacResponse { 330 string err = 1; 331 } 332 333 // Service to hybrid encrypt and decrypt 334 service Hybrid { 335 // Creates a HybridEncrypt object without using it. 336 rpc CreateHybridEncrypt(CreationRequest) returns (CreationResponse) {} 337 // Creates a HybridDecrypt object without using it. 338 rpc CreateHybridDecrypt(CreationRequest) returns (CreationResponse) {} 339 340 // Encrypts plaintext binding context_info to the resulting ciphertext. The 341 // client must call "CreateHybridEncrypt" first to see if creation succeeds 342 // before calling this. 343 rpc Encrypt(HybridEncryptRequest) returns (HybridEncryptResponse) {} 344 // Decrypts ciphertext verifying the integrity of context_info. The client 345 // must call "CreateHybridDecrypt" first to see if creation succeeds before 346 // calling this. 347 rpc Decrypt(HybridDecryptRequest) returns (HybridDecryptResponse) {} 348 } 349 350 message HybridEncryptRequest { 351 AnnotatedKeyset public_annotated_keyset = 1; 352 bytes plaintext = 2; 353 bytes context_info = 3; 354 } 355 356 message HybridEncryptResponse { 357 oneof result { 358 bytes ciphertext = 1; 359 string err = 2; 360 } 361 } 362 363 message HybridDecryptRequest { 364 AnnotatedKeyset private_annotated_keyset = 1; 365 bytes ciphertext = 2; 366 bytes context_info = 3; 367 } 368 369 message HybridDecryptResponse { 370 oneof result { 371 bytes plaintext = 1; 372 string err = 2; 373 } 374 } 375 376 // Service to sign and verify signatures. 377 service Signature { 378 // Creates a PublicKeySign object without using it. 379 rpc CreatePublicKeySign(CreationRequest) returns (CreationResponse) {} 380 // Creates a PublicKeyVerify object without using it. 381 rpc CreatePublicKeyVerify(CreationRequest) returns (CreationResponse) {} 382 383 // Computes the signature for data. The client must call "CreatePublicKeySign" 384 // first to see if creation succeeds before calling this. 385 rpc Sign(SignatureSignRequest) returns (SignatureSignResponse) {} 386 // Verifies that signature is a digital signature for data. The client must 387 // call "CreatePublicKeyVerify" first to see if creation succeeds before 388 // calling this. 389 rpc Verify(SignatureVerifyRequest) returns (SignatureVerifyResponse) {} 390 } 391 392 message SignatureSignRequest { 393 AnnotatedKeyset private_annotated_keyset = 1; 394 bytes data = 2; 395 } 396 397 message SignatureSignResponse { 398 oneof result { 399 bytes signature = 1; 400 string err = 2; 401 } 402 } 403 404 message SignatureVerifyRequest { 405 AnnotatedKeyset public_annotated_keyset = 1; 406 bytes signature = 2; 407 bytes data = 3; 408 } 409 410 message SignatureVerifyResponse { 411 string err = 1; 412 } 413 414 // Service for PrfSet computation 415 service PrfSet { 416 // Creates a PrfSet object without using it. 417 rpc Create(CreationRequest) returns (CreationResponse) {} 418 419 // Returns the key ids and the primary key id in the keyset.The client must 420 // call "Create" first to see if creation succeeds before calling this. 421 rpc KeyIds(PrfSetKeyIdsRequest) returns (PrfSetKeyIdsResponse) {} 422 // Computes the output of the PRF with the given key_id in the PrfSet.The 423 // client must call "Create" first to see if creation succeeds before calling 424 // this. 425 rpc Compute(PrfSetComputeRequest) returns (PrfSetComputeResponse) {} 426 } 427 428 message PrfSetKeyIdsRequest { 429 AnnotatedKeyset annotated_keyset = 1; 430 } 431 432 message PrfSetKeyIdsResponse { 433 message Output { 434 uint32 primary_key_id = 1; 435 repeated uint32 key_id = 2; 436 } 437 oneof result { 438 Output output = 1; 439 string err = 2; 440 } 441 } 442 443 message PrfSetComputeRequest { 444 AnnotatedKeyset annotated_keyset = 1; 445 uint32 key_id = 2; 446 bytes input_data = 3; 447 int32 output_length = 4; 448 } 449 450 message PrfSetComputeResponse { 451 oneof result { 452 bytes output = 1; 453 string err = 2; 454 } 455 } 456 457 // Service for JSON Web Tokens (JWT) 458 service Jwt { 459 // Creates a JwtMac object without using it. 460 rpc CreateJwtMac(CreationRequest) returns (CreationResponse) {} 461 // Creates a JwtPublicKeySign object without using it. 462 rpc CreateJwtPublicKeySign(CreationRequest) returns (CreationResponse) {} 463 // Creates a JwtPublicKeyVerify object without using it. 464 rpc CreateJwtPublicKeyVerify(CreationRequest) returns (CreationResponse) {} 465 466 // Computes a signed compact JWT token. 467 rpc ComputeMacAndEncode(JwtSignRequest) returns (JwtSignResponse) {} 468 // Verifies the validity of the signed compact JWT token 469 rpc VerifyMacAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {} 470 // Computes a signed compact JWT token. 471 rpc PublicKeySignAndEncode(JwtSignRequest) returns (JwtSignResponse) {} 472 // Verifies the validity of the signed compact JWT token 473 rpc PublicKeyVerifyAndDecode(JwtVerifyRequest) returns (JwtVerifyResponse) {} 474 // Converts a Keyset from Tink Binary to JWK Set Format 475 rpc ToJwkSet(JwtToJwkSetRequest) returns (JwtToJwkSetResponse) {} 476 // Converts a Keyset from JWK Set to Tink Binary Format 477 rpc FromJwkSet(JwtFromJwkSetRequest) returns (JwtFromJwkSetResponse) {} 478 } 479 480 // Used to represent the JSON null value. 481 enum NullValue { 482 NULL_VALUE = 0; 483 } 484 485 message JwtClaimValue { 486 oneof kind { 487 NullValue null_value = 2; 488 double number_value = 3; 489 string string_value = 4; 490 bool bool_value = 5; 491 string json_object_value = 6; 492 string json_array_value = 7; 493 } 494 } 495 496 message JwtToken { 497 google.protobuf.StringValue issuer = 1; 498 google.protobuf.StringValue subject = 2; 499 repeated string audiences = 3; 500 google.protobuf.StringValue jwt_id = 4; 501 google.protobuf.Timestamp expiration = 5; 502 google.protobuf.Timestamp not_before = 6; 503 google.protobuf.Timestamp issued_at = 7; 504 map<string, JwtClaimValue> custom_claims = 8; 505 google.protobuf.StringValue type_header = 9; 506 } 507 508 message JwtValidator { 509 google.protobuf.StringValue expected_type_header = 7; 510 google.protobuf.StringValue expected_issuer = 1; 511 google.protobuf.StringValue expected_audience = 3; 512 bool ignore_type_header = 8; 513 bool ignore_issuer = 9; 514 bool ignore_audience = 11; 515 bool allow_missing_expiration = 12; 516 bool expect_issued_in_the_past = 13; 517 google.protobuf.Timestamp now = 5; 518 google.protobuf.Duration clock_skew = 6; 519 } 520 521 message JwtSignRequest { 522 AnnotatedKeyset annotated_keyset = 1; 523 JwtToken raw_jwt = 2; 524 } 525 526 message JwtSignResponse { 527 oneof result { 528 string signed_compact_jwt = 1; 529 string err = 2; 530 } 531 } 532 533 message JwtVerifyRequest { 534 AnnotatedKeyset annotated_keyset = 1; 535 string signed_compact_jwt = 2; 536 JwtValidator validator = 3; 537 } 538 539 message JwtVerifyResponse { 540 oneof result { 541 JwtToken verified_jwt = 1; 542 string err = 2; 543 } 544 } 545 546 message JwtToJwkSetRequest { 547 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 548 } 549 550 message JwtToJwkSetResponse { 551 oneof result { 552 string jwk_set = 1; 553 string err = 2; 554 } 555 } 556 557 message JwtFromJwkSetRequest { 558 string jwk_set = 1; 559 } 560 561 message JwtFromJwkSetResponse { 562 oneof result { 563 bytes keyset = 1; // serialized google.crypto.tink.Keyset. 564 string err = 2; 565 } 566 } 567