syntax = "proto3";
package io.token.proto.common.security;
option java_outer_classname = "SecurityProtos";
option csharp_namespace = "Tokenio.Proto.Common.SecurityProtos";
import "extensions/field.proto";
// Public key registered for a member, together with the privilege level it
// carries and the signature algorithm it is used with.
message Key {
  // Key ID. Referenced by Signature.key_id to locate the verifying key.
  string id = 1;
  // Base64url encoded public key.
  string public_key = 2;
  // Privilege level: LOW, STANDARD, PRIVILEGED. The wire values do not follow
  // privilege order (PRIVILEGED = 1, LOW = 3), so never compare levels by
  // their integer value.
  Level level = 3;
  // Signature algorithm: ED25519, ECDSA_SHA256, RS256.
  Algorithm algorithm = 4;
  // Optional expiration date of the key, as Unix epoch milliseconds. Proto3
  // implicit presence: 0 is indistinguishable from "no expiration", so a
  // receiver should treat 0 as "never expires" and reject keys whose value
  // is in the past — TODO confirm where expiry is enforced.
  int64 expires_at_ms = 5;

  // Signature algorithm a Key is used with. Values are unprefixed; they are
  // part of the published contract and must not be renamed or renumbered.
  enum Algorithm {
    INVALID_ALGORITHM = 0; // zero/default value; not a usable algorithm
    ED25519 = 1; // recommended
    ECDSA_SHA256 = 2; // recommended
    RS256 = 3;
  }

  // Privilege level of a Key. Wire values are not ordered by privilege.
  enum Level {
    INVALID_LEVEL = 0; // zero/default value; not a usable level
    PRIVILEGED = 1;
    STANDARD = 2;
    LOW = 3;
  }
}
// Private half of a member key. The key material carries the `redact` field
// extension (extensions/field.proto) so tooling that honours it strips the
// value from logs and diagnostic output.
message PrivateKey {
  // Key ID. Presumably the same id as the corresponding public Key —
  // TODO confirm.
  string id = 1;
  // Base64url encoded private key. Redacted by the field extension; must not
  // be logged, persisted in plain text, or echoed back in responses.
  string private_key = 2 [(io.token.proto.extensions.field.redact) = true];
  // Key's privilege level.
  Key.Level level = 3;
  // Algorithm to use with key.
  Key.Algorithm algorithm = 4;
}
// Detached signature produced with a member's key. The signed payload is not
// part of this message; it is defined by the enclosing request — TODO confirm.
message Signature {
  // ID of signing member.
  string member_id = 1;
  // ID of public key to verify signature. The verifier should resolve this
  // id against the keys registered for member_id (including the key's
  // expiration and level) rather than trusting the pair as-is.
  string key_id = 2;
  // Signature. Encoding is not stated here; the other signature fields in
  // this file are Base64url encoded — TODO confirm this one matches.
  string signature = 3;
}
// Represents an encrypted message payload. Exactly one entry of the `method`
// oneof describes how `ciphertext` was produced; a receiver should dispatch
// on the set case and reject methods it does not expect (note that `noop`
// means the payload is not encrypted at all).
message SealedMessage {
  // Base64url encoded ciphertext (presumably the clear text itself when
  // method is noop — TODO confirm).
  string ciphertext = 1;

  // Method-specific metadata. Numbers 2, 3 and 5 are unused in this oneof;
  // if they belonged to removed fields they should be `reserved` so they are
  // never reassigned — TODO confirm against history.
  oneof method {
    NoopMethod noop = 4; // Noop encryption
    RsaMethod rsa = 6; // RSA blocks method
    RsaAesMethod rsa_aes = 7; // RSA/AES Method specific metadata
  }

  // Clear text is used instead of encryption.
  message NoopMethod {
  }

  // The message is encrypted using the public key of the recipient.
  // The message can be decrypted only with the corresponding private key.
  message RsaMethod {
    // The id of the key used for encryption.
    string key_id = 1;
    // RSA/ECB/OAEPWithSHA-256AndMGF1Padding. Carried as a free-form string:
    // a receiver should match it against an allowlist of supported
    // transformations rather than pass it straight to a crypto provider.
    string algorithm = 2;
    // Base64url encoded ciphertext signature.
    string signature = 3;
    // The key-id of the signature.
    string signature_key_id = 4;
  }

  // The message is encrypted with a self-generated symmetric key.
  // That key is encrypted using the public key of the recipient and
  // can only be decrypted with the corresponding private key.
  message RsaAesMethod {
    // The id of the key used for encryption.
    string rsa_key_id = 1;
    // RSA/ECB/OAEPWithSHA-256AndMGF1Padding. Free-form string; allowlist on
    // the receiving side as for RsaMethod.algorithm.
    string rsa_algorithm = 2;
    // AES/CBC/PKCS5Padding. CBC is not an authenticated mode, so integrity
    // presumably rests on `signature` being verified before any decryption
    // is attempted — TODO confirm the receiver enforces that order.
    string aes_algorithm = 3;
    // Base64url encoded rsa-encrypted aes key. Number 4 is unused here; see
    // the note on the `method` oneof about reserving gaps.
    string encrypted_aes_key = 5;
    // Base64url encoded ciphertext signature.
    string signature = 6;
    // The key-id of the signature.
    string signature_key_id = 7;
  }
}
// Deprecated. Presumably superseded by CustomerTrackingMetadata, which
// carries the same kind of data — TODO confirm. Do not add fields here.
message SecurityMetadata {
  option deprecated = true;
  // IP address.
  string ip_address = 1;
  // Geographical location.
  string geo_location = 2;
  // Device fingerprint.
  string device_fingerprint = 3;
}
// Information about the customer behind a request. All fields are supplied
// by the caller, so a server should treat them as attestations from the
// client rather than as verified facts — TODO confirm whether any are
// cross-checked against the connection.
message CustomerTrackingMetadata {
  // IP address of the customer. Required when the request is initiated by
  // the customer, which means the request is exempted from the PSD2 data
  // access restriction.
  string ip_address = 1;
  // Optional. Geographical location of the customer.
  string geo_location = 2;
  // Optional. Universally Unique Identifier for a device of the customer
  // that identifies either a device or a device dependent application
  // installation.
  string device_id = 3;
  // User agent of the customer's client — undocumented upstream; TODO confirm
  // format and whether it is required alongside ip_address.
  string user_agent = 4;
}