common.security
io.token.proto.common.security /common/src/main/proto/security.proto
syntax = "proto3";
package io.token.proto.common.security;
option java_outer_classname = "SecurityProtos";
option csharp_namespace = "Tokenio.Proto.Common.SecurityProtos";
import "extensions/field.proto";
// Public key
message Key {
string id = 1; // Key ID
string public_key = 2; // Base64url encoded public key.
Level level = 3; // Privilege level: LOW, STANDARD, PRIVILEGED
Algorithm algorithm = 4; // ED25519, ECDSA_SHA256, RS256
int64 expires_at_ms = 5; // optional expiration date of the key
enum Algorithm {
INVALID_ALGORITHM = 0;
ED25519 = 1; // recommended
ECDSA_SHA256 = 2; // recommended
RS256 = 3;
}
enum Level {
INVALID_LEVEL = 0;
PRIVILEGED = 1;
STANDARD = 2;
LOW = 3;
}
}
message PrivateKey {
string id = 1; // Key ID.
string private_key = 2 [(io.token.proto.extensions.field.redact) = true]; // Base64url encoded private key.
Key.Level level = 3; // Key's privilege level.
Key.Algorithm algorithm = 4; // Algorithm to use with key.
}
message Signature {
string member_id = 1; // ID of signing member
string key_id = 2; // ID of public key to verify signature
string signature = 3; // signature
}
// Represents an encrypted message payload
message SealedMessage {
string ciphertext = 1; // Base64url encoded ciphertext.
oneof method {
NoopMethod noop = 4; // Noop encryption
RsaMethod rsa = 6; // RSA blocks method
RsaAesMethod rsa_aes = 7; // RSA/AES Method specific metadata
}
// Clear text is used instead of encryption
message NoopMethod {
}
// The message is encrypted using the public key of the recipient.
// The message can be decrypted only with the corresponding private key.
message RsaMethod {
string key_id = 1; // The id of the key used for encryption
string algorithm = 2; // RSA/ECB/OAEPWithSHA-256AndMGF1Padding
string signature = 3; // Base64url encoded ciphertext signature.
string signature_key_id = 4; // the key-id of the signature
}
// The message is encrypted with a self-generated symmetric key.
// That key is encrypted using the public key of the recipient and
// can only be decrypted with the corresponding private key.
message RsaAesMethod {
string rsa_key_id = 1; // The id of the key used for encryption
string rsa_algorithm = 2; // RSA/ECB/OAEPWithSHA-256AndMGF1Padding
string aes_algorithm = 3; // AES/CBC/PKCS5Padding
string encrypted_aes_key = 5; // Base64url encoded rsa-encrypted aes key
string signature = 6; // Base64url encoded ciphertext signature.
string signature_key_id = 7; // the key-id of the signature
}
}