common.security

io.token.proto.common.security /common/src/main/proto/security.proto


syntax = "proto3";
package io.token.proto.common.security;

option java_outer_classname = "SecurityProtos";
option csharp_namespace = "Tokenio.Proto.Common.SecurityProtos";

import "extensions/field.proto";

// Public key
message Key {
  string id = 1;           // Key ID
  string public_key = 2;   // Base64url encoded public key.
  Level level = 3;         // Privilege level: LOW, STANDARD, PRIVILEGED
  Algorithm algorithm = 4; // ED25519, ECDSA_SHA256, RS256
  int64 expires_at_ms = 5; // optional expiration date of the key

  enum Algorithm {
    INVALID_ALGORITHM = 0;
    ED25519 = 1;           // recommended
    ECDSA_SHA256 = 2;      // recommended
    RS256 = 3;
  }

  enum Level {
    INVALID_LEVEL = 0;
    PRIVILEGED = 1;
    STANDARD = 2;
    LOW = 3;
  }
}

message PrivateKey {
  string id = 1;                                                      // Key ID.
  string private_key = 2 [(io.token.proto.extensions.field.redact) = true]; // Base64url encoded private key.
  Key.Level level = 3;                                                // Key's privilege level.
  Key.Algorithm algorithm = 4;                                        // Algorithm to use with key.
}

message Signature {
  string member_id = 1; // ID of signing member
  string key_id = 2;    // ID of public key to verify signature
  string signature = 3; // signature
}

// Represents an encrypted message payload
message SealedMessage {
  string ciphertext = 1;              // Base64url encoded ciphertext.

  oneof method {
    NoopMethod noop = 4;              // Noop encryption
    RsaMethod rsa = 6;                // RSA blocks method
    RsaAesMethod rsa_aes = 7;         // RSA/AES Method specific metadata
  }

  // Clear text is used instead of encryption
  message NoopMethod {
  }

  // The message is encrypted using the public key of the recipient.
  // The message can be decrypted only with the corresponding private key.
  message RsaMethod {
    string key_id = 1;                // The id of the key used for encryption
    string algorithm = 2;             // RSA/ECB/OAEPWithSHA-256AndMGF1Padding
    string signature = 3;             // Base64url encoded ciphertext signature.
    string signature_key_id = 4;      // the key-id of the signature
  }

  // The message is encrypted with a self-generated symmetric key.
  // That key is encrypted using the public key of the recipient and
  // can only be decrypted with the corresponding private key.
  message RsaAesMethod {
    string rsa_key_id = 1;            // The id of the key used for encryption
    string rsa_algorithm = 2;         // RSA/ECB/OAEPWithSHA-256AndMGF1Padding
    string aes_algorithm = 3;         // AES/CBC/PKCS5Padding
    string encrypted_aes_key = 5;     // Base64url encoded rsa-encrypted aes key
    string signature = 6;             // Base64url encoded ciphertext signature.
    string signature_key_id = 7;      // the key-id of the signature
  }
}

message SecurityMetadata {
  string ip_address = 1;
  string geo_location = 2;
  string device_fingerprint = 3;
}