confidentialcomputingpb

package
Published: Jan 2, 2025 License: Apache-2.0 Imports: 11 Imported by: 3

Documentation

Index

Constants

This section is empty.

Variables

var (
	// SigningAlgorithm_name maps each SigningAlgorithm number to its proto
	// enum name (the numbers match the SigningAlgorithm constants below).
	SigningAlgorithm_name = map[int32]string{
		0: "SIGNING_ALGORITHM_UNSPECIFIED",
		1: "RSASSA_PSS_SHA256",
		2: "RSASSA_PKCS1V15_SHA256",
		3: "ECDSA_P256_SHA256",
	}
	// SigningAlgorithm_value is the inverse lookup: proto enum name to number.
	// A name that is not in this map yields the zero value (0, UNSPECIFIED)
	// on lookup, so callers parsing external input should use the two-value
	// map form and check `ok`.
	SigningAlgorithm_value = map[string]int32{
		"SIGNING_ALGORITHM_UNSPECIFIED": 0,
		"RSASSA_PSS_SHA256":             1,
		"RSASSA_PKCS1V15_SHA256":        2,
		"ECDSA_P256_SHA256":             3,
	}
)

Enum value maps for SigningAlgorithm.

var (
	// TokenType_name maps each TokenType number to its proto enum name (the
	// numbers match the TokenType constants below).
	TokenType_name = map[int32]string{
		0: "TOKEN_TYPE_UNSPECIFIED",
		1: "TOKEN_TYPE_OIDC",
		2: "TOKEN_TYPE_PKI",
		3: "TOKEN_TYPE_LIMITED_AWS",
		4: "TOKEN_TYPE_AWS_PRINCIPALTAGS",
	}
	// TokenType_value is the inverse lookup: proto enum name to number.
	// An unknown name yields 0 (UNSPECIFIED) from a plain map index, so use
	// the two-value form when the name comes from configuration or input.
	TokenType_value = map[string]int32{
		"TOKEN_TYPE_UNSPECIFIED":       0,
		"TOKEN_TYPE_OIDC":              1,
		"TOKEN_TYPE_PKI":               2,
		"TOKEN_TYPE_LIMITED_AWS":       3,
		"TOKEN_TYPE_AWS_PRINCIPALTAGS": 4,
	}
)

Enum value maps for TokenType.

// File_google_cloud_confidentialcomputing_v1_service_proto is the protoreflect
// descriptor for the service.proto file this package was generated from.
var File_google_cloud_confidentialcomputing_v1_service_proto protoreflect.FileDescriptor

Functions

func RegisterConfidentialComputingServer

func RegisterConfidentialComputingServer(s *grpc.Server, srv ConfidentialComputingServer)

Types

type Challenge

// Challenge is a server-issued, single-use value that an attestation must be
// bound to so the service can treat it as fresh: it expires (ExpireTime) and
// is consumed by VerifyAttestation (Used). Every field is set by the server.
type Challenge struct {

	// Output only. The resource name for this Challenge in the format
	// `projects/*/locations/*/challenges/*`
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Output only. The time at which this Challenge was created
	CreateTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
	// Output only. The time at which this Challenge will no longer be usable. It
	// is also the expiration time for any tokens generated from this Challenge.
	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
	// Output only. Indicates if this challenge has been used to generate a token.
	// Together with ExpireTime this is what prevents replay: the Challenge
	// named in VerifyAttestationRequest.Challenge is consumed and cannot be
	// reused.
	Used bool `protobuf:"varint,4,opt,name=used,proto3" json:"used,omitempty"`
	// Output only. Identical to nonce, but as a string.
	// NOTE(review): the `nonce` field this mirrors is not among the displayed
	// fields — check the .proto for its exact encoding before comparing the two.
	TpmNonce string `protobuf:"bytes,6,opt,name=tpm_nonce,json=tpmNonce,proto3" json:"tpm_nonce,omitempty"`
	// contains filtered or unexported fields
}

A Challenge from the server used to guarantee freshness of attestations

func (*Challenge) Descriptor deprecated

func (*Challenge) Descriptor() ([]byte, []int)

Deprecated: Use Challenge.ProtoReflect.Descriptor instead.

func (*Challenge) GetCreateTime

func (x *Challenge) GetCreateTime() *timestamppb.Timestamp

func (*Challenge) GetExpireTime

func (x *Challenge) GetExpireTime() *timestamppb.Timestamp

func (*Challenge) GetName

func (x *Challenge) GetName() string

func (*Challenge) GetTpmNonce

func (x *Challenge) GetTpmNonce() string

func (*Challenge) GetUsed

func (x *Challenge) GetUsed() bool

func (*Challenge) ProtoMessage

func (*Challenge) ProtoMessage()

func (*Challenge) ProtoReflect

func (x *Challenge) ProtoReflect() protoreflect.Message

func (*Challenge) Reset

func (x *Challenge) Reset()

func (*Challenge) String

func (x *Challenge) String() string

type ConfidentialComputingClient

// ConfidentialComputingClient is the client API for the ConfidentialComputing
// service. The expected flow is CreateChallenge to obtain a fresh Challenge,
// then VerifyAttestation with evidence bound to that Challenge.
type ConfidentialComputingClient interface {
	// Creates a new Challenge in a given project and location.
	CreateChallenge(ctx context.Context, in *CreateChallengeRequest, opts ...grpc.CallOption) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed OIDC token.
	// The Challenge named in the request is consumed by this call and cannot
	// be reused (see VerifyAttestationRequest.Challenge).
	VerifyAttestation(ctx context.Context, in *VerifyAttestationRequest, opts ...grpc.CallOption) (*VerifyAttestationResponse, error)
}

ConfidentialComputingClient is the client API for ConfidentialComputing service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.

type ConfidentialComputingServer

// ConfidentialComputingServer is the server API for the ConfidentialComputing
// service; register an implementation with RegisterConfidentialComputingServer.
// Embed UnimplementedConfidentialComputingServer to stay forward compatible
// when methods are added.
type ConfidentialComputingServer interface {
	// Creates a new Challenge in a given project and location.
	CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed OIDC token.
	// Implementations must consume the named Challenge so it cannot be
	// replayed (see VerifyAttestationRequest.Challenge).
	VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
}

ConfidentialComputingServer is the server API for ConfidentialComputing service.

type ConfidentialSpaceInfo added in v1.1.0

// ConfidentialSpaceInfo carries the Confidential Space TEE details a workload
// attaches to a VerifyAttestationRequest (ConfidentialSpaceInfo field).
type ConfidentialSpaceInfo struct {

	// Optional. A list of signed entities containing container image signatures
	// that can be used for server-side signature verification.
	// NOTE(review): supplying a signature here is an input to verification, not
	// evidence that it was accepted; the outcome presumably shows up only in
	// the issued token and VerifyAttestationResponse.PartialErrors — confirm.
	SignedEntities []*SignedEntity `protobuf:"bytes,1,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
	// contains filtered or unexported fields
}

ConfidentialSpaceInfo contains information related to the Confidential Space TEE.

func (*ConfidentialSpaceInfo) Descriptor deprecated added in v1.1.0

func (*ConfidentialSpaceInfo) Descriptor() ([]byte, []int)

Deprecated: Use ConfidentialSpaceInfo.ProtoReflect.Descriptor instead.

func (*ConfidentialSpaceInfo) GetSignedEntities added in v1.1.0

func (x *ConfidentialSpaceInfo) GetSignedEntities() []*SignedEntity

func (*ConfidentialSpaceInfo) ProtoMessage added in v1.1.0

func (*ConfidentialSpaceInfo) ProtoMessage()

func (*ConfidentialSpaceInfo) ProtoReflect added in v1.1.0

func (x *ConfidentialSpaceInfo) ProtoReflect() protoreflect.Message

func (*ConfidentialSpaceInfo) Reset added in v1.1.0

func (x *ConfidentialSpaceInfo) Reset()

func (*ConfidentialSpaceInfo) String added in v1.1.0

func (x *ConfidentialSpaceInfo) String() string

type ContainerImageSignature added in v1.1.0

// ContainerImageSignature is one cosign-style signature over a container image:
// a SimpleSigning payload (which names the image digest) plus a signature over
// that payload's SHA-256 digest.
type ContainerImageSignature struct {

	// Optional. The binary signature payload following the SimpleSigning format
	// https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#simple-signing.
	// This payload includes the container image digest.
	Payload []byte `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
	// Optional. A signature over the payload.
	// The container image digest is incorporated into the signature as follows:
	// 1. Generate a SimpleSigning format payload that includes the container
	// image digest.
	// 2. Generate a signature over SHA256 digest of the payload.
	// The signature generation process can be represented as follows:
	// `Sign(sha256(SimpleSigningPayload(sha256(Image Manifest))))`
	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// Optional. Reserved for future use.
	// NOTE(review): being reserved, this presumably does not select the key the
	// server verifies with — do not rely on it as a trust input; confirm.
	PublicKey []byte `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// Optional. Reserved for future use.
	// NOTE(review): same caveat as PublicKey; an unset value is
	// SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED (0).
	SigAlg SigningAlgorithm `` /* 140-byte string literal not displayed */
	// contains filtered or unexported fields
}

ContainerImageSignature holds necessary metadata to verify a container image signature.

func (*ContainerImageSignature) Descriptor deprecated added in v1.1.0

func (*ContainerImageSignature) Descriptor() ([]byte, []int)

Deprecated: Use ContainerImageSignature.ProtoReflect.Descriptor instead.

func (*ContainerImageSignature) GetPayload added in v1.1.0

func (x *ContainerImageSignature) GetPayload() []byte

func (*ContainerImageSignature) GetPublicKey added in v1.1.0

func (x *ContainerImageSignature) GetPublicKey() []byte

func (*ContainerImageSignature) GetSigAlg added in v1.1.0

func (*ContainerImageSignature) GetSignature added in v1.1.0

func (x *ContainerImageSignature) GetSignature() []byte

func (*ContainerImageSignature) ProtoMessage added in v1.1.0

func (*ContainerImageSignature) ProtoMessage()

func (*ContainerImageSignature) ProtoReflect added in v1.1.0

func (x *ContainerImageSignature) ProtoReflect() protoreflect.Message

func (*ContainerImageSignature) Reset added in v1.1.0

func (x *ContainerImageSignature) Reset()

func (*ContainerImageSignature) String added in v1.1.0

func (x *ContainerImageSignature) String() string

type CreateChallengeRequest

// CreateChallengeRequest asks the service to mint a Challenge under Parent.
// The server populates every Challenge field, so Challenge is normally empty.
type CreateChallengeRequest struct {

	// Required. The resource name of the location where the Challenge will be
	// used, in the format `projects/*/locations/*`.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Required. The Challenge to be created. Currently this field can be empty as
	// all the Challenge fields are set by the server.
	Challenge *Challenge `protobuf:"bytes,2,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// contains filtered or unexported fields
}

Message for creating a Challenge

func (*CreateChallengeRequest) Descriptor deprecated

func (*CreateChallengeRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateChallengeRequest.ProtoReflect.Descriptor instead.

func (*CreateChallengeRequest) GetChallenge

func (x *CreateChallengeRequest) GetChallenge() *Challenge

func (*CreateChallengeRequest) GetParent

func (x *CreateChallengeRequest) GetParent() string

func (*CreateChallengeRequest) ProtoMessage

func (*CreateChallengeRequest) ProtoMessage()

func (*CreateChallengeRequest) ProtoReflect

func (x *CreateChallengeRequest) ProtoReflect() protoreflect.Message

func (*CreateChallengeRequest) Reset

func (x *CreateChallengeRequest) Reset()

func (*CreateChallengeRequest) String

func (x *CreateChallengeRequest) String() string

type GcpCredentials

// GcpCredentials carries GCP-issued ID tokens that are linked to the platform
// attestation and verified server-side during VerifyAttestation.
type GcpCredentials struct {

	// Same as id_tokens, but as a string.
	// NOTE(review): the `id_tokens` field this mirrors is not among the
	// displayed fields. ID tokens are bearer credentials — keep them out of
	// client-side logs and error messages.
	ServiceAccountIdTokens []string `` /* 131-byte string literal not displayed */
	// contains filtered or unexported fields
}

Credentials issued by GCP which are linked to the platform attestation. These will be verified server-side as part of attestation verification.

func (*GcpCredentials) Descriptor deprecated

func (*GcpCredentials) Descriptor() ([]byte, []int)

Deprecated: Use GcpCredentials.ProtoReflect.Descriptor instead.

func (*GcpCredentials) GetServiceAccountIdTokens

func (x *GcpCredentials) GetServiceAccountIdTokens() []string

func (*GcpCredentials) ProtoMessage

func (*GcpCredentials) ProtoMessage()

func (*GcpCredentials) ProtoReflect

func (x *GcpCredentials) ProtoReflect() protoreflect.Message

func (*GcpCredentials) Reset

func (x *GcpCredentials) Reset()

func (*GcpCredentials) String

func (x *GcpCredentials) String() string

type SevSnpAttestation added in v1.6.0

// SevSnpAttestation is the SEV-SNP evidence a guest collects: the raw
// ATTESTATION_REPORT and the GHCB certificate bundle needed to verify it.
// It is supplied via VerifyAttestationRequest_SevSnpAttestation.
type SevSnpAttestation struct {

	// Optional. The SEV-SNP Attestation Report
	// Format is in revision 1.55, §7.3 Attestation, Table 22. ATTESTATION_REPORT
	// Structure in this document:
	// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf
	Report []byte `protobuf:"bytes,1,opt,name=report,proto3" json:"report,omitempty"`
	// Optional. Certificate bundle defined in the GHCB protocol definition
	// Format is documented in GHCB revision 2.03, section 4.1.8.1 struct
	// cert_table in this document:
	// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
	// NOTE(review): the bundle is client-supplied; which roots it must chain
	// to is a server-side decision and is not expressed in this message.
	AuxBlob []byte `protobuf:"bytes,2,opt,name=aux_blob,json=auxBlob,proto3" json:"aux_blob,omitempty"`
	// contains filtered or unexported fields
}

An SEV-SNP Attestation Report. Contains the attestation report and the certificate bundle that the client collects.

func (*SevSnpAttestation) Descriptor deprecated added in v1.6.0

func (*SevSnpAttestation) Descriptor() ([]byte, []int)

Deprecated: Use SevSnpAttestation.ProtoReflect.Descriptor instead.

func (*SevSnpAttestation) GetAuxBlob added in v1.6.0

func (x *SevSnpAttestation) GetAuxBlob() []byte

func (*SevSnpAttestation) GetReport added in v1.6.0

func (x *SevSnpAttestation) GetReport() []byte

func (*SevSnpAttestation) ProtoMessage added in v1.6.0

func (*SevSnpAttestation) ProtoMessage()

func (*SevSnpAttestation) ProtoReflect added in v1.6.0

func (x *SevSnpAttestation) ProtoReflect() protoreflect.Message

func (*SevSnpAttestation) Reset added in v1.6.0

func (x *SevSnpAttestation) Reset()

func (*SevSnpAttestation) String added in v1.6.0

func (x *SevSnpAttestation) String() string

type SignedEntity added in v1.1.0

// SignedEntity groups the container image signatures attached to one OCI image
// object, as carried in ConfidentialSpaceInfo.SignedEntities.
type SignedEntity struct {

	// Optional. A list of container image signatures attached to an OCI image
	// object.
	ContainerImageSignatures []*ContainerImageSignature `` /* 135-byte string literal not displayed */
	// contains filtered or unexported fields
}

SignedEntity represents an OCI image object containing everything necessary to verify container image signatures.

func (*SignedEntity) Descriptor deprecated added in v1.1.0

func (*SignedEntity) Descriptor() ([]byte, []int)

Deprecated: Use SignedEntity.ProtoReflect.Descriptor instead.

func (*SignedEntity) GetContainerImageSignatures added in v1.1.0

func (x *SignedEntity) GetContainerImageSignatures() []*ContainerImageSignature

func (*SignedEntity) ProtoMessage added in v1.1.0

func (*SignedEntity) ProtoMessage()

func (*SignedEntity) ProtoReflect added in v1.1.0

func (x *SignedEntity) ProtoReflect() protoreflect.Message

func (*SignedEntity) Reset added in v1.1.0

func (x *SignedEntity) Reset()

func (*SignedEntity) String added in v1.1.0

func (x *SignedEntity) String() string

type SigningAlgorithm added in v1.1.0

// SigningAlgorithm enumerates the signature algorithms a
// ContainerImageSignature may declare in its SigAlg field.
type SigningAlgorithm int32

SigningAlgorithm enumerates all the supported signing algorithms.

// SigningAlgorithm values; the numbers are the proto enum numbers and agree
// with SigningAlgorithm_name / SigningAlgorithm_value.
const (
	// Unspecified signing algorithm.
	// This is the zero value, i.e. what an unset SigAlg field reads as.
	SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED SigningAlgorithm = 0
	// RSASSA-PSS with a SHA256 digest.
	SigningAlgorithm_RSASSA_PSS_SHA256 SigningAlgorithm = 1
	// RSASSA-PKCS1 v1.5 with a SHA256 digest.
	SigningAlgorithm_RSASSA_PKCS1V15_SHA256 SigningAlgorithm = 2
	// ECDSA on the P-256 Curve with a SHA256 digest.
	SigningAlgorithm_ECDSA_P256_SHA256 SigningAlgorithm = 3
)

func (SigningAlgorithm) Descriptor added in v1.1.0

func (SigningAlgorithm) Enum added in v1.1.0

func (SigningAlgorithm) EnumDescriptor deprecated added in v1.1.0

func (SigningAlgorithm) EnumDescriptor() ([]byte, []int)

Deprecated: Use SigningAlgorithm.Descriptor instead.

func (SigningAlgorithm) Number added in v1.1.0

func (SigningAlgorithm) String added in v1.1.0

func (x SigningAlgorithm) String() string

func (SigningAlgorithm) Type added in v1.1.0

type TdxCcelAttestation added in v1.6.0

// TdxCcelAttestation is the Intel TDX evidence a guest collects: the TD quote
// (carrying the RTMR values) plus the CCEL event logs needed to replay those
// RTMRs. It is supplied via VerifyAttestationRequest_TdCcel.
type TdxCcelAttestation struct {

	// Optional. The Confidential Computing Event Log (CCEL) ACPI table. Formatted
	// as described in the ACPI Specification 6.5.
	CcelAcpiTable []byte `protobuf:"bytes,1,opt,name=ccel_acpi_table,json=ccelAcpiTable,proto3" json:"ccel_acpi_table,omitempty"`
	// Optional. The CCEL event log. Formatted as described in the UEFI 2.10.
	CcelData []byte `protobuf:"bytes,2,opt,name=ccel_data,json=ccelData,proto3" json:"ccel_data,omitempty"`
	// Optional. An Event Log containing additional events measured into the RTMR
	// that are not already present in the CCEL.
	CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
	// Optional. The TDX attestation quote from the guest. It contains the RTMR
	// values.
	// NOTE(review): the event logs above are only meaningful once replayed
	// against the RTMR values in this signed quote; on their own they are
	// unauthenticated client data.
	TdQuote []byte `protobuf:"bytes,4,opt,name=td_quote,json=tdQuote,proto3" json:"td_quote,omitempty"`
	// contains filtered or unexported fields
}

A TDX Attestation quote.

func (*TdxCcelAttestation) Descriptor deprecated added in v1.6.0

func (*TdxCcelAttestation) Descriptor() ([]byte, []int)

Deprecated: Use TdxCcelAttestation.ProtoReflect.Descriptor instead.

func (*TdxCcelAttestation) GetCanonicalEventLog added in v1.6.0

func (x *TdxCcelAttestation) GetCanonicalEventLog() []byte

func (*TdxCcelAttestation) GetCcelAcpiTable added in v1.6.0

func (x *TdxCcelAttestation) GetCcelAcpiTable() []byte

func (*TdxCcelAttestation) GetCcelData added in v1.6.0

func (x *TdxCcelAttestation) GetCcelData() []byte

func (*TdxCcelAttestation) GetTdQuote added in v1.6.0

func (x *TdxCcelAttestation) GetTdQuote() []byte

func (*TdxCcelAttestation) ProtoMessage added in v1.6.0

func (*TdxCcelAttestation) ProtoMessage()

func (*TdxCcelAttestation) ProtoReflect added in v1.6.0

func (x *TdxCcelAttestation) ProtoReflect() protoreflect.Message

func (*TdxCcelAttestation) Reset added in v1.6.0

func (x *TdxCcelAttestation) Reset()

func (*TdxCcelAttestation) String added in v1.6.0

func (x *TdxCcelAttestation) String() string

type TokenOptions added in v1.1.0

// TokenOptions lets the workload shape the issued token: its audience, nonces
// to echo back in the `eat_nonce` claim, the TokenType, and per-type options
// carried in the TokenTypeOptions oneof.
type TokenOptions struct {

	// An optional additional configuration per token type.
	//
	// Types that are assignable to TokenTypeOptions:
	//
	//	*TokenOptions_AwsPrincipalTagsOptions_
	TokenTypeOptions isTokenOptions_TokenTypeOptions `protobuf_oneof:"token_type_options"`
	// Optional. Optional string to issue the token with a custom audience claim.
	// Required if one or more nonces are specified.
	// The audience is what lets a relying party reject a token that was minted
	// for a different consumer, so set it to the intended verifier's identifier.
	Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
	// Optional. Optional parameter to place one or more nonces in the eat_nonce
	// claim in the output token. The minimum size for JSON-encoded EATs is 10
	// bytes and the maximum size is 74 bytes.
	// NOTE(review): the 10/74-byte bounds read as per-nonce limits enforced
	// server-side — confirm, and note that a nonce here is chosen by the
	// relying party, unlike Challenge.TpmNonce which is chosen by the service.
	Nonce []string `protobuf:"bytes,2,rep,name=nonce,proto3" json:"nonce,omitempty"`
	// Optional. Optional token type to select what type of token to return.
	// Unset reads as TokenType_TOKEN_TYPE_UNSPECIFIED (0).
	TokenType TokenType `` /* 142-byte string literal not displayed */
	// contains filtered or unexported fields
}

Options to modify claims in the token to generate custom-purpose tokens.

func (*TokenOptions) Descriptor deprecated added in v1.1.0

func (*TokenOptions) Descriptor() ([]byte, []int)

Deprecated: Use TokenOptions.ProtoReflect.Descriptor instead.

func (*TokenOptions) GetAudience added in v1.1.0

func (x *TokenOptions) GetAudience() string

func (*TokenOptions) GetAwsPrincipalTagsOptions added in v1.8.0

func (x *TokenOptions) GetAwsPrincipalTagsOptions() *TokenOptions_AwsPrincipalTagsOptions

func (*TokenOptions) GetNonce added in v1.1.0

func (x *TokenOptions) GetNonce() []string

func (*TokenOptions) GetTokenType added in v1.4.0

func (x *TokenOptions) GetTokenType() TokenType

func (*TokenOptions) GetTokenTypeOptions added in v1.8.0

func (m *TokenOptions) GetTokenTypeOptions() isTokenOptions_TokenTypeOptions

func (*TokenOptions) ProtoMessage added in v1.1.0

func (*TokenOptions) ProtoMessage()

func (*TokenOptions) ProtoReflect added in v1.1.0

func (x *TokenOptions) ProtoReflect() protoreflect.Message

func (*TokenOptions) Reset added in v1.1.0

func (x *TokenOptions) Reset()

func (*TokenOptions) String added in v1.1.0

func (x *TokenOptions) String() string

type TokenOptions_AwsPrincipalTagsOptions added in v1.8.0

// TokenOptions_AwsPrincipalTagsOptions holds the options that only apply to the
// AWS Principal Tags token type (TokenType_TOKEN_TYPE_AWS_PRINCIPALTAGS).
type TokenOptions_AwsPrincipalTagsOptions struct {

	// Optional. Principal tags to allow in the token.
	AllowedPrincipalTags *TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags `protobuf:"bytes,1,opt,name=allowed_principal_tags,json=allowedPrincipalTags,proto3" json:"allowed_principal_tags,omitempty"`
	// contains filtered or unexported fields
}

Token options that only apply to the AWS Principal Tags token type.

func (*TokenOptions_AwsPrincipalTagsOptions) Descriptor deprecated added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions) Descriptor() ([]byte, []int)

Deprecated: Use TokenOptions_AwsPrincipalTagsOptions.ProtoReflect.Descriptor instead.

func (*TokenOptions_AwsPrincipalTagsOptions) GetAllowedPrincipalTags added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions) ProtoMessage added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions) ProtoMessage()

func (*TokenOptions_AwsPrincipalTagsOptions) ProtoReflect added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions) Reset added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions) String added in v1.8.0

type TokenOptions_AwsPrincipalTagsOptions_ added in v1.8.0

// TokenOptions_AwsPrincipalTagsOptions_ is the oneof wrapper that selects
// AwsPrincipalTagsOptions as TokenOptions.TokenTypeOptions.
type TokenOptions_AwsPrincipalTagsOptions_ struct {
	// Optional. Options for the Limited AWS token type.
	// NOTE(review): this wording conflicts with the wrapped type's own doc,
	// which says these options apply only to the AWS Principal Tags token type
	// (TOKEN_TYPE_AWS_PRINCIPALTAGS), not TOKEN_TYPE_LIMITED_AWS — confirm
	// which token type honours this oneof before relying on it.
	AwsPrincipalTagsOptions *TokenOptions_AwsPrincipalTagsOptions `protobuf:"bytes,4,opt,name=aws_principal_tags_options,json=awsPrincipalTagsOptions,proto3,oneof"`
}

type TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags added in v1.8.0

// TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags defines which
// principal tags will be placed in the token.
type TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags struct {

	// Optional. Container image signatures allowed in the token.
	ContainerImageSignatures *TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures `` /* 135-byte string literal not displayed */
	// contains filtered or unexported fields
}

Allowed principal tags is used to define what principal tags will be placed in the token.

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) Descriptor deprecated added in v1.8.0

Deprecated: Use TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags.ProtoReflect.Descriptor instead.

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) GetContainerImageSignatures added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoMessage added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoReflect added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) Reset added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags) String added in v1.8.0

type TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures added in v1.8.0

// TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures
// selects, by key ID, which validated container image signatures become
// principal tags; key IDs are used so the claim fits AWS IAM's size limits.
type TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures struct {

	// Optional. List of key ids to filter into the Principal tags. Only
	// keys that have been validated and added to the token will be filtered
	// into principal tags. Unrecognized key ids will be ignored.
	// Because unrecognized ids are silently dropped, a typo here produces a
	// token missing the tag rather than an error — check the issued token.
	KeyIds []string `protobuf:"bytes,1,rep,name=key_ids,json=keyIds,proto3" json:"key_ids,omitempty"`
	// contains filtered or unexported fields
}

Allowed Container Image Signatures. Key IDs are required to allow this claim to fit within the narrow AWS IAM restrictions.

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Descriptor deprecated added in v1.8.0

Deprecated: Use TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures.ProtoReflect.Descriptor instead.

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) GetKeyIds added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoMessage added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoReflect added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Reset added in v1.8.0

func (*TokenOptions_AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) String added in v1.8.0

type TokenType added in v1.4.0

// TokenType selects which kind of token VerifyAttestation returns; set it via
// TokenOptions.TokenType.
type TokenType int32

The TokenType enum contains the different types of token responses Confidential Space supports.

// TokenType values; the numbers are the proto enum numbers and agree with
// TokenType_name / TokenType_value.
const (
	// Unspecified token type
	// This is the zero value, i.e. what an unset TokenOptions.TokenType reads as.
	TokenType_TOKEN_TYPE_UNSPECIFIED TokenType = 0
	// OpenID Connect (OIDC) token type
	TokenType_TOKEN_TYPE_OIDC TokenType = 1
	// Public Key Infrastructure (PKI) token type
	TokenType_TOKEN_TYPE_PKI TokenType = 2
	// Limited claim token type for AWS integration
	TokenType_TOKEN_TYPE_LIMITED_AWS TokenType = 3
	// Principal-tag-based token for AWS integration
	// (configured through TokenOptions_AwsPrincipalTagsOptions).
	TokenType_TOKEN_TYPE_AWS_PRINCIPALTAGS TokenType = 4
)

func (TokenType) Descriptor added in v1.4.0

func (TokenType) Descriptor() protoreflect.EnumDescriptor

func (TokenType) Enum added in v1.4.0

func (x TokenType) Enum() *TokenType

func (TokenType) EnumDescriptor deprecated added in v1.4.0

func (TokenType) EnumDescriptor() ([]byte, []int)

Deprecated: Use TokenType.Descriptor instead.

func (TokenType) Number added in v1.4.0

func (x TokenType) Number() protoreflect.EnumNumber

func (TokenType) String added in v1.4.0

func (x TokenType) String() string

func (TokenType) Type added in v1.4.0

type TpmAttestation

// TpmAttestation is the TPM 2.0 evidence for a platform: PCR quotes, the event
// logs that explain the PCR values, and the AK certificate chain that lets the
// service authenticate the quotes.
type TpmAttestation struct {

	// TPM2 PCR Quotes generated by calling TPM2_Quote on each PCR bank.
	Quotes []*TpmAttestation_Quote `protobuf:"bytes,1,rep,name=quotes,proto3" json:"quotes,omitempty"`
	// The binary TCG Event Log containing events measured into the TPM by the
	// platform firmware and operating system. Formatted as described in the
	// "TCG PC Client Platform Firmware Profile Specification".
	// The log is unauthenticated on its own; it is trustworthy only once it
	// replays to the PCR values in a verified quote.
	TcgEventLog []byte `protobuf:"bytes,2,opt,name=tcg_event_log,json=tcgEventLog,proto3" json:"tcg_event_log,omitempty"`
	// An Event Log containing additional events measured into the TPM that are
	// not already present in the tcg_event_log. Formatted as described in the
	// "Canonical Event Log Format" TCG Specification.
	CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
	// DER-encoded X.509 certificate of the Attestation Key (otherwise known as
	// an AK or a TPM restricted signing key) used to generate the quotes.
	AkCert []byte `protobuf:"bytes,4,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
	// List of DER-encoded X.509 certificates which, together with the ak_cert,
	// chain back to a trusted Root Certificate.
	// NOTE(review): the chain is client-supplied input; which roots count as
	// trusted is decided by the server and is not carried in this message.
	CertChain [][]byte `protobuf:"bytes,5,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
	// contains filtered or unexported fields
}

TPM2 data containing everything necessary to validate any platform state measured into the TPM.

func (*TpmAttestation) Descriptor deprecated

func (*TpmAttestation) Descriptor() ([]byte, []int)

Deprecated: Use TpmAttestation.ProtoReflect.Descriptor instead.

func (*TpmAttestation) GetAkCert

func (x *TpmAttestation) GetAkCert() []byte

func (*TpmAttestation) GetCanonicalEventLog

func (x *TpmAttestation) GetCanonicalEventLog() []byte

func (*TpmAttestation) GetCertChain

func (x *TpmAttestation) GetCertChain() [][]byte

func (*TpmAttestation) GetQuotes

func (x *TpmAttestation) GetQuotes() []*TpmAttestation_Quote

func (*TpmAttestation) GetTcgEventLog

func (x *TpmAttestation) GetTcgEventLog() []byte

func (*TpmAttestation) ProtoMessage

func (*TpmAttestation) ProtoMessage()

func (*TpmAttestation) ProtoReflect

func (x *TpmAttestation) ProtoReflect() protoreflect.Message

func (*TpmAttestation) Reset

func (x *TpmAttestation) Reset()

func (*TpmAttestation) String

func (x *TpmAttestation) String() string

type TpmAttestation_Quote

// TpmAttestation_Quote is one TPM2_Quote result over a single PCR bank: the
// quoted PCR values plus the signed TPMS_ATTEST that commits to them.
type TpmAttestation_Quote struct {

	// The hash algorithm of the PCR bank being quoted, encoded as a TPM_ALG_ID
	HashAlgo int32 `protobuf:"varint,1,opt,name=hash_algo,json=hashAlgo,proto3" json:"hash_algo,omitempty"`
	// Raw binary values of each PCRs being quoted.
	// NOTE(review): presumably keyed by PCR index — confirm against the .proto.
	// These values are only trustworthy once a digest recomputed from them
	// matches the PCR digest inside the verified RawQuote; on their own they
	// are client-asserted data.
	PcrValues map[int32][]byte `` /* 177-byte string literal not displayed */
	// TPM2 quote, encoded as a TPMS_ATTEST
	RawQuote []byte `protobuf:"bytes,3,opt,name=raw_quote,json=rawQuote,proto3" json:"raw_quote,omitempty"`
	// TPM2 signature, encoded as a TPMT_SIGNATURE
	// Signs RawQuote (the TPMS_ATTEST), not PcrValues directly; it is verified
	// with the AK in TpmAttestation.AkCert.
	RawSignature []byte `protobuf:"bytes,4,opt,name=raw_signature,json=rawSignature,proto3" json:"raw_signature,omitempty"`
	// contains filtered or unexported fields
}

Information about Platform Configuration Registers (PCRs) including a signature over their values, which can be used for remote validation.

func (*TpmAttestation_Quote) Descriptor deprecated

func (*TpmAttestation_Quote) Descriptor() ([]byte, []int)

Deprecated: Use TpmAttestation_Quote.ProtoReflect.Descriptor instead.

func (*TpmAttestation_Quote) GetHashAlgo

func (x *TpmAttestation_Quote) GetHashAlgo() int32

func (*TpmAttestation_Quote) GetPcrValues

func (x *TpmAttestation_Quote) GetPcrValues() map[int32][]byte

func (*TpmAttestation_Quote) GetRawQuote

func (x *TpmAttestation_Quote) GetRawQuote() []byte

func (*TpmAttestation_Quote) GetRawSignature

func (x *TpmAttestation_Quote) GetRawSignature() []byte

func (*TpmAttestation_Quote) ProtoMessage

func (*TpmAttestation_Quote) ProtoMessage()

func (*TpmAttestation_Quote) ProtoReflect

func (x *TpmAttestation_Quote) ProtoReflect() protoreflect.Message

func (*TpmAttestation_Quote) Reset

func (x *TpmAttestation_Quote) Reset()

func (*TpmAttestation_Quote) String

func (x *TpmAttestation_Quote) String() string

type UnimplementedConfidentialComputingServer

// UnimplementedConfidentialComputingServer is a no-op ConfidentialComputingServer
// meant to be embedded so that implementations keep compiling when methods are
// added to the service. NOTE(review): its CreateChallenge and VerifyAttestation
// presumably return an Unimplemented gRPC status, as is usual for generated
// code — confirm.
type UnimplementedConfidentialComputingServer struct {
}

UnimplementedConfidentialComputingServer can be embedded to have forward compatible implementations.

func (*UnimplementedConfidentialComputingServer) CreateChallenge

func (*UnimplementedConfidentialComputingServer) VerifyAttestation

type VerifyAttestationRequest

// VerifyAttestationRequest carries everything the service needs to verify a
// requestor's platform state: the Challenge being consumed, the required TPM
// evidence, an optional TEE report, optional GCP credentials and Confidential
// Space signatures, and the TokenOptions shaping the returned token.
type VerifyAttestationRequest struct {

	// An optional tee attestation report, used to populate hardware rooted
	// claims.
	//
	// Types that are assignable to TeeAttestation:
	//
	//	*VerifyAttestationRequest_TdCcel
	//	*VerifyAttestationRequest_SevSnpAttestation
	TeeAttestation isVerifyAttestationRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
	// Required. The name of the Challenge whose nonce was used to generate the
	// attestation, in the format `projects/*/locations/*/challenges/*`. The
	// provided Challenge will be consumed, and cannot be used again.
	// This single-use binding is the replay protection: a captured request
	// cannot be resubmitted once its Challenge is consumed or expired.
	Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// Optional. Credentials used to populate the "emails" claim in the
	// claims_token.
	GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
	// Required. The TPM-specific data provided by the attesting platform, used to
	// populate any of the claims regarding platform state.
	// NOTE(review): still Required when a TeeAttestation is supplied, so the
	// TEE report reads as supplementing, not replacing, the TPM quote — confirm.
	TpmAttestation *TpmAttestation `protobuf:"bytes,3,opt,name=tpm_attestation,json=tpmAttestation,proto3" json:"tpm_attestation,omitempty"`
	// Optional. Optional information related to the Confidential Space TEE.
	ConfidentialSpaceInfo *ConfidentialSpaceInfo `` /* 126-byte string literal not displayed */
	// Optional. A collection of optional, workload-specified claims that modify
	// the token output.
	TokenOptions *TokenOptions `protobuf:"bytes,5,opt,name=token_options,json=tokenOptions,proto3" json:"token_options,omitempty"`
	// contains filtered or unexported fields
}

A request for an OIDC token, providing all the necessary information needed for this service to verify the platform state of the requestor.

func (*VerifyAttestationRequest) Descriptor deprecated

func (*VerifyAttestationRequest) Descriptor() ([]byte, []int)

Deprecated: Use VerifyAttestationRequest.ProtoReflect.Descriptor instead.

func (*VerifyAttestationRequest) GetChallenge

func (x *VerifyAttestationRequest) GetChallenge() string

func (*VerifyAttestationRequest) GetConfidentialSpaceInfo added in v1.1.0

func (x *VerifyAttestationRequest) GetConfidentialSpaceInfo() *ConfidentialSpaceInfo

func (*VerifyAttestationRequest) GetGcpCredentials

func (x *VerifyAttestationRequest) GetGcpCredentials() *GcpCredentials

func (*VerifyAttestationRequest) GetSevSnpAttestation added in v1.6.0

func (x *VerifyAttestationRequest) GetSevSnpAttestation() *SevSnpAttestation

func (*VerifyAttestationRequest) GetTdCcel added in v1.6.0

func (*VerifyAttestationRequest) GetTeeAttestation added in v1.6.0

func (m *VerifyAttestationRequest) GetTeeAttestation() isVerifyAttestationRequest_TeeAttestation

func (*VerifyAttestationRequest) GetTokenOptions added in v1.1.0

func (x *VerifyAttestationRequest) GetTokenOptions() *TokenOptions

func (*VerifyAttestationRequest) GetTpmAttestation

func (x *VerifyAttestationRequest) GetTpmAttestation() *TpmAttestation

func (*VerifyAttestationRequest) ProtoMessage

func (*VerifyAttestationRequest) ProtoMessage()

func (*VerifyAttestationRequest) ProtoReflect

func (x *VerifyAttestationRequest) ProtoReflect() protoreflect.Message

func (*VerifyAttestationRequest) Reset

func (x *VerifyAttestationRequest) Reset()

func (*VerifyAttestationRequest) String

func (x *VerifyAttestationRequest) String() string

type VerifyAttestationRequest_SevSnpAttestation added in v1.6.0

// VerifyAttestationRequest_SevSnpAttestation is the oneof wrapper that selects
// an SEV-SNP report as VerifyAttestationRequest.TeeAttestation.
type VerifyAttestationRequest_SevSnpAttestation struct {
	// Optional. An SEV-SNP Attestation Report.
	SevSnpAttestation *SevSnpAttestation `protobuf:"bytes,7,opt,name=sev_snp_attestation,json=sevSnpAttestation,proto3,oneof"`
}

type VerifyAttestationRequest_TdCcel added in v1.6.0

// VerifyAttestationRequest_TdCcel is the oneof wrapper that selects a TDX
// quote with CCEL logs as VerifyAttestationRequest.TeeAttestation.
type VerifyAttestationRequest_TdCcel struct {
	// Optional. A TDX with CCEL and RTMR Attestation Quote.
	TdCcel *TdxCcelAttestation `protobuf:"bytes,6,opt,name=td_ccel,json=tdCcel,proto3,oneof"`
}

type VerifyAttestationResponse

// VerifyAttestationResponse is returned once an attestation has been verified:
// the signed OIDC token plus any partial errors encountered on the way.
type VerifyAttestationResponse struct {

	// Output only. Same as claims_token, but as a string.
	// NOTE(review): the `claims_token` field this mirrors is not among the
	// displayed fields. The token is a bearer credential that expires with the
	// Challenge it was minted from (see Challenge.ExpireTime).
	OidcClaimsToken string `protobuf:"bytes,2,opt,name=oidc_claims_token,json=oidcClaimsToken,proto3" json:"oidc_claims_token,omitempty"`
	// Output only. A list of messages that carry the partial error details
	// related to VerifyAttestation.
	// NOTE(review): a non-empty list alongside a token presumably means some
	// optional inputs (e.g. credentials or signatures) were not accepted and
	// their claims are absent — callers should inspect this list rather than
	// treat the presence of a token as proof that every input verified; confirm.
	PartialErrors []*status.Status `protobuf:"bytes,3,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
	// contains filtered or unexported fields
}

A response once an attestation has been successfully verified, containing a signed OIDC token.

func (*VerifyAttestationResponse) Descriptor deprecated

func (*VerifyAttestationResponse) Descriptor() ([]byte, []int)

Deprecated: Use VerifyAttestationResponse.ProtoReflect.Descriptor instead.

func (*VerifyAttestationResponse) GetOidcClaimsToken

func (x *VerifyAttestationResponse) GetOidcClaimsToken() string

func (*VerifyAttestationResponse) GetPartialErrors added in v1.3.0

func (x *VerifyAttestationResponse) GetPartialErrors() []*status.Status

func (*VerifyAttestationResponse) ProtoMessage

func (*VerifyAttestationResponse) ProtoMessage()

func (*VerifyAttestationResponse) ProtoReflect

func (*VerifyAttestationResponse) Reset

func (x *VerifyAttestationResponse) Reset()

func (*VerifyAttestationResponse) String

func (x *VerifyAttestationResponse) String() string
