Variables
SigningAlgorithm_name, SigningAlgorithm_value
var (
SigningAlgorithm_name = map[int32]string{
0: "SIGNING_ALGORITHM_UNSPECIFIED",
1: "RSASSA_PSS_SHA256",
2: "RSASSA_PKCS1V15_SHA256",
3: "ECDSA_P256_SHA256",
}
SigningAlgorithm_value = map[string]int32{
"SIGNING_ALGORITHM_UNSPECIFIED": 0,
"RSASSA_PSS_SHA256": 1,
"RSASSA_PKCS1V15_SHA256": 2,
"ECDSA_P256_SHA256": 3,
}
)Enum value maps for SigningAlgorithm.
TokenType_name, TokenType_value
var (
TokenType_name = map[int32]string{
0: "TOKEN_TYPE_UNSPECIFIED",
1: "TOKEN_TYPE_OIDC",
2: "TOKEN_TYPE_PKI",
3: "TOKEN_TYPE_LIMITED_AWS",
}
TokenType_value = map[string]int32{
"TOKEN_TYPE_UNSPECIFIED": 0,
"TOKEN_TYPE_OIDC": 1,
"TOKEN_TYPE_PKI": 2,
"TOKEN_TYPE_LIMITED_AWS": 3,
}
)Enum value maps for TokenType.
File_google_cloud_confidentialcomputing_v1_service_proto
var File_google_cloud_confidentialcomputing_v1_service_proto protoreflect.FileDescriptorFunctions
func RegisterConfidentialComputingServer
func RegisterConfidentialComputingServer(s *grpc.Server, srv ConfidentialComputingServer)Challenge
type Challenge struct {
// Output only. The resource name for this Challenge in the format
// `projects/*/locations/*/challenges/*`
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
// Output only. The time at which this Challenge was created
CreateTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
// Output only. The time at which this Challenge will no longer be usable. It
// is also the expiration time for any tokens generated from this Challenge.
ExpireTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
// Output only. Indicates if this challenge has been used to generate a token.
Used bool `protobuf:"varint,4,opt,name=used,proto3" json:"used,omitempty"`
// Output only. Identical to nonce, but as a string.
TpmNonce string `protobuf:"bytes,6,opt,name=tpm_nonce,json=tpmNonce,proto3" json:"tpm_nonce,omitempty"`
// contains filtered or unexported fields
}A Challenge from the server used to guarantee freshness of attestations
func (*Challenge) Descriptor
Deprecated: Use Challenge.ProtoReflect.Descriptor instead.
func (*Challenge) GetCreateTime
func (x *Challenge) GetCreateTime() *timestamppb.Timestampfunc (*Challenge) GetExpireTime
func (x *Challenge) GetExpireTime() *timestamppb.Timestampfunc (*Challenge) GetName
func (*Challenge) GetTpmNonce
func (*Challenge) GetUsed
func (*Challenge) ProtoMessage
func (*Challenge) ProtoMessage()func (*Challenge) ProtoReflect
func (x *Challenge) ProtoReflect() protoreflect.Messagefunc (*Challenge) Reset
func (x *Challenge) Reset()func (*Challenge) String
ConfidentialComputingClient
type ConfidentialComputingClient interface {
// Creates a new Challenge in a given project and location.
CreateChallenge(ctx context.Context, in *CreateChallengeRequest, opts ...grpc.CallOption) (*Challenge, error)
// Verifies the provided attestation info, returning a signed OIDC token.
VerifyAttestation(ctx context.Context, in *VerifyAttestationRequest, opts ...grpc.CallOption) (*VerifyAttestationResponse, error)
}ConfidentialComputingClient is the client API for ConfidentialComputing service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewConfidentialComputingClient
func NewConfidentialComputingClient(cc grpc.ClientConnInterface) ConfidentialComputingClientConfidentialComputingServer
type ConfidentialComputingServer interface {
// Creates a new Challenge in a given project and location.
CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
// Verifies the provided attestation info, returning a signed OIDC token.
VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
}ConfidentialComputingServer is the server API for ConfidentialComputing service.
ConfidentialSpaceInfo
type ConfidentialSpaceInfo struct {
// Optional. A list of signed entities containing container image signatures
// that can be used for server-side signature verification.
SignedEntities []*SignedEntity `protobuf:"bytes,1,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
// contains filtered or unexported fields
}ConfidentialSpaceInfo contains information related to the Confidential Space TEE.
func (*ConfidentialSpaceInfo) Descriptor
func (*ConfidentialSpaceInfo) Descriptor() ([]byte, []int)Deprecated: Use ConfidentialSpaceInfo.ProtoReflect.Descriptor instead.
func (*ConfidentialSpaceInfo) GetSignedEntities
func (x *ConfidentialSpaceInfo) GetSignedEntities() []*SignedEntityfunc (*ConfidentialSpaceInfo) ProtoMessage
func (*ConfidentialSpaceInfo) ProtoMessage()func (*ConfidentialSpaceInfo) ProtoReflect
func (x *ConfidentialSpaceInfo) ProtoReflect() protoreflect.Messagefunc (*ConfidentialSpaceInfo) Reset
func (x *ConfidentialSpaceInfo) Reset()func (*ConfidentialSpaceInfo) String
func (x *ConfidentialSpaceInfo) String() stringContainerImageSignature
type ContainerImageSignature struct {
Payload []byte `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
PublicKey []byte `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
SigAlg SigningAlgorithm "" /* 140 byte string literal not displayed */
}ContainerImageSignature holds necessary metadata to verify a container image signature.
func (*ContainerImageSignature) Descriptor
func (*ContainerImageSignature) Descriptor() ([]byte, []int)Deprecated: Use ContainerImageSignature.ProtoReflect.Descriptor instead.
func (*ContainerImageSignature) GetPayload
func (x *ContainerImageSignature) GetPayload() []bytefunc (*ContainerImageSignature) GetPublicKey
func (x *ContainerImageSignature) GetPublicKey() []bytefunc (*ContainerImageSignature) GetSigAlg
func (x *ContainerImageSignature) GetSigAlg() SigningAlgorithmfunc (*ContainerImageSignature) GetSignature
func (x *ContainerImageSignature) GetSignature() []bytefunc (*ContainerImageSignature) ProtoMessage
func (*ContainerImageSignature) ProtoMessage()func (*ContainerImageSignature) ProtoReflect
func (x *ContainerImageSignature) ProtoReflect() protoreflect.Messagefunc (*ContainerImageSignature) Reset
func (x *ContainerImageSignature) Reset()func (*ContainerImageSignature) String
func (x *ContainerImageSignature) String() stringCreateChallengeRequest
type CreateChallengeRequest struct {
// Required. The resource name of the location where the Challenge will be
// used, in the format `projects/*/locations/*`.
Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
// Required. The Challenge to be created. Currently this field can be empty as
// all the Challenge fields are set by the server.
Challenge *Challenge `protobuf:"bytes,2,opt,name=challenge,proto3" json:"challenge,omitempty"`
// contains filtered or unexported fields
}Message for creating a Challenge
func (*CreateChallengeRequest) Descriptor
func (*CreateChallengeRequest) Descriptor() ([]byte, []int)Deprecated: Use CreateChallengeRequest.ProtoReflect.Descriptor instead.
func (*CreateChallengeRequest) GetChallenge
func (x *CreateChallengeRequest) GetChallenge() *Challengefunc (*CreateChallengeRequest) GetParent
func (x *CreateChallengeRequest) GetParent() stringfunc (*CreateChallengeRequest) ProtoMessage
func (*CreateChallengeRequest) ProtoMessage()func (*CreateChallengeRequest) ProtoReflect
func (x *CreateChallengeRequest) ProtoReflect() protoreflect.Messagefunc (*CreateChallengeRequest) Reset
func (x *CreateChallengeRequest) Reset()func (*CreateChallengeRequest) String
func (x *CreateChallengeRequest) String() stringGcpCredentials
type GcpCredentials struct {
ServiceAccountIdTokens []string "" /* 131 byte string literal not displayed */
}Credentials issued by GCP which are linked to the platform attestation. These will be verified server-side as part of attestaion verification.
func (*GcpCredentials) Descriptor
func (*GcpCredentials) Descriptor() ([]byte, []int)Deprecated: Use GcpCredentials.ProtoReflect.Descriptor instead.
func (*GcpCredentials) GetServiceAccountIdTokens
func (x *GcpCredentials) GetServiceAccountIdTokens() []stringfunc (*GcpCredentials) ProtoMessage
func (*GcpCredentials) ProtoMessage()func (*GcpCredentials) ProtoReflect
func (x *GcpCredentials) ProtoReflect() protoreflect.Messagefunc (*GcpCredentials) Reset
func (x *GcpCredentials) Reset()func (*GcpCredentials) String
func (x *GcpCredentials) String() stringSignedEntity
type SignedEntity struct {
ContainerImageSignatures []*ContainerImageSignature "" /* 135 byte string literal not displayed */
}SignedEntity represents an OCI image object containing everything necessary to verify container image signatures.
func (*SignedEntity) Descriptor
func (*SignedEntity) Descriptor() ([]byte, []int)Deprecated: Use SignedEntity.ProtoReflect.Descriptor instead.
func (*SignedEntity) GetContainerImageSignatures
func (x *SignedEntity) GetContainerImageSignatures() []*ContainerImageSignaturefunc (*SignedEntity) ProtoMessage
func (*SignedEntity) ProtoMessage()func (*SignedEntity) ProtoReflect
func (x *SignedEntity) ProtoReflect() protoreflect.Messagefunc (*SignedEntity) Reset
func (x *SignedEntity) Reset()func (*SignedEntity) String
func (x *SignedEntity) String() stringSigningAlgorithm
type SigningAlgorithm int32SigningAlgorithm enumerates all the supported signing algorithms.
SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED, SigningAlgorithm_RSASSA_PSS_SHA256, SigningAlgorithm_RSASSA_PKCS1V15_SHA256, SigningAlgorithm_ECDSA_P256_SHA256
const (
// Unspecified signing algorithm.
SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED SigningAlgorithm = 0
// RSASSA-PSS with a SHA256 digest.
SigningAlgorithm_RSASSA_PSS_SHA256 SigningAlgorithm = 1
// RSASSA-PKCS1 v1.5 with a SHA256 digest.
SigningAlgorithm_RSASSA_PKCS1V15_SHA256 SigningAlgorithm = 2
// ECDSA on the P-256 Curve with a SHA256 digest.
SigningAlgorithm_ECDSA_P256_SHA256 SigningAlgorithm = 3
)func (SigningAlgorithm) Descriptor
func (SigningAlgorithm) Descriptor() protoreflect.EnumDescriptorfunc (SigningAlgorithm) Enum
func (x SigningAlgorithm) Enum() *SigningAlgorithmfunc (SigningAlgorithm) EnumDescriptor
func (SigningAlgorithm) EnumDescriptor() ([]byte, []int)Deprecated: Use SigningAlgorithm.Descriptor instead.
func (SigningAlgorithm) Number
func (x SigningAlgorithm) Number() protoreflect.EnumNumberfunc (SigningAlgorithm) String
func (x SigningAlgorithm) String() stringfunc (SigningAlgorithm) Type
func (SigningAlgorithm) Type() protoreflect.EnumTypeTokenOptions
type TokenOptions struct {
Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
Nonce []string `protobuf:"bytes,2,rep,name=nonce,proto3" json:"nonce,omitempty"`
TokenType TokenType "" /* 142 byte string literal not displayed */
}Options to modify claims in the token to generate custom-purpose tokens.
func (*TokenOptions) Descriptor
func (*TokenOptions) Descriptor() ([]byte, []int)Deprecated: Use TokenOptions.ProtoReflect.Descriptor instead.
func (*TokenOptions) GetAudience
func (x *TokenOptions) GetAudience() stringfunc (*TokenOptions) GetNonce
func (x *TokenOptions) GetNonce() []stringfunc (*TokenOptions) GetTokenType
func (x *TokenOptions) GetTokenType() TokenTypefunc (*TokenOptions) ProtoMessage
func (*TokenOptions) ProtoMessage()func (*TokenOptions) ProtoReflect
func (x *TokenOptions) ProtoReflect() protoreflect.Messagefunc (*TokenOptions) Reset
func (x *TokenOptions) Reset()func (*TokenOptions) String
func (x *TokenOptions) String() stringTokenType
type TokenType int32Token type enum contains the different types of token responses Confidential Space supports
TokenType_TOKEN_TYPE_UNSPECIFIED, TokenType_TOKEN_TYPE_OIDC, TokenType_TOKEN_TYPE_PKI, TokenType_TOKEN_TYPE_LIMITED_AWS
const (
// Unspecified token type
TokenType_TOKEN_TYPE_UNSPECIFIED TokenType = 0
// OpenID Connect (OIDC) token type
TokenType_TOKEN_TYPE_OIDC TokenType = 1
// Public Key Infrastructure (PKI) token type
TokenType_TOKEN_TYPE_PKI TokenType = 2
// Limited claim token type for AWS integration
TokenType_TOKEN_TYPE_LIMITED_AWS TokenType = 3
)func (TokenType) Descriptor
func (TokenType) Descriptor() protoreflect.EnumDescriptorfunc (TokenType) Enum
func (TokenType) EnumDescriptor
Deprecated: Use TokenType.Descriptor instead.
func (TokenType) Number
func (x TokenType) Number() protoreflect.EnumNumberfunc (TokenType) String
func (TokenType) Type
func (TokenType) Type() protoreflect.EnumTypeTpmAttestation
type TpmAttestation struct {
// TPM2 PCR Quotes generated by calling TPM2_Quote on each PCR bank.
Quotes []*TpmAttestation_Quote `protobuf:"bytes,1,rep,name=quotes,proto3" json:"quotes,omitempty"`
// The binary TCG Event Log containing events measured into the TPM by the
// platform firmware and operating system. Formatted as described in the
// "TCG PC Client Platform Firmware Profile Specification".
TcgEventLog []byte `protobuf:"bytes,2,opt,name=tcg_event_log,json=tcgEventLog,proto3" json:"tcg_event_log,omitempty"`
// An Event Log containing additional events measured into the TPM that are
// not already present in the tcg_event_log. Formatted as described in the
// "Canonical Event Log Format" TCG Specification.
CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
// DER-encoded X.509 certificate of the Attestation Key (otherwise known as
// an AK or a TPM restricted signing key) used to generate the quotes.
AkCert []byte `protobuf:"bytes,4,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
// List of DER-encoded X.509 certificates which, together with the ak_cert,
// chain back to a trusted Root Certificate.
CertChain [][]byte `protobuf:"bytes,5,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
// contains filtered or unexported fields
}TPM2 data containing everything necessary to validate any platform state measured into the TPM.
func (*TpmAttestation) Descriptor
func (*TpmAttestation) Descriptor() ([]byte, []int)Deprecated: Use TpmAttestation.ProtoReflect.Descriptor instead.
func (*TpmAttestation) GetAkCert
func (x *TpmAttestation) GetAkCert() []bytefunc (*TpmAttestation) GetCanonicalEventLog
func (x *TpmAttestation) GetCanonicalEventLog() []bytefunc (*TpmAttestation) GetCertChain
func (x *TpmAttestation) GetCertChain() [][]bytefunc (*TpmAttestation) GetQuotes
func (x *TpmAttestation) GetQuotes() []*TpmAttestation_Quotefunc (*TpmAttestation) GetTcgEventLog
func (x *TpmAttestation) GetTcgEventLog() []bytefunc (*TpmAttestation) ProtoMessage
func (*TpmAttestation) ProtoMessage()func (*TpmAttestation) ProtoReflect
func (x *TpmAttestation) ProtoReflect() protoreflect.Messagefunc (*TpmAttestation) Reset
func (x *TpmAttestation) Reset()func (*TpmAttestation) String
func (x *TpmAttestation) String() stringTpmAttestation_Quote
type TpmAttestation_Quote struct {
HashAlgo int32 `protobuf:"varint,1,opt,name=hash_algo,json=hashAlgo,proto3" json:"hash_algo,omitempty"`
PcrValues map[int32][]byte "" /* 177 byte string literal not displayed */
RawQuote []byte `protobuf:"bytes,3,opt,name=raw_quote,json=rawQuote,proto3" json:"raw_quote,omitempty"`
RawSignature []byte `protobuf:"bytes,4,opt,name=raw_signature,json=rawSignature,proto3" json:"raw_signature,omitempty"`
}Information about Platform Control Registers (PCRs) including a signature over their values, which can be used for remote validation.
func (*TpmAttestation_Quote) Descriptor
func (*TpmAttestation_Quote) Descriptor() ([]byte, []int)Deprecated: Use TpmAttestation_Quote.ProtoReflect.Descriptor instead.
func (*TpmAttestation_Quote) GetHashAlgo
func (x *TpmAttestation_Quote) GetHashAlgo() int32func (*TpmAttestation_Quote) GetPcrValues
func (x *TpmAttestation_Quote) GetPcrValues() map[int32][]bytefunc (*TpmAttestation_Quote) GetRawQuote
func (x *TpmAttestation_Quote) GetRawQuote() []bytefunc (*TpmAttestation_Quote) GetRawSignature
func (x *TpmAttestation_Quote) GetRawSignature() []bytefunc (*TpmAttestation_Quote) ProtoMessage
func (*TpmAttestation_Quote) ProtoMessage()func (*TpmAttestation_Quote) ProtoReflect
func (x *TpmAttestation_Quote) ProtoReflect() protoreflect.Messagefunc (*TpmAttestation_Quote) Reset
func (x *TpmAttestation_Quote) Reset()func (*TpmAttestation_Quote) String
func (x *TpmAttestation_Quote) String() stringUnimplementedConfidentialComputingServer
type UnimplementedConfidentialComputingServer struct {
}UnimplementedConfidentialComputingServer can be embedded to have forward compatible implementations.
func (*UnimplementedConfidentialComputingServer) CreateChallenge
func (*UnimplementedConfidentialComputingServer) CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)func (*UnimplementedConfidentialComputingServer) VerifyAttestation
func (*UnimplementedConfidentialComputingServer) VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)VerifyAttestationRequest
type VerifyAttestationRequest struct {
// Required. The name of the Challenge whose nonce was used to generate the
// attestation, in the format `projects/*/locations/*/challenges/*`. The
// provided Challenge will be consumed, and cannot be used again.
Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
// Optional. Credentials used to populate the "emails" claim in the
// claims_token.
GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
// Required. The TPM-specific data provided by the attesting platform, used to
// populate any of the claims regarding platform state.
TpmAttestation *TpmAttestation `protobuf:"bytes,3,opt,name=tpm_attestation,json=tpmAttestation,proto3" json:"tpm_attestation,omitempty"`
// Optional. Optional information related to the Confidential Space TEE.
ConfidentialSpaceInfo *ConfidentialSpaceInfo `protobuf:"bytes,4,opt,name=confidential_space_info,json=confidentialSpaceInfo,proto3" json:"confidential_space_info,omitempty"`
// Optional. A collection of optional, workload-specified claims that modify
// the token output.
TokenOptions *TokenOptions `protobuf:"bytes,5,opt,name=token_options,json=tokenOptions,proto3" json:"token_options,omitempty"`
// contains filtered or unexported fields
}A request for an OIDC token, providing all the necessary information needed for this service to verify the plaform state of the requestor.
func (*VerifyAttestationRequest) Descriptor
func (*VerifyAttestationRequest) Descriptor() ([]byte, []int)Deprecated: Use VerifyAttestationRequest.ProtoReflect.Descriptor instead.
func (*VerifyAttestationRequest) GetChallenge
func (x *VerifyAttestationRequest) GetChallenge() stringfunc (*VerifyAttestationRequest) GetConfidentialSpaceInfo
func (x *VerifyAttestationRequest) GetConfidentialSpaceInfo() *ConfidentialSpaceInfofunc (*VerifyAttestationRequest) GetGcpCredentials
func (x *VerifyAttestationRequest) GetGcpCredentials() *GcpCredentialsfunc (*VerifyAttestationRequest) GetTokenOptions
func (x *VerifyAttestationRequest) GetTokenOptions() *TokenOptionsfunc (*VerifyAttestationRequest) GetTpmAttestation
func (x *VerifyAttestationRequest) GetTpmAttestation() *TpmAttestationfunc (*VerifyAttestationRequest) ProtoMessage
func (*VerifyAttestationRequest) ProtoMessage()func (*VerifyAttestationRequest) ProtoReflect
func (x *VerifyAttestationRequest) ProtoReflect() protoreflect.Messagefunc (*VerifyAttestationRequest) Reset
func (x *VerifyAttestationRequest) Reset()func (*VerifyAttestationRequest) String
func (x *VerifyAttestationRequest) String() stringVerifyAttestationResponse
type VerifyAttestationResponse struct {
// Output only. Same as claims_token, but as a string.
OidcClaimsToken string `protobuf:"bytes,2,opt,name=oidc_claims_token,json=oidcClaimsToken,proto3" json:"oidc_claims_token,omitempty"`
// Output only. A list of messages that carry the partial error details
// related to VerifyAttestation.
PartialErrors []*status.Status `protobuf:"bytes,3,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
// contains filtered or unexported fields
}A response once an attestation has been successfully verified, containing a signed OIDC token.
func (*VerifyAttestationResponse) Descriptor
func (*VerifyAttestationResponse) Descriptor() ([]byte, []int)Deprecated: Use VerifyAttestationResponse.ProtoReflect.Descriptor instead.
func (*VerifyAttestationResponse) GetOidcClaimsToken
func (x *VerifyAttestationResponse) GetOidcClaimsToken() stringfunc (*VerifyAttestationResponse) GetPartialErrors
func (x *VerifyAttestationResponse) GetPartialErrors() []*status.Statusfunc (*VerifyAttestationResponse) ProtoMessage
func (*VerifyAttestationResponse) ProtoMessage()func (*VerifyAttestationResponse) ProtoReflect
func (x *VerifyAttestationResponse) ProtoReflect() protoreflect.Messagefunc (*VerifyAttestationResponse) Reset
func (x *VerifyAttestationResponse) Reset()func (*VerifyAttestationResponse) String
func (x *VerifyAttestationResponse) String() string