1 // Copyright 2018 The gRPC Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 syntax = "proto3"; 16 17 package grpc.gcp; 18 19 import "grpc/gcp/transport_security_common.proto"; 20 21 option java_package = "io.grpc.alts.internal"; 22 23 enum HandshakeProtocol { 24 // Default value. 25 HANDSHAKE_PROTOCOL_UNSPECIFIED = 0; 26 27 // TLS handshake protocol. 28 TLS = 1; 29 30 // Application Layer Transport Security handshake protocol. 31 ALTS = 2; 32 } 33 34 enum NetworkProtocol { 35 NETWORK_PROTOCOL_UNSPECIFIED = 0; 36 TCP = 1; 37 UDP = 2; 38 } 39 40 message Endpoint { 41 // IP address. It should contain an IPv4 or IPv6 string literal, e.g. 42 // "192.168.0.1" or "2001:db8::1". 43 string ip_address = 1; 44 45 // Port number. 46 int32 port = 2; 47 48 // Network protocol (e.g., TCP, UDP) associated with this endpoint. 49 NetworkProtocol protocol = 3; 50 } 51 52 message Identity { 53 oneof identity_oneof { 54 // Service account of a connection endpoint. 55 string service_account = 1; 56 57 // Hostname of a connection endpoint. 58 string hostname = 2; 59 } 60 } 61 62 message StartClientHandshakeReq { 63 // Handshake security protocol requested by the client. 64 HandshakeProtocol handshake_security_protocol = 1; 65 66 // The application protocols supported by the client, e.g., "h2" (for http2), 67 // "grpc". 68 repeated string application_protocols = 2; 69 70 // The record protocols supported by the client, e.g., 71 // "ALTSRP_GCM_AES128". 72 repeated string record_protocols = 3; 73 74 // (Optional) Describes which server identities are acceptable by the client. 75 // If target identities are provided and none of them matches the peer 76 // identity of the server, handshake will fail. 77 repeated Identity target_identities = 4; 78 79 // (Optional) Application may specify a local identity. Otherwise, the 80 // handshaker chooses a default local identity. 81 Identity local_identity = 5; 82 83 // (Optional) Local endpoint information of the connection to the server, 84 // such as local IP address, port number, and network protocol. 85 Endpoint local_endpoint = 6; 86 87 // (Optional) Endpoint information of the remote server, such as IP address, 88 // port number, and network protocol. 89 Endpoint remote_endpoint = 7; 90 91 // (Optional) If target name is provided, a secure naming check is performed 92 // to verify that the peer authenticated identity is indeed authorized to run 93 // the target name. 94 string target_name = 8; 95 96 // (Optional) RPC protocol versions supported by the client. 97 RpcProtocolVersions rpc_versions = 9; 98 } 99 100 message ServerHandshakeParameters { 101 // The record protocols supported by the server, e.g., 102 // "ALTSRP_GCM_AES128". 103 repeated string record_protocols = 1; 104 105 // (Optional) A list of local identities supported by the server, if 106 // specified. Otherwise, the handshaker chooses a default local identity. 107 repeated Identity local_identities = 2; 108 } 109 110 message StartServerHandshakeReq { 111 // The application protocols supported by the server, e.g., "h2" (for http2), 112 // "grpc". 113 repeated string application_protocols = 1; 114 115 // Handshake parameters (record protocols and local identities supported by 116 // the server) mapped by the handshake protocol. Each handshake security 117 // protocol (e.g., TLS or ALTS) has its own set of record protocols and local 118 // identities. Since protobuf does not support enum as key to the map, the key 119 // to handshake_parameters is the integer value of HandshakeProtocol enum. 120 map<int32, ServerHandshakeParameters> handshake_parameters = 2; 121 122 // Bytes in out_frames returned from the peer's HandshakerResp. It is possible 123 // that the peer's out_frames are split into multiple HandshakReq messages. 124 bytes in_bytes = 3; 125 126 // (Optional) Local endpoint information of the connection to the client, 127 // such as local IP address, port number, and network protocol. 128 Endpoint local_endpoint = 4; 129 130 // (Optional) Endpoint information of the remote client, such as IP address, 131 // port number, and network protocol. 132 Endpoint remote_endpoint = 5; 133 134 // (Optional) RPC protocol versions supported by the server. 135 RpcProtocolVersions rpc_versions = 6; 136 } 137 138 message NextHandshakeMessageReq { 139 // Bytes in out_frames returned from the peer's HandshakerResp. It is possible 140 // that the peer's out_frames are split into multiple NextHandshakerMessageReq 141 // messages. 142 bytes in_bytes = 1; 143 } 144 145 message HandshakerReq { 146 oneof req_oneof { 147 // The start client handshake request message. 148 StartClientHandshakeReq client_start = 1; 149 150 // The start server handshake request message. 151 StartServerHandshakeReq server_start = 2; 152 153 // The next handshake request message. 154 NextHandshakeMessageReq next = 3; 155 } 156 } 157 158 message HandshakerResult { 159 // The application protocol negotiated for this connection. 160 string application_protocol = 1; 161 162 // The record protocol negotiated for this connection. 163 string record_protocol = 2; 164 165 // Cryptographic key data. The key data may be more than the key length 166 // required for the record protocol, thus the client of the handshaker 167 // service needs to truncate the key data into the right key length. 168 bytes key_data = 3; 169 170 // The authenticated identity of the peer. 171 Identity peer_identity = 4; 172 173 // The local identity used in the handshake. 174 Identity local_identity = 5; 175 176 // Indicate whether the handshaker service client should keep the channel 177 // between the handshaker service open, e.g., in order to handle 178 // post-handshake messages in the future. 179 bool keep_channel_open = 6; 180 181 // The RPC protocol versions supported by the peer. 182 RpcProtocolVersions peer_rpc_versions = 7; 183 } 184 185 message HandshakerStatus { 186 // The status code. This could be the gRPC status code. 187 uint32 code = 1; 188 189 // The status details. 190 string details = 2; 191 } 192 193 message HandshakerResp { 194 // Frames to be given to the peer for the NextHandshakeMessageReq. May be 195 // empty if no out_frames have to be sent to the peer or if in_bytes in the 196 // HandshakerReq are incomplete. All the non-empty out frames must be sent to 197 // the peer even if the handshaker status is not OK as these frames may 198 // contain the alert frames. 199 bytes out_frames = 1; 200 201 // Number of bytes in the in_bytes consumed by the handshaker. It is possible 202 // that part of in_bytes in HandshakerReq was unrelated to the handshake 203 // process. 204 uint32 bytes_consumed = 2; 205 206 // This is set iff the handshake was successful. out_frames may still be set 207 // to frames that needs to be forwarded to the peer. 208 HandshakerResult result = 3; 209 210 // Status of the handshaker. 211 HandshakerStatus status = 4; 212 } 213 214 service HandshakerService { 215 // Handshaker service accepts a stream of handshaker request, returning a 216 // stream of handshaker response. Client is expected to send exactly one 217 // message with either client_start or server_start followed by one or more 218 // messages with next. Each time client sends a request, the handshaker 219 // service expects to respond. Client does not have to wait for service's 220 // response before sending next request. 221 rpc DoHandshake(stream HandshakerReq) 222 returns (stream HandshakerResp) { 223 } 224 } 225
