1// Copyright 2018 The gRPC Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// The canonical version of this proto can be found at
16// https://github.com/grpc/grpc-proto/blob/master/grpc/gcp/handshaker.proto
17
18syntax = "proto3";
19
20package grpc.gcp;
21
22import "src/proto/grpc/gcp/transport_security_common.proto";
23
24option go_package = "google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp";
25option java_multiple_files = true;
26option java_outer_classname = "HandshakerProto";
27option java_package = "io.grpc.alts.internal";
28
29
30enum HandshakeProtocol {
31  // Default value.
32  HANDSHAKE_PROTOCOL_UNSPECIFIED = 0;
33
34  // TLS handshake protocol.
35  TLS = 1;
36
37  // Application Layer Transport Security handshake protocol.
38  ALTS = 2;
39}
40
41enum NetworkProtocol {
42  NETWORK_PROTOCOL_UNSPECIFIED = 0;
43  TCP = 1;
44  UDP = 2;
45}
46
47message Endpoint {
48  // IP address. It should contain an IPv4 or IPv6 string literal, e.g.
49  // "192.168.0.1" or "2001:db8::1".
50  string ip_address = 1;
51
52  // Port number.
53  int32 port = 2;
54
55  // Network protocol (e.g., TCP, UDP) associated with this endpoint.
56  NetworkProtocol protocol = 3;
57}
58
59message Identity {
60  oneof identity_oneof {
61    // Service account of a connection endpoint.
62    string service_account = 1;
63
64    // Hostname of a connection endpoint.
65    string hostname = 2;
66  }
67
68  // Additional attributes of the identity.
69  map<string, string> attributes = 3;
70}
71
72message StartClientHandshakeReq {
73  // Handshake security protocol requested by the client.
74  HandshakeProtocol handshake_security_protocol = 1;
75
76  // The application protocols supported by the client, e.g., "h2" (for http2),
77  // "grpc".
78  repeated string application_protocols = 2;
79
80  // The record protocols supported by the client, e.g.,
81  // "ALTSRP_GCM_AES128".
82  repeated string record_protocols = 3;
83
84  // (Optional) Describes which server identities are acceptable by the client.
85  // If target identities are provided and none of them matches the peer
86  // identity of the server, handshake will fail.
87  repeated Identity target_identities = 4;
88
89  // (Optional) Application may specify a local identity. Otherwise, the
90  // handshaker chooses a default local identity.
91  Identity local_identity = 5;
92
93  // (Optional) Local endpoint information of the connection to the server,
94  // such as local IP address, port number, and network protocol.
95  Endpoint local_endpoint = 6;
96
97  // (Optional) Endpoint information of the remote server, such as IP address,
98  // port number, and network protocol.
99  Endpoint remote_endpoint = 7;
100
101  // (Optional) If target name is provided, a secure naming check is performed
102  // to verify that the peer authenticated identity is indeed authorized to run
103  // the target name.
104  string target_name = 8;
105
106  // (Optional) RPC protocol versions supported by the client.
107  RpcProtocolVersions rpc_versions = 9;
108
109  // (Optional) Maximum frame size supported by the client.
110  uint32 max_frame_size = 10;
111}
112
113message ServerHandshakeParameters {
114  // The record protocols supported by the server, e.g.,
115  // "ALTSRP_GCM_AES128".
116  repeated string record_protocols = 1;
117
118  // (Optional) A list of local identities supported by the server, if
119  // specified. Otherwise, the handshaker chooses a default local identity.
120  repeated Identity local_identities = 2;
121}
122
123message StartServerHandshakeReq {
124  // The application protocols supported by the server, e.g., "h2" (for http2),
125  // "grpc".
126  repeated string application_protocols = 1;
127
128  // Handshake parameters (record protocols and local identities supported by
129  // the server) mapped by the handshake protocol. Each handshake security
130  // protocol (e.g., TLS or ALTS) has its own set of record protocols and local
131  // identities. Since protobuf does not support enum as key to the map, the key
132  // to handshake_parameters is the integer value of HandshakeProtocol enum.
133  map<int32, ServerHandshakeParameters> handshake_parameters = 2;
134
135  // Bytes in out_frames returned from the peer's HandshakerResp. It is possible
136  // that the peer's out_frames are split into multiple HandshakReq messages.
137  bytes in_bytes = 3;
138
139  // (Optional) Local endpoint information of the connection to the client,
140  // such as local IP address, port number, and network protocol.
141  Endpoint local_endpoint = 4;
142
143  // (Optional) Endpoint information of the remote client, such as IP address,
144  // port number, and network protocol.
145  Endpoint remote_endpoint = 5;
146
147  // (Optional) RPC protocol versions supported by the server.
148  RpcProtocolVersions rpc_versions = 6;
149
150  // (Optional) Maximum frame size supported by the server.
151  uint32 max_frame_size = 7;
152}
153
154message NextHandshakeMessageReq {
155  // Bytes in out_frames returned from the peer's HandshakerResp. It is possible
156  // that the peer's out_frames are split into multiple NextHandshakerMessageReq
157  // messages.
158  bytes in_bytes = 1;
159}
160
161message HandshakerReq {
162  oneof req_oneof {
163    // The start client handshake request message.
164    StartClientHandshakeReq client_start = 1;
165
166    // The start server handshake request message.
167    StartServerHandshakeReq server_start = 2;
168
169    // The next handshake request message.
170    NextHandshakeMessageReq next = 3;
171  }
172}
173
174message HandshakerResult {
175  // The application protocol negotiated for this connection.
176  string application_protocol = 1;
177
178  // The record protocol negotiated for this connection.
179  string record_protocol = 2;
180
181  // Cryptographic key data. The key data may be more than the key length
182  // required for the record protocol, thus the client of the handshaker
183  // service needs to truncate the key data into the right key length.
184  bytes key_data = 3;
185
186  // The authenticated identity of the peer.
187  Identity peer_identity = 4;
188
189  // The local identity used in the handshake.
190  Identity local_identity = 5;
191
192  // Indicate whether the handshaker service client should keep the channel
193  // between the handshaker service open, e.g., in order to handle
194  // post-handshake messages in the future.
195  bool keep_channel_open = 6;
196
197  // The RPC protocol versions supported by the peer.
198  RpcProtocolVersions peer_rpc_versions = 7;
199
200  // The maximum frame size of the peer.
201  uint32 max_frame_size = 8;
202}
203
204message HandshakerStatus {
205  // The status code. This could be the gRPC status code.
206  uint32 code = 1;
207
208  // The status details.
209  string details = 2;
210}
211
212message HandshakerResp {
213  // Frames to be given to the peer for the NextHandshakeMessageReq. May be
214  // empty if no out_frames have to be sent to the peer or if in_bytes in the
215  // HandshakerReq are incomplete. All the non-empty out frames must be sent to
216  // the peer even if the handshaker status is not OK as these frames may
217  // contain the alert frames.
218  bytes out_frames = 1;
219
220  // Number of bytes in the in_bytes consumed by the handshaker. It is possible
221  // that part of in_bytes in HandshakerReq was unrelated to the handshake
222  // process.
223  uint32 bytes_consumed = 2;
224
225  // This is set iff the handshake was successful. out_frames may still be set
226  // to frames that needs to be forwarded to the peer.
227  HandshakerResult result = 3;
228
229  // Status of the handshaker.
230  HandshakerStatus status = 4;
231}
232
233service HandshakerService {
234  // Handshaker service accepts a stream of handshaker request, returning a
235  // stream of handshaker response. Client is expected to send exactly one
236  // message with either client_start or server_start followed by one or more
237  // messages with next. Each time client sends a request, the handshaker
238  // service expects to respond. Client does not have to wait for service's
239  // response before sending next request.
240  rpc DoHandshake(stream HandshakerReq)
241      returns (stream HandshakerResp) {
242  }
243}
244