Documentation
¶
Index ¶
- Constants
- Variables
- func RegisterConfidentialComputingServer(s grpc.ServiceRegistrar, srv ConfidentialComputingServer)
- type AwsPrincipalTagsOptions
- func (*AwsPrincipalTagsOptions) Descriptor() ([]byte, []int)deprecated
- func (x *AwsPrincipalTagsOptions) GetAllowedPrincipalTags() *AwsPrincipalTagsOptions_AllowedPrincipalTags
- func (*AwsPrincipalTagsOptions) ProtoMessage()
- func (x *AwsPrincipalTagsOptions) ProtoReflect() protoreflect.Message
- func (x *AwsPrincipalTagsOptions) Reset()
- func (x *AwsPrincipalTagsOptions) String() string
- type AwsPrincipalTagsOptions_AllowedPrincipalTags
- func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) Descriptor() ([]byte, []int)deprecated
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) GetContainerImageSignatures() *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures
- func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoMessage()
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoReflect() protoreflect.Message
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) Reset()
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) String() string
- type AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures
- func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Descriptor() ([]byte, []int)deprecated
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) GetKeyIds() []string
- func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoMessage()
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoReflect() protoreflect.Message
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Reset()
- func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) String() string
- type Challenge
- func (*Challenge) Descriptor() ([]byte, []int)deprecated
- func (x *Challenge) GetCreateTime() *timestamppb.Timestamp
- func (x *Challenge) GetExpireTime() *timestamppb.Timestamp
- func (x *Challenge) GetName() string
- func (x *Challenge) GetTpmNonce() string
- func (x *Challenge) GetUsed() bool
- func (*Challenge) ProtoMessage()
- func (x *Challenge) ProtoReflect() protoreflect.Message
- func (x *Challenge) Reset()
- func (x *Challenge) String() string
- type ConfidentialComputingClient
- type ConfidentialComputingServer
- type ConfidentialSpaceInfo
- func (*ConfidentialSpaceInfo) Descriptor() ([]byte, []int)deprecated
- func (x *ConfidentialSpaceInfo) GetSignedEntities() []*SignedEntity
- func (*ConfidentialSpaceInfo) ProtoMessage()
- func (x *ConfidentialSpaceInfo) ProtoReflect() protoreflect.Message
- func (x *ConfidentialSpaceInfo) Reset()
- func (x *ConfidentialSpaceInfo) String() string
- type ContainerImageSignature
- func (*ContainerImageSignature) Descriptor() ([]byte, []int)deprecated
- func (x *ContainerImageSignature) GetPayload() []byte
- func (x *ContainerImageSignature) GetPublicKey() []byte
- func (x *ContainerImageSignature) GetSigAlg() SigningAlgorithm
- func (x *ContainerImageSignature) GetSignature() []byte
- func (*ContainerImageSignature) ProtoMessage()
- func (x *ContainerImageSignature) ProtoReflect() protoreflect.Message
- func (x *ContainerImageSignature) Reset()
- func (x *ContainerImageSignature) String() string
- type CreateChallengeRequest
- func (*CreateChallengeRequest) Descriptor() ([]byte, []int)deprecated
- func (x *CreateChallengeRequest) GetChallenge() *Challenge
- func (x *CreateChallengeRequest) GetParent() string
- func (*CreateChallengeRequest) ProtoMessage()
- func (x *CreateChallengeRequest) ProtoReflect() protoreflect.Message
- func (x *CreateChallengeRequest) Reset()
- func (x *CreateChallengeRequest) String() string
- type GceShieldedIdentity
- func (*GceShieldedIdentity) Descriptor() ([]byte, []int)deprecated
- func (x *GceShieldedIdentity) GetAkCert() []byte
- func (x *GceShieldedIdentity) GetAkCertChain() [][]byte
- func (*GceShieldedIdentity) ProtoMessage()
- func (x *GceShieldedIdentity) ProtoReflect() protoreflect.Message
- func (x *GceShieldedIdentity) Reset()
- func (x *GceShieldedIdentity) String() string
- type GcpCredentials
- type SevSnpAttestation
- func (*SevSnpAttestation) Descriptor() ([]byte, []int)deprecated
- func (x *SevSnpAttestation) GetAuxBlob() []byte
- func (x *SevSnpAttestation) GetReport() []byte
- func (*SevSnpAttestation) ProtoMessage()
- func (x *SevSnpAttestation) ProtoReflect() protoreflect.Message
- func (x *SevSnpAttestation) Reset()
- func (x *SevSnpAttestation) String() string
- type SignatureType
- func (SignatureType) Descriptor() protoreflect.EnumDescriptor
- func (x SignatureType) Enum() *SignatureType
- func (SignatureType) EnumDescriptor() ([]byte, []int)deprecated
- func (x SignatureType) Number() protoreflect.EnumNumber
- func (x SignatureType) String() string
- func (SignatureType) Type() protoreflect.EnumType
- type SignedEntity
- func (*SignedEntity) Descriptor() ([]byte, []int)deprecated
- func (x *SignedEntity) GetContainerImageSignatures() []*ContainerImageSignature
- func (*SignedEntity) ProtoMessage()
- func (x *SignedEntity) ProtoReflect() protoreflect.Message
- func (x *SignedEntity) Reset()
- func (x *SignedEntity) String() string
- type SigningAlgorithm
- func (SigningAlgorithm) Descriptor() protoreflect.EnumDescriptor
- func (x SigningAlgorithm) Enum() *SigningAlgorithm
- func (SigningAlgorithm) EnumDescriptor() ([]byte, []int)deprecated
- func (x SigningAlgorithm) Number() protoreflect.EnumNumber
- func (x SigningAlgorithm) String() string
- func (SigningAlgorithm) Type() protoreflect.EnumType
- type TdxCcelAttestation
- func (*TdxCcelAttestation) Descriptor() ([]byte, []int)deprecated
- func (x *TdxCcelAttestation) GetCanonicalEventLog() []byte
- func (x *TdxCcelAttestation) GetCcelAcpiTable() []byte
- func (x *TdxCcelAttestation) GetCcelData() []byte
- func (x *TdxCcelAttestation) GetTdQuote() []byte
- func (*TdxCcelAttestation) ProtoMessage()
- func (x *TdxCcelAttestation) ProtoReflect() protoreflect.Message
- func (x *TdxCcelAttestation) Reset()
- func (x *TdxCcelAttestation) String() string
- type TokenOptions
- func (*TokenOptions) Descriptor() ([]byte, []int)deprecated
- func (x *TokenOptions) GetAudience() string
- func (x *TokenOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions
- func (x *TokenOptions) GetNonce() []string
- func (x *TokenOptions) GetTokenType() TokenType
- func (m *TokenOptions) GetTokenTypeOptions() isTokenOptions_TokenTypeOptions
- func (*TokenOptions) ProtoMessage()
- func (x *TokenOptions) ProtoReflect() protoreflect.Message
- func (x *TokenOptions) Reset()
- func (x *TokenOptions) String() string
- type TokenOptions_AwsPrincipalTagsOptions
- type TokenProfile
- func (TokenProfile) Descriptor() protoreflect.EnumDescriptor
- func (x TokenProfile) Enum() *TokenProfile
- func (TokenProfile) EnumDescriptor() ([]byte, []int)deprecated
- func (x TokenProfile) Number() protoreflect.EnumNumber
- func (x TokenProfile) String() string
- func (TokenProfile) Type() protoreflect.EnumType
- type TokenType
- type TpmAttestation
- func (*TpmAttestation) Descriptor() ([]byte, []int)deprecated
- func (x *TpmAttestation) GetAkCert() []byte
- func (x *TpmAttestation) GetCanonicalEventLog() []byte
- func (x *TpmAttestation) GetCertChain() [][]byte
- func (x *TpmAttestation) GetQuotes() []*TpmAttestation_Quote
- func (x *TpmAttestation) GetTcgEventLog() []byte
- func (*TpmAttestation) ProtoMessage()
- func (x *TpmAttestation) ProtoReflect() protoreflect.Message
- func (x *TpmAttestation) Reset()
- func (x *TpmAttestation) String() string
- type TpmAttestation_Quote
- func (*TpmAttestation_Quote) Descriptor() ([]byte, []int)deprecated
- func (x *TpmAttestation_Quote) GetHashAlgo() int32
- func (x *TpmAttestation_Quote) GetPcrValues() map[int32][]byte
- func (x *TpmAttestation_Quote) GetRawQuote() []byte
- func (x *TpmAttestation_Quote) GetRawSignature() []byte
- func (*TpmAttestation_Quote) ProtoMessage()
- func (x *TpmAttestation_Quote) ProtoReflect() protoreflect.Message
- func (x *TpmAttestation_Quote) Reset()
- func (x *TpmAttestation_Quote) String() string
- type UnimplementedConfidentialComputingServer
- func (UnimplementedConfidentialComputingServer) CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
- func (UnimplementedConfidentialComputingServer) VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
- func (UnimplementedConfidentialComputingServer) VerifyConfidentialGke(context.Context, *VerifyConfidentialGkeRequest) (*VerifyConfidentialGkeResponse, error)
- func (UnimplementedConfidentialComputingServer) VerifyConfidentialSpace(context.Context, *VerifyConfidentialSpaceRequest) (*VerifyConfidentialSpaceResponse, error)
- type UnsafeConfidentialComputingServer
- type VerifyAttestationRequest
- func (*VerifyAttestationRequest) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyAttestationRequest) GetAttester() string
- func (x *VerifyAttestationRequest) GetChallenge() string
- func (x *VerifyAttestationRequest) GetConfidentialSpaceInfo() *ConfidentialSpaceInfo
- func (x *VerifyAttestationRequest) GetGcpCredentials() *GcpCredentials
- func (x *VerifyAttestationRequest) GetSevSnpAttestation() *SevSnpAttestation
- func (x *VerifyAttestationRequest) GetTdCcel() *TdxCcelAttestation
- func (m *VerifyAttestationRequest) GetTeeAttestation() isVerifyAttestationRequest_TeeAttestation
- func (x *VerifyAttestationRequest) GetTokenOptions() *TokenOptions
- func (x *VerifyAttestationRequest) GetTpmAttestation() *TpmAttestation
- func (*VerifyAttestationRequest) ProtoMessage()
- func (x *VerifyAttestationRequest) ProtoReflect() protoreflect.Message
- func (x *VerifyAttestationRequest) Reset()
- func (x *VerifyAttestationRequest) String() string
- type VerifyAttestationRequest_SevSnpAttestation
- type VerifyAttestationRequest_TdCcel
- type VerifyAttestationResponse
- func (*VerifyAttestationResponse) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyAttestationResponse) GetOidcClaimsToken() string
- func (x *VerifyAttestationResponse) GetPartialErrors() []*status.Status
- func (*VerifyAttestationResponse) ProtoMessage()
- func (x *VerifyAttestationResponse) ProtoReflect() protoreflect.Message
- func (x *VerifyAttestationResponse) Reset()
- func (x *VerifyAttestationResponse) String() string
- type VerifyConfidentialGkeRequest
- func (*VerifyConfidentialGkeRequest) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyConfidentialGkeRequest) GetChallenge() string
- func (m *VerifyConfidentialGkeRequest) GetTeeAttestation() isVerifyConfidentialGkeRequest_TeeAttestation
- func (x *VerifyConfidentialGkeRequest) GetTpmAttestation() *TpmAttestation
- func (*VerifyConfidentialGkeRequest) ProtoMessage()
- func (x *VerifyConfidentialGkeRequest) ProtoReflect() protoreflect.Message
- func (x *VerifyConfidentialGkeRequest) Reset()
- func (x *VerifyConfidentialGkeRequest) String() string
- type VerifyConfidentialGkeRequest_TpmAttestation
- type VerifyConfidentialGkeResponse
- func (*VerifyConfidentialGkeResponse) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyConfidentialGkeResponse) GetAttestationToken() string
- func (*VerifyConfidentialGkeResponse) ProtoMessage()
- func (x *VerifyConfidentialGkeResponse) ProtoReflect() protoreflect.Message
- func (x *VerifyConfidentialGkeResponse) Reset()
- func (x *VerifyConfidentialGkeResponse) String() string
- type VerifyConfidentialSpaceRequest
- func (*VerifyConfidentialSpaceRequest) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyConfidentialSpaceRequest) GetChallenge() string
- func (x *VerifyConfidentialSpaceRequest) GetGceShieldedIdentity() *GceShieldedIdentity
- func (x *VerifyConfidentialSpaceRequest) GetGcpCredentials() *GcpCredentials
- func (x *VerifyConfidentialSpaceRequest) GetOptions() *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions
- func (x *VerifyConfidentialSpaceRequest) GetSignedEntities() []*SignedEntity
- func (x *VerifyConfidentialSpaceRequest) GetTdCcel() *TdxCcelAttestation
- func (m *VerifyConfidentialSpaceRequest) GetTeeAttestation() isVerifyConfidentialSpaceRequest_TeeAttestation
- func (x *VerifyConfidentialSpaceRequest) GetTpmAttestation() *TpmAttestation
- func (*VerifyConfidentialSpaceRequest) ProtoMessage()
- func (x *VerifyConfidentialSpaceRequest) ProtoReflect() protoreflect.Message
- func (x *VerifyConfidentialSpaceRequest) Reset()
- func (x *VerifyConfidentialSpaceRequest) String() string
- type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions
- func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAudience() string
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetNonce() []string
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetSignatureType() SignatureType
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfile() TokenProfile
- func (m *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfileOptions() isVerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_TokenProfileOptions
- func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoMessage()
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoReflect() protoreflect.Message
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Reset()
- func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) String() string
- type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions
- type VerifyConfidentialSpaceRequest_TdCcel
- type VerifyConfidentialSpaceRequest_TpmAttestation
- type VerifyConfidentialSpaceResponse
- func (*VerifyConfidentialSpaceResponse) Descriptor() ([]byte, []int)deprecated
- func (x *VerifyConfidentialSpaceResponse) GetAttestationToken() string
- func (x *VerifyConfidentialSpaceResponse) GetPartialErrors() []*status.Status
- func (*VerifyConfidentialSpaceResponse) ProtoMessage()
- func (x *VerifyConfidentialSpaceResponse) ProtoReflect() protoreflect.Message
- func (x *VerifyConfidentialSpaceResponse) Reset()
- func (x *VerifyConfidentialSpaceResponse) String() string
Constants ¶
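// Full gRPC method names of the four ConfidentialComputing RPCs, each in the
// form "/<proto package>.<Service>/<Method>". They are the stable strings to
// compare against when an interceptor, an authorization rule or an audit log
// has to tell the RPCs apart.
//
// The block is written one constant per line: Go terminates each constant
// specification at the line break, so the specifications cannot share a line.
const (
	// ConfidentialComputing_CreateChallenge_FullMethodName names the CreateChallenge RPC.
	ConfidentialComputing_CreateChallenge_FullMethodName = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/CreateChallenge"
	// ConfidentialComputing_VerifyAttestation_FullMethodName names the VerifyAttestation RPC.
	ConfidentialComputing_VerifyAttestation_FullMethodName = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyAttestation"
	// ConfidentialComputing_VerifyConfidentialSpace_FullMethodName names the VerifyConfidentialSpace RPC.
	ConfidentialComputing_VerifyConfidentialSpace_FullMethodName = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyConfidentialSpace"
	// ConfidentialComputing_VerifyConfidentialGke_FullMethodName names the VerifyConfidentialGke RPC.
	ConfidentialComputing_VerifyConfidentialGke_FullMethodName = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyConfidentialGke"
)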
Variables ¶
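// Enum value maps for SigningAlgorithm. The two maps are inverses of each
// other: one goes from enum number to name, the other from name to number.
//
// Each declaration and each map entry sits on its own line; Go needs the line
// break between the two variable specifications.
var (
	// SigningAlgorithm_name maps each enum number to its name.
	SigningAlgorithm_name = map[int32]string{
		0: "SIGNING_ALGORITHM_UNSPECIFIED",
		1: "RSASSA_PSS_SHA256",
		2: "RSASSA_PKCS1V15_SHA256",
		3: "ECDSA_P256_SHA256",
	}
	// SigningAlgorithm_value maps each name to its enum number. Indexing with
	// a name that is not a key yields 0, which is also the number of
	// SIGNING_ALGORITHM_UNSPECIFIED; use the two-value form
	// (n, ok := SigningAlgorithm_value[s]) when the name comes from outside
	// the program, so an unknown algorithm name is not mistaken for
	// UNSPECIFIED.
	SigningAlgorithm_value = map[string]int32{
		"SIGNING_ALGORITHM_UNSPECIFIED": 0,
		"RSASSA_PSS_SHA256":             1,
		"RSASSA_PKCS1V15_SHA256":        2,
		"ECDSA_P256_SHA256":             3,
	}
)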
Enum value maps for SigningAlgorithm.
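// Enum value maps for TokenType. The two maps are inverses of each other: one
// goes from enum number to name, the other from name to number.
//
// Each declaration and each map entry sits on its own line; Go needs the line
// break between the two variable specifications.
var (
	// TokenType_name maps each enum number to its name.
	TokenType_name = map[int32]string{
		0: "TOKEN_TYPE_UNSPECIFIED",
		1: "TOKEN_TYPE_OIDC",
		2: "TOKEN_TYPE_PKI",
		3: "TOKEN_TYPE_LIMITED_AWS",
		4: "TOKEN_TYPE_AWS_PRINCIPALTAGS",
	}
	// TokenType_value maps each name to its enum number. Indexing with a name
	// that is not a key yields 0, which is also the number of
	// TOKEN_TYPE_UNSPECIFIED; use the two-value form
	// (n, ok := TokenType_value[s]) when the name comes from outside the
	// program, so an unknown token type is not mistaken for UNSPECIFIED.
	TokenType_value = map[string]int32{
		"TOKEN_TYPE_UNSPECIFIED":       0,
		"TOKEN_TYPE_OIDC":              1,
		"TOKEN_TYPE_PKI":               2,
		"TOKEN_TYPE_LIMITED_AWS":       3,
		"TOKEN_TYPE_AWS_PRINCIPALTAGS": 4,
	}
)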
Enum value maps for TokenType.
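// Enum value maps for SignatureType. The two maps are inverses of each other:
// one goes from enum number to name, the other from name to number.
//
// Each declaration and each map entry sits on its own line; Go needs the line
// break between the two variable specifications.
var (
	// SignatureType_name maps each enum number to its name.
	SignatureType_name = map[int32]string{
		0: "SIGNATURE_TYPE_UNSPECIFIED",
		1: "SIGNATURE_TYPE_OIDC",
		2: "SIGNATURE_TYPE_PKI",
	}
	// SignatureType_value maps each name to its enum number. Indexing with a
	// name that is not a key yields 0, which is also the number of
	// SIGNATURE_TYPE_UNSPECIFIED; use the two-value form
	// (n, ok := SignatureType_value[s]) when the name comes from outside the
	// program, so an unknown signature type is not mistaken for UNSPECIFIED.
	SignatureType_value = map[string]int32{
		"SIGNATURE_TYPE_UNSPECIFIED": 0,
		"SIGNATURE_TYPE_OIDC":        1,
		"SIGNATURE_TYPE_PKI":         2,
	}
)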
Enum value maps for SignatureType.
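// Enum value maps for TokenProfile. The two maps are inverses of each other:
// one goes from enum number to name, the other from name to number.
//
// Each declaration and each map entry sits on its own line; Go needs the line
// break between the two variable specifications.
var (
	// TokenProfile_name maps each enum number to its name.
	TokenProfile_name = map[int32]string{
		0: "TOKEN_PROFILE_UNSPECIFIED",
		1: "TOKEN_PROFILE_DEFAULT_EAT",
		2: "TOKEN_PROFILE_AWS",
	}
	// TokenProfile_value maps each name to its enum number. Indexing with a
	// name that is not a key yields 0, which is also the number of
	// TOKEN_PROFILE_UNSPECIFIED; use the two-value form
	// (n, ok := TokenProfile_value[s]) when the name comes from outside the
	// program, so an unknown profile is not mistaken for UNSPECIFIED.
	TokenProfile_value = map[string]int32{
		"TOKEN_PROFILE_UNSPECIFIED": 0,
		"TOKEN_PROFILE_DEFAULT_EAT": 1,
		"TOKEN_PROFILE_AWS":         2,
	}
)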
Enum value maps for TokenProfile.
// ConfidentialComputing_ServiceDesc describes the ConfidentialComputing
// service to gRPC: four unary methods and no streaming methods. Each Methods
// entry pairs an RPC name with its handler; the handler functions named here
// are defined outside this listing.
var ConfidentialComputing_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "google.cloud.confidentialcomputing.v1.ConfidentialComputing",
	// Typed nil pointer to the server interface; carries the interface type only.
	HandlerType: (*ConfidentialComputingServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CreateChallenge",
			Handler:    _ConfidentialComputing_CreateChallenge_Handler,
		},
		{
			MethodName: "VerifyAttestation",
			Handler:    _ConfidentialComputing_VerifyAttestation_Handler,
		},
		{
			MethodName: "VerifyConfidentialSpace",
			Handler:    _ConfidentialComputing_VerifyConfidentialSpace_Handler,
		},
		{
			MethodName: "VerifyConfidentialGke",
			Handler:    _ConfidentialComputing_VerifyConfidentialGke_Handler,
		},
	},
	// The service declares no streaming RPCs.
	Streams:  []grpc.StreamDesc{},
	Metadata: "google/cloud/confidentialcomputing/v1/service.proto",
}
ConfidentialComputing_ServiceDesc is the grpc.ServiceDesc for the ConfidentialComputing service. It is intended only for direct use with grpc.RegisterService, and is not to be introspected or modified (even as a copy).
// File_google_cloud_confidentialcomputing_v1_service_proto is a package-level
// protoreflect.FileDescriptor. Presumably it is the descriptor for
// google/cloud/confidentialcomputing/v1/service.proto; where it is
// initialized is not shown in this listing.
var File_google_cloud_confidentialcomputing_v1_service_proto protoreflect.FileDescriptor
Functions ¶
func RegisterConfidentialComputingServer ¶
func RegisterConfidentialComputingServer(s grpc.ServiceRegistrar, srv ConfidentialComputingServer)
Types ¶
type AwsPrincipalTagsOptions ¶ added in v1.10.0
// AwsPrincipalTagsOptions carries the token options that apply only to the
// AWS Principal Tags token type.
type AwsPrincipalTagsOptions struct {
	// Optional. Principal tags to allow in the token.
	// This is an allow-list: it names what may appear in the token.
	// NOTE(review): what the service puts in the token when this field is left
	// unset is not stated here — confirm against the service documentation.
	AllowedPrincipalTags *AwsPrincipalTagsOptions_AllowedPrincipalTags `protobuf:"bytes,1,opt,name=allowed_principal_tags,json=allowedPrincipalTags,proto3" json:"allowed_principal_tags,omitempty"`
	// contains filtered or unexported fields
}
Token options that only apply to the AWS Principal Tags token type.
func (*AwsPrincipalTagsOptions) Descriptor
deprecated
added in
v1.10.0
func (*AwsPrincipalTagsOptions) Descriptor() ([]byte, []int)
Deprecated: Use AwsPrincipalTagsOptions.ProtoReflect.Descriptor instead.
func (*AwsPrincipalTagsOptions) GetAllowedPrincipalTags ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions) GetAllowedPrincipalTags() *AwsPrincipalTagsOptions_AllowedPrincipalTags
func (*AwsPrincipalTagsOptions) ProtoMessage ¶ added in v1.10.0
func (*AwsPrincipalTagsOptions) ProtoMessage()
func (*AwsPrincipalTagsOptions) ProtoReflect ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions) ProtoReflect() protoreflect.Message
func (*AwsPrincipalTagsOptions) Reset ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions) Reset()
func (*AwsPrincipalTagsOptions) String ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions) String() string
type AwsPrincipalTagsOptions_AllowedPrincipalTags ¶ added in v1.10.0
// AwsPrincipalTagsOptions_AllowedPrincipalTags defines which principal tags
// will be placed in the token.
type AwsPrincipalTagsOptions_AllowedPrincipalTags struct {
	// Optional. Container image signatures allowed in the token.
	// (The struct tag of this field is elided by the documentation renderer.)
	ContainerImageSignatures *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures `` /* 135-byte string literal not displayed */
	// contains filtered or unexported fields
}
AllowedPrincipalTags defines which principal tags will be placed in the token.
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) Descriptor
deprecated
added in
v1.10.0
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) Descriptor() ([]byte, []int)
Deprecated: Use AwsPrincipalTagsOptions_AllowedPrincipalTags.ProtoReflect.Descriptor instead.
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) GetContainerImageSignatures ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) GetContainerImageSignatures() *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoMessage ¶ added in v1.10.0
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoMessage()
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoReflect ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoReflect() protoreflect.Message
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) Reset ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) Reset()
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) String ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) String() string
type AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures ¶ added in v1.10.0
// AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures
// selects, by key id, which container image signatures become principal tags.
type AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures struct {
	// Optional. List of key ids to filter into the Principal tags. Only keys
	// that have been validated and added to the token will be filtered into
	// principal tags. Unrecognized key ids will be ignored.
	// NOTE(review): because unrecognized ids are ignored rather than rejected,
	// a mistyped key id presumably produces a token without the expected tag
	// and no error — inspect the issued token instead of assuming the tag is
	// present.
	KeyIds []string `protobuf:"bytes,1,rep,name=key_ids,json=keyIds,proto3" json:"key_ids,omitempty"`
	// contains filtered or unexported fields
}
Allowed Container Image Signatures. Key IDs are required to allow this claim to fit within the narrow AWS IAM restrictions.
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Descriptor
deprecated
added in
v1.10.0
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Descriptor() ([]byte, []int)
Deprecated: Use AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures.ProtoReflect.Descriptor instead.
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) GetKeyIds ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) GetKeyIds() []string
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoMessage ¶ added in v1.10.0
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoMessage()
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoReflect ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoReflect() protoreflect.Message
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Reset ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Reset()
func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) String ¶ added in v1.10.0
func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) String() string
type Challenge ¶
// Challenge is a server-issued challenge used to guarantee freshness of
// attestations. Every field displayed here is marked "Output only", i.e. it is
// set by the service rather than by the caller.
type Challenge struct {
	// Output only. The resource name for this Challenge in the format
	// `projects/*/locations/*/challenges/*`
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Output only. The time at which this Challenge was created
	CreateTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
	// Output only. The time at which this Challenge will no longer be usable. It
	// is also the expiration time for any tokens generated from this Challenge.
	// Token lifetime is therefore bounded by the challenge: a token obtained
	// late in the challenge's life expires correspondingly soon.
	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
	// Output only. Indicates if this challenge has been used to generate a token.
	// NOTE(review): whether the service refuses a second verification against
	// a challenge that is already marked used is not stated here — confirm
	// before relying on this flag for replay protection.
	Used bool `protobuf:"varint,4,opt,name=used,proto3" json:"used,omitempty"`
	// Output only. Identical to nonce, but as a string.
	// NOTE(review): no `nonce` field is among the displayed fields, and the
	// tags shown skip field number 5; presumably that is a removed or hidden
	// field — confirm against the .proto definition.
	TpmNonce string `protobuf:"bytes,6,opt,name=tpm_nonce,json=tpmNonce,proto3" json:"tpm_nonce,omitempty"`
	// contains filtered or unexported fields
}
A Challenge from the server used to guarantee freshness of attestations
func (*Challenge) Descriptor
deprecated
func (*Challenge) GetCreateTime ¶
func (x *Challenge) GetCreateTime() *timestamppb.Timestamp
func (*Challenge) GetExpireTime ¶
func (x *Challenge) GetExpireTime() *timestamppb.Timestamp
func (*Challenge) GetTpmNonce ¶
func (*Challenge) ProtoMessage ¶
func (*Challenge) ProtoMessage()
func (*Challenge) ProtoReflect ¶
func (x *Challenge) ProtoReflect() protoreflect.Message
type ConfidentialComputingClient ¶
// ConfidentialComputingClient is the client API for the ConfidentialComputing
// service. All four methods take a context, a request message and optional
// grpc.CallOption values, and return a response message and an error.
type ConfidentialComputingClient interface {
	// Creates a new Challenge in a given project and location.
	// Each of the three Verify* request types has a Challenge string field;
	// presumably it carries the name of a Challenge created here — confirm.
	CreateChallenge(ctx context.Context, in *CreateChallengeRequest, opts ...grpc.CallOption) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed attestation
	// token.
	// NOTE(review): VerifyAttestationResponse also exposes PartialErrors; what
	// a non-empty list means for the returned token is not stated here —
	// confirm before treating a nil error as complete verification.
	VerifyAttestation(ctx context.Context, in *VerifyAttestationRequest, opts ...grpc.CallOption) (*VerifyAttestationResponse, error)
	// Verifies whether the provided attestation info is valid, returning a signed
	// attestation token if so.
	// NOTE(review): VerifyConfidentialSpaceResponse also exposes
	// PartialErrors; check it alongside the error return (semantics not stated
	// here — confirm).
	VerifyConfidentialSpace(ctx context.Context, in *VerifyConfidentialSpaceRequest, opts ...grpc.CallOption) (*VerifyConfidentialSpaceResponse, error)
	// Verifies the provided Confidential GKE attestation info, returning a signed
	// OIDC token.
	VerifyConfidentialGke(ctx context.Context, in *VerifyConfidentialGkeRequest, opts ...grpc.CallOption) (*VerifyConfidentialGkeResponse, error)
}
ConfidentialComputingClient is the client API for ConfidentialComputing service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
func NewConfidentialComputingClient ¶
func NewConfidentialComputingClient(cc grpc.ClientConnInterface) ConfidentialComputingClient
type ConfidentialComputingServer ¶
// ConfidentialComputingServer is the server API for the ConfidentialComputing
// service. Implementations should embed
// UnimplementedConfidentialComputingServer for forward compatibility, so that
// a method added to the service later does not break the build.
type ConfidentialComputingServer interface {
	// Creates a new Challenge in a given project and location.
	CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed attestation
	// token.
	// NOTE(review): the response type also carries PartialErrors; an
	// implementation has to decide what it reports there versus in the error
	// return — the intended split is not stated here.
	VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
	// Verifies whether the provided attestation info is valid, returning a signed
	// attestation token if so.
	VerifyConfidentialSpace(context.Context, *VerifyConfidentialSpaceRequest) (*VerifyConfidentialSpaceResponse, error)
	// Verifies the provided Confidential GKE attestation info, returning a signed
	// OIDC token.
	VerifyConfidentialGke(context.Context, *VerifyConfidentialGkeRequest) (*VerifyConfidentialGkeResponse, error)
}
ConfidentialComputingServer is the server API for ConfidentialComputing service. All implementations should embed UnimplementedConfidentialComputingServer for forward compatibility
type ConfidentialSpaceInfo ¶ added in v1.1.0
// ConfidentialSpaceInfo contains information related to the Confidential
// Space TEE.
type ConfidentialSpaceInfo struct {
	// Optional. A list of signed entities containing container image signatures
	// that can be used for server-side signature verification.
	// The signatures are supplied by the caller; the verification itself is
	// described as happening on the server.
	SignedEntities []*SignedEntity `protobuf:"bytes,1,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
	// contains filtered or unexported fields
}
ConfidentialSpaceInfo contains information related to the Confidential Space TEE.
func (*ConfidentialSpaceInfo) Descriptor
deprecated
added in
v1.1.0
func (*ConfidentialSpaceInfo) Descriptor() ([]byte, []int)
Deprecated: Use ConfidentialSpaceInfo.ProtoReflect.Descriptor instead.
func (*ConfidentialSpaceInfo) GetSignedEntities ¶ added in v1.1.0
func (x *ConfidentialSpaceInfo) GetSignedEntities() []*SignedEntity
func (*ConfidentialSpaceInfo) ProtoMessage ¶ added in v1.1.0
func (*ConfidentialSpaceInfo) ProtoMessage()
func (*ConfidentialSpaceInfo) ProtoReflect ¶ added in v1.1.0
func (x *ConfidentialSpaceInfo) ProtoReflect() protoreflect.Message
func (*ConfidentialSpaceInfo) Reset ¶ added in v1.1.0
func (x *ConfidentialSpaceInfo) Reset()
func (*ConfidentialSpaceInfo) String ¶ added in v1.1.0
func (x *ConfidentialSpaceInfo) String() string
type ContainerImageSignature ¶ added in v1.1.0
// ContainerImageSignature holds the metadata needed to verify a container
// image signature: the signed payload and the signature over it.
type ContainerImageSignature struct {
	// Optional. The binary signature payload following the SimpleSigning format
	// https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#simple-signing.
	// This payload includes the container image digest.
	Payload []byte `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
	// Optional. A signature over the payload.
	// The container image digest is incorporated into the signature as follows:
	//  1. Generate a SimpleSigning format payload that includes the container
	//     image digest.
	//  2. Generate a signature over SHA256 digest of the payload.
	//
	// The signature generation process can be represented as follows:
	// `Sign(sha256(SimpleSigningPayload(sha256(Image Manifest))))`
	//
	// Per this formula the signature commits to the SHA-256 digest of the image
	// manifest, so it identifies image content by digest.
	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// Optional. Reserved for future use.
	// NOTE(review): with PublicKey and SigAlg both reserved, how the verifier
	// learns the key and algorithm for this signature is not shown on this
	// page — confirm before assuming a value set here is honoured.
	PublicKey []byte `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// Optional. Reserved for future use.
	SigAlg SigningAlgorithm `` /* 140-byte string literal not displayed */
	// contains filtered or unexported fields
}
ContainerImageSignature holds necessary metadata to verify a container image signature.
func (*ContainerImageSignature) Descriptor
deprecated
added in
v1.1.0
func (*ContainerImageSignature) Descriptor() ([]byte, []int)
Deprecated: Use ContainerImageSignature.ProtoReflect.Descriptor instead.
func (*ContainerImageSignature) GetPayload ¶ added in v1.1.0
func (x *ContainerImageSignature) GetPayload() []byte
func (*ContainerImageSignature) GetPublicKey ¶ added in v1.1.0
func (x *ContainerImageSignature) GetPublicKey() []byte
func (*ContainerImageSignature) GetSigAlg ¶ added in v1.1.0
func (x *ContainerImageSignature) GetSigAlg() SigningAlgorithm
func (*ContainerImageSignature) GetSignature ¶ added in v1.1.0
func (x *ContainerImageSignature) GetSignature() []byte
func (*ContainerImageSignature) ProtoMessage ¶ added in v1.1.0
func (*ContainerImageSignature) ProtoMessage()
func (*ContainerImageSignature) ProtoReflect ¶ added in v1.1.0
func (x *ContainerImageSignature) ProtoReflect() protoreflect.Message
func (*ContainerImageSignature) Reset ¶ added in v1.1.0
func (x *ContainerImageSignature) Reset()
func (*ContainerImageSignature) String ¶ added in v1.1.0
func (x *ContainerImageSignature) String() string
type CreateChallengeRequest ¶
// CreateChallengeRequest is the request message for creating a Challenge.
type CreateChallengeRequest struct {
	// Required. The resource name of the location where the Challenge will be
	// used, in the format `projects/*/locations/*`.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Required. The Challenge to be created. Currently this field can be empty as
	// all the Challenge fields are set by the server.
	// The caller therefore does not choose the challenge's contents; the values
	// to use are the ones in the Challenge the service returns.
	Challenge *Challenge `protobuf:"bytes,2,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// contains filtered or unexported fields
}
Message for creating a Challenge
func (*CreateChallengeRequest) Descriptor
deprecated
func (*CreateChallengeRequest) Descriptor() ([]byte, []int)
Deprecated: Use CreateChallengeRequest.ProtoReflect.Descriptor instead.
func (*CreateChallengeRequest) GetChallenge ¶
func (x *CreateChallengeRequest) GetChallenge() *Challenge
func (*CreateChallengeRequest) GetParent ¶
func (x *CreateChallengeRequest) GetParent() string
func (*CreateChallengeRequest) ProtoMessage ¶
func (*CreateChallengeRequest) ProtoMessage()
func (*CreateChallengeRequest) ProtoReflect ¶
func (x *CreateChallengeRequest) ProtoReflect() protoreflect.Message
func (*CreateChallengeRequest) Reset ¶
func (x *CreateChallengeRequest) Reset()
func (*CreateChallengeRequest) String ¶
func (x *CreateChallengeRequest) String() string
type GceShieldedIdentity ¶ added in v1.10.0
// GceShieldedIdentity contains information about a Compute Engine instance:
// the Attestation Key certificate and the certificates chaining it to a root.
type GceShieldedIdentity struct {
	// Optional. DER-encoded X.509 certificate of the Attestation Key (otherwise
	// known as an AK or a TPM restricted signing key) used to generate the
	// quotes.
	AkCert []byte `protobuf:"bytes,1,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
	// Optional. List of DER-encoded X.509 certificates which, together with the
	// ak_cert, chain back to a trusted Root Certificate.
	// NOTE(review): the chain is supplied by the caller; which roots count as
	// trusted is decided by the verifier and is not shown on this page.
	AkCertChain [][]byte `protobuf:"bytes,2,rep,name=ak_cert_chain,json=akCertChain,proto3" json:"ak_cert_chain,omitempty"`
	// contains filtered or unexported fields
}
GceShieldedIdentity contains information about a Compute Engine instance.
func (*GceShieldedIdentity) Descriptor
deprecated
added in
v1.10.0
func (*GceShieldedIdentity) Descriptor() ([]byte, []int)
Deprecated: Use GceShieldedIdentity.ProtoReflect.Descriptor instead.
func (*GceShieldedIdentity) GetAkCert ¶ added in v1.10.0
func (x *GceShieldedIdentity) GetAkCert() []byte
func (*GceShieldedIdentity) GetAkCertChain ¶ added in v1.10.0
func (x *GceShieldedIdentity) GetAkCertChain() [][]byte
func (*GceShieldedIdentity) ProtoMessage ¶ added in v1.10.0
func (*GceShieldedIdentity) ProtoMessage()
func (*GceShieldedIdentity) ProtoReflect ¶ added in v1.10.0
func (x *GceShieldedIdentity) ProtoReflect() protoreflect.Message
func (*GceShieldedIdentity) Reset ¶ added in v1.10.0
func (x *GceShieldedIdentity) Reset()
func (*GceShieldedIdentity) String ¶ added in v1.10.0
func (x *GceShieldedIdentity) String() string
type GcpCredentials ¶
// GcpCredentials holds credentials issued by GCP which are linked to the
// platform attestation. They are verified server-side as part of attestation
// verification.
//
// NOTE(review): the field carries service-account ID tokens, i.e. credentials.
// What String() prints for this message is not shown in this listing; confirm
// before writing a request that contains it to logs.
type GcpCredentials struct {
// Same as id_tokens, but as a string. (No id_tokens field is visible in this
// listing; the name comes from the upstream comment.)
ServiceAccountIdTokens []string `` /* 131-byte string literal not displayed */
// contains filtered or unexported fields
}
Credentials issued by GCP which are linked to the platform attestation. These will be verified server-side as part of attestation verification.
func (*GcpCredentials) Descriptor
deprecated
func (*GcpCredentials) Descriptor() ([]byte, []int)
Deprecated: Use GcpCredentials.ProtoReflect.Descriptor instead.
func (*GcpCredentials) GetServiceAccountIdTokens ¶
func (x *GcpCredentials) GetServiceAccountIdTokens() []string
func (*GcpCredentials) ProtoMessage ¶
func (*GcpCredentials) ProtoMessage()
func (*GcpCredentials) ProtoReflect ¶
func (x *GcpCredentials) ProtoReflect() protoreflect.Message
func (*GcpCredentials) Reset ¶
func (x *GcpCredentials) Reset()
func (*GcpCredentials) String ¶
func (x *GcpCredentials) String() string
type SevSnpAttestation ¶ added in v1.6.0
// SevSnpAttestation is an SEV-SNP attestation: the attestation report and the
// certificate bundle that the client collects.
//
// NOTE(review): both fields are raw bytes in the formats referenced below;
// this type does not parse or check them. Presumably the report's signature is
// validated against the certificates by the service — confirm.
type SevSnpAttestation struct {
// Optional. The SEV-SNP Attestation Report
// Format is in revision 1.55, §7.3 Attestation, Table 22. ATTESTATION_REPORT
// Structure in this document:
// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf
Report []byte `protobuf:"bytes,1,opt,name=report,proto3" json:"report,omitempty"`
// Optional. Certificate bundle defined in the GHCB protocol definition
// Format is documented in GHCB revision 2.03, section 4.1.8.1 struct
// cert_table in this document:
// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
AuxBlob []byte `protobuf:"bytes,2,opt,name=aux_blob,json=auxBlob,proto3" json:"aux_blob,omitempty"`
// contains filtered or unexported fields
}
An SEV-SNP Attestation Report. Contains the attestation report and the certificate bundle that the client collects.
func (*SevSnpAttestation) Descriptor
deprecated
added in
v1.6.0
func (*SevSnpAttestation) Descriptor() ([]byte, []int)
Deprecated: Use SevSnpAttestation.ProtoReflect.Descriptor instead.
func (*SevSnpAttestation) GetAuxBlob ¶ added in v1.6.0
func (x *SevSnpAttestation) GetAuxBlob() []byte
func (*SevSnpAttestation) GetReport ¶ added in v1.6.0
func (x *SevSnpAttestation) GetReport() []byte
func (*SevSnpAttestation) ProtoMessage ¶ added in v1.6.0
func (*SevSnpAttestation) ProtoMessage()
func (*SevSnpAttestation) ProtoReflect ¶ added in v1.6.0
func (x *SevSnpAttestation) ProtoReflect() protoreflect.Message
func (*SevSnpAttestation) Reset ¶ added in v1.6.0
func (x *SevSnpAttestation) Reset()
func (*SevSnpAttestation) String ¶ added in v1.6.0
func (x *SevSnpAttestation) String() string
type SignatureType ¶ added in v1.10.0
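// SignatureType enumerates supported signature types for attestation tokens.
type SignatureType int32

const (
	// Unspecified signature type. This is the zero value, so it is what a
	// SignatureType that was never set holds.
	SignatureType_SIGNATURE_TYPE_UNSPECIFIED SignatureType = 0
	// Google OIDC signature.
	SignatureType_SIGNATURE_TYPE_OIDC SignatureType = 1
	// Public Key Infrastructure (PKI) signature.
	SignatureType_SIGNATURE_TYPE_PKI SignatureType = 2
)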
func (SignatureType) Descriptor ¶ added in v1.10.0
func (SignatureType) Descriptor() protoreflect.EnumDescriptor
func (SignatureType) Enum ¶ added in v1.10.0
func (x SignatureType) Enum() *SignatureType
func (SignatureType) EnumDescriptor
deprecated
added in
v1.10.0
func (SignatureType) EnumDescriptor() ([]byte, []int)
Deprecated: Use SignatureType.Descriptor instead.
func (SignatureType) Number ¶ added in v1.10.0
func (x SignatureType) Number() protoreflect.EnumNumber
func (SignatureType) String ¶ added in v1.10.0
func (x SignatureType) String() string
func (SignatureType) Type ¶ added in v1.10.0
func (SignatureType) Type() protoreflect.EnumType
type SignedEntity ¶ added in v1.1.0
// SignedEntity represents an OCI image object containing everything necessary
// to verify container image signatures.
//
// NOTE(review): the signatures are supplied by the requester; the comments in
// this package describe their verification as server-side.
type SignedEntity struct {
// Optional. A list of container image signatures attached to an OCI image
// object.
ContainerImageSignatures []*ContainerImageSignature `` /* 135-byte string literal not displayed */
// contains filtered or unexported fields
}
SignedEntity represents an OCI image object containing everything necessary to verify container image signatures.
func (*SignedEntity) Descriptor
deprecated
added in
v1.1.0
func (*SignedEntity) Descriptor() ([]byte, []int)
Deprecated: Use SignedEntity.ProtoReflect.Descriptor instead.
func (*SignedEntity) GetContainerImageSignatures ¶ added in v1.1.0
func (x *SignedEntity) GetContainerImageSignatures() []*ContainerImageSignature
func (*SignedEntity) ProtoMessage ¶ added in v1.1.0
func (*SignedEntity) ProtoMessage()
func (*SignedEntity) ProtoReflect ¶ added in v1.1.0
func (x *SignedEntity) ProtoReflect() protoreflect.Message
func (*SignedEntity) Reset ¶ added in v1.1.0
func (x *SignedEntity) Reset()
func (*SignedEntity) String ¶ added in v1.1.0
func (x *SignedEntity) String() string
type SigningAlgorithm ¶ added in v1.1.0
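// SigningAlgorithm enumerates all the supported signing algorithms.
type SigningAlgorithm int32

const (
	// Unspecified signing algorithm. This is the zero value, so it is what a
	// SigningAlgorithm that was never set holds.
	SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED SigningAlgorithm = 0
	// RSASSA-PSS with a SHA256 digest.
	SigningAlgorithm_RSASSA_PSS_SHA256 SigningAlgorithm = 1
	// RSASSA-PKCS1 v1.5 with a SHA256 digest.
	SigningAlgorithm_RSASSA_PKCS1V15_SHA256 SigningAlgorithm = 2
	// ECDSA on the P-256 Curve with a SHA256 digest.
	SigningAlgorithm_ECDSA_P256_SHA256 SigningAlgorithm = 3
)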
func (SigningAlgorithm) Descriptor ¶ added in v1.1.0
func (SigningAlgorithm) Descriptor() protoreflect.EnumDescriptor
func (SigningAlgorithm) Enum ¶ added in v1.1.0
func (x SigningAlgorithm) Enum() *SigningAlgorithm
func (SigningAlgorithm) EnumDescriptor
deprecated
added in
v1.1.0
func (SigningAlgorithm) EnumDescriptor() ([]byte, []int)
Deprecated: Use SigningAlgorithm.Descriptor instead.
func (SigningAlgorithm) Number ¶ added in v1.1.0
func (x SigningAlgorithm) Number() protoreflect.EnumNumber
func (SigningAlgorithm) String ¶ added in v1.1.0
func (x SigningAlgorithm) String() string
func (SigningAlgorithm) Type ¶ added in v1.1.0
func (SigningAlgorithm) Type() protoreflect.EnumType
type TdxCcelAttestation ¶ added in v1.6.0
// TdxCcelAttestation is a TDX attestation: the guest's quote together with the
// CCEL table and event logs that accompany it.
//
// NOTE(review): all four fields are raw bytes from the requester. The quote is
// described as containing the RTMR values; the event logs are presumably
// trusted only as far as they match those values — confirm against the
// service's verification rules.
type TdxCcelAttestation struct {
// Optional. The Confidential Computing Event Log (CCEL) ACPI table. Formatted
// as described in the ACPI Specification 6.5.
CcelAcpiTable []byte `protobuf:"bytes,1,opt,name=ccel_acpi_table,json=ccelAcpiTable,proto3" json:"ccel_acpi_table,omitempty"`
// Optional. The CCEL event log. Formatted as described in the UEFI 2.10.
CcelData []byte `protobuf:"bytes,2,opt,name=ccel_data,json=ccelData,proto3" json:"ccel_data,omitempty"`
// Optional. An Event Log containing additional events measured into the RTMR
// that are not already present in the CCEL.
CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
// Optional. The TDX attestation quote from the guest. It contains the RTMR
// values.
TdQuote []byte `protobuf:"bytes,4,opt,name=td_quote,json=tdQuote,proto3" json:"td_quote,omitempty"`
// contains filtered or unexported fields
}
A TDX Attestation quote.
func (*TdxCcelAttestation) Descriptor
deprecated
added in
v1.6.0
func (*TdxCcelAttestation) Descriptor() ([]byte, []int)
Deprecated: Use TdxCcelAttestation.ProtoReflect.Descriptor instead.
func (*TdxCcelAttestation) GetCanonicalEventLog ¶ added in v1.6.0
func (x *TdxCcelAttestation) GetCanonicalEventLog() []byte
func (*TdxCcelAttestation) GetCcelAcpiTable ¶ added in v1.6.0
func (x *TdxCcelAttestation) GetCcelAcpiTable() []byte
func (*TdxCcelAttestation) GetCcelData ¶ added in v1.6.0
func (x *TdxCcelAttestation) GetCcelData() []byte
func (*TdxCcelAttestation) GetTdQuote ¶ added in v1.6.0
func (x *TdxCcelAttestation) GetTdQuote() []byte
func (*TdxCcelAttestation) ProtoMessage ¶ added in v1.6.0
func (*TdxCcelAttestation) ProtoMessage()
func (*TdxCcelAttestation) ProtoReflect ¶ added in v1.6.0
func (x *TdxCcelAttestation) ProtoReflect() protoreflect.Message
func (*TdxCcelAttestation) Reset ¶ added in v1.6.0
func (x *TdxCcelAttestation) Reset()
func (*TdxCcelAttestation) String ¶ added in v1.6.0
func (x *TdxCcelAttestation) String() string
type TokenOptions ¶ added in v1.1.0
// TokenOptions holds options that modify claims in the token, to generate
// custom-purpose tokens.
//
// NOTE(review): Audience and Nonce only shape the claims that are requested. A
// relying party still has to compare the audience and eat_nonce claims of the
// returned token with the values it expected.
type TokenOptions struct {
// An optional additional configuration per token type.
//
// Types that are assignable to TokenTypeOptions:
//
// *TokenOptions_AwsPrincipalTagsOptions
TokenTypeOptions isTokenOptions_TokenTypeOptions `protobuf_oneof:"token_type_options"`
// Optional. Optional string to issue the token with a custom audience claim.
// Required if one or more nonces are specified.
Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
// Optional. Optional parameter to place one or more nonces in the eat_nonce
// claim in the output token. The minimum size for JSON-encoded EATs is 10
// bytes and the maximum size is 74 bytes.
Nonce []string `protobuf:"bytes,2,rep,name=nonce,proto3" json:"nonce,omitempty"`
// Optional. Optional token type to select what type of token to return.
TokenType TokenType `` /* 142-byte string literal not displayed */
// contains filtered or unexported fields
}
Options to modify claims in the token to generate custom-purpose tokens.
func (*TokenOptions) Descriptor
deprecated
added in
v1.1.0
func (*TokenOptions) Descriptor() ([]byte, []int)
Deprecated: Use TokenOptions.ProtoReflect.Descriptor instead.
func (*TokenOptions) GetAudience ¶ added in v1.1.0
func (x *TokenOptions) GetAudience() string
func (*TokenOptions) GetAwsPrincipalTagsOptions ¶ added in v1.8.0
func (x *TokenOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions
func (*TokenOptions) GetNonce ¶ added in v1.1.0
func (x *TokenOptions) GetNonce() []string
func (*TokenOptions) GetTokenType ¶ added in v1.4.0
func (x *TokenOptions) GetTokenType() TokenType
func (*TokenOptions) GetTokenTypeOptions ¶ added in v1.8.0
func (m *TokenOptions) GetTokenTypeOptions() isTokenOptions_TokenTypeOptions
func (*TokenOptions) ProtoMessage ¶ added in v1.1.0
func (*TokenOptions) ProtoMessage()
func (*TokenOptions) ProtoReflect ¶ added in v1.1.0
func (x *TokenOptions) ProtoReflect() protoreflect.Message
func (*TokenOptions) Reset ¶ added in v1.1.0
func (x *TokenOptions) Reset()
func (*TokenOptions) String ¶ added in v1.1.0
func (x *TokenOptions) String() string
type TokenOptions_AwsPrincipalTagsOptions ¶ added in v1.8.0
// TokenOptions_AwsPrincipalTagsOptions is the wrapper type for the
// aws_principal_tags_options member of the TokenTypeOptions oneof in
// TokenOptions.
type TokenOptions_AwsPrincipalTagsOptions struct {
// Optional. Options for AWS token type.
AwsPrincipalTagsOptions *AwsPrincipalTagsOptions `protobuf:"bytes,4,opt,name=aws_principal_tags_options,json=awsPrincipalTagsOptions,proto3,oneof"`
}
type TokenProfile ¶ added in v1.10.0
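// TokenProfile enumerates the supported token claims profiles.
type TokenProfile int32

const (
	// Unspecified token profile. This is the zero value, so it is what a
	// TokenProfile that was never set holds.
	TokenProfile_TOKEN_PROFILE_UNSPECIFIED TokenProfile = 0
	// EAT claims.
	TokenProfile_TOKEN_PROFILE_DEFAULT_EAT TokenProfile = 1
	// AWS Principal Tags claims.
	TokenProfile_TOKEN_PROFILE_AWS TokenProfile = 2
)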
func (TokenProfile) Descriptor ¶ added in v1.10.0
func (TokenProfile) Descriptor() protoreflect.EnumDescriptor
func (TokenProfile) Enum ¶ added in v1.10.0
func (x TokenProfile) Enum() *TokenProfile
func (TokenProfile) EnumDescriptor
deprecated
added in
v1.10.0
func (TokenProfile) EnumDescriptor() ([]byte, []int)
Deprecated: Use TokenProfile.Descriptor instead.
func (TokenProfile) Number ¶ added in v1.10.0
func (x TokenProfile) Number() protoreflect.EnumNumber
func (TokenProfile) String ¶ added in v1.10.0
func (x TokenProfile) String() string
func (TokenProfile) Type ¶ added in v1.10.0
func (TokenProfile) Type() protoreflect.EnumType
type TokenType ¶ added in v1.4.0
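// TokenType enumerates the types of token response that Confidential Space
// supports.
type TokenType int32

const (
	// Unspecified token type. This is the zero value, so it is what a
	// TokenType that was never set holds.
	TokenType_TOKEN_TYPE_UNSPECIFIED TokenType = 0
	// OpenID Connect (OIDC) token type.
	TokenType_TOKEN_TYPE_OIDC TokenType = 1
	// Public Key Infrastructure (PKI) token type.
	TokenType_TOKEN_TYPE_PKI TokenType = 2
	// Limited claim token type for AWS integration.
	TokenType_TOKEN_TYPE_LIMITED_AWS TokenType = 3
	// Principal-tag-based token for AWS integration.
	TokenType_TOKEN_TYPE_AWS_PRINCIPALTAGS TokenType = 4
)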
func (TokenType) Descriptor ¶ added in v1.4.0
func (TokenType) Descriptor() protoreflect.EnumDescriptor
func (TokenType) EnumDescriptor
deprecated
added in
v1.4.0
func (TokenType) Number ¶ added in v1.4.0
func (x TokenType) Number() protoreflect.EnumNumber
func (TokenType) Type ¶ added in v1.4.0
func (TokenType) Type() protoreflect.EnumType
type TpmAttestation ¶
// TpmAttestation carries TPM2 data containing everything necessary to validate
// any platform state measured into the TPM: the PCR quotes, the event logs and
// the Attestation Key certificate with its chain.
//
// NOTE(review): every field is supplied by the attesting platform. Only the
// quotes carry a signature (TpmAttestation_Quote.RawSignature); the event logs
// are presumably trusted only as far as they match the quoted PCR values —
// confirm against the service's verification rules.
type TpmAttestation struct {
// TPM2 PCR Quotes generated by calling TPM2_Quote on each PCR bank.
Quotes []*TpmAttestation_Quote `protobuf:"bytes,1,rep,name=quotes,proto3" json:"quotes,omitempty"`
// The binary TCG Event Log containing events measured into the TPM by the
// platform firmware and operating system. Formatted as described in the
// "TCG PC Client Platform Firmware Profile Specification".
TcgEventLog []byte `protobuf:"bytes,2,opt,name=tcg_event_log,json=tcgEventLog,proto3" json:"tcg_event_log,omitempty"`
// An Event Log containing additional events measured into the TPM that are
// not already present in the tcg_event_log. Formatted as described in the
// "Canonical Event Log Format" TCG Specification.
CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
// DER-encoded X.509 certificate of the Attestation Key (otherwise known as
// an AK or a TPM restricted signing key) used to generate the quotes.
AkCert []byte `protobuf:"bytes,4,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
// List of DER-encoded X.509 certificates which, together with the ak_cert,
// chain back to a trusted Root Certificate.
CertChain [][]byte `protobuf:"bytes,5,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
// contains filtered or unexported fields
}
TPM2 data containing everything necessary to validate any platform state measured into the TPM.
func (*TpmAttestation) Descriptor
deprecated
func (*TpmAttestation) Descriptor() ([]byte, []int)
Deprecated: Use TpmAttestation.ProtoReflect.Descriptor instead.
func (*TpmAttestation) GetAkCert ¶
func (x *TpmAttestation) GetAkCert() []byte
func (*TpmAttestation) GetCanonicalEventLog ¶
func (x *TpmAttestation) GetCanonicalEventLog() []byte
func (*TpmAttestation) GetCertChain ¶
func (x *TpmAttestation) GetCertChain() [][]byte
func (*TpmAttestation) GetQuotes ¶
func (x *TpmAttestation) GetQuotes() []*TpmAttestation_Quote
func (*TpmAttestation) GetTcgEventLog ¶
func (x *TpmAttestation) GetTcgEventLog() []byte
func (*TpmAttestation) ProtoMessage ¶
func (*TpmAttestation) ProtoMessage()
func (*TpmAttestation) ProtoReflect ¶
func (x *TpmAttestation) ProtoReflect() protoreflect.Message
func (*TpmAttestation) Reset ¶
func (x *TpmAttestation) Reset()
func (*TpmAttestation) String ¶
func (x *TpmAttestation) String() string
type TpmAttestation_Quote ¶
// TpmAttestation_Quote holds the values of one PCR bank together with the TPM2
// quote and the signature over it, for remote validation.
//
// NOTE(review): PcrValues travels next to RawQuote rather than inside it, so a
// verifier presumably has to check the values against the signed quote and
// must not rely on PcrValues alone — confirm.
type TpmAttestation_Quote struct {
// The hash algorithm of the PCR bank being quoted, encoded as a TPM_ALG_ID.
HashAlgo int32 `protobuf:"varint,1,opt,name=hash_algo,json=hashAlgo,proto3" json:"hash_algo,omitempty"`
// Raw binary values of each PCR being quoted.
// presumably keyed by PCR index; the key's meaning is not stated here — TODO confirm
PcrValues map[int32][]byte `` /* 177-byte string literal not displayed */
// TPM2 quote, encoded as a TPMS_ATTEST.
RawQuote []byte `protobuf:"bytes,3,opt,name=raw_quote,json=rawQuote,proto3" json:"raw_quote,omitempty"`
// TPM2 signature, encoded as a TPMT_SIGNATURE.
RawSignature []byte `protobuf:"bytes,4,opt,name=raw_signature,json=rawSignature,proto3" json:"raw_signature,omitempty"`
// contains filtered or unexported fields
}
Information about Platform Configuration Registers (PCRs), including a signature over their values, which can be used for remote validation.
func (*TpmAttestation_Quote) Descriptor
deprecated
func (*TpmAttestation_Quote) Descriptor() ([]byte, []int)
Deprecated: Use TpmAttestation_Quote.ProtoReflect.Descriptor instead.
func (*TpmAttestation_Quote) GetHashAlgo ¶
func (x *TpmAttestation_Quote) GetHashAlgo() int32
func (*TpmAttestation_Quote) GetPcrValues ¶
func (x *TpmAttestation_Quote) GetPcrValues() map[int32][]byte
func (*TpmAttestation_Quote) GetRawQuote ¶
func (x *TpmAttestation_Quote) GetRawQuote() []byte
func (*TpmAttestation_Quote) GetRawSignature ¶
func (x *TpmAttestation_Quote) GetRawSignature() []byte
func (*TpmAttestation_Quote) ProtoMessage ¶
func (*TpmAttestation_Quote) ProtoMessage()
func (*TpmAttestation_Quote) ProtoReflect ¶
func (x *TpmAttestation_Quote) ProtoReflect() protoreflect.Message
func (*TpmAttestation_Quote) Reset ¶
func (x *TpmAttestation_Quote) Reset()
func (*TpmAttestation_Quote) String ¶
func (x *TpmAttestation_Quote) String() string
type UnimplementedConfidentialComputingServer ¶
// UnimplementedConfidentialComputingServer should be embedded to have forward
// compatible implementations. It declares CreateChallenge, VerifyAttestation,
// VerifyConfidentialGke and VerifyConfidentialSpace; their bodies are not part
// of this listing.
type UnimplementedConfidentialComputingServer struct {
}
UnimplementedConfidentialComputingServer should be embedded to have forward compatible implementations.
func (UnimplementedConfidentialComputingServer) CreateChallenge ¶
func (UnimplementedConfidentialComputingServer) CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
func (UnimplementedConfidentialComputingServer) VerifyAttestation ¶
func (UnimplementedConfidentialComputingServer) VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
func (UnimplementedConfidentialComputingServer) VerifyConfidentialGke ¶ added in v1.10.0
func (UnimplementedConfidentialComputingServer) VerifyConfidentialGke(context.Context, *VerifyConfidentialGkeRequest) (*VerifyConfidentialGkeResponse, error)
func (UnimplementedConfidentialComputingServer) VerifyConfidentialSpace ¶ added in v1.10.0
func (UnimplementedConfidentialComputingServer) VerifyConfidentialSpace(context.Context, *VerifyConfidentialSpaceRequest) (*VerifyConfidentialSpaceResponse, error)
type UnsafeConfidentialComputingServer ¶ added in v1.10.1
// UnsafeConfidentialComputingServer may be embedded to opt out of forward
// compatibility for this service. Its use is not recommended: methods added
// to ConfidentialComputingServer later will then cause compilation errors.
type UnsafeConfidentialComputingServer interface {
// contains filtered or unexported methods
}
UnsafeConfidentialComputingServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to ConfidentialComputingServer will result in compilation errors.
type VerifyAttestationRequest ¶
// VerifyAttestationRequest is a request for an attestation token. It provides
// the information this service needs to verify the platform state of the
// requestor.
//
// NOTE(review): the named Challenge is consumed by the call, so each
// attestation needs a Challenge of its own; a retry that reuses the same name
// should be expected to fail.
type VerifyAttestationRequest struct {
// An optional tee attestation report, used to populate hardware rooted
// claims.
//
// Types that are assignable to TeeAttestation:
//
// *VerifyAttestationRequest_TdCcel
// *VerifyAttestationRequest_SevSnpAttestation
TeeAttestation isVerifyAttestationRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
// Required. The name of the Challenge whose nonce was used to generate the
// attestation, in the format `projects/*/locations/*/challenges/*`. The
// provided Challenge will be consumed, and cannot be used again.
Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
// Optional. Credentials used to populate the "emails" claim in the
// claims_token.
GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
// Required. The TPM-specific data provided by the attesting platform, used to
// populate any of the claims regarding platform state.
TpmAttestation *TpmAttestation `protobuf:"bytes,3,opt,name=tpm_attestation,json=tpmAttestation,proto3" json:"tpm_attestation,omitempty"`
// Optional. Optional information related to the Confidential Space TEE.
ConfidentialSpaceInfo *ConfidentialSpaceInfo `` /* 126-byte string literal not displayed */
// Optional. A collection of optional, workload-specified claims that modify
// the token output.
TokenOptions *TokenOptions `protobuf:"bytes,5,opt,name=token_options,json=tokenOptions,proto3" json:"token_options,omitempty"`
// Optional. An optional indicator of the attester, only applies to certain
// products.
Attester string `protobuf:"bytes,8,opt,name=attester,proto3" json:"attester,omitempty"`
// contains filtered or unexported fields
}
A request for an attestation token, providing all the necessary information needed for this service to verify the platform state of the requestor.
func (*VerifyAttestationRequest) Descriptor
deprecated
func (*VerifyAttestationRequest) Descriptor() ([]byte, []int)
Deprecated: Use VerifyAttestationRequest.ProtoReflect.Descriptor instead.
func (*VerifyAttestationRequest) GetAttester ¶ added in v1.9.0
func (x *VerifyAttestationRequest) GetAttester() string
func (*VerifyAttestationRequest) GetChallenge ¶
func (x *VerifyAttestationRequest) GetChallenge() string
func (*VerifyAttestationRequest) GetConfidentialSpaceInfo ¶ added in v1.1.0
func (x *VerifyAttestationRequest) GetConfidentialSpaceInfo() *ConfidentialSpaceInfo
func (*VerifyAttestationRequest) GetGcpCredentials ¶
func (x *VerifyAttestationRequest) GetGcpCredentials() *GcpCredentials
func (*VerifyAttestationRequest) GetSevSnpAttestation ¶ added in v1.6.0
func (x *VerifyAttestationRequest) GetSevSnpAttestation() *SevSnpAttestation
func (*VerifyAttestationRequest) GetTdCcel ¶ added in v1.6.0
func (x *VerifyAttestationRequest) GetTdCcel() *TdxCcelAttestation
func (*VerifyAttestationRequest) GetTeeAttestation ¶ added in v1.6.0
func (m *VerifyAttestationRequest) GetTeeAttestation() isVerifyAttestationRequest_TeeAttestation
func (*VerifyAttestationRequest) GetTokenOptions ¶ added in v1.1.0
func (x *VerifyAttestationRequest) GetTokenOptions() *TokenOptions
func (*VerifyAttestationRequest) GetTpmAttestation ¶
func (x *VerifyAttestationRequest) GetTpmAttestation() *TpmAttestation
func (*VerifyAttestationRequest) ProtoMessage ¶
func (*VerifyAttestationRequest) ProtoMessage()
func (*VerifyAttestationRequest) ProtoReflect ¶
func (x *VerifyAttestationRequest) ProtoReflect() protoreflect.Message
func (*VerifyAttestationRequest) Reset ¶
func (x *VerifyAttestationRequest) Reset()
func (*VerifyAttestationRequest) String ¶
func (x *VerifyAttestationRequest) String() string
type VerifyAttestationRequest_SevSnpAttestation ¶ added in v1.6.0
// VerifyAttestationRequest_SevSnpAttestation is the wrapper type for the
// sev_snp_attestation member of the TeeAttestation oneof in
// VerifyAttestationRequest.
type VerifyAttestationRequest_SevSnpAttestation struct {
// Optional. An SEV-SNP Attestation Report.
SevSnpAttestation *SevSnpAttestation `protobuf:"bytes,7,opt,name=sev_snp_attestation,json=sevSnpAttestation,proto3,oneof"`
}
type VerifyAttestationRequest_TdCcel ¶ added in v1.6.0
// VerifyAttestationRequest_TdCcel is the wrapper type for the td_ccel member
// of the TeeAttestation oneof in VerifyAttestationRequest.
type VerifyAttestationRequest_TdCcel struct {
// Optional. A TDX with CCEL and RTMR Attestation Quote.
TdCcel *TdxCcelAttestation `protobuf:"bytes,6,opt,name=td_ccel,json=tdCcel,proto3,oneof"`
}
type VerifyAttestationResponse ¶
// VerifyAttestationResponse is returned once an attestation has been
// successfully verified, and contains a signed attestation token.
//
// NOTE(review): PartialErrors sits alongside the token in the same response.
// What a non-empty list means for the claims in that token is not stated
// here — confirm before treating the token as complete.
type VerifyAttestationResponse struct {
// Output only. Same as claims_token, but as a string. (No claims_token field
// is visible in this listing; the name comes from the upstream comment.)
OidcClaimsToken string `protobuf:"bytes,2,opt,name=oidc_claims_token,json=oidcClaimsToken,proto3" json:"oidc_claims_token,omitempty"`
// Output only. A list of messages that carry the partial error details
// related to VerifyAttestation.
PartialErrors []*status.Status `protobuf:"bytes,3,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
// contains filtered or unexported fields
}
A response once an attestation has been successfully verified, containing a signed attestation token.
func (*VerifyAttestationResponse) Descriptor
deprecated
func (*VerifyAttestationResponse) Descriptor() ([]byte, []int)
Deprecated: Use VerifyAttestationResponse.ProtoReflect.Descriptor instead.
func (*VerifyAttestationResponse) GetOidcClaimsToken ¶
func (x *VerifyAttestationResponse) GetOidcClaimsToken() string
func (*VerifyAttestationResponse) GetPartialErrors ¶ added in v1.3.0
func (x *VerifyAttestationResponse) GetPartialErrors() []*status.Status
func (*VerifyAttestationResponse) ProtoMessage ¶
func (*VerifyAttestationResponse) ProtoMessage()
func (*VerifyAttestationResponse) ProtoReflect ¶
func (x *VerifyAttestationResponse) ProtoReflect() protoreflect.Message
func (*VerifyAttestationResponse) Reset ¶
func (x *VerifyAttestationResponse) Reset()
func (*VerifyAttestationResponse) String ¶
func (x *VerifyAttestationResponse) String() string
type VerifyConfidentialGkeRequest ¶ added in v1.10.0
// VerifyConfidentialGkeRequest is a request for an attestation token. It
// provides the information this service needs to verify the Confidential GKE
// platform state of the requestor.
//
// NOTE(review): the named Challenge is consumed by the call, so each
// attestation needs a Challenge of its own.
type VerifyConfidentialGkeRequest struct {
// Required. A tee attestation report, used to populate hardware rooted
// claims.
//
// Types that are assignable to TeeAttestation:
//
// *VerifyConfidentialGkeRequest_TpmAttestation
TeeAttestation isVerifyConfidentialGkeRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
// Required. The name of the Challenge whose nonce was used to generate the
// attestation, in the format projects/*/locations/*/challenges/*. The
// provided Challenge will be consumed, and cannot be used again.
Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
// contains filtered or unexported fields
}
A request for an attestation token, providing all the necessary information needed for this service to verify Confidential GKE platform state of the requestor.
func (*VerifyConfidentialGkeRequest) Descriptor
deprecated
added in
v1.10.0
func (*VerifyConfidentialGkeRequest) Descriptor() ([]byte, []int)
Deprecated: Use VerifyConfidentialGkeRequest.ProtoReflect.Descriptor instead.
func (*VerifyConfidentialGkeRequest) GetChallenge ¶ added in v1.10.0
func (x *VerifyConfidentialGkeRequest) GetChallenge() string
func (*VerifyConfidentialGkeRequest) GetTeeAttestation ¶ added in v1.10.0
func (m *VerifyConfidentialGkeRequest) GetTeeAttestation() isVerifyConfidentialGkeRequest_TeeAttestation
func (*VerifyConfidentialGkeRequest) GetTpmAttestation ¶ added in v1.10.0
func (x *VerifyConfidentialGkeRequest) GetTpmAttestation() *TpmAttestation
func (*VerifyConfidentialGkeRequest) ProtoMessage ¶ added in v1.10.0
func (*VerifyConfidentialGkeRequest) ProtoMessage()
func (*VerifyConfidentialGkeRequest) ProtoReflect ¶ added in v1.10.0
func (x *VerifyConfidentialGkeRequest) ProtoReflect() protoreflect.Message
func (*VerifyConfidentialGkeRequest) Reset ¶ added in v1.10.0
func (x *VerifyConfidentialGkeRequest) Reset()
func (*VerifyConfidentialGkeRequest) String ¶ added in v1.10.0
func (x *VerifyConfidentialGkeRequest) String() string
type VerifyConfidentialGkeRequest_TpmAttestation ¶ added in v1.10.0
// VerifyConfidentialGkeRequest_TpmAttestation is the wrapper type for the
// tpm_attestation member of the TeeAttestation oneof in
// VerifyConfidentialGkeRequest.
type VerifyConfidentialGkeRequest_TpmAttestation struct {
// The TPM-specific data provided by the attesting platform, used to
// populate any of the claims regarding platform state.
TpmAttestation *TpmAttestation `protobuf:"bytes,2,opt,name=tpm_attestation,json=tpmAttestation,proto3,oneof"`
}
type VerifyConfidentialGkeResponse ¶ added in v1.10.0
// VerifyConfidentialGkeResponse is returned once a Confidential GKE
// attestation has been successfully verified, and contains a signed OIDC
// token.
//
// NOTE(review): the token is the credential a relying party acts on; its
// signature and claims still have to be checked by that party, which this
// type does not do.
type VerifyConfidentialGkeResponse struct {
// Output only. The attestation token issued by this service for Confidential
// GKE. It contains specific platform claims based on the contents of the
// provided attestation.
AttestationToken string `protobuf:"bytes,1,opt,name=attestation_token,json=attestationToken,proto3" json:"attestation_token,omitempty"`
// contains filtered or unexported fields
}
VerifyConfidentialGkeResponse is returned once a Confidential GKE attestation has been successfully verified, and contains a signed OIDC token.
func (*VerifyConfidentialGkeResponse) Descriptor
deprecated
added in
v1.10.0
func (*VerifyConfidentialGkeResponse) Descriptor() ([]byte, []int)
Deprecated: Use VerifyConfidentialGkeResponse.ProtoReflect.Descriptor instead.
func (*VerifyConfidentialGkeResponse) GetAttestationToken ¶ added in v1.10.0
func (x *VerifyConfidentialGkeResponse) GetAttestationToken() string
func (*VerifyConfidentialGkeResponse) ProtoMessage ¶ added in v1.10.0
func (*VerifyConfidentialGkeResponse) ProtoMessage()
func (*VerifyConfidentialGkeResponse) ProtoReflect ¶ added in v1.10.0
func (x *VerifyConfidentialGkeResponse) ProtoReflect() protoreflect.Message
func (*VerifyConfidentialGkeResponse) Reset ¶ added in v1.10.0
func (x *VerifyConfidentialGkeResponse) Reset()
func (*VerifyConfidentialGkeResponse) String ¶ added in v1.10.0
func (x *VerifyConfidentialGkeResponse) String() string
type VerifyConfidentialSpaceRequest ¶ added in v1.10.0
// VerifyConfidentialSpaceRequest is a request for an attestation token. It
// provides the information this service needs to verify the platform state of
// the requestor.
//
// NOTE(review): the named Challenge is consumed by the call, so each
// attestation needs a Challenge of its own. GceShieldedIdentity is marked
// Optional but is described below as required for td_ccel requests; callers
// building a td_ccel request should set it.
type VerifyConfidentialSpaceRequest struct {
// Required. A tee attestation report, used to populate hardware rooted
// claims.
//
// Types that are assignable to TeeAttestation:
//
// *VerifyConfidentialSpaceRequest_TdCcel
// *VerifyConfidentialSpaceRequest_TpmAttestation
TeeAttestation isVerifyConfidentialSpaceRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
// Required. The name of the Challenge whose nonce was used to generate the
// attestation, in the format `projects/*/locations/*/challenges/*`. The
// provided Challenge will be consumed, and cannot be used again.
Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
// Optional. Credentials used to populate the "emails" claim in the
// claims_token. If not present, token will not contain the "emails" claim.
GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
// Optional. A list of signed entities containing container image signatures
// that can be used for server-side signature verification.
SignedEntities []*SignedEntity `protobuf:"bytes,5,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
// Optional. Information about the associated Compute Engine instance.
// Required for td_ccel requests only - tpm_attestation requests will provide
// this information in the attestation.
GceShieldedIdentity *GceShieldedIdentity `protobuf:"bytes,6,opt,name=gce_shielded_identity,json=gceShieldedIdentity,proto3" json:"gce_shielded_identity,omitempty"`
// Optional. A collection of fields that modify the token output.
Options *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions `protobuf:"bytes,7,opt,name=options,proto3" json:"options,omitempty"`
// contains filtered or unexported fields
}
A request for an attestation token, providing all the necessary information needed for this service to verify the platform state of the requestor.
func (*VerifyConfidentialSpaceRequest) Descriptor
deprecated
added in
v1.10.0
func (*VerifyConfidentialSpaceRequest) Descriptor() ([]byte, []int)
Deprecated: Use VerifyConfidentialSpaceRequest.ProtoReflect.Descriptor instead.
func (*VerifyConfidentialSpaceRequest) GetChallenge ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetChallenge() string
func (*VerifyConfidentialSpaceRequest) GetGceShieldedIdentity ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetGceShieldedIdentity() *GceShieldedIdentity
func (*VerifyConfidentialSpaceRequest) GetGcpCredentials ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetGcpCredentials() *GcpCredentials
func (*VerifyConfidentialSpaceRequest) GetOptions ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetOptions() *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions
func (*VerifyConfidentialSpaceRequest) GetSignedEntities ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetSignedEntities() []*SignedEntity
func (*VerifyConfidentialSpaceRequest) GetTdCcel ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetTdCcel() *TdxCcelAttestation
func (*VerifyConfidentialSpaceRequest) GetTeeAttestation ¶ added in v1.10.0
func (m *VerifyConfidentialSpaceRequest) GetTeeAttestation() isVerifyConfidentialSpaceRequest_TeeAttestation
func (*VerifyConfidentialSpaceRequest) GetTpmAttestation ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) GetTpmAttestation() *TpmAttestation
func (*VerifyConfidentialSpaceRequest) ProtoMessage ¶ added in v1.10.0
func (*VerifyConfidentialSpaceRequest) ProtoMessage()
func (*VerifyConfidentialSpaceRequest) ProtoReflect ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) ProtoReflect() protoreflect.Message
func (*VerifyConfidentialSpaceRequest) Reset ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) Reset()
func (*VerifyConfidentialSpaceRequest) String ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest) String() string
type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions ¶ added in v1.10.0
// VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions carries the token
// options for a Confidential Space attestation request: the audience, claims
// profile, nonces and signature type of the token to be issued.
type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions struct {
// Optional additional configuration for the selected token type (protobuf
// oneof token_profile_options).
//
// Types that are assignable to TokenProfileOptions:
//
// *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions
TokenProfileOptions isVerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_TokenProfileOptions `protobuf_oneof:"token_profile_options"`
// Optional. Custom audience claim to issue the token with. Required if
// custom nonces are specified.
// NOTE(review): a relying party normally accepts a token only when its
// audience claim names that relying party. The audience used when this field
// is left unset is not shown here - confirm it before relying on it.
Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
// Optional. Token claims profile. The struct tag is elided by the
// documentation renderer.
TokenProfile TokenProfile `` /* 154-byte string literal not displayed */
// Optional. One or more nonces to place in the eat_nonce claim of the output
// token. The minimum size for JSON-encoded EATs is 10 bytes and the maximum
// size is 74 bytes. Audience must be set when nonces are supplied.
// NOTE(review): the size limits presumably apply to each nonce string. A
// caller that sends a fresh nonce can compare it with eat_nonce in the
// returned token to reject a replayed token - confirm both points against
// the service documentation.
Nonce []string `protobuf:"bytes,3,rep,name=nonce,proto3" json:"nonce,omitempty"`
// Optional. How to sign the attestation token. Defaults to
// SIGNATURE_TYPE_OIDC if unspecified.
// NOTE(review): verification on the relying-party side has to match the
// signature type requested here; the other SignatureType values are declared
// elsewhere in the package.
SignatureType SignatureType `` /* 158-byte string literal not displayed */
// contains filtered or unexported fields
}
Token options for Confidential Space attestation.
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Descriptor
deprecated
added in
v1.10.0
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Descriptor() ([]byte, []int)
Deprecated: Use VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions.ProtoReflect.Descriptor instead.
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAudience ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAudience() string
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAwsPrincipalTagsOptions ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetNonce ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetNonce() []string
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetSignatureType ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetSignatureType() SignatureType
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfile ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfile() TokenProfile
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfileOptions ¶ added in v1.10.0
func (m *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfileOptions() isVerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_TokenProfileOptions
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoMessage ¶ added in v1.10.0
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoMessage()
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoReflect ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoReflect() protoreflect.Message
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Reset ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Reset()
func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) String ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) String() string
type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions ¶ added in v1.10.0
// VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions
// is the oneof wrapper that selects AWS principal-tag options as the
// TokenProfileOptions of ConfidentialSpaceOptions. It is the only type the
// ConfidentialSpaceOptions documentation lists as assignable to that field.
type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions struct {
// Optional. Options for the AWS token type.
AwsPrincipalTagsOptions *AwsPrincipalTagsOptions `protobuf:"bytes,5,opt,name=aws_principal_tags_options,json=awsPrincipalTagsOptions,proto3,oneof"`
}
type VerifyConfidentialSpaceRequest_TdCcel ¶ added in v1.10.0
// VerifyConfidentialSpaceRequest_TdCcel is a oneof wrapper carrying a TDX
// attestation in a VerifyConfidentialSpaceRequest.
// NOTE(review): presumably a member of the request's TeeAttestation oneof,
// alongside VerifyConfidentialSpaceRequest_TpmAttestation - confirm against
// the request struct. The GceShieldedIdentity field comment on the request
// states that gce_shielded_identity is required for td_ccel requests, so
// callers using this wrapper need to populate that field as well.
type VerifyConfidentialSpaceRequest_TdCcel struct {
// Input only. A TDX with CCEL and RTMR Attestation Quote.
TdCcel *TdxCcelAttestation `protobuf:"bytes,3,opt,name=td_ccel,json=tdCcel,proto3,oneof"`
}
type VerifyConfidentialSpaceRequest_TpmAttestation ¶ added in v1.10.0
// VerifyConfidentialSpaceRequest_TpmAttestation is a oneof wrapper carrying a
// TPM attestation in a VerifyConfidentialSpaceRequest.
// NOTE(review): presumably a member of the request's TeeAttestation oneof,
// alongside VerifyConfidentialSpaceRequest_TdCcel - confirm against the
// request struct. The GceShieldedIdentity field comment on the request states
// that tpm_attestation requests provide the instance information inside the
// attestation itself.
type VerifyConfidentialSpaceRequest_TpmAttestation struct {
// Input only. The TPM-specific data provided by the attesting platform,
// used to populate any of the claims regarding platform state.
TpmAttestation *TpmAttestation `protobuf:"bytes,4,opt,name=tpm_attestation,json=tpmAttestation,proto3,oneof"`
}
type VerifyConfidentialSpaceResponse ¶ added in v1.10.0
// VerifyConfidentialSpaceResponse carries the attestation token issued for a
// VerifyConfidentialSpace request, together with any partial errors raised
// while verifying container image signatures.
type VerifyConfidentialSpaceResponse struct {
// Output only. The attestation token issued by this service. It contains
// specific platform claims based on the contents of the provided attestation.
AttestationToken string `protobuf:"bytes,1,opt,name=attestation_token,json=attestationToken,proto3" json:"attestation_token,omitempty"`
// Output only. A list of messages that carry the partial error details
// related to VerifyConfidentialSpace. This field is populated by errors
// during container image signature verification, which may reflect problems
// in the provided image signatures. This does not block the issuing of an
// attestation token, but the token will not contain claims for the failed
// image signatures.
//
// A non-empty AttestationToken therefore does not mean every submitted image
// signature was verified. Callers should inspect this list, and a policy that
// depends on image-signature claims should treat a missing claim as a
// failure rather than assume it is present.
PartialErrors []*status.Status `protobuf:"bytes,2,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
// contains filtered or unexported fields
}
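VerifyConfidentialSpaceResponse is returned once a Confidential Space attestation has been successfully verified, containing a signed token. A token is still issued when PartialErrors is non-empty; in that case it omits the claims for the container image signatures that failed verification.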
func (*VerifyConfidentialSpaceResponse) Descriptor
deprecated
added in
v1.10.0
func (*VerifyConfidentialSpaceResponse) Descriptor() ([]byte, []int)
Deprecated: Use VerifyConfidentialSpaceResponse.ProtoReflect.Descriptor instead.
func (*VerifyConfidentialSpaceResponse) GetAttestationToken ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceResponse) GetAttestationToken() string
func (*VerifyConfidentialSpaceResponse) GetPartialErrors ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceResponse) GetPartialErrors() []*status.Status
func (*VerifyConfidentialSpaceResponse) ProtoMessage ¶ added in v1.10.0
func (*VerifyConfidentialSpaceResponse) ProtoMessage()
func (*VerifyConfidentialSpaceResponse) ProtoReflect ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceResponse) ProtoReflect() protoreflect.Message
func (*VerifyConfidentialSpaceResponse) Reset ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceResponse) Reset()
func (*VerifyConfidentialSpaceResponse) String ¶ added in v1.10.0
func (x *VerifyConfidentialSpaceResponse) String() string