Package cloud.google.com/go/confidentialcomputing/apiv1/confidentialcomputingpb (v1.10.1)

const (
	ConfidentialComputing_CreateChallenge_FullMethodName         = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/CreateChallenge"
	ConfidentialComputing_VerifyAttestation_FullMethodName       = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyAttestation"
	ConfidentialComputing_VerifyConfidentialSpace_FullMethodName = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyConfidentialSpace"
	ConfidentialComputing_VerifyConfidentialGke_FullMethodName   = "/google.cloud.confidentialcomputing.v1.ConfidentialComputing/VerifyConfidentialGke"
)

var (
	SigningAlgorithm_name = map[int32]string{
		0: "SIGNING_ALGORITHM_UNSPECIFIED",
		1: "RSASSA_PSS_SHA256",
		2: "RSASSA_PKCS1V15_SHA256",
		3: "ECDSA_P256_SHA256",
	}
	SigningAlgorithm_value = map[string]int32{
		"SIGNING_ALGORITHM_UNSPECIFIED": 0,
		"RSASSA_PSS_SHA256":             1,
		"RSASSA_PKCS1V15_SHA256":        2,
		"ECDSA_P256_SHA256":             3,
	}
)

var (
	TokenType_name = map[int32]string{
		0: "TOKEN_TYPE_UNSPECIFIED",
		1: "TOKEN_TYPE_OIDC",
		2: "TOKEN_TYPE_PKI",
		3: "TOKEN_TYPE_LIMITED_AWS",
		4: "TOKEN_TYPE_AWS_PRINCIPALTAGS",
	}
	TokenType_value = map[string]int32{
		"TOKEN_TYPE_UNSPECIFIED":       0,
		"TOKEN_TYPE_OIDC":              1,
		"TOKEN_TYPE_PKI":               2,
		"TOKEN_TYPE_LIMITED_AWS":       3,
		"TOKEN_TYPE_AWS_PRINCIPALTAGS": 4,
	}
)

var (
	SignatureType_name = map[int32]string{
		0: "SIGNATURE_TYPE_UNSPECIFIED",
		1: "SIGNATURE_TYPE_OIDC",
		2: "SIGNATURE_TYPE_PKI",
	}
	SignatureType_value = map[string]int32{
		"SIGNATURE_TYPE_UNSPECIFIED": 0,
		"SIGNATURE_TYPE_OIDC":        1,
		"SIGNATURE_TYPE_PKI":         2,
	}
)

var (
	TokenProfile_name = map[int32]string{
		0: "TOKEN_PROFILE_UNSPECIFIED",
		1: "TOKEN_PROFILE_DEFAULT_EAT",
		2: "TOKEN_PROFILE_AWS",
	}
	TokenProfile_value = map[string]int32{
		"TOKEN_PROFILE_UNSPECIFIED": 0,
		"TOKEN_PROFILE_DEFAULT_EAT": 1,
		"TOKEN_PROFILE_AWS":         2,
	}
)

var ConfidentialComputing_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "google.cloud.confidentialcomputing.v1.ConfidentialComputing",
	HandlerType: (*ConfidentialComputingServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CreateChallenge",
			Handler:    _ConfidentialComputing_CreateChallenge_Handler,
		},
		{
			MethodName: "VerifyAttestation",
			Handler:    _ConfidentialComputing_VerifyAttestation_Handler,
		},
		{
			MethodName: "VerifyConfidentialSpace",
			Handler:    _ConfidentialComputing_VerifyConfidentialSpace_Handler,
		},
		{
			MethodName: "VerifyConfidentialGke",
			Handler:    _ConfidentialComputing_VerifyConfidentialGke_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "google/cloud/confidentialcomputing/v1/service.proto",
}

var File_google_cloud_confidentialcomputing_v1_service_proto protoreflect.FileDescriptor

func RegisterConfidentialComputingServer(s grpc.ServiceRegistrar, srv ConfidentialComputingServer)

type AwsPrincipalTagsOptions struct {

	// Optional. Principal tags to allow in the token.
	AllowedPrincipalTags *AwsPrincipalTagsOptions_AllowedPrincipalTags `protobuf:"bytes,1,opt,name=allowed_principal_tags,json=allowedPrincipalTags,proto3" json:"allowed_principal_tags,omitempty"`
	// contains filtered or unexported fields
}

func (*AwsPrincipalTagsOptions) Descriptor() ([]byte, []int)

func (x *AwsPrincipalTagsOptions) GetAllowedPrincipalTags() *AwsPrincipalTagsOptions_AllowedPrincipalTags

func (*AwsPrincipalTagsOptions) ProtoMessage()

func (x *AwsPrincipalTagsOptions) ProtoReflect() protoreflect.Message

func (x *AwsPrincipalTagsOptions) Reset()

func (x *AwsPrincipalTagsOptions) String() string

type AwsPrincipalTagsOptions_AllowedPrincipalTags struct {

	// Optional. Container image signatures allowed in the token.
	ContainerImageSignatures *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures `protobuf:"bytes,1,opt,name=container_image_signatures,json=containerImageSignatures,proto3" json:"container_image_signatures,omitempty"`
	// contains filtered or unexported fields
}

func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) Descriptor() ([]byte, []int)

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) GetContainerImageSignatures() *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures

func (*AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoMessage()

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) ProtoReflect() protoreflect.Message

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) Reset()

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags) String() string

type AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures struct {

	// Optional. List of key ids to filter into the Principal tags. Only keys
	// that have been validated and added to the token will be filtered into
	// principal tags. Unrecognized key ids will be ignored.
	KeyIds []string `protobuf:"bytes,1,rep,name=key_ids,json=keyIds,proto3" json:"key_ids,omitempty"`
	// contains filtered or unexported fields
}

func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Descriptor() ([]byte, []int)

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) GetKeyIds() []string

func (*AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoMessage()

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) ProtoReflect() protoreflect.Message

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) Reset()

func (x *AwsPrincipalTagsOptions_AllowedPrincipalTags_ContainerImageSignatures) String() string

type Challenge struct {

	// Output only. The resource name for this Challenge in the format
	// `projects/*/locations/*/challenges/*`
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Output only. The time at which this Challenge was created
	CreateTime *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty"`
	// Output only. The time at which this Challenge will no longer be usable. It
	// is also the expiration time for any tokens generated from this Challenge.
	ExpireTime *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expire_time,json=expireTime,proto3" json:"expire_time,omitempty"`
	// Output only. Indicates if this challenge has been used to generate a token.
	Used bool `protobuf:"varint,4,opt,name=used,proto3" json:"used,omitempty"`
	// Output only. Identical to nonce, but as a string.
	TpmNonce string `protobuf:"bytes,6,opt,name=tpm_nonce,json=tpmNonce,proto3" json:"tpm_nonce,omitempty"`
	// contains filtered or unexported fields
}

func (*Challenge) Descriptor() ([]byte, []int)

func (x *Challenge) GetCreateTime() *timestamppb.Timestamp

func (x *Challenge) GetExpireTime() *timestamppb.Timestamp

func (x *Challenge) GetName() string

func (x *Challenge) GetTpmNonce() string

func (x *Challenge) GetUsed() bool

func (*Challenge) ProtoMessage()

func (x *Challenge) ProtoReflect() protoreflect.Message

func (x *Challenge) Reset()

func (x *Challenge) String() string

type ConfidentialComputingClient interface {
	// Creates a new Challenge in a given project and location.
	CreateChallenge(ctx context.Context, in *CreateChallengeRequest, opts ...grpc.CallOption) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed attestation
	// token.
	VerifyAttestation(ctx context.Context, in *VerifyAttestationRequest, opts ...grpc.CallOption) (*VerifyAttestationResponse, error)
	// Verifies whether the provided attestation info is valid, returning a signed
	// attestation token if so.
	VerifyConfidentialSpace(ctx context.Context, in *VerifyConfidentialSpaceRequest, opts ...grpc.CallOption) (*VerifyConfidentialSpaceResponse, error)
	// Verifies the provided Confidential GKE attestation info, returning a signed
	// OIDC token.
	VerifyConfidentialGke(ctx context.Context, in *VerifyConfidentialGkeRequest, opts ...grpc.CallOption) (*VerifyConfidentialGkeResponse, error)
}

func NewConfidentialComputingClient(cc grpc.ClientConnInterface) ConfidentialComputingClient

type ConfidentialComputingServer interface {
	// Creates a new Challenge in a given project and location.
	CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)
	// Verifies the provided attestation info, returning a signed attestation
	// token.
	VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)
	// Verifies whether the provided attestation info is valid, returning a signed
	// attestation token if so.
	VerifyConfidentialSpace(context.Context, *VerifyConfidentialSpaceRequest) (*VerifyConfidentialSpaceResponse, error)
	// Verifies the provided Confidential GKE attestation info, returning a signed
	// OIDC token.
	VerifyConfidentialGke(context.Context, *VerifyConfidentialGkeRequest) (*VerifyConfidentialGkeResponse, error)
}

type ConfidentialSpaceInfo struct {

	// Optional. A list of signed entities containing container image signatures
	// that can be used for server-side signature verification.
	SignedEntities []*SignedEntity `protobuf:"bytes,1,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
	// contains filtered or unexported fields
}

func (*ConfidentialSpaceInfo) Descriptor() ([]byte, []int)

func (x *ConfidentialSpaceInfo) GetSignedEntities() []*SignedEntity

func (*ConfidentialSpaceInfo) ProtoMessage()

func (x *ConfidentialSpaceInfo) ProtoReflect() protoreflect.Message

func (x *ConfidentialSpaceInfo) Reset()

func (x *ConfidentialSpaceInfo) String() string

type ContainerImageSignature struct {

	// Optional. The binary signature payload following the SimpleSigning format
	// https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#simple-signing.
	// This payload includes the container image digest.
	Payload []byte `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
	// Optional. A signature over the payload.
	// The container image digest is incorporated into the signature as follows:
	// 1. Generate a SimpleSigning format payload that includes the container
	// image digest.
	// 2. Generate a signature over SHA256 digest of the payload.
	// The signature generation process can be represented as follows:
	// `Sign(sha256(SimpleSigningPayload(sha256(Image Manifest))))`
	Signature []byte `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// Optional. Reserved for future use.
	PublicKey []byte `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
	// Optional. Reserved for future use.
	SigAlg SigningAlgorithm `protobuf:"varint,4,opt,name=sig_alg,json=sigAlg,proto3,enum=google.cloud.confidentialcomputing.v1.SigningAlgorithm" json:"sig_alg,omitempty"`
	// contains filtered or unexported fields
}

func (*ContainerImageSignature) Descriptor() ([]byte, []int)

func (x *ContainerImageSignature) GetPayload() []byte

func (x *ContainerImageSignature) GetPublicKey() []byte

func (x *ContainerImageSignature) GetSigAlg() SigningAlgorithm

func (x *ContainerImageSignature) GetSignature() []byte

func (*ContainerImageSignature) ProtoMessage()

func (x *ContainerImageSignature) ProtoReflect() protoreflect.Message

func (x *ContainerImageSignature) Reset()

func (x *ContainerImageSignature) String() string

type CreateChallengeRequest struct {

	// Required. The resource name of the location where the Challenge will be
	// used, in the format `projects/*/locations/*`.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Required. The Challenge to be created. Currently this field can be empty as
	// all the Challenge fields are set by the server.
	Challenge *Challenge `protobuf:"bytes,2,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// contains filtered or unexported fields
}

func (*CreateChallengeRequest) Descriptor() ([]byte, []int)

func (x *CreateChallengeRequest) GetChallenge() *Challenge

func (x *CreateChallengeRequest) GetParent() string

func (*CreateChallengeRequest) ProtoMessage()

func (x *CreateChallengeRequest) ProtoReflect() protoreflect.Message

func (x *CreateChallengeRequest) Reset()

func (x *CreateChallengeRequest) String() string

type GceShieldedIdentity struct {

	// Optional. DER-encoded X.509 certificate of the Attestation Key (otherwise
	// known as an AK or a TPM restricted signing key) used to generate the
	// quotes.
	AkCert []byte `protobuf:"bytes,1,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
	// Optional. List of DER-encoded X.509 certificates which, together with the
	// ak_cert, chain back to a trusted Root Certificate.
	AkCertChain [][]byte `protobuf:"bytes,2,rep,name=ak_cert_chain,json=akCertChain,proto3" json:"ak_cert_chain,omitempty"`
	// contains filtered or unexported fields
}

func (*GceShieldedIdentity) Descriptor() ([]byte, []int)

func (x *GceShieldedIdentity) GetAkCert() []byte

func (x *GceShieldedIdentity) GetAkCertChain() [][]byte

func (*GceShieldedIdentity) ProtoMessage()

func (x *GceShieldedIdentity) ProtoReflect() protoreflect.Message

func (x *GceShieldedIdentity) Reset()

func (x *GceShieldedIdentity) String() string

type GcpCredentials struct {

	// Same as id_tokens, but as a string.
	ServiceAccountIdTokens []string `protobuf:"bytes,2,rep,name=service_account_id_tokens,json=serviceAccountIdTokens,proto3" json:"service_account_id_tokens,omitempty"`
	// contains filtered or unexported fields
}

func (*GcpCredentials) Descriptor() ([]byte, []int)

func (x *GcpCredentials) GetServiceAccountIdTokens() []string

func (*GcpCredentials) ProtoMessage()

func (x *GcpCredentials) ProtoReflect() protoreflect.Message

func (x *GcpCredentials) Reset()

func (x *GcpCredentials) String() string

type SevSnpAttestation struct {

	// Optional. The SEV-SNP Attestation Report
	// Format is in revision 1.55, §7.3 Attestation, Table 22. ATTESTATION_REPORT
	// Structure in this document:
	// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf
	Report []byte `protobuf:"bytes,1,opt,name=report,proto3" json:"report,omitempty"`
	// Optional. Certificate bundle defined in the GHCB protocol definition
	// Format is documented in GHCB revision 2.03, section 4.1.8.1 struct
	// cert_table in this document:
	// https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf
	AuxBlob []byte `protobuf:"bytes,2,opt,name=aux_blob,json=auxBlob,proto3" json:"aux_blob,omitempty"`
	// contains filtered or unexported fields
}

func (*SevSnpAttestation) Descriptor() ([]byte, []int)

func (x *SevSnpAttestation) GetAuxBlob() []byte

func (x *SevSnpAttestation) GetReport() []byte

func (*SevSnpAttestation) ProtoMessage()

func (x *SevSnpAttestation) ProtoReflect() protoreflect.Message

func (x *SevSnpAttestation) Reset()

func (x *SevSnpAttestation) String() string

type SignatureType int32

const (
	// Unspecified signature type.
	SignatureType_SIGNATURE_TYPE_UNSPECIFIED SignatureType = 0
	// Google OIDC signature.
	SignatureType_SIGNATURE_TYPE_OIDC SignatureType = 1
	// Public Key Infrastructure (PKI) signature.
	SignatureType_SIGNATURE_TYPE_PKI SignatureType = 2
)

func (SignatureType) Descriptor() protoreflect.EnumDescriptor

func (x SignatureType) Enum() *SignatureType

func (SignatureType) EnumDescriptor() ([]byte, []int)

func (x SignatureType) Number() protoreflect.EnumNumber

func (x SignatureType) String() string

func (SignatureType) Type() protoreflect.EnumType

type SignedEntity struct {

	// Optional. A list of container image signatures attached to an OCI image
	// object.
	ContainerImageSignatures []*ContainerImageSignature `protobuf:"bytes,1,rep,name=container_image_signatures,json=containerImageSignatures,proto3" json:"container_image_signatures,omitempty"`
	// contains filtered or unexported fields
}

func (*SignedEntity) Descriptor() ([]byte, []int)

func (x *SignedEntity) GetContainerImageSignatures() []*ContainerImageSignature

func (*SignedEntity) ProtoMessage()

func (x *SignedEntity) ProtoReflect() protoreflect.Message

func (x *SignedEntity) Reset()

func (x *SignedEntity) String() string

type SigningAlgorithm int32

const (
	// Unspecified signing algorithm.
	SigningAlgorithm_SIGNING_ALGORITHM_UNSPECIFIED SigningAlgorithm = 0
	// RSASSA-PSS with a SHA256 digest.
	SigningAlgorithm_RSASSA_PSS_SHA256 SigningAlgorithm = 1
	// RSASSA-PKCS1 v1.5 with a SHA256 digest.
	SigningAlgorithm_RSASSA_PKCS1V15_SHA256 SigningAlgorithm = 2
	// ECDSA on the P-256 Curve with a SHA256 digest.
	SigningAlgorithm_ECDSA_P256_SHA256 SigningAlgorithm = 3
)

func (SigningAlgorithm) Descriptor() protoreflect.EnumDescriptor

func (x SigningAlgorithm) Enum() *SigningAlgorithm

func (SigningAlgorithm) EnumDescriptor() ([]byte, []int)

func (x SigningAlgorithm) Number() protoreflect.EnumNumber

func (x SigningAlgorithm) String() string

func (SigningAlgorithm) Type() protoreflect.EnumType

type TdxCcelAttestation struct {

	// Optional. The Confidential Computing Event Log (CCEL) ACPI table. Formatted
	// as described in the ACPI Specification 6.5.
	CcelAcpiTable []byte `protobuf:"bytes,1,opt,name=ccel_acpi_table,json=ccelAcpiTable,proto3" json:"ccel_acpi_table,omitempty"`
	// Optional. The CCEL event log. Formatted as described in the UEFI 2.10.
	CcelData []byte `protobuf:"bytes,2,opt,name=ccel_data,json=ccelData,proto3" json:"ccel_data,omitempty"`
	// Optional. An Event Log containing additional events measured into the RTMR
	// that are not already present in the CCEL.
	CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
	// Optional. The TDX attestation quote from the guest. It contains the RTMR
	// values.
	TdQuote []byte `protobuf:"bytes,4,opt,name=td_quote,json=tdQuote,proto3" json:"td_quote,omitempty"`
	// contains filtered or unexported fields
}

func (*TdxCcelAttestation) Descriptor() ([]byte, []int)

func (x *TdxCcelAttestation) GetCanonicalEventLog() []byte

func (x *TdxCcelAttestation) GetCcelAcpiTable() []byte

func (x *TdxCcelAttestation) GetCcelData() []byte

func (x *TdxCcelAttestation) GetTdQuote() []byte

func (*TdxCcelAttestation) ProtoMessage()

func (x *TdxCcelAttestation) ProtoReflect() protoreflect.Message

func (x *TdxCcelAttestation) Reset()

func (x *TdxCcelAttestation) String() string

type TokenOptions struct {

	// An optional additional configuration per token type.
	//
	// Types that are assignable to TokenTypeOptions:
	//
	//	*TokenOptions_AwsPrincipalTagsOptions
	TokenTypeOptions isTokenOptions_TokenTypeOptions `protobuf_oneof:"token_type_options"`
	// Optional. Optional string to issue the token with a custom audience claim.
	// Required if one or more nonces are specified.
	Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
	// Optional. Optional parameter to place one or more nonces in the eat_nonce
	// claim in the output token. The minimum size for JSON-encoded EATs is 10
	// bytes and the maximum size is 74 bytes.
	Nonce []string `protobuf:"bytes,2,rep,name=nonce,proto3" json:"nonce,omitempty"`
	// Optional. Optional token type to select what type of token to return.
	TokenType TokenType `protobuf:"varint,3,opt,name=token_type,json=tokenType,proto3,enum=google.cloud.confidentialcomputing.v1.TokenType" json:"token_type,omitempty"`
	// contains filtered or unexported fields
}

func (*TokenOptions) Descriptor() ([]byte, []int)

func (x *TokenOptions) GetAudience() string

func (x *TokenOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions

func (x *TokenOptions) GetNonce() []string

func (x *TokenOptions) GetTokenType() TokenType

func (m *TokenOptions) GetTokenTypeOptions() isTokenOptions_TokenTypeOptions

func (*TokenOptions) ProtoMessage()

func (x *TokenOptions) ProtoReflect() protoreflect.Message

func (x *TokenOptions) Reset()

func (x *TokenOptions) String() string

type TokenOptions_AwsPrincipalTagsOptions struct {
	// Optional. Options for AWS token type.
	AwsPrincipalTagsOptions *AwsPrincipalTagsOptions `protobuf:"bytes,4,opt,name=aws_principal_tags_options,json=awsPrincipalTagsOptions,proto3,oneof"`
}

type TokenProfile int32

const (
	// Unspecified token profile.
	TokenProfile_TOKEN_PROFILE_UNSPECIFIED TokenProfile = 0
	// EAT claims.
	TokenProfile_TOKEN_PROFILE_DEFAULT_EAT TokenProfile = 1
	// AWS Principal Tags claims.
	TokenProfile_TOKEN_PROFILE_AWS TokenProfile = 2
)

func (TokenProfile) Descriptor() protoreflect.EnumDescriptor

func (x TokenProfile) Enum() *TokenProfile

func (TokenProfile) EnumDescriptor() ([]byte, []int)

func (x TokenProfile) Number() protoreflect.EnumNumber

func (x TokenProfile) String() string

func (TokenProfile) Type() protoreflect.EnumType

type TokenType int32

const (
	// Unspecified token type
	TokenType_TOKEN_TYPE_UNSPECIFIED TokenType = 0
	// OpenID Connect (OIDC) token type
	TokenType_TOKEN_TYPE_OIDC TokenType = 1
	// Public Key Infrastructure (PKI) token type
	TokenType_TOKEN_TYPE_PKI TokenType = 2
	// Limited claim token type for AWS integration
	TokenType_TOKEN_TYPE_LIMITED_AWS TokenType = 3
	// Principal-tag-based token for AWS integration
	TokenType_TOKEN_TYPE_AWS_PRINCIPALTAGS TokenType = 4
)

func (TokenType) Descriptor() protoreflect.EnumDescriptor

func (x TokenType) Enum() *TokenType

func (TokenType) EnumDescriptor() ([]byte, []int)

func (x TokenType) Number() protoreflect.EnumNumber

func (x TokenType) String() string

func (TokenType) Type() protoreflect.EnumType

type TpmAttestation struct {

	// TPM2 PCR Quotes generated by calling TPM2_Quote on each PCR bank.
	Quotes []*TpmAttestation_Quote `protobuf:"bytes,1,rep,name=quotes,proto3" json:"quotes,omitempty"`
	// The binary TCG Event Log containing events measured into the TPM by the
	// platform firmware and operating system. Formatted as described in the
	// "TCG PC Client Platform Firmware Profile Specification".
	TcgEventLog []byte `protobuf:"bytes,2,opt,name=tcg_event_log,json=tcgEventLog,proto3" json:"tcg_event_log,omitempty"`
	// An Event Log containing additional events measured into the TPM that are
	// not already present in the tcg_event_log. Formatted as described in the
	// "Canonical Event Log Format" TCG Specification.
	CanonicalEventLog []byte `protobuf:"bytes,3,opt,name=canonical_event_log,json=canonicalEventLog,proto3" json:"canonical_event_log,omitempty"`
	// DER-encoded X.509 certificate of the Attestation Key (otherwise known as
	// an AK or a TPM restricted signing key) used to generate the quotes.
	AkCert []byte `protobuf:"bytes,4,opt,name=ak_cert,json=akCert,proto3" json:"ak_cert,omitempty"`
	// List of DER-encoded X.509 certificates which, together with the ak_cert,
	// chain back to a trusted Root Certificate.
	CertChain [][]byte `protobuf:"bytes,5,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
	// contains filtered or unexported fields
}

func (*TpmAttestation) Descriptor() ([]byte, []int)

func (x *TpmAttestation) GetAkCert() []byte

func (x *TpmAttestation) GetCanonicalEventLog() []byte

func (x *TpmAttestation) GetCertChain() [][]byte

func (x *TpmAttestation) GetQuotes() []*TpmAttestation_Quote

func (x *TpmAttestation) GetTcgEventLog() []byte

func (*TpmAttestation) ProtoMessage()

func (x *TpmAttestation) ProtoReflect() protoreflect.Message

func (x *TpmAttestation) Reset()

func (x *TpmAttestation) String() string

type TpmAttestation_Quote struct {

	// The hash algorithm of the PCR bank being quoted, encoded as a TPM_ALG_ID
	HashAlgo int32 `protobuf:"varint,1,opt,name=hash_algo,json=hashAlgo,proto3" json:"hash_algo,omitempty"`
	// Raw binary values of each PCRs being quoted.
	PcrValues map[int32][]byte `protobuf:"bytes,2,rep,name=pcr_values,json=pcrValues,proto3" json:"pcr_values,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// TPM2 quote, encoded as a TPMS_ATTEST
	RawQuote []byte `protobuf:"bytes,3,opt,name=raw_quote,json=rawQuote,proto3" json:"raw_quote,omitempty"`
	// TPM2 signature, encoded as a TPMT_SIGNATURE
	RawSignature []byte `protobuf:"bytes,4,opt,name=raw_signature,json=rawSignature,proto3" json:"raw_signature,omitempty"`
	// contains filtered or unexported fields
}

func (*TpmAttestation_Quote) Descriptor() ([]byte, []int)

func (x *TpmAttestation_Quote) GetHashAlgo() int32

func (x *TpmAttestation_Quote) GetPcrValues() map[int32][]byte

func (x *TpmAttestation_Quote) GetRawQuote() []byte

func (x *TpmAttestation_Quote) GetRawSignature() []byte

func (*TpmAttestation_Quote) ProtoMessage()

func (x *TpmAttestation_Quote) ProtoReflect() protoreflect.Message

func (x *TpmAttestation_Quote) Reset()

func (x *TpmAttestation_Quote) String() string

type UnimplementedConfidentialComputingServer struct {
}

func (UnimplementedConfidentialComputingServer) CreateChallenge(context.Context, *CreateChallengeRequest) (*Challenge, error)

func (UnimplementedConfidentialComputingServer) VerifyAttestation(context.Context, *VerifyAttestationRequest) (*VerifyAttestationResponse, error)

func (UnimplementedConfidentialComputingServer) VerifyConfidentialGke(context.Context, *VerifyConfidentialGkeRequest) (*VerifyConfidentialGkeResponse, error)

func (UnimplementedConfidentialComputingServer) VerifyConfidentialSpace(context.Context, *VerifyConfidentialSpaceRequest) (*VerifyConfidentialSpaceResponse, error)

type UnsafeConfidentialComputingServer interface {
	// contains filtered or unexported methods
}

type VerifyAttestationRequest struct {

	// An optional tee attestation report, used to populate hardware rooted
	// claims.
	//
	// Types that are assignable to TeeAttestation:
	//
	//	*VerifyAttestationRequest_TdCcel
	//	*VerifyAttestationRequest_SevSnpAttestation
	TeeAttestation isVerifyAttestationRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
	// Required. The name of the Challenge whose nonce was used to generate the
	// attestation, in the format `projects/*/locations/*/challenges/*`. The
	// provided Challenge will be consumed, and cannot be used again.
	Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// Optional. Credentials used to populate the "emails" claim in the
	// claims_token.
	GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
	// Required. The TPM-specific data provided by the attesting platform, used to
	// populate any of the claims regarding platform state.
	TpmAttestation *TpmAttestation `protobuf:"bytes,3,opt,name=tpm_attestation,json=tpmAttestation,proto3" json:"tpm_attestation,omitempty"`
	// Optional. Optional information related to the Confidential Space TEE.
	ConfidentialSpaceInfo *ConfidentialSpaceInfo `protobuf:"bytes,4,opt,name=confidential_space_info,json=confidentialSpaceInfo,proto3" json:"confidential_space_info,omitempty"`
	// Optional. A collection of optional, workload-specified claims that modify
	// the token output.
	TokenOptions *TokenOptions `protobuf:"bytes,5,opt,name=token_options,json=tokenOptions,proto3" json:"token_options,omitempty"`
	// Optional. An optional indicator of the attester, only applies to certain
	// products.
	Attester string `protobuf:"bytes,8,opt,name=attester,proto3" json:"attester,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyAttestationRequest) Descriptor() ([]byte, []int)

func (x *VerifyAttestationRequest) GetAttester() string

func (x *VerifyAttestationRequest) GetChallenge() string

func (x *VerifyAttestationRequest) GetConfidentialSpaceInfo() *ConfidentialSpaceInfo

func (x *VerifyAttestationRequest) GetGcpCredentials() *GcpCredentials

func (x *VerifyAttestationRequest) GetSevSnpAttestation() *SevSnpAttestation

func (x *VerifyAttestationRequest) GetTdCcel() *TdxCcelAttestation

func (m *VerifyAttestationRequest) GetTeeAttestation() isVerifyAttestationRequest_TeeAttestation

func (x *VerifyAttestationRequest) GetTokenOptions() *TokenOptions

func (x *VerifyAttestationRequest) GetTpmAttestation() *TpmAttestation

func (*VerifyAttestationRequest) ProtoMessage()

func (x *VerifyAttestationRequest) ProtoReflect() protoreflect.Message

func (x *VerifyAttestationRequest) Reset()

func (x *VerifyAttestationRequest) String() string

type VerifyAttestationRequest_SevSnpAttestation struct {
	// Optional. An SEV-SNP Attestation Report.
	SevSnpAttestation *SevSnpAttestation `protobuf:"bytes,7,opt,name=sev_snp_attestation,json=sevSnpAttestation,proto3,oneof"`
}

type VerifyAttestationRequest_TdCcel struct {
	// Optional. A TDX with CCEL and RTMR Attestation Quote.
	TdCcel *TdxCcelAttestation `protobuf:"bytes,6,opt,name=td_ccel,json=tdCcel,proto3,oneof"`
}

type VerifyAttestationResponse struct {

	// Output only. Same as claims_token, but as a string.
	OidcClaimsToken string `protobuf:"bytes,2,opt,name=oidc_claims_token,json=oidcClaimsToken,proto3" json:"oidc_claims_token,omitempty"`
	// Output only. A list of messages that carry the partial error details
	// related to VerifyAttestation.
	PartialErrors []*status.Status `protobuf:"bytes,3,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyAttestationResponse) Descriptor() ([]byte, []int)

func (x *VerifyAttestationResponse) GetOidcClaimsToken() string

func (x *VerifyAttestationResponse) GetPartialErrors() []*status.Status

func (*VerifyAttestationResponse) ProtoMessage()

func (x *VerifyAttestationResponse) ProtoReflect() protoreflect.Message

func (x *VerifyAttestationResponse) Reset()

func (x *VerifyAttestationResponse) String() string

type VerifyConfidentialGkeRequest struct {

	// Required. A tee attestation report, used to populate hardware rooted
	// claims.
	//
	// Types that are assignable to TeeAttestation:
	//
	//	*VerifyConfidentialGkeRequest_TpmAttestation
	TeeAttestation isVerifyConfidentialGkeRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
	// Required. The name of the Challenge whose nonce was used to generate the
	// attestation, in the format projects/*/locations/*/challenges/*. The
	// provided Challenge will be consumed, and cannot be used again.
	Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyConfidentialGkeRequest) Descriptor() ([]byte, []int)

func (x *VerifyConfidentialGkeRequest) GetChallenge() string

func (m *VerifyConfidentialGkeRequest) GetTeeAttestation() isVerifyConfidentialGkeRequest_TeeAttestation

func (x *VerifyConfidentialGkeRequest) GetTpmAttestation() *TpmAttestation

func (*VerifyConfidentialGkeRequest) ProtoMessage()

func (x *VerifyConfidentialGkeRequest) ProtoReflect() protoreflect.Message

func (x *VerifyConfidentialGkeRequest) Reset()

func (x *VerifyConfidentialGkeRequest) String() string

type VerifyConfidentialGkeRequest_TpmAttestation struct {
	// The TPM-specific data provided by the attesting platform, used to
	// populate any of the claims regarding platform state.
	TpmAttestation *TpmAttestation `protobuf:"bytes,2,opt,name=tpm_attestation,json=tpmAttestation,proto3,oneof"`
}

type VerifyConfidentialGkeResponse struct {

	// Output only. The attestation token issued by this service for Confidential
	// GKE. It contains specific platform claims based on the contents of the
	// provided attestation.
	AttestationToken string `protobuf:"bytes,1,opt,name=attestation_token,json=attestationToken,proto3" json:"attestation_token,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyConfidentialGkeResponse) Descriptor() ([]byte, []int)

func (x *VerifyConfidentialGkeResponse) GetAttestationToken() string

func (*VerifyConfidentialGkeResponse) ProtoMessage()

func (x *VerifyConfidentialGkeResponse) ProtoReflect() protoreflect.Message

func (x *VerifyConfidentialGkeResponse) Reset()

func (x *VerifyConfidentialGkeResponse) String() string

type VerifyConfidentialSpaceRequest struct {

	// Required. A tee attestation report, used to populate hardware rooted
	// claims.
	//
	// Types that are assignable to TeeAttestation:
	//
	//	*VerifyConfidentialSpaceRequest_TdCcel
	//	*VerifyConfidentialSpaceRequest_TpmAttestation
	TeeAttestation isVerifyConfidentialSpaceRequest_TeeAttestation `protobuf_oneof:"tee_attestation"`
	// Required. The name of the Challenge whose nonce was used to generate the
	// attestation, in the format `projects/*/locations/*/challenges/*`. The
	// provided Challenge will be consumed, and cannot be used again.
	Challenge string `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
	// Optional. Credentials used to populate the "emails" claim in the
	// claims_token. If not present, token will not contain the "emails" claim.
	GcpCredentials *GcpCredentials `protobuf:"bytes,2,opt,name=gcp_credentials,json=gcpCredentials,proto3" json:"gcp_credentials,omitempty"`
	// Optional. A list of signed entities containing container image signatures
	// that can be used for server-side signature verification.
	SignedEntities []*SignedEntity `protobuf:"bytes,5,rep,name=signed_entities,json=signedEntities,proto3" json:"signed_entities,omitempty"`
	// Optional. Information about the associated Compute Engine instance.
	// Required for td_ccel requests only - tpm_attestation requests will provide
	// this information in the attestation.
	GceShieldedIdentity *GceShieldedIdentity `protobuf:"bytes,6,opt,name=gce_shielded_identity,json=gceShieldedIdentity,proto3" json:"gce_shielded_identity,omitempty"`
	// Optional. A collection of fields that modify the token output.
	Options *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions `protobuf:"bytes,7,opt,name=options,proto3" json:"options,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyConfidentialSpaceRequest) Descriptor() ([]byte, []int)

func (x *VerifyConfidentialSpaceRequest) GetChallenge() string

func (x *VerifyConfidentialSpaceRequest) GetGceShieldedIdentity() *GceShieldedIdentity

func (x *VerifyConfidentialSpaceRequest) GetGcpCredentials() *GcpCredentials

func (x *VerifyConfidentialSpaceRequest) GetOptions() *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions

func (x *VerifyConfidentialSpaceRequest) GetSignedEntities() []*SignedEntity

func (x *VerifyConfidentialSpaceRequest) GetTdCcel() *TdxCcelAttestation

func (m *VerifyConfidentialSpaceRequest) GetTeeAttestation() isVerifyConfidentialSpaceRequest_TeeAttestation

func (x *VerifyConfidentialSpaceRequest) GetTpmAttestation() *TpmAttestation

func (*VerifyConfidentialSpaceRequest) ProtoMessage()

func (x *VerifyConfidentialSpaceRequest) ProtoReflect() protoreflect.Message

func (x *VerifyConfidentialSpaceRequest) Reset()

func (x *VerifyConfidentialSpaceRequest) String() string

type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions struct {

	// An optional additional configuration per token type.
	//
	// Types that are assignable to TokenProfileOptions:
	//
	//	*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions
	TokenProfileOptions isVerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_TokenProfileOptions `protobuf_oneof:"token_profile_options"`
	// Optional. Optional string to issue the token with a custom audience
	// claim. Required if custom nonces are specified.
	Audience string `protobuf:"bytes,1,opt,name=audience,proto3" json:"audience,omitempty"`
	// Optional. Optional specification for token claims profile.
	TokenProfile TokenProfile `protobuf:"varint,2,opt,name=token_profile,json=tokenProfile,proto3,enum=google.cloud.confidentialcomputing.v1.TokenProfile" json:"token_profile,omitempty"`
	// Optional. Optional parameter to place one or more nonces in the eat_nonce
	// claim in the output token. The minimum size for JSON-encoded EATs is 10
	// bytes and the maximum size is 74 bytes.
	Nonce []string `protobuf:"bytes,3,rep,name=nonce,proto3" json:"nonce,omitempty"`
	// Optional. Optional specification for how to sign the attestation token.
	// Defaults to SIGNATURE_TYPE_OIDC if unspecified.
	SignatureType SignatureType `protobuf:"varint,4,opt,name=signature_type,json=signatureType,proto3,enum=google.cloud.confidentialcomputing.v1.SignatureType" json:"signature_type,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Descriptor() ([]byte, []int)

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAudience() string

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetAwsPrincipalTagsOptions() *AwsPrincipalTagsOptions

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetNonce() []string

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetSignatureType() SignatureType

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfile() TokenProfile

func (m *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) GetTokenProfileOptions() isVerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_TokenProfileOptions

func (*VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoMessage()

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) ProtoReflect() protoreflect.Message

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) Reset()

func (x *VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions) String() string

type VerifyConfidentialSpaceRequest_ConfidentialSpaceOptions_AwsPrincipalTagsOptions struct {
	// Optional. Options for the AWS token type.
	AwsPrincipalTagsOptions *AwsPrincipalTagsOptions `protobuf:"bytes,5,opt,name=aws_principal_tags_options,json=awsPrincipalTagsOptions,proto3,oneof"`
}

type VerifyConfidentialSpaceRequest_TdCcel struct {
	// Input only. A TDX with CCEL and RTMR Attestation Quote.
	TdCcel *TdxCcelAttestation `protobuf:"bytes,3,opt,name=td_ccel,json=tdCcel,proto3,oneof"`
}

type VerifyConfidentialSpaceRequest_TpmAttestation struct {
	// Input only. The TPM-specific data provided by the attesting platform,
	// used to populate any of the claims regarding platform state.
	TpmAttestation *TpmAttestation `protobuf:"bytes,4,opt,name=tpm_attestation,json=tpmAttestation,proto3,oneof"`
}

type VerifyConfidentialSpaceResponse struct {

	// Output only. The attestation token issued by this service. It contains
	// specific platform claims based on the contents of the provided attestation.
	AttestationToken string `protobuf:"bytes,1,opt,name=attestation_token,json=attestationToken,proto3" json:"attestation_token,omitempty"`
	// Output only. A list of messages that carry the partial error details
	// related to VerifyConfidentialSpace. This field is populated by errors
	// during container image signature verification, which may reflect problems
	// in the provided image signatures. This does not block the issuing of an
	// attestation token, but the token will not contain claims for the failed
	// image signatures.
	PartialErrors []*status.Status `protobuf:"bytes,2,rep,name=partial_errors,json=partialErrors,proto3" json:"partial_errors,omitempty"`
	// contains filtered or unexported fields
}

func (*VerifyConfidentialSpaceResponse) Descriptor() ([]byte, []int)

func (x *VerifyConfidentialSpaceResponse) GetAttestationToken() string

func (x *VerifyConfidentialSpaceResponse) GetPartialErrors() []*status.Status

func (*VerifyConfidentialSpaceResponse) ProtoMessage()

func (x *VerifyConfidentialSpaceResponse) ProtoReflect() protoreflect.Message

func (x *VerifyConfidentialSpaceResponse) Reset()

func (x *VerifyConfidentialSpaceResponse) String() string