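// Copyright 2016 The LUCI Authors. All rights reserved.
// Use of this source code is governed under the Apache License, Version 2.0
// that can be found in the LICENSE file.

syntax = "proto3";

package tokenserver;

option go_package = "go.chromium.org/luci/tokenserver/api;tokenserver";

// The kinds of machine tokens the token server can mint.
//
// Passed to MintMachineToken and InspectMachineToken.
//
// Value 1 is reserved and must never be reassigned; the `reserved` statement
// below makes protoc enforce that, instead of relying on a comment alone.
//
// Note: the values are not prefixed with the enum type name. Renaming them
// now would change generated code and JSON output for an already published
// API, so they are kept as-is.
enum MachineTokenType {
  reserved 1;

  // Used if the field is not initialized.
  UNKNOWN_TYPE = 0;

  // The token is a serialized MachineTokenEnvelope (see below).
  LUCI_MACHINE_TOKEN = 2;
}

// MachineTokenBody describes internal structure of the machine token.
//
// The token will be put in HTTP headers and its body shouldn't be too large.
// For that reason we use unix timestamps instead of google.protobuf.Timestamp
// (no need for microsecond precision), and assume certificate serial numbers
// are smallish uint64 integers (not random blobs).
//
// None of the fields below should be trusted by a consumer until the signature
// in the enclosing MachineTokenEnvelope has been verified.
message MachineTokenBody {
  // Field number 6 was removed; it stays reserved so it is never reassigned
  // to a field with different semantics.
  reserved 6;

  // Machine identity this token conveys (machine FQDN).
  //
  // It is extracted from a Common Name of a certificate used as a basis for
  // the token.
  string machine_fqdn = 1;

  // Service account email that signed this token.
  //
  // When verifying the token backends will check that the issuer is in
  // "auth-token-servers" group.
  string issued_by = 2;

  // Unix timestamp in seconds when this token was issued. Required.
  uint64 issued_at = 3;

  // Number of seconds the token is considered valid.
  //
  // Usually 3600. Set by the token server. Required.
  //
  // The token expires at `issued_at + lifetime`; verifiers should reject
  // tokens past that instant (allowing for whatever clock skew they tolerate).
  uint64 lifetime = 4;

  // Id of a CA that issued machine certificate used to make this token.
  //
  // These IDs are defined in token server config (via unique_id field).
  int64 ca_id = 5;

  // Serial number of the machine certificate used to make this token.
  //
  // ca_id and cert_sn together uniquely identify the certificate, and can be
  // used to check for certificate revocation (by asking token server whether
  // the given certificate is in CRL). Revocation checks are optional, most
  // callers can rely on expiration checks only.
  //
  // NOTE(review): the byte encoding of the serial number is not specified in
  // this file; confirm against the token server's minting code before
  // comparing it with serials obtained from other sources.
  bytes cert_sn = 7;
}

// MachineTokenEnvelope is what is actually being serialized and represented
// as a machine token (after being encoded using base64 standard raw encoding).
//
// Resulting token (including base64 encoding) is usually ~500 bytes long.
//
// Expected verification order for a consumer: resolve `key_id` to a known
// token server public key, verify `rsa_sha256` over the raw `token_body`
// bytes, and only then deserialize `token_body` into MachineTokenBody and
// apply the issuer and expiration checks described there.
message MachineTokenEnvelope {
  // Serialized MachineTokenBody. Kept as opaque bytes so the signature is
  // computed over exactly the bytes that were signed.
  bytes token_body = 1;

  // Id of a token server private key used for signing. An unrecognized
  // key id means the signature cannot be verified and the token is invalid.
  string key_id = 2;

  // Signature of 'token_body'.
  //
  // NOTE(review): the field name indicates RSA with SHA-256, but the exact
  // padding scheme is not specified here; confirm against the signer.
  bytes rsa_sha256 = 3;
}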