edition = "2023";

package mfa;

option go_package = "/mfa";

// Unlocker holds one party's wrapped copy of the key that was used to encrypt
// the 'Secrets' message stored in the 'EncryptedSecrets' field of MFABox.
// MFABox carries one Unlocker per party allowed to decrypt 'Secrets'.
message Unlocker {
  // PublicKey is the 33-byte ECDSA P-256 public key that identifies the
  // unlocker who can decrypt 'Secrets'. (A 33-byte P-256 key is the
  // compressed point encoding — confirm the exact encoding with the producer.)
  bytes PublicKey = 1 [json_name = "publicKey"];
  // EncryptedSecretsKey is the binary-encoded encryption key of the MFA
  // 'Secrets' message, encrypted with the ChaCha20-Poly1305 AEAD algorithm.
  // NOTE(review): the nonce and any associated data used by the AEAD are not
  // described in this schema; document where the nonce lives (e.g. prefixed
  // to this field or derived) so independent readers can decrypt
  // interoperably — confirm against the implementation.
  bytes EncryptedSecretsKey = 2 [json_name = "encryptedSecretsKey"];
  // Salt for the HKDF function that derives the key used to encrypt
  // 'EncryptedSecretsKey'. Expected to be freshly generated per Unlocker
  // (the schema itself cannot enforce this — verify in the producer).
  bytes Salt = 3 [json_name = "salt"];
}

// MFABox is the envelope that stores an encrypted 'Secrets' message together
// with the material each authorized unlocker needs to recover its key.
message MFABox {
  // Unlockers is the set of messages, one per authorized party, that each
  // contain the (wrapped) key used to encrypt the 'Secrets' message in the
  // 'EncryptedSecrets' field.
  repeated Unlocker Unlockers = 1 [json_name = "unlockers"];
  // ECDHPublicKey is the 33-byte ECDSA P-256 public key used to derive a
  // unique encryption key for every unlocker with the ECDH algorithm.
  // NOTE(review): whether this key is ephemeral per box or long-lived is not
  // stated here — confirm with the implementation; key reuse across boxes
  // would weaken the per-unlocker key separation described above.
  bytes ECDHPublicKey = 2 [json_name = "ecdhPublicKey"];
  // EncryptedSecrets is a binary-encoded 'Secrets' message, encrypted with
  // the ChaCha20-Poly1305 AEAD algorithm. As with 'EncryptedSecretsKey', the
  // nonce placement is not described in this schema — confirm.
  bytes EncryptedSecrets = 3 [json_name = "encryptedSecrets"];
  // Salt for the HKDF function that derives the key used to encrypt
  // 'EncryptedSecrets'.
  bytes Salt = 4 [json_name = "salt"];
}

// Secrets is the plaintext payload protected by MFABox: the private data
// about an MFA device. Instances of this message only exist in decrypted
// form and must be handled as sensitive material (never logged or persisted
// unencrypted).
message Secrets {
  // MFAURL is the seed for a virtual authenticator device, expressed as a
  // key URI. The format is described in
  // https://github.com/google/google-authenticator/wiki/Key-Uri-Format
  // The URI embeds the shared secret, so the whole string is secret, not
  // just its 'secret' parameter.
  // NOTE(review): field number 1 is skipped with no 'reserved' statement;
  // if it was ever used on the wire it should be reserved to prevent reuse
  // with a different meaning — confirm the schema history.
  string MFAURL = 2 [json_name = "mfaURL"];
}