edition = "2023";

package mfa;

option go_package = "/mfa";

// Unlocker is a message that contains encrypted key which has been used during
// encryption of 'Secrets' message in 'EncryptedSecrets' field of MFABox.
message Unlocker {
  // PublicKeys is 33-byte ECDSA P-256 curve public key which identifies
  // unlocker who can decrypt 'Secrets'.
  bytes PublicKey = 1 [json_name = "publicKey"];

  // EncryptedSecretsKey is a binary encoded encryption key of MFA Secrets,
  // encrypted by ChaCha20-Poly1305 AEAD algorithm.
  bytes EncryptedSecretsKey = 2 [json_name = "encryptedSecretsKey"];

  // Salt for HKDF function to derive key for encryption of 'EncryptedSecreteKey'.
  bytes Salt = 3 [json_name = "salt"];
}

message MFABox {
  // Unlockers are the set of messages contain key that has been used
  // to encrypt 'Secrets' message in 'EncrytedSecrets' field.
  repeated Unlocker Unlockers = 1 [json_name = "unlockers"];

  // ECDHPublicKey is 33-byte ECDSA P-256 curve key to derive
  // unique encryption keys for every unlocker with ECDH algorithm
  bytes ECDHPublicKey = 2 [json_name = "ecdhPublicKey"];

  // EncryptedSecrets is a binary encoded 'Secrets' message, encrypted by
  // ChaCha20-Poly1305 AEAD algorithm.
  bytes EncryptedSecrets = 3 [json_name = "encryptedSecrets"];

  // Salt for HKDF function to derive key for encryption of 'EncryptedSecrets'.
  bytes Salt = 4 [json_name = "salt"];
}

// Secrets is a message that contains private data about MFA Device
message Secrets {
  // MFAURL is a seed for virtual authenticator device.
  // Format is described in https://github.com/google/google-authenticator/wiki/Key-Uri-Format
  string MFAURL = 2 [json_name = "mfaURL"];
}