PkixPublicKey

A public key in the PkixPublicKey format. Public keys of this type are typically textually encoded using the PEM format.

JSON representation
{
  "publicKeyPem": string,
  "signatureAlgorithm": enum (SignatureAlgorithm),
  "keyId": string
}
Fields
publicKeyPem

string

A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13

signatureAlgorithm

enum (SignatureAlgorithm)

The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

keyId

string

Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them. The ID must match exactly contents of the keyId field exactly.

The ID may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If keyId is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key.

If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either match that value exactly, or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.

SignatureAlgorithm

Represents a signature algorithm and other information necessary to verify signatures with a given public key. This is based primarily on the public key types supported by Tink's PemKeyType, which is in turn based on KMS's supported signing algorithms. In the future, Binary Authorization might support additional public key types independently of Tink and/or KMS.

Enums
SIGNATURE_ALGORITHM_UNSPECIFIED Not specified.
RSA_PSS_2048_SHA256 RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS_2048_SHA256 RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_PSS_3072_SHA256 RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS_3072_SHA256 RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_PSS_4096_SHA256 RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA256 RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_PSS_4096_SHA512 RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PSS_4096_SHA512 RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS1_2048_SHA256 RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_3072_SHA256 RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA256 RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA512 RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
ECDSA_P256_SHA256 ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P256_SHA256 ECDSA on the NIST P-256 curve with a SHA256 digest.
ECDSA_P384_SHA384 ECDSA on the NIST P-384 curve with a SHA384 digest.
EC_SIGN_P384_SHA384 ECDSA on the NIST P-384 curve with a SHA384 digest.
ECDSA_P521_SHA512 ECDSA on the NIST P-521 curve with a SHA512 digest.
EC_SIGN_P521_SHA512 ECDSA on the NIST P-521 curve with a SHA512 digest.