// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module crosapi.mojom;
// This interface mirrors the enterprise.platformKeys extension API.
// TODO(https://crbug.com/1128022): Figure out the appropriate API surface for
// long-term stabilization.
// The system has a keystore and a certificate store. Keys are tuples
// of (private key, public key). These are generated by the system and the
// private key is never shared. Certificates provide proof of ownership of a
// private key. There are many uses for keys and certificates -- this interface
// currently focuses on the use cases for the enterprise_platform_keys extension
// API.
// Both keystores and certificate stores have two variants: device and user.
// Device keys/certificates are available to all affiliated users on the device.
// User keys/certificates are only available to the current user.
// Numeric values are part of the [Stable] wire format shared between
// ash-chrome and lacros-chrome; never renumber or reuse them. [Extensible]
// allows values to be added in later versions, so receivers should expect
// values they do not recognise.
[Stable, Extensible]
enum KeystoreType {
  // Keys/certificates available only to the current user.
  kUser = 0,
  // Keys/certificates available to all affiliated users on the device.
  kDevice = 1,
};
// Returned by ChallengeAttestationOnlyKeystore().
// Exactly one field of the union is set; the caller must check which one
// before reading either value.
[Stable]
union ChallengeAttestationOnlyKeystoreResult {
  // Implies failure. Set when the challenge could not be answered.
  string error_message;
  // Implies success. The response produced for the supplied challenge by the
  // attestation-only keystore.
  string challenge_response;
};
// This interface is implemented by ash-chrome. It provides lacros-chrome a
// mechanism to modify and query the attestation-only and general-purpose
// keystores.
// [Stable]: the wire contract is frozen. Method ordinals (the @N suffix) must
// not change, and any future additions must stay backward-compatible.
[Stable]
interface KeystoreService {
  // This API serves a challenge to a special "attestation-only" keystore. This
  // keystore only contains 2 private keys (1 for the user, 1 for the device).
  // The challenge must be generated via the Verified Access Web API. If
  // |migrate| is true, then after the attestation, the key is migrated
  // from the attestation-only keystore to the regular keystore. A new
  // "attestation-only" key is generated on demand if a key does not exist
  // because it was recently migrated. If a key is migrated, the expectation is
  // that the caller will later call ImportCertificate() to associate a
  // certificate with the migrated key.
  //
  // |challenge|: the challenge obtained from the Verified Access Web API. It
  //     is handed to ash-chrome (the implementer) for processing by the
  //     attestation-only key; the caller does not interpret its contents.
  // |type|: selects the user or the device attestation-only key.
  // |migrate|: whether to move the key to the regular keystore afterwards.
  // Returns a union holding exactly one of |error_message| (failure) or
  // |challenge_response| (success); check which field is set before use.
  // Private key material never crosses this interface -- the private key is
  // never shared by the system -- so lacros-chrome only ever sees the
  // response.
  //
  // NOTE(review): ImportCertificate() is referenced above but is not declared
  // on this interface in this file; presumably it lives elsewhere -- confirm.
  ChallengeAttestationOnlyKeystore@0(
      string challenge, KeystoreType type, bool migrate) =>
      (ChallengeAttestationOnlyKeystoreResult result);
};