// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

module crosapi.mojom;

// This interface mirrors the enterprise.platformKeys extension API.
// TODO(https://crbug.com/1128022): Figure out the appropriate API surface for
// long-term stabilization.

// The system has a keystore and a certificate store. Keys are tuples
// of (private key, public key). These are generated by the system and the
// private key is never shared. Certificates provide proof of ownership of a
// private key. There are many uses for keys and certificates -- this interface
// currently focuses on the use cases for the enterprise_platform_keys extension
// API.

// Both keystores and certificate stores have two variants: device and user.
// Device keys/certificates are available to all affiliated users on the device.
// User keys/certificates are only available to the current user.
[Stable, Extensible]
enum KeystoreType {
  kUser = 0,
  kDevice = 1,
};

// Returned by ChallengeAttestationOnlyKeystore().
[Stable]
union ChallengeAttestationOnlyKeystoreResult {
  // Implies failure.
  string error_message;

  // Implies success.
  string challenge_response;
};

// This interface is implemented by ash-chrome. It provides lacros-chrome with a
// mechanism to modify and query the attestation-only and general purpose
// keystores.
[Stable]
interface KeystoreService {
  // This API serves a challenge to a special "attestation-only" keystore. This
  // keystore only contains 2 private keys (1 for the user, 1 for the device).
  // The challenge must be generated via the Verified Access Web API. If
  // |migrate| is true, then after the attestation, the key is migrated
  // from the attestation-only keystore to the regular keystore. A new
  // "attestation-only" key is generated on demand if a key does not exist
  // because it was recently migrated. If a key is migrated, the expectation is
  // that the caller will later call ImportCertificate() to associate a
  // certificate with the migrated key.
  ChallengeAttestationOnlyKeystore@0(
      string challenge, KeystoreType type, bool migrate) =>
      (ChallengeAttestationOnlyKeystoreResult result);
};
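The comments above describe a small state machine: one attestation-only key per
KeystoreType, a challenge answered with that key, optional migration into the
regular keystore, on-demand regeneration after migration, and a later
ImportCertificate() that binds a certificate to the migrated key. The following
Python model is an added example, not Chromium code and not the Mojo-generated
bindings; it exists only to make those rules concrete and checkable. Every name
in it is constructed: `KeystoreService`, `KeyPair`, `ChallengeResult` (a
stand-in for the mojom union, where exactly one field is set), the HMAC-SHA256
"challenge response" (a placeholder for the real Verified Access protocol, not
an implementation of it), and the `public_key` derived from the secret purely
so the caller has an identifier to hand to `import_certificate`.

```python
"""Constructed model of the attestation-only keystore lifecycle (not Chromium code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeystoreType(Enum):
    USER = 0     # mirrors kUser
    DEVICE = 1   # mirrors kDevice


@dataclass
class ChallengeResult:
    """Stand-in for the mojom union: exactly one of the two fields is set."""
    error_message: Optional[str] = None
    challenge_response: Optional[bytes] = None

    @property
    def is_error(self) -> bool:
        return self.error_message is not None


@dataclass
class KeyPair:
    secret: bytes                     # stands in for the private key; never returned
    public_key: bytes                 # constructed identifier derived from the secret
    certificate: Optional[bytes] = None


class KeystoreService:
    """Model of the interface: one attestation-only key per type plus a regular store."""

    def __init__(self) -> None:
        self._attestation_only: Dict[KeystoreType, KeyPair] = {}
        self._regular: Dict[KeystoreType, Dict[bytes, KeyPair]] = {
            t: {} for t in KeystoreType
        }

    @staticmethod
    def _generate_key() -> KeyPair:
        secret = os.urandom(32)
        # Placeholder "public key": only an identifier for this model.
        public_key = hashlib.sha256(b"pub:" + secret).digest()
        return KeyPair(secret=secret, public_key=public_key)

    def challenge_attestation_only_keystore(
        self, challenge: bytes, kind: KeystoreType, migrate: bool
    ) -> ChallengeResult:
        if not challenge:
            return ChallengeResult(error_message="empty challenge")
        # Generate on demand: the slot is empty only if the key was migrated.
        key = self._attestation_only.get(kind)
        if key is None:
            key = self._generate_key()
            self._attestation_only[kind] = key
        # Placeholder response; the real flow uses Verified Access, not HMAC.
        response = hmac.new(key.secret, challenge, hashlib.sha256).digest()
        if migrate:
            # Move the key out of the attestation-only store; the next call
            # for this type will generate a fresh attestation-only key.
            del self._attestation_only[kind]
            self._regular[kind][key.public_key] = key
        return ChallengeResult(challenge_response=response)

    def import_certificate(
        self, kind: KeystoreType, public_key: bytes, certificate: bytes
    ) -> bool:
        """Associates a certificate with a migrated key; False if no such key."""
        key = self._regular[kind].get(public_key)
        if key is None:
            return False
        key.certificate = certificate
        return True

    def attestation_key_present(self, kind: KeystoreType) -> bool:
        return kind in self._attestation_only

    def regular_public_keys(self, kind: KeystoreType) -> List[bytes]:
        return sorted(self._regular[kind])

    def certificate_for(self, kind: KeystoreType, public_key: bytes) -> Optional[bytes]:
        key = self._regular[kind].get(public_key)
        return key.certificate if key else None
```

The point of the model is the ordering constraint the comments imply: the
caller only learns which key was migrated through the response to the
migrating call, so `import_certificate` must target a key that is already in
the regular store, and a repeat challenge after migration is answered by a
different key than the one the certificate was issued for.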