blob: 8f4f2e4b64d14752ae5fb5999fdd716862ba6584 [file] [log] [blame]
// Copyright 2015 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";
option optimize_for = LITE_RUNTIME;
package attestation;
option go_package = "chromiumos/system_api/attestation_proto";
// Enumerates various certificate profiles supported by the Attestation CA.
enum CertificateProfile {
// A certificate intended for enterprise-owned devices. It has the following
// subjectName fields:
// CN=<stable device identifier>
// OU=state:[verified|developer]
// O=Chrome Device Enterprise
ENTERPRISE_MACHINE_CERTIFICATE = 0;
// A certificate intended for enterprise-owned user accounts. It has the
// following subjectName fields:
// OU=state:[verified|developer]
// O=Chrome Device Enterprise
ENTERPRISE_USER_CERTIFICATE = 1;
// A certificate intended for platform verification by providers of protected
// content. It has the following subjectName fields:
// O=Chrome Device Content Protection
CONTENT_PROTECTION_CERTIFICATE = 2;
// Like above, but it also includes a stable ID and origin.
// CN=<origin-specific device identifier>
// OU=<origin>
// O=Chrome Device Content Protection
CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3;
// A certificate intended for cast devices.
CAST_CERTIFICATE = 4;
GFSC_CERTIFICATE = 5;
JETSTREAM_CERTIFICATE = 6;
// A certificate for enterprise enrollment.
ENTERPRISE_ENROLLMENT_CERTIFICATE = 7;
// A certificate for signing Android Testsuite Results using CTS-in-a-box.
XTS_CERTIFICATE = 8;
// An EK certificate for vTPM
// CN=CROS VTPM PRD EK ROOT CA
ENTERPRISE_VTPM_EK_CERTIFICATE = 9;
// A local authority certificate for binding software keys.
// CN=Local Authority
// O=Chrome Device Soft Bind
SOFT_BIND_CERTIFICATE = 10;
// A remote attestation certificate for proving device integrity.
// CN=<An opaque device identifier string>
// O=Chrome Device Setup
DEVICE_SETUP_CERTIFICATE = 11;
}
enum TpmVersion {
TPM_1_2 = 1; // NOTE: This is the default. It must remain listed first.
TPM_2_0 = 2;
}
// Types of NVRAM quotes used for attestation.
enum NVRAMQuoteType {
// Quote of the Cr50-backed BoardID.
BOARD_ID = 0;
// Quote of the Cr50-backed SN+RMA bits.
SN_BITS = 1;
// Quote of the Cr50-backed RSA public endorsement key certificate.
RSA_PUB_EK_CERT = 2;
// Quote of the Cr50-backed RSU device ID.
RSU_DEVICE_ID = 3;
// Quote of RMA bytes (a complement of RMA bits with optional leading zeroes).
RMA_BYTES = 4;
}
// Holds information about a quote generated by the TPM.
message Quote {
// The quote; a signature generated with the AIK.
optional bytes quote = 1;
// The serialized data that was quoted; this assists in verifying the quote.
optional bytes quoted_data = 2;
// The value of the PCR(s) at the time the quote was generated.
optional bytes quoted_pcr_value = 3;
// Source data which was originally used to extend the PCR. If this field
// exists it can be expected that SHA1(pcr_source_hint) was extended into the
// PCR.
optional bytes pcr_source_hint = 4;
}
// Holds encrypted data and information required to decrypt it.
message EncryptedData {
// A key that has been sealed to the TPM or wrapped by another key.
optional bytes wrapped_key = 2;
// The initialization vector used during encryption.
optional bytes iv = 3;
// MAC of (iv + encrypted_data).
optional bytes mac = 4;
optional bytes encrypted_data = 5;
// An identifier for the wrapping key to assist in decryption.
optional bytes wrapping_key_id = 6;
}
// The wrapper message of any data and its signature.
message SignedData {
// The data to be signed.
optional bytes data = 1;
// The signature of the data field.
optional bytes signature = 2;
}
// The first two fields are suitable for passing to Tspi_TPM_ActivateIdentity()
// directly when using TPM 1.2. For TPM 2.0 the first two fields are not used.
message EncryptedIdentityCredential {
// TPM_ASYM_CA_CONTENTS, encrypted with EK public key.
optional bytes asym_ca_contents = 1;
// TPM_SYM_CA_ATTESTATION, encrypted with the key in aysm_ca_contents.
optional bytes sym_ca_attestation = 2;
optional TpmVersion tpm_version = 3;
// The following fields are used only for TPM 2.0. For details see the TPM 2.0
// specification Part 1 Rev 1.16:
// - Section 9.5.3.3: General description of the scheme.
// - Section 24: More details including how to use the seed to compute the
// values for 'credential_mac' and 'wrapped_certificate->
// wrapped_key'
// - Section B.10.4: Encrypting the seed with a RSA EK.
// - Section C.7.4: Encrypting the seed with an EC EK.
// A seed encrypted with the EK public key. The TPM will use this seed to
// derive both an HMAC key to verify the 'credential_mac' field and an AES key
// to unwrap the 'wrapped_certificate->wrapped_key' field.
optional bytes encrypted_seed = 4;
// An integrity value computed using HMAC-SHA256 over the
// 'wrapped_certificate.wrapped_key' field and the 'Name' of the identity key.
optional bytes credential_mac = 5;
// A certificate encrypted with a 'credential' that is decrypted by the TPM.
// The 'wrapped_key' field contains the encrypted credential which is
// encrypted using AES-256-CFB with a zero IV. The encryption of the
// certificate itself uses AES-256-CBC with PKCS #5 padding and a random IV.
// The encryption key is derived from the 'credential' using:
// SHA256('ENCRYPT' + credential)
// The mac uses HMAC-SHA256 with a key derived using:
// SHA256('MAC' + credential)
optional EncryptedData wrapped_certificate = 6;
}
// This message holds all information to be sent to the attestation server in
// order to complete enrollment.
message AttestationEnrollmentRequest {
// The EK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_endorsement_credential = 1;
// The AIK public key, the raw TPM format. (TPM_PUBKEY for TPM 1.2,
// TPMT_PUBLIC for TPM 2.0).
optional bytes identity_public_key = 2;
// PCR0 quoted by AIK.
optional Quote pcr0_quote = 3;
// PCR1 quoted by AIK.
optional Quote pcr1_quote = 4;
// DEN for enterprise zero-touch enrollment (crbug/624187).
optional bytes enterprise_enrollment_nonce = 5;
// The device TPM version.
optional TpmVersion tpm_version = 6;
// An encrypted quote of the RSA EK cert, in X.509 form, if the endorsement
// credential is not RSA.
optional EncryptedData encrypted_rsa_endorsement_quote = 7;
}
enum ResponseStatus {
OK = 0;
// Internal server error.
SERVER_ERROR = 1;
// The server cannot parse the request.
BAD_REQUEST = 2;
// The server rejects the request.
REJECT = 3;
// Only appears in enrollment response. The server returns the same generated
// id and reports the quota limit exceeded status when the number of reset
// action in a specified time window is more than self reset limitation.
QUOTA_LIMIT_EXCEEDED = 4;
}
// The response from the attestation server for the enrollment request.
message AttestationEnrollmentResponse {
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
optional EncryptedIdentityCredential encrypted_identity_credential = 3;
// Extra details included when the result is not OK.
optional string extra_details = 4;
}
// `DEVICE_SETUP_CERTIFICATE` specific metadata.
message DeviceSetupCertificateMetadata {
// This will eventually be a DUSI. For now, this will be a 36 character GUID.
// This will be used as the CN of the Remote Attestation certificate.
optional string id = 1;
// Unix timestamp (in seconds) of the generation of the request.
optional uint64 timestamp_seconds = 2;
// The generated certificate will be bound to this value. This is used to
// prevent replay attacks. Currently it is the FIDO credential id.
optional string content_binding = 3;
}
// The certificate request to be sent to the attestation server.
message AttestationCertificateRequest {
// The AIK cert in X.509 format.
optional bytes identity_credential = 1;
// A certified public key in TPM_PUBKEY (TPMT_PUBLIC for TPM 2.0).
optional bytes certified_public_key = 3;
// The serialized TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) for the
// certified key.
optional bytes certified_key_info = 4;
// The signature of the TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) by the AIK.
optional bytes certified_key_proof = 5;
// A message identifier to be included in the response.
optional bytes message_id = 10;
// The certificate profile defines the type of certificate to issue.
optional CertificateProfile profile = 11;
// Information about the origin of the request which may be used depending on
// the certificate profile.
optional string origin = 12;
// The index of a temporal value. This may be used or ignored depending on
// the certificate profile.
optional int32 temporal_index = 13;
// The device TPM version.
optional TpmVersion tpm_version = 14;
// NVRAM quoted by AIK. Keys are values of the NVRAMQuoteType. This is only
// used for enrollment certificates.
map<int32, Quote> nvram_quotes = 15;
// Certificate profile specific metadata.
oneof metadata {
// `DEVICE_SETUP_CERTIFICATE` specific metadata.
DeviceSetupCertificateMetadata device_setup_certificate_metadata = 16;
}
// ADID read from the VPD. Used as the host identifier incorporated in the
// certificates.
// Used for `ENTERPRISE_VTPM_EK_CERTIFICATE` profile only.
optional bytes attested_device_id = 17;
}
// The response from the attestation server for the certificate request.
message AttestationCertificateResponse {
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
// The credential of the certified key in X.509 format.
optional bytes certified_key_credential = 3;
// The issuer intermediate CA certificate in X.509 format.
optional bytes intermediate_ca_cert = 5;
// A message identifier from the request this message is responding to.
optional bytes message_id = 6;
// Additional intermediate CA certificates that can help in validation.
// Certificate chaining order is from the leaf to the root. That is,
// |certified_key_credential| is signed by
// |intermediate_ca_cert|, which is signed by
// |additional_intermediate_ca_cert(0)|, which is signed by
// |additional_intermediate_ca_cert(1)|, ... and so on.
repeated bytes additional_intermediate_ca_cert = 7;
// Extra details included when the result is not OK.
optional string extra_details = 8;
}
// The reset request to be sent to the attestation server.
message AttestationResetRequest {
// The AIK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_identity_credential = 1;
// The one time token to make sure the reset process can be triggered only
// once.
optional bytes token = 2;
// The EK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_endorsement_credential = 3;
}
// The response from the attestation server for the reset request.
message AttestationResetResponse {
// The response status.
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
// Extra details included when the result is not OK.
optional string extra_details = 3;
}
// The challenge data (as in challenge-response) generated by the server.
// Before transmitted to the client, this message will be wrapped as a
// SignedData message, in which the data field is the serialized Challenge
// message, and the signature field is the signature of the data field signed
// by the enterprise server using a hard-coded key. The signature algorithm is
// RSASSA-PKCS1-v1_5-SHA256.
message Challenge {
// A string for the client to sanity check a legitimate challenge.
optional string prefix = 1;
// A 256-bit random value generated by the server.
optional bytes nonce = 2;
// A timestamp for a stateless server to limit the timeframe during which the
// challenge may be replayed.
optional int64 timestamp = 3;
}
// The response data (as in challenge-response) generated by the client.
// Before transmitted to the server, this message will be wrapped as a
// SignedData message, in which the data field is the serialized
// ChallengeResponse message, and the signature field is the signature of the
// data field signed by the client using the key being challenged. The
// signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message ChallengeResponse {
// The original challenge data.
optional SignedData challenge = 1;
// A 256-bit random value generated by the client. Mixing in this nonce
// prevents a caller from using a challenge to sign arbitrary data.
optional bytes nonce = 2;
// The KeyInfo message encrypted using a public encryption key, pushed via
// policy with the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_key_info = 3;
}
// The data type of the message decrypted from
// ChallengeResponse.encrypted_key_info.encrypted_data field. This message holds
// information required by enterprise server to complete the verification.
message KeyInfo {
// Indicates whether the key is an EMK or EUK.
optional KeyProfile key_type = 1;
// Domain information about the user associated with the key. For an
// EMK, this value is empty - customer_id is used instead.
// For an EUK, this value is the user's email address.
optional string domain = 2;
// The virtual device ID associated with the device or user.
optional bytes device_id = 3;
// If the key is an EUK, this value is the PCA-issued certificate for the key.
optional bytes certificate = 4;
// If the key is an EUK, this value may hold a SignedPublicKeyAndChallenge
// with a random challenge. The SignedPublicKeyAndChallenge specification is
// here: https://developer.mozilla.org/en-US/docs/HTML/Element/keygen.
optional bytes signed_public_key_and_challenge = 5;
// The identifier of the customer, as defined by the Google Admin SDK at
// https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers
optional string customer_id = 6;
// A new field which contains public key generated by the CBCM-enrolled
// browser if key type is CBCM
optional bytes browser_instance_public_key = 7;
// A new field which indicated the signing scheme used for the outer
// SignedData message. We should populate this for any key type. For EUK/EMK
// (Chrome OS use case), this will currently say "SHA256withRSA" at all times,
// but we should start supporting ECDSA signing in the near future as per 2020
// OKRs. For CBCM, this will be one of the permitted_schemes from
// DeviceIdentity policy.
optional string signing_scheme = 8;
// Device Trust Signals
// Deprecated due to signals collection change to store signals in a
// dictionary and converting them to a JSON string. Use
// `device_trust_signals_json` instead.
optional DeviceTrustSignals device_trust_signals = 9 [deprecated = true];
// Device Trust Signals
optional string device_trust_signals_json = 10;
// DM token to be used for this request.
optional string dm_token = 11;
}
// Device Trust Signals
message DeviceTrustSignals {
option deprecated = true;
// Device Id
optional string device_id = 1;
// Obfuscated CBCM-enrolled Customer Id
optional string obfuscated_customer_id = 2;
// Device serial number
optional string serial_number = 3;
// Human readable name for this device
optional string display_name = 4;
// OS running on the device (e.g. Chrome OS)
optional string os = 5;
// Device manufacturer (e.g. Dell)
optional string device_manufacturer = 6;
// Device model (e.g. iPhone 12 Max)
optional string device_model = 7;
// OS version (e.g. macOS 10.15.7)
optional string os_version = 8;
// IMEI
repeated string imei = 9;
// MEID
repeated string meid = 10;
// Hash of the EKPub certificate of the TPM on the device, if available.
optional string tpm_hash = 11;
// Is the disk encrypted
optional bool is_disk_encrypted = 12;
// Value of the AllowScreenLock policy.
// https://chromeenterprise.google/policies/?policy=AllowScreenLock
optional bool allow_screen_lock = 13;
// Is the access to the OS user protected by a password
optional bool is_protected_by_password = 14;
// Is the device jailbroken or modified
optional bool is_jailbroken = 15;
// The CBCM enrollment domain of the browser.
optional string enrollment_domain = 16;
// Browser Version
optional string browser_version = 17;
// Value of the SafeBrowsingProtectionLevel policy.
// https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel
optional int32 safe_browsing_protection_level = 18;
// Value of the SitePerProcess policy.
// https://chromeenterprise.google/policies/#SitePerProcess
optional bool site_isolation_enabled = 19;
// ThirdPartyBlockingEnabled
optional bool third_party_blocking_enabled = 20;
// To determine whether users can access other computers
// from Chrome using Chrome Remote Desktop
optional bool remote_desktop_available = 21;
// Signed in profile name
optional string signed_in_profile_name = 22;
// ChromeCleanupEnabled
optional bool chrome_cleanup_enabled = 23;
// PasswordProtectionWarningTrigger
optional int32 password_protection_warning_trigger = 24;
// DNS address
optional string dns_address = 25;
// BuiltInDnsClientEnabled
optional bool built_in_dns_client_enabled = 26;
// Whether the OS firewall is turned on
optional bool firewall_on = 27;
// The Windows domain the device has joined
optional string windows_domain = 28;
}
enum KeyProfile {
// Enterprise machine key.
EMK = 0;
// Enterprise user key.
EUK = 1;
// CBCM key.
CBCM = 2;
}