| // |
| // Copyright (C) 2015 The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| // |
| |
| option optimize_for = LITE_RUNTIME; |
| |
| import "common.proto"; |
| |
| package attestation; |
| |
| enum AttestationStatus { |
| STATUS_SUCCESS = 0; |
| STATUS_UNEXPECTED_DEVICE_ERROR = 1; |
| STATUS_NOT_AVAILABLE = 2; |
| STATUS_NOT_READY = 3; |
| STATUS_NOT_ALLOWED = 4; |
| STATUS_INVALID_PARAMETER = 5; |
| STATUS_REQUEST_DENIED_BY_CA = 6; |
| STATUS_CA_NOT_AVAILABLE = 7; |
| } |
| |
| message CreateGoogleAttestedKeyRequest { |
| // An arbitrary label which can be used to reference the key later. |
| optional string key_label = 1; |
| optional KeyType key_type = 2; |
| optional KeyUsage key_usage = 3; |
| // Describes the certificate to be requested of the CA. |
| optional CertificateProfile certificate_profile = 4; |
| // Provided if the new key should be accessible only by a particular user. If |
| // this field is not set or is the empty string, the key will be accessible |
| // system-wide. |
| optional string username = 5; |
| // If the |certificate_profile| is intended to be bound to a particular origin |
| // this field specifies the origin. For most profiles this is not required. |
| optional string origin = 6; |
| } |
| |
| message CreateGoogleAttestedKeyReply { |
| optional AttestationStatus status = 1; |
| // More information about a server-side error. This only exists |
| // if status=REQUEST_DENIED_BY_CA. |
| optional string server_error = 2; |
| // A PEM-encoded list of X.509 certificates starting with the requested |
| // certificate issued by the CA and followed by certificates for any |
| // intermediate authorities, in order. The Google Attestation CA root |
| // certificate is well-known and not included. |
| optional string certificate_chain = 3; |
| } |
| |
| message GetKeyInfoRequest { |
| optional string key_label = 1; |
| optional string username = 2; |
| } |
| |
| message GetKeyInfoReply { |
| optional AttestationStatus status = 1; |
| optional KeyType key_type = 2; |
| optional KeyUsage key_usage = 3; |
| // The public key (X.509/DER SubjectPublicKeyInfo). |
| optional bytes public_key = 4; |
| // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key. |
| optional bytes certify_info = 5; |
| // The signature of certify_info by the Attestation Key. |
| optional bytes certify_info_signature = 6; |
| // The certificate data associated with the key (if any). |
| optional bytes certificate = 7; |
| } |
| |
| message GetEndorsementInfoRequest { |
| optional KeyType key_type = 1; |
| } |
| |
| message GetEndorsementInfoReply { |
| optional AttestationStatus status = 1; |
| // The endorsement public key (X.509/DER SubjectPublicKeyInfo). |
| optional bytes ek_public_key = 2; |
| // The endorsement certificate (X.509/DER). |
| optional bytes ek_certificate = 3; |
| } |
| |
| message GetAttestationKeyInfoRequest { |
| optional KeyType key_type = 1; |
| } |
| |
| message GetAttestationKeyInfoReply { |
| optional AttestationStatus status = 1; |
| // The attestation public key (X.509/DER SubjectPublicKeyInfo). |
| optional bytes public_key = 2; |
| // The attestation public key in TPM_PUBKEY form. |
| optional bytes public_key_tpm_format = 3; |
| // The attestation key certificate. |
| optional bytes certificate = 4; |
| // A quote of PCR0 at the time of attestation key creation. |
| optional Quote pcr0_quote = 5; |
| // A quote of PCR1 at the time of attestation key creation. |
| optional Quote pcr1_quote = 6; |
| } |
| |
| message ActivateAttestationKeyRequest { |
| optional KeyType key_type = 1; |
| optional EncryptedIdentityCredential encrypted_certificate = 2; |
| optional bool save_certificate = 3; |
| } |
| |
| message ActivateAttestationKeyReply { |
| optional AttestationStatus status = 1; |
| // The decrypted attestation key certificate. |
| optional bytes certificate = 2; |
| } |
| |
| message CreateCertifiableKeyRequest { |
| // An arbitrary label which can be used to reference the key later. |
| optional string key_label = 1; |
| // Provided if the new key should be accessible only by a |
| // particular user. If this field is not set or is the empty |
| // string, the key will be accessible system-wide. |
| optional string username = 2; |
| optional KeyType key_type = 3; |
| optional KeyUsage key_usage = 4; |
| } |
| |
| message CreateCertifiableKeyReply { |
| optional AttestationStatus status = 1; |
| // The new public key (X.509/DER SubjectPublicKeyInfo). |
| optional bytes public_key = 2; |
| // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key. |
| optional bytes certify_info = 3; |
| // The signature of certify_info by the Attestation Key. |
| optional bytes certify_info_signature = 4; |
| } |
| |
| message DecryptRequest { |
| optional string key_label = 1; |
| optional string username = 2; |
| optional bytes encrypted_data = 3; |
| } |
| |
| message DecryptReply { |
| optional AttestationStatus status = 1; |
| optional bytes decrypted_data = 2; |
| } |
| |
| message SignRequest { |
| optional string key_label = 1; |
| optional string username = 2; |
| optional bytes data_to_sign = 3; |
| } |
| |
| message SignReply { |
| optional AttestationStatus status = 1; |
| optional bytes signature = 2; |
| } |
| |
| message RegisterKeyWithChapsTokenRequest { |
| optional string key_label = 1; |
| optional string username = 2; |
| } |
| |
| message RegisterKeyWithChapsTokenReply { |
| optional AttestationStatus status = 1; |
| } |