1/* 2 * Copyright (C) 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17syntax = "proto3"; 18 19package nugget.app.identity; 20 21import "nugget/app/identity/identity_defs.proto"; 22import "nugget/app/identity/identity_types.proto"; 23import "nugget/protobuf/options.proto"; 24 25// Identity is the app used to implement Android's Identity HAL. 26// 27// The documentation for the HAL applies to this implementation. 28service Identity { 29 option (nugget.protobuf.app_id) = "IDENTITY"; 30 option (nugget.protobuf.app_name) = "Identity"; 31 option (nugget.protobuf.app_version) = 1; 32 option (nugget.protobuf.request_buffer_size) = 2048; 33 option (nugget.protobuf.response_buffer_size) = 2048; 34 35 // RPCs for the Identity HAL 36 rpc WICinitialize (WICinitializeRequest) returns (WICinitializeResponse); 37 rpc WICinitializeForUpdate (WICinitializeForUpdateRequest) returns (WICinitializeForUpdateResponse); 38 rpc WICcreateCredentialKey (WICcreateCredentialKeyRequest) returns (WICcreateCredentialKeyResponse); 39 rpc WICstartPersonalization (WICstartPersonalizationRequest) returns (WICstartPersonalizationResponse); 40 rpc WICaddAccessControlProfile (WICaddAccessControlProfileRequest) returns (WICaddAccessControlProfileResponse); 41 rpc WICbeginAddEntry (WICbeginAddEntryRequest) returns (WICbeginAddEntryResponse); 42 rpc WICaddEntryValue (WICaddEntryValueRequest) returns (WICaddEntryValueResponse); 43 rpc WICfinishAddingEntries (WICfinishAddingEntriesRequest) returns (WICfinishAddingEntriesResponse); 44 rpc ICinitialize (ICinitializeRequest) returns (ICinitializeResponse); 45 rpc ICcreateEphemeralKeyPair (ICcreateEphemeralKeyPairRequest) returns (ICcreateEphemeralKeyPairResponse); 46 rpc ICgenerateSigningKeyPair (ICgenerateSigningKeyPairRequest) returns (ICgenerateSigningKeyPairResponse); 47 rpc ICcreateAuthChallenge (ICcreateAuthChallengeRequest) returns (ICcreateAuthChallengeResponse); 48 rpc ICstartRetrieveEntries (ICstartRetrieveEntriesRequest) returns (ICstartRetrieveEntriesResponse); 49 rpc ICsetAuthToken (ICsetAuthTokenRequest) returns (ICsetAuthTokenResponse); 50 rpc ICpushReaderCert (ICpushReaderCertRequest) returns (ICpushReaderCertResponse); 51 rpc ICvalidateAccessControlProfile (ICvalidateAccessControlProfileRequest) returns (ICvalidateAccessControlProfileResponse); 52 rpc ICvalidateRequestMessage (ICvalidateRequestMessageRequest) returns (ICvalidateRequestMessageResponse); 53 rpc ICcalcMacKey (ICcalcMacKeyRequest) returns (ICcalcMacKeyResponse); 54 rpc ICstartRetrieveEntryValue (ICstartRetrieveEntryValueRequest) returns (ICstartRetrieveEntryValueResponse); 55 rpc ICretrieveEntryValue (ICretrieveEntryValueRequest) returns (ICretrieveEntryValueResponse); 56 rpc ICfinishRetrieval (ICfinishRetrievalRequest) returns (ICfinishRetrievalResponse); 57 rpc ICdeleteCredential (ICdeleteCredentialRequest) returns (ICdeleteCredentialResponse); 58 rpc ICproveOwnership (ICproveOwnershipRequest) returns (ICproveOwnershipResponse); 59 rpc GetSessionId (GetSessionIdRequest) returns (GetSessionIdResponse); 60 rpc SessionShutdown(SessionShutdownRequest) returns (SessionShutdownResponse); 61 rpc SessionInitialize (SessionInitializeRequest) returns (SessionInitializeResponse); 62 rpc SessionSetReaderEphemeralPublicKey (SessionSetReaderEphemeralPublicKeyRequest) returns (SessionSetReaderEphemeralPublicKeyResponse); 63 rpc SessionSetSessionTranscript (SessionSetSessionTranscriptRequest) returns (SessionSetSessionTranscriptResponse); 64 65 // For Android 14 new APIs 66 rpc ICprepareDeviceAuthentication (ICprepareDeviceAuthenticationRequest) returns (ICprepareDeviceAuthenticationResponse); 67 rpc ICfinishRetrievalWithSignature (ICfinishRetrievalWithSignatureRequest) returns (ICfinishRetrievalWithSignatureResponse); 68 rpc SessionGetEphemeralKeyPair (SessionGetEphemeralKeyPairRequest) returns (SessionGetEphemeralKeyPairResponse); 69} 70 71enum RequestType { 72 unknown = 0; 73 provision = 1; 74 presentation = 2; 75 session = 3; 76} 77 78// WICinitialize 79message WICinitializeRequest{ 80 bool testCredential = 1; 81} 82message WICinitializeResponse{ 83 Result result = 1; 84} 85 86// WICinitializeForUpdate 87message WICinitializeForUpdateRequest{ 88 bool testCredential = 1; 89 bytes docType = 2; 90 bytes encryptedCredentialKeys = 3; 91} 92 93message WICinitializeForUpdateResponse{ 94 Result result = 1; 95} 96 97// WICcreateCredentialKey 98message WICcreateCredentialKeyRequest{ 99} 100 101message WICcreateCredentialKeyResponse{ 102 Result result = 1; 103 bytes publickey = 2; 104} 105 106// WICstartPersonalization 107message WICstartPersonalizationRequest{ 108 uint32 accessControlProfileCount = 1; 109 bytes entryCounts = 2; 110 bytes docType = 3; 111 uint32 expectedProofOfProvisioningSize = 4; 112 bool supportInt32EntryCounts = 5; 113} 114message WICstartPersonalizationResponse{ 115 Result result = 1; 116} 117 118// WICaddAccessControlProfile 119message WICaddAccessControlProfileRequest{ 120 uint32 id = 1; 121 bytes readerCertificate = 2; 122 bool userAuthenticationRequired = 3; 123 uint64 timeoutMillis = 4; 124 uint64 secureUserId = 5; 125} 126message WICaddAccessControlProfileResponse{ 127 Result result = 1; 128 bytes mac = 2; 129} 130 131// WICbeginAddEntry 132message WICbeginAddEntryRequest{ 133 bytes accessControlProfileIds = 1; 134 string nameSpace = 2; 135 string name = 3; 136 uint64 entrySize = 4; 137} 138message WICbeginAddEntryResponse{ 139 Result result = 1; 140} 141 142// WICaddEntryValue 143message WICaddEntryValueRequest{ 144 bytes accessControlProfileIds = 1; 145 string nameSpace = 2; 146 string name = 3; 147 bytes content = 4; 148} 149message WICaddEntryValueResponse{ 150 Result result = 1; 151 bytes encrypted_content = 2; 152} 153 154// WICfinishAddingEntries 155message WICfinishAddingEntriesRequest{ 156 bytes docType = 1; 157 bool testCredential = 2; 158} 159 160message WICfinishAddingEntriesResponse{ 161 Result result = 1; 162 bytes signatureOfToBeSigned = 2; 163 bytes credentialData = 3; 164} 165 166// ICinitialize 167message ICinitializeRequest{ 168 bool testCredential = 1; 169 bytes docType = 2; 170 bytes encryptedCredentialKeys = 3; 171 uint32 oemHalVersion = 4; 172 uint32 sessionId = 5; 173} 174 175message ICinitializeResponse{ 176 Result result = 1; 177} 178 179// ICcreateEphemeralKeyPair 180message ICcreateEphemeralKeyPairRequest{ 181} 182 183message ICcreateEphemeralKeyPairResponse{ 184 Result result = 1; 185 bytes ephemeralPriv = 2; 186} 187 188// ICgenerateSigningKeyPair 189message ICgenerateSigningKeyPairRequest{ 190 bytes docType = 1; 191} 192 193message ICgenerateSigningKeyPairResponse{ 194 Result result = 1; 195 bytes SigningKeyBlob =2; 196 bytes signingPubKey =3; 197} 198 199// ICcreateAuthChallenge 200message ICcreateAuthChallengeRequest{ 201} 202 203message ICcreateAuthChallengeResponse{ 204 Result result = 1; 205 uint64 challenge = 2; 206} 207 208// ICstartRetrieveEntries 209message ICstartRetrieveEntriesRequest{ 210} 211 212message ICstartRetrieveEntriesResponse{ 213 Result result = 1; 214} 215 216// ICsetAuthToken 217message ICsetAuthTokenRequest{ 218 uint64 challenge = 1; 219 uint64 secureUserId = 2; 220 uint64 authenticatorId = 3; 221 uint32 hardwareAuthenticatorType = 4; 222 uint64 timeStamp = 5; 223 bytes mac = 6; 224 uint64 verificationTokenChallenge = 7; 225 uint64 verificationTokenTimestamp =8; 226 uint32 verificationTokenSecurityLevel =9; 227 bytes verificationTokenMac = 10; 228} 229 230message ICsetAuthTokenResponse{ 231 Result result = 1; 232} 233 234// ICpushReaderCert 235message ICpushReaderCertRequest{ 236 bytes x509Cert = 1; 237 uint32 tbsCertificateOffset = 2; 238 uint32 tbsCertificateSize = 3; 239 uint32 signatureOffset = 4; 240 uint32 signatureSize = 5; 241 uint32 publicKeyOffset = 6; 242 uint32 publicKeySize = 7; 243 uint32 signAlg = 8; 244} 245 246message ICpushReaderCertResponse{ 247 Result result = 1; 248} 249 250// ICvalidateAccessControlProfile 251message ICvalidateAccessControlProfileRequest{ 252 uint32 id = 1; 253 bytes readerCertificate = 2; 254 bool userAuthenticationRequired = 3; 255 uint32 timeoutMillis = 4; 256 uint64 secureUserId = 5; 257 bytes mac = 6; 258 uint32 publicKeyOffset = 7; 259 uint32 publicKeySize = 8; 260} 261 262message ICvalidateAccessControlProfileResponse{ 263 Result result = 1; 264 bool accessGranted = 2; 265} 266 267// ICvalidateRequestMessage 268message ICvalidateRequestMessageRequest{ 269 bytes sessionTranscript = 1; 270 bytes requestMessage = 2; 271 uint32 coseSignAlg = 3; 272 bytes readerSignatureOfToBeSigned = 4; 273} 274 275message ICvalidateRequestMessageResponse{ 276 Result result = 1; 277} 278 279// ICcalcMacKey 280message ICcalcMacKeyRequest{ 281 bytes sessionTranscript = 1; 282 bytes readerEphemeralPublicKey = 2; 283 bytes signingKeyBlob = 3; 284 bytes docType = 4; 285 uint32 numNamespacesWithValues = 5; 286 uint32 expectedProofOfProvisioningSize = 6; 287} 288 289message ICcalcMacKeyResponse{ 290 Result result = 1; 291} 292 293// ICprepareDeviceAuthentication 294message ICprepareDeviceAuthenticationRequest{ 295 bytes sessionTranscript = 1; 296 bytes readerEphemeralPublicKey = 2; 297 bytes signingKeyBlob = 3; 298 bytes docType = 4; 299 uint32 numNamespacesWithValues = 5; 300 uint32 expectedDeviceNamespacesSize = 6; 301} 302 303message ICprepareDeviceAuthenticationResponse{ 304 Result result = 1; 305} 306 307// ICstartRetrieveEntryValue 308message ICstartRetrieveEntryValueRequest{ 309 string nameSpace = 1; 310 string name = 2; 311 uint32 newNamespaceNumEntries = 3; 312 uint32 entrySize = 4; 313 bytes accessControlProfileIds = 5; 314} 315 316message ICstartRetrieveEntryValueResponse{ 317 AccessResult accessCheckResult = 1; 318 uint32 sessionCookie = 2; 319 Result result = 3; 320} 321 322// ICretrieveEntryValue 323message ICretrieveEntryValueRequest{ 324 bytes encryptedContent = 1; 325 string nameSpace = 2; 326 string name = 3; 327 bytes accessControlProfileIds = 4; 328 uint32 sessionCookie = 5; 329} 330 331message ICretrieveEntryValueResponse{ 332 Result result = 1; 333 bytes content = 2; 334} 335 336// ICfinishRetrieval 337message ICfinishRetrievalRequest{ 338} 339 340message ICfinishRetrievalResponse{ 341 Result result = 1; 342 bytes mac = 2; 343} 344 345// ICfinishRetrievalWithSignature 346message ICfinishRetrievalWithSignatureRequest{ 347} 348 349message ICfinishRetrievalWithSignatureResponse{ 350 Result result = 1; 351 bytes mac = 2; 352 bytes ecdsaSignature = 3; 353} 354 355// ICdeleteCredential 356message ICdeleteCredentialRequest{ 357 bytes docType = 1; 358 bytes challenge = 2; 359 bool includeChallenge = 3; 360 uint32 proofOfDeletionCborSize = 4; 361} 362 363message ICdeleteCredentialResponse{ 364 Result result = 1; 365 bytes signatureOfToBeSigned = 2; 366} 367 368// ICproveOwnership 369message ICproveOwnershipRequest{ 370 bytes docType = 1; 371 bool testCredential = 2; 372 bytes challenge = 3; 373 uint32 proofOfOwnershipCborSize = 4; 374} 375 376message ICproveOwnershipResponse{ 377 Result result = 1; 378 bytes signatureOfToBeSigned = 2; 379} 380 381// GetSessionId 382message GetSessionIdRequest{ 383 RequestType requestType = 1; 384} 385 386message GetSessionIdResponse{ 387 Result result = 1; 388 uint32 id = 2; 389} 390 391// SessionShutdown 392message SessionShutdownRequest{ 393 RequestType requestType = 1; 394} 395 396message SessionShutdownResponse{ 397 Result result = 1; 398} 399 400// SessionInitialize 401message SessionInitializeRequest{ 402 uint32 oemHalVersion = 1; 403} 404 405message SessionInitializeResponse{ 406 Result result = 1; 407 uint64 authChallenge = 2; 408 bytes ephemeralPrivateKey = 3; 409} 410 411// SessionSetReaderEphemeralPublicKey 412message SessionSetReaderEphemeralPublicKeyRequest{ 413 bytes readerEphemeralPublicKey = 1; 414} 415 416message SessionSetReaderEphemeralPublicKeyResponse{ 417 Result result = 1; 418} 419 420// SessionSetSessionTranscript 421message SessionSetSessionTranscriptRequest{ 422 bytes sessionTranscript = 1; 423} 424 425message SessionSetSessionTranscriptResponse{ 426 Result result = 1; 427} 428 429// SessionGetEphemeralKeyPair 430message SessionGetEphemeralKeyPairRequest{ 431} 432 433message SessionGetEphemeralKeyPairResponse{ 434 Result result = 1; 435 bytes ephemeralPrivateKey = 2; 436} 437