1/* 2 * Copyright (C) 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17syntax = "proto3"; 18 19package nugget.app.identity; 20 21import "nugget/app/identity/identity_types.proto"; 22import "nugget/protobuf/options.proto"; 23 24// Identity is the app used to implement Android's Identity HAL. 25// 26// The documentation for the HAL applies to this implementation. 27service Identity { 28 option (nugget.protobuf.app_id) = "IDENTITY"; 29 option (nugget.protobuf.app_name) = "Identity"; 30 option (nugget.protobuf.app_version) = 1; 31 option (nugget.protobuf.request_buffer_size) = 2048; 32 option (nugget.protobuf.response_buffer_size) = 2048; 33 34 // RPCs for the Identity HAL 35 rpc WICinitialize (WICinitializeRequest) returns (WICinitializeResponse); 36 rpc WICinitializeForUpdate (WICinitializeForUpdateRequest) returns (WICinitializeForUpdateResponse); 37 rpc WICcreateCredentialKey (WICcreateCredentialKeyRequest) returns (WICcreateCredentialKeyResponse); 38 rpc WICstartPersonalization (WICstartPersonalizationRequest) returns (WICstartPersonalizationResponse); 39 rpc WICaddAccessControlProfile (WICaddAccessControlProfileRequest) returns (WICaddAccessControlProfileResponse); 40 rpc WICbeginAddEntry (WICbeginAddEntryRequest) returns (WICbeginAddEntryResponse); 41 rpc WICaddEntryValue (WICaddEntryValueRequest) returns (WICaddEntryValueResponse); 42 rpc WICfinishAddingEntries (WICfinishAddingEntriesRequest) returns (WICfinishAddingEntriesResponse); 43 rpc ICinitialize (ICinitializeRequest) returns (ICinitializeResponse); 44 rpc ICcreateEphemeralKeyPair (ICcreateEphemeralKeyPairRequest) returns (ICcreateEphemeralKeyPairResponse); 45 rpc ICgenerateSigningKeyPair (ICgenerateSigningKeyPairRequest) returns (ICgenerateSigningKeyPairResponse); 46 rpc ICcreateAuthChallenge (ICcreateAuthChallengeRequest) returns (ICcreateAuthChallengeResponse); 47 rpc ICstartRetrieveEntries (ICstartRetrieveEntriesRequest) returns (ICstartRetrieveEntriesResponse); 48 rpc ICsetAuthToken (ICsetAuthTokenRequest) returns (ICsetAuthTokenResponse); 49 rpc ICpushReaderCert (ICpushReaderCertRequest) returns (ICpushReaderCertResponse); 50 rpc ICvalidateAccessControlProfile (ICvalidateAccessControlProfileRequest) returns (ICvalidateAccessControlProfileResponse); 51 rpc ICvalidateRequestMessage (ICvalidateRequestMessageRequest) returns (ICvalidateRequestMessageResponse); 52 rpc ICcalcMacKey (ICcalcMacKeyRequest) returns (ICcalcMacKeyResponse); 53 rpc ICstartRetrieveEntryValue (ICstartRetrieveEntryValueRequest) returns (ICstartRetrieveEntryValueResponse); 54 rpc ICretrieveEntryValue (ICretrieveEntryValueRequest) returns (ICretrieveEntryValueResponse); 55 rpc ICfinishRetrieval (ICfinishRetrievalRequest) returns (ICfinishRetrievalResponse); 56 rpc ICdeleteCredential (ICdeleteCredentialRequest) returns (ICdeleteCredentialResponse); 57 rpc ICproveOwnership (ICproveOwnershipRequest) returns (ICproveOwnershipResponse); 58 rpc GetSessionId (GetSessionIdRequest) returns (GetSessionIdResponse); 59 rpc SessionShutdown(SessionShutdownRequest) returns (SessionShutdownResponse); 60 rpc SessionInitialize (SessionInitializeRequest) returns (SessionInitializeResponse); 61 rpc SessionSetReaderEphemeralPublicKey (SessionSetReaderEphemeralPublicKeyRequest) returns (SessionSetReaderEphemeralPublicKeyResponse); 62 rpc SessionSetSessionTranscript (SessionSetSessionTranscriptRequest) returns (SessionSetSessionTranscriptResponse); 63 64 // For Android 14 new APIs 65 rpc ICprepareDeviceAuthentication (ICprepareDeviceAuthenticationRequest) returns (ICprepareDeviceAuthenticationResponse); 66 rpc ICfinishRetrievalWithSignature (ICfinishRetrievalWithSignatureRequest) returns (ICfinishRetrievalWithSignatureResponse); 67 rpc SessionGetEphemeralKeyPair (SessionGetEphemeralKeyPairRequest) returns (SessionGetEphemeralKeyPairResponse); 68} 69 70enum RequestType { 71 unknown = 0; 72 provision = 1; 73 presentation = 2; 74 session = 3; 75} 76 77// WICinitialize 78message WICinitializeRequest{ 79 bool testCredential = 1; 80} 81message WICinitializeResponse{ 82 Result result = 1; 83} 84 85// WICinitializeForUpdate 86message WICinitializeForUpdateRequest{ 87 bool testCredential = 1; 88 bytes docType = 2; 89 bytes encryptedCredentialKeys = 3; 90} 91 92message WICinitializeForUpdateResponse{ 93 Result result = 1; 94} 95 96// WICcreateCredentialKey 97message WICcreateCredentialKeyRequest{ 98} 99 100message WICcreateCredentialKeyResponse{ 101 Result result = 1; 102 bytes publickey = 2; 103} 104 105// WICstartPersonalization 106message WICstartPersonalizationRequest{ 107 uint32 accessControlProfileCount = 1; 108 bytes entryCounts = 2; 109 bytes docType = 3; 110 uint32 expectedProofOfProvisioningSize = 4; 111 bool supportInt32EntryCounts = 5; 112} 113message WICstartPersonalizationResponse{ 114 Result result = 1; 115} 116 117// WICaddAccessControlProfile 118message WICaddAccessControlProfileRequest{ 119 uint32 id = 1; 120 bytes readerCertificate = 2; 121 bool userAuthenticationRequired = 3; 122 uint64 timeoutMillis = 4; 123 uint64 secureUserId = 5; 124} 125message WICaddAccessControlProfileResponse{ 126 Result result = 1; 127 bytes mac = 2; 128} 129 130// WICbeginAddEntry 131message WICbeginAddEntryRequest{ 132 bytes accessControlProfileIds = 1; 133 string nameSpace = 2; 134 string name = 3; 135 uint64 entrySize = 4; 136} 137message WICbeginAddEntryResponse{ 138 Result result = 1; 139} 140 141// WICaddEntryValue 142message WICaddEntryValueRequest{ 143 bytes accessControlProfileIds = 1; 144 string nameSpace = 2; 145 string name = 3; 146 bytes content = 4; 147} 148message WICaddEntryValueResponse{ 149 Result result = 1; 150 bytes encrypted_content = 2; 151} 152 153// WICfinishAddingEntries 154message WICfinishAddingEntriesRequest{ 155 bytes docType = 1; 156 bool testCredential = 2; 157} 158 159message WICfinishAddingEntriesResponse{ 160 Result result = 1; 161 bytes signatureOfToBeSigned = 2; 162 bytes credentialData = 3; 163} 164 165// ICinitialize 166message ICinitializeRequest{ 167 bool testCredential = 1; 168 bytes docType = 2; 169 bytes encryptedCredentialKeys = 3; 170 uint32 oemHalVersion = 4; 171 uint32 sessionId = 5; 172} 173 174message ICinitializeResponse{ 175 Result result = 1; 176} 177 178// ICcreateEphemeralKeyPair 179message ICcreateEphemeralKeyPairRequest{ 180} 181 182message ICcreateEphemeralKeyPairResponse{ 183 Result result = 1; 184 bytes ephemeralPriv = 2; 185} 186 187// ICgenerateSigningKeyPair 188message ICgenerateSigningKeyPairRequest{ 189 bytes docType = 1; 190} 191 192message ICgenerateSigningKeyPairResponse{ 193 Result result = 1; 194 bytes SigningKeyBlob =2; 195 bytes signingPubKey =3; 196} 197 198// ICcreateAuthChallenge 199message ICcreateAuthChallengeRequest{ 200} 201 202message ICcreateAuthChallengeResponse{ 203 Result result = 1; 204 uint64 challenge = 2; 205} 206 207// ICstartRetrieveEntries 208message ICstartRetrieveEntriesRequest{ 209} 210 211message ICstartRetrieveEntriesResponse{ 212 Result result = 1; 213} 214 215// ICsetAuthToken 216message ICsetAuthTokenRequest{ 217 uint64 challenge = 1; 218 uint64 secureUserId = 2; 219 uint64 authenticatorId = 3; 220 uint32 hardwareAuthenticatorType = 4; 221 uint64 timeStamp = 5; 222 bytes mac = 6; 223 uint64 verificationTokenChallenge = 7; 224 uint64 verificationTokenTimestamp =8; 225 uint32 verificationTokenSecurityLevel =9; 226 bytes verificationTokenMac = 10; 227} 228 229message ICsetAuthTokenResponse{ 230 Result result = 1; 231} 232 233// ICpushReaderCert 234message ICpushReaderCertRequest{ 235 bytes x509Cert = 1; 236 uint32 tbsCertificateOffset = 2; 237 uint32 tbsCertificateSize = 3; 238 uint32 signatureOffset = 4; 239 uint32 signatureSize = 5; 240 uint32 publicKeyOffset = 6; 241 uint32 publicKeySize = 7; 242 uint32 signAlg = 8; 243} 244 245message ICpushReaderCertResponse{ 246 Result result = 1; 247} 248 249// ICvalidateAccessControlProfile 250message ICvalidateAccessControlProfileRequest{ 251 uint32 id = 1; 252 bytes readerCertificate = 2; 253 bool userAuthenticationRequired = 3; 254 uint32 timeoutMillis = 4; 255 uint64 secureUserId = 5; 256 bytes mac = 6; 257 uint32 publicKeyOffset = 7; 258 uint32 publicKeySize = 8; 259} 260 261message ICvalidateAccessControlProfileResponse{ 262 Result result = 1; 263 bool accessGranted = 2; 264} 265 266// ICvalidateRequestMessage 267message ICvalidateRequestMessageRequest{ 268 bytes sessionTranscript = 1; 269 bytes requestMessage = 2; 270 uint32 coseSignAlg = 3; 271 bytes readerSignatureOfToBeSigned = 4; 272} 273 274message ICvalidateRequestMessageResponse{ 275 Result result = 1; 276} 277 278// ICcalcMacKey 279message ICcalcMacKeyRequest{ 280 bytes sessionTranscript = 1; 281 bytes readerEphemeralPublicKey = 2; 282 bytes signingKeyBlob = 3; 283 bytes docType = 4; 284 uint32 numNamespacesWithValues = 5; 285 uint32 expectedProofOfProvisioningSize = 6; 286} 287 288message ICcalcMacKeyResponse{ 289 Result result = 1; 290} 291 292// ICprepareDeviceAuthentication 293message ICprepareDeviceAuthenticationRequest{ 294 bytes sessionTranscript = 1; 295 bytes readerEphemeralPublicKey = 2; 296 bytes signingKeyBlob = 3; 297 bytes docType = 4; 298 uint32 numNamespacesWithValues = 5; 299 uint32 expectedDeviceNamespacesSize = 6; 300} 301 302message ICprepareDeviceAuthenticationResponse{ 303 Result result = 1; 304} 305 306// ICstartRetrieveEntryValue 307message ICstartRetrieveEntryValueRequest{ 308 string nameSpace = 1; 309 string name = 2; 310 uint32 newNamespaceNumEntries = 3; 311 uint32 entrySize = 4; 312 bytes accessControlProfileIds = 5; 313} 314 315message ICstartRetrieveEntryValueResponse{ 316 AccessResult accessCheckResult = 1; 317 uint32 sessionCookie = 2; 318 Result result = 3; 319} 320 321// ICretrieveEntryValue 322message ICretrieveEntryValueRequest{ 323 bytes encryptedContent = 1; 324 string nameSpace = 2; 325 string name = 3; 326 bytes accessControlProfileIds = 4; 327 uint32 sessionCookie = 5; 328} 329 330message ICretrieveEntryValueResponse{ 331 Result result = 1; 332 bytes content = 2; 333} 334 335// ICfinishRetrieval 336message ICfinishRetrievalRequest{ 337} 338 339message ICfinishRetrievalResponse{ 340 Result result = 1; 341 bytes mac = 2; 342} 343 344// ICfinishRetrievalWithSignature 345message ICfinishRetrievalWithSignatureRequest{ 346} 347 348message ICfinishRetrievalWithSignatureResponse{ 349 Result result = 1; 350 bytes mac = 2; 351 bytes ecdsaSignature = 3; 352} 353 354// ICdeleteCredential 355message ICdeleteCredentialRequest{ 356 bytes docType = 1; 357 bytes challenge = 2; 358 bool includeChallenge = 3; 359 uint32 proofOfDeletionCborSize = 4; 360} 361 362message ICdeleteCredentialResponse{ 363 Result result = 1; 364 bytes signatureOfToBeSigned = 2; 365} 366 367// ICproveOwnership 368message ICproveOwnershipRequest{ 369 bytes docType = 1; 370 bool testCredential = 2; 371 bytes challenge = 3; 372 uint32 proofOfOwnershipCborSize = 4; 373} 374 375message ICproveOwnershipResponse{ 376 Result result = 1; 377 bytes signatureOfToBeSigned = 2; 378} 379 380// GetSessionId 381message GetSessionIdRequest{ 382 RequestType requestType = 1; 383} 384 385message GetSessionIdResponse{ 386 Result result = 1; 387 uint32 id = 2; 388} 389 390// SessionShutdown 391message SessionShutdownRequest{ 392 RequestType requestType = 1; 393} 394 395message SessionShutdownResponse{ 396 Result result = 1; 397} 398 399// SessionInitialize 400message SessionInitializeRequest{ 401 uint32 oemHalVersion = 1; 402} 403 404message SessionInitializeResponse{ 405 Result result = 1; 406 uint64 authChallenge = 2; 407 bytes ephemeralPrivateKey = 3; 408} 409 410// SessionSetReaderEphemeralPublicKey 411message SessionSetReaderEphemeralPublicKeyRequest{ 412 bytes readerEphemeralPublicKey = 1; 413} 414 415message SessionSetReaderEphemeralPublicKeyResponse{ 416 Result result = 1; 417} 418 419// SessionSetSessionTranscript 420message SessionSetSessionTranscriptRequest{ 421 bytes sessionTranscript = 1; 422} 423 424message SessionSetSessionTranscriptResponse{ 425 Result result = 1; 426} 427 428// SessionGetEphemeralKeyPair 429message SessionGetEphemeralKeyPairRequest{ 430} 431 432message SessionGetEphemeralKeyPairResponse{ 433 Result result = 1; 434 bytes ephemeralPrivateKey = 2; 435} 436