1// Copyright 2015 The ChromiumOS Authors 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5syntax = "proto2"; 6 7package attestation; 8 9option go_package = "attestation_proto"; 10 11// Enumerates various certificate profiles supported by the Attestation CA. 12enum CertificateProfile { 13 // A certificate intended for enterprise-owned devices. It has the following 14 // subjectName fields: 15 // CN=<stable device identifier> 16 // OU=state:[verified|developer] 17 // O=Chrome Device Enterprise 18 ENTERPRISE_MACHINE_CERTIFICATE = 0; 19 20 // A certificate intended for enterprise-owned user accounts. It has the 21 // following subjectName fields: 22 // OU=state:[verified|developer] 23 // O=Chrome Device Enterprise 24 ENTERPRISE_USER_CERTIFICATE = 1; 25 26 // A certificate intended for platform verification by providers of protected 27 // content. It has the following subjectName fields: 28 // O=Chrome Device Content Protection 29 CONTENT_PROTECTION_CERTIFICATE = 2; 30 31 // Like above, but it also includes a stable ID and origin. 32 // CN=<origin-specific device identifier> 33 // OU=<origin> 34 // O=Chrome Device Content Protection 35 CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3; 36 37 // A certificate intended for cast devices. 38 CAST_CERTIFICATE = 4; 39 40 GFSC_CERTIFICATE = 5; 41 42 JETSTREAM_CERTIFICATE = 6; 43 44 // A certificate for enterprise enrollment. 45 ENTERPRISE_ENROLLMENT_CERTIFICATE = 7; 46 47 // A certificate for signing Android Testsuite Results using CTS-in-a-box. 48 XTS_CERTIFICATE = 8; 49 50 // An EK certificate for vTPM 51 // CN=CROS VTPM PRD EK ROOT CA 52 ENTERPRISE_VTPM_EK_CERTIFICATE = 9; 53 54 // A local authority certificate for binding software keys. 55 // CN=Local Authority 56 // O=Chrome Device Soft Bind 57 SOFT_BIND_CERTIFICATE = 10; 58 59 // A remote attestation certificate for proving device integrity. 60 // CN=<An opaque device identifier string> 61 // O=Chrome Device Setup 62 DEVICE_SETUP_CERTIFICATE = 11; 63 64 // The ARC TPM certifying key is a restricted key that is used to quote 65 // various TPM data, such as PCR quotation or NVRAM quotation. 66 // It is primarily used for Version Attestation in ARC Attestation. 67 ARC_TPM_CERTIFYING_KEY_CERTIFICATE = 12; 68 69 // The ARC Device Key is the Device Key used in Android Attestation for ARC. 70 // It is an unrestricted key. 71 ARC_ATTESTATION_DEVICE_KEY_CERTIFICATE = 13; 72 73 // A certificate intended for the Device Trust flow on enterprise-owned user 74 // accounts on unmanaged devices. It has the following subjectName fields: 75 // OU=state:[verified|developer] 76 // O=Chrome Device Enterprise 77 DEVICE_TRUST_USER_CERTIFICATE = 14; 78 79 // A certificate for an Android UDS public key. 80 UDS_CERTIFICATE = 15; 81} 82 83enum TpmVersion { 84 TPM_1_2 = 1; // NOTE: This is the default. It must remain listed first. 85 TPM_2_0 = 2; 86} 87 88// Types of NVRAM quotes used for attestation. 89enum NVRAMQuoteType { 90 // Quote of the Cr50-backed BoardID. 91 BOARD_ID = 0; 92 // Quote of the Cr50-backed SN+RMA bits. 93 SN_BITS = 1; 94 // Quote of the Cr50-backed RSA public endorsement key certificate. 95 RSA_PUB_EK_CERT = 2; 96 // Quote of the Cr50-backed RSU device ID. 97 RSU_DEVICE_ID = 3; 98 // Quote of RMA bytes (a complement of RMA bits with optional leading zeroes). 99 RMA_BYTES = 4; 100 // Quote of the Cr50-backed G2f certificate. 101 G2F_CERT = 5; 102 // Quote of a DICE cert chain. 103 DICE_CERT_CHAIN = 6; 104} 105 106// Holds information about a quote generated by the TPM. 107message Quote { 108 // The quote; a signature generated with the AIK. 109 optional bytes quote = 1; 110 // The serialized data that was quoted; this assists in verifying the quote. 111 optional bytes quoted_data = 2; 112 // The value of the PCR(s) at the time the quote was generated. 113 optional bytes quoted_pcr_value = 3; 114 // Source data which was originally used to extend the PCR. If this field 115 // exists it can be expected that SHA1(pcr_source_hint) was extended into the 116 // PCR. 117 optional bytes pcr_source_hint = 4; 118} 119 120// Holds encrypted data and information required to decrypt it. 121message EncryptedData { 122 // A key that has been sealed to the TPM or wrapped by another key. 123 optional bytes wrapped_key = 2; 124 // The initialization vector used during encryption. 125 optional bytes iv = 3; 126 // MAC of (iv + encrypted_data). 127 optional bytes mac = 4; 128 optional bytes encrypted_data = 5; 129 // An identifier for the wrapping key to assist in decryption. 130 optional bytes wrapping_key_id = 6; 131} 132 133// The wrapper message of any data and its signature. 134message SignedData { 135 // The data to be signed. 136 optional bytes data = 1; 137 // The signature of the data field. 138 optional bytes signature = 2; 139} 140 141// The first two fields are suitable for passing to Tspi_TPM_ActivateIdentity() 142// directly when using TPM 1.2. For TPM 2.0 the first two fields are not used. 143message EncryptedIdentityCredential { 144 // TPM_ASYM_CA_CONTENTS, encrypted with EK public key. 145 optional bytes asym_ca_contents = 1; 146 // TPM_SYM_CA_ATTESTATION, encrypted with the key in aysm_ca_contents. 147 optional bytes sym_ca_attestation = 2; 148 149 optional TpmVersion tpm_version = 3; 150 151 // The following fields are used only for TPM 2.0. For details see the TPM 2.0 152 // specification Part 1 Rev 1.16: 153 // - Section 9.5.3.3: General description of the scheme. 154 // - Section 24: More details including how to use the seed to compute the 155 // values for 'credential_mac' and 'wrapped_certificate-> 156 // wrapped_key' 157 // - Section B.10.4: Encrypting the seed with a RSA EK. 158 // - Section C.7.4: Encrypting the seed with an EC EK. 159 160 // A seed encrypted with the EK public key. The TPM will use this seed to 161 // derive both an HMAC key to verify the 'credential_mac' field and an AES key 162 // to unwrap the 'wrapped_certificate->wrapped_key' field. 163 optional bytes encrypted_seed = 4; 164 165 // An integrity value computed using HMAC-SHA256 over the 166 // 'wrapped_certificate.wrapped_key' field and the 'Name' of the identity key. 167 optional bytes credential_mac = 5; 168 169 // A certificate encrypted with a 'credential' that is decrypted by the TPM. 170 // The 'wrapped_key' field contains the encrypted credential which is 171 // encrypted using AES-256-CFB with a zero IV. The encryption of the 172 // certificate itself uses AES-256-CBC with PKCS #5 padding and a random IV. 173 // The encryption key is derived from the 'credential' using: 174 // SHA256('ENCRYPT' + credential) 175 // The mac uses HMAC-SHA256 with a key derived using: 176 // SHA256('MAC' + credential) 177 optional EncryptedData wrapped_certificate = 6; 178} 179 180// This message holds all information to be sent to the attestation server in 181// order to complete enrollment. 182message AttestationEnrollmentRequest { 183 // The EK cert, in X.509 form, encrypted using the server's public key with 184 // the following parameters: 185 // Key encryption: RSA-OAEP with no custom parameters. 186 // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. 187 // MAC: HMAC-SHA-512 using the AES key. 188 optional EncryptedData encrypted_endorsement_credential = 1; 189 // The AIK public key, the raw TPM format. (TPM_PUBKEY for TPM 1.2, 190 // TPMT_PUBLIC for TPM 2.0). 191 optional bytes identity_public_key = 2; 192 // PCR0 quoted by AIK. 193 optional Quote pcr0_quote = 3; 194 // PCR1 quoted by AIK. 195 optional Quote pcr1_quote = 4; 196 // DEN for enterprise zero-touch enrollment (crbug/624187). 197 optional bytes enterprise_enrollment_nonce = 5; 198 // The device TPM version. 199 optional TpmVersion tpm_version = 6; 200 // An encrypted quote of the RSA EK cert, in X.509 form, if the endorsement 201 // credential is not RSA. 202 optional EncryptedData encrypted_rsa_endorsement_quote = 7; 203} 204 205enum ResponseStatus { 206 OK = 0; 207 // Internal server error. 208 SERVER_ERROR = 1; 209 // The server cannot parse the request. 210 BAD_REQUEST = 2; 211 // The server rejects the request. 212 REJECT = 3; 213 // Only appears in enrollment response. The server returns the same generated 214 // id and reports the quota limit exceeded status when the number of reset 215 // action in a specified time window is more than self reset limitation. 216 QUOTA_LIMIT_EXCEEDED = 4; 217} 218 219// The response from the attestation server for the enrollment request. 220message AttestationEnrollmentResponse { 221 optional ResponseStatus status = 1; 222 // Short detail response message. Included when the result is not OK. 223 optional string detail = 2; 224 optional EncryptedIdentityCredential encrypted_identity_credential = 3; 225 // Extra details included when the result is not OK. 226 optional string extra_details = 4; 227} 228 229// `DEVICE_SETUP_CERTIFICATE` specific metadata. 230message DeviceSetupCertificateMetadata { 231 // This will eventually be a DUSI. For now, this will be a 36 character GUID. 232 // This will be used as the CN of the Remote Attestation certificate. 233 optional string id = 1; 234 235 // Unix timestamp (in seconds) of the generation of the request. 236 optional uint64 timestamp_seconds = 2; 237 238 // The generated certificate will be bound to this value. This is used to 239 // prevent replay attacks. Currently it is the FIDO credential id. 240 optional string content_binding = 3; 241} 242 243// The certificate request to be sent to the attestation server. 244message AttestationCertificateRequest { 245 // The AIK cert in X.509 format. 246 optional bytes identity_credential = 1; 247 // A certified public key in TPM_PUBKEY (TPMT_PUBLIC for TPM 2.0). 248 optional bytes certified_public_key = 3; 249 // The serialized TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) for the 250 // certified key. 251 optional bytes certified_key_info = 4; 252 // The signature of the TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) by the AIK. 253 optional bytes certified_key_proof = 5; 254 // A message identifier to be included in the response. 255 optional bytes message_id = 10; 256 // The certificate profile defines the type of certificate to issue. 257 optional CertificateProfile profile = 11; 258 // Information about the origin of the request which may be used depending on 259 // the certificate profile. 260 optional string origin = 12; 261 // The index of a temporal value. This may be used or ignored depending on 262 // the certificate profile. 263 optional int32 temporal_index = 13; 264 // The device TPM version. 265 optional TpmVersion tpm_version = 14; 266 // NVRAM quoted by AIK. Keys are values of the NVRAMQuoteType. This is used 267 // by the following profiles: 268 // - `ENTERPRISE_ENROLLMENT_CERTIFICATE` 269 // - `ENTERPRISE_VTPM_EK_CERTIFICATE` 270 // - `UDS_CERTIFICATE` 271 map<int32, Quote> nvram_quotes = 15; 272 // Certificate profile specific metadata. 273 oneof metadata { 274 // `DEVICE_SETUP_CERTIFICATE` specific metadata. 275 DeviceSetupCertificateMetadata device_setup_certificate_metadata = 16; 276 } 277 // ADID read from the VPD. Used as the host identifier incorporated in the 278 // certificates. 279 // Used for `ENTERPRISE_ENROLLMENT_CERTIFICATE` and 280 // `ENTERPRISE_VTPM_EK_CERTIFICATE` profiles only. 281 optional bytes attested_device_id = 17; 282} 283 284// The response from the attestation server for the certificate request. 285message AttestationCertificateResponse { 286 optional ResponseStatus status = 1; 287 // Short detail response message. Included when the result is not OK. 288 optional string detail = 2; 289 // The credential of the certified key in X.509 format. 290 optional bytes certified_key_credential = 3; 291 // The issuer intermediate CA certificate in X.509 format. 292 optional bytes intermediate_ca_cert = 5; 293 // A message identifier from the request this message is responding to. 294 optional bytes message_id = 6; 295 // Additional intermediate CA certificates that can help in validation. 296 // Certificate chaining order is from the leaf to the root. That is, 297 // |certified_key_credential| is signed by 298 // |intermediate_ca_cert|, which is signed by 299 // |additional_intermediate_ca_cert(0)|, which is signed by 300 // |additional_intermediate_ca_cert(1)|, ... and so on. 301 repeated bytes additional_intermediate_ca_cert = 7; 302 // Extra details included when the result is not OK. 303 optional string extra_details = 8; 304} 305 306// The reset request to be sent to the attestation server. 307message AttestationResetRequest { 308 // The AIK cert, in X.509 form, encrypted using the server's public key with 309 // the following parameters: 310 // Key encryption: RSA-OAEP with no custom parameters. 311 // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. 312 // MAC: HMAC-SHA-512 using the AES key. 313 optional EncryptedData encrypted_identity_credential = 1; 314 315 // The one time token to make sure the reset process can be triggered only 316 // once. 317 optional bytes token = 2; 318 319 // The EK cert, in X.509 form, encrypted using the server's public key with 320 // the following parameters: 321 // Key encryption: RSA-OAEP with no custom parameters. 322 // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. 323 // MAC: HMAC-SHA-512 using the AES key. 324 optional EncryptedData encrypted_endorsement_credential = 3; 325} 326 327// The response from the attestation server for the reset request. 328message AttestationResetResponse { 329 // The response status. 330 optional ResponseStatus status = 1; 331 // Short detail response message. Included when the result is not OK. 332 optional string detail = 2; 333 // Extra details included when the result is not OK. 334 optional string extra_details = 3; 335} 336 337// The challenge data (as in challenge-response) generated by the server. 338// Before transmitted to the client, this message will be wrapped as a 339// SignedData message, in which the data field is the serialized Challenge 340// message, and the signature field is the signature of the data field signed 341// by the enterprise server using a hard-coded key. The signature algorithm is 342// RSASSA-PKCS1-v1_5-SHA256. 343message Challenge { 344 // A string for the client to sanity check a legitimate challenge. 345 optional string prefix = 1; 346 // A 256-bit random value generated by the server. 347 optional bytes nonce = 2; 348 // A timestamp for a stateless server to limit the timeframe during which the 349 // challenge may be replayed. 350 optional int64 timestamp = 3; 351} 352 353// The response data (as in challenge-response) generated by the client. 354// Before transmitted to the server, this message will be wrapped as a 355// SignedData message, in which the data field is the serialized 356// ChallengeResponse message, and the signature field is the signature of the 357// data field signed by the client using the key being challenged. The 358// signature algorithm is RSASSA-PKCS1-v1_5-SHA256. 359message ChallengeResponse { 360 // The original challenge data. 361 optional SignedData challenge = 1; 362 // A 256-bit random value generated by the client. Mixing in this nonce 363 // prevents a caller from using a challenge to sign arbitrary data. 364 optional bytes nonce = 2; 365 // The KeyInfo message encrypted using a public encryption key, pushed via 366 // policy with the following parameters: 367 // Key encryption: RSA-OAEP with no custom parameters. 368 // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. 369 // MAC: HMAC-SHA-512 using the AES key. 370 optional EncryptedData encrypted_key_info = 3; 371} 372 373// The data type of the message decrypted from 374// ChallengeResponse.encrypted_key_info.encrypted_data field. This message holds 375// information required by the Verified Access server API (VA) to complete the 376// verification. 377message KeyInfo { 378 // Determines the verification flow on VA and the content of the VA response. 379 optional VerifiedAccessFlow flow_type = 1; 380 // Domain information about the device or user associated with the VA flow 381 // type. For `flow_type` ENTERPRISE_MACHINE, this value is the enrolled 382 // domain. For `flow_type` ENTERPRISE_USER, this value is the user's email 383 // address. 384 optional string domain = 2; 385 // The virtual device ID associated with the device or user. 386 optional bytes device_id = 3; 387 // If the `flow_type` is ENTERPRISE_MACHINE, this value is the PCA-issued 388 // certificate for the key. 389 optional bytes certificate = 4; 390 // If the `flow_type` is ENTERPRISE_USER, this value may hold a 391 // SignedPublicKeyAndChallenge with a random challenge. The 392 // SignedPublicKeyAndChallenge specification is here: 393 // https://developer.mozilla.org/en-US/docs/HTML/Element/keygen. 394 optional bytes signed_public_key_and_challenge = 5; 395 // The identifier of the customer, as defined by the Google Admin SDK at 396 // https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers 397 optional string customer_id = 6; 398 // A new field which contains public key generated by the CBCM-enrolled 399 // browser if key type is CBCM 400 optional bytes browser_instance_public_key = 7; 401 // A new field which indicated the signing scheme used for the outer 402 // SignedData message. We should populate this for any `flow_type`. For 403 // `flow_type` ENTERPRISE_USER/ENTERPRISE_MACHINE (ChromeOS use case), this 404 // will currently say "SHA256withRSA" at all times, but we should start 405 // supporting ECDSA signing in the near future as per 2020 OKRs. For 406 // `flow_type` CBCM, this will be one of the permitted_schemes from 407 // DeviceIdentity policy. 408 optional string signing_scheme = 8; 409 // Device Trust Signals 410 // Deprecated due to signals collection change to store signals in a 411 // dictionary and converting them to a JSON string. Use 412 // `device_trust_signals_json` instead. 413 reserved 9; 414 // Device Trust Signals 415 optional string device_trust_signals_json = 10; 416 // DM token to be used for this request. 417 optional string dm_token = 11; 418 // The identifier of the customer for the managed user, as defined by the 419 // Google Admin SDK at 420 // https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers. 421 optional string user_customer_id = 12; 422 // Obfuscated gaia ID associated with the signed in managed user. 423 optional string obfuscated_gaia_id = 13; 424 // The ID of a profile on the device. 425 optional string profile_id = 14; 426} 427 428// Device Trust Signals 429message DeviceTrustSignals { 430 option deprecated = true; 431 432 // Device Id 433 optional string device_id = 1; 434 // Obfuscated CBCM-enrolled Customer Id 435 optional string obfuscated_customer_id = 2; 436 // Device serial number 437 optional string serial_number = 3; 438 // Human readable name for this device 439 optional string display_name = 4; 440 // OS running on the device (e.g. Chrome OS) 441 optional string os = 5; 442 // Device manufacturer (e.g. Dell) 443 optional string device_manufacturer = 6; 444 // Device model (e.g. iPhone 12 Max) 445 optional string device_model = 7; 446 // OS version (e.g. macOS 10.15.7) 447 optional string os_version = 8; 448 // IMEI 449 repeated string imei = 9; 450 // MEID 451 repeated string meid = 10; 452 // Hash of the EKPub certificate of the TPM on the device, if available. 453 optional string tpm_hash = 11; 454 // Is the disk encrypted 455 optional bool is_disk_encrypted = 12; 456 // Value of the AllowScreenLock policy. 457 // https://chromeenterprise.google/policies/?policy=AllowScreenLock 458 optional bool allow_screen_lock = 13; 459 // Is the access to the OS user protected by a password 460 optional bool is_protected_by_password = 14; 461 // Is the device jailbroken or modified 462 optional bool is_jailbroken = 15; 463 // The CBCM enrollment domain of the browser. 464 optional string enrollment_domain = 16; 465 // Browser Version 466 optional string browser_version = 17; 467 // Value of the SafeBrowsingProtectionLevel policy. 468 // https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel 469 optional int32 safe_browsing_protection_level = 18; 470 // Value of the SitePerProcess policy. 471 // https://chromeenterprise.google/policies/#SitePerProcess 472 optional bool site_isolation_enabled = 19; 473 // ThirdPartyBlockingEnabled 474 optional bool third_party_blocking_enabled = 20; 475 // To determine whether users can access other computers 476 // from Chrome using Chrome Remote Desktop 477 optional bool remote_desktop_available = 21; 478 // Signed in profile name 479 optional string signed_in_profile_name = 22; 480 // ChromeCleanupEnabled 481 optional bool chrome_cleanup_enabled = 23; 482 // PasswordProtectionWarningTrigger 483 optional int32 password_protection_warning_trigger = 24; 484 // DNS address 485 optional string dns_address = 25; 486 // BuiltInDnsClientEnabled 487 optional bool built_in_dns_client_enabled = 26; 488 // Whether the OS firewall is turned on 489 optional bool firewall_on = 27; 490 // The Windows domain the device has joined 491 optional string windows_domain = 28; 492} 493 494// Possible VA flows supported by the Verified Access server API and chromium. 495// The values will be used to distinguish between different prerequisites, 496// verification methods and contents of VA challenge response. 497enum VerifiedAccessFlow { 498 // The flow of creating a challenge response for enterprise machine 499 // verification. The VA challenge will be signed with the EMK. ChromeOS only. 500 // Uses CertificateProfile: ENTERPRISE_MACHINE_CERTIFICATE 501 // Uses AttestationKeyType: KEY_DEVICE 502 ENTERPRISE_MACHINE = 0; 503 // The flow of creating a challenge response for enterprise user verification. 504 // The VA challenge will be signed with the EUK. ChromeOS only. 505 // Uses CertificateProfile: ENTERPRISE_USER_CERTIFICATE 506 // Uses AttestationKeyType: KEY_USER 507 ENTERPRISE_USER = 1; 508 // The flow of creating a challenge response for verifying a managed Chrome 509 // Browser. It does not use remote attestation and instead relies on a key 510 // exchange to sign the VA challenge. Chrome Browser only. 511 // Uses CertificateProfile: n.a. 512 // Uses AttestationKeyType: n.a. 513 CBCM = 2; 514 // The flow of creating a challenge response for verification during the 515 // Device Trust Connector handshake. The VA challenge will be signed with a 516 // device key. ChromeOS only. 517 // Uses CertificateProfile: DEVICE_TRUST_USER_CERTIFICATE 518 // Uses AttestationKeyType: KEY_DEVICE 519 DEVICE_TRUST_CONNECTOR = 3; 520} 521