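//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

// Declared explicitly: every field below relies on proto2 presence
// semantics (|optional| labels, has_*() accessors). Without this line protoc
// still assumes proto2 but emits a "no syntax specified" warning.
syntax = "proto2";

package attestation;

// Provides KeyType, KeyUsage, CertificateProfile, Quote and
// EncryptedIdentityCredential. Because this file uses LITE_RUNTIME,
// common.proto must use it as well (a lite file cannot import a full one).
import "common.proto";

// Lite runtime: generated classes carry no descriptors or reflection, so
// dynamic/text-format inspection of these messages is not available.
option optimize_for = LITE_RUNTIME;

// Result code carried in the |status| field of every *Reply message in this
// file. Note that 0 is also the default for an unset field, so callers that
// need to distinguish "not set" from success must check has_status().
enum AttestationStatus {
  // The operation completed successfully.
  STATUS_SUCCESS = 0;
  // The underlying device reported an error that was not anticipated.
  STATUS_UNEXPECTED_DEVICE_ERROR = 1;
  // The requested feature or key is not available.
  STATUS_NOT_AVAILABLE = 2;
  // The service is not yet ready to perform the operation.
  STATUS_NOT_READY = 3;
  // The operation is not permitted.
  STATUS_NOT_ALLOWED = 4;
  // A request field was missing or malformed.
  STATUS_INVALID_PARAMETER = 5;
  // The CA refused the request; see CreateGoogleAttestedKeyReply.server_error.
  STATUS_REQUEST_DENIED_BY_CA = 6;
  // The CA could not be reached.
  STATUS_CA_NOT_AVAILABLE = 7;
}

// Request to create a new key and obtain a certificate for it from the Google
// Attestation CA.
message CreateGoogleAttestedKeyRequest {
  // An arbitrary label which can be used to reference the key later.
  optional string key_label = 1;
  // The type of key to create (see KeyType in common.proto).
  optional KeyType key_type = 2;
  // The intended usage of the key (see KeyUsage in common.proto).
  optional KeyUsage key_usage = 3;
  // Describes the certificate to be requested of the CA.
  optional CertificateProfile certificate_profile = 4;
  // Provided if the new key should be accessible only by a particular user. If
  // this field is not set or is the empty string, the key will be accessible
  // system-wide.
  optional string username = 5;
  // If the |certificate_profile| is intended to be bound to a particular origin
  // this field specifies the origin. For most profiles this is not required.
  optional string origin = 6;
}

// Reply to CreateGoogleAttestedKeyRequest.
message CreateGoogleAttestedKeyReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // More information about a server-side error. This only exists
  // if status=REQUEST_DENIED_BY_CA. The text originates from the CA and should
  // be treated as untrusted when logged or displayed.
  optional string server_error = 2;
  // A PEM-encoded list of X.509 certificates starting with the requested
  // certificate issued by the CA and followed by certificates for any
  // intermediate authorities, in order. The Google Attestation CA root
  // certificate is well-known and not included, so a verifier must supply
  // that trust anchor itself; the chain alone does not terminate in a root.
  optional string certificate_chain = 3;
}

// Request for information about an existing key.
message GetKeyInfoRequest {
  // Label of the key, as given when the key was created.
  optional string key_label = 1;
  // Selects a user-specific key; same semantics as the |username| field of
  // CreateGoogleAttestedKeyRequest (unset or empty means system-wide).
  optional string username = 2;
}

// Reply to GetKeyInfoRequest.
message GetKeyInfoReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The type of the key (see KeyType in common.proto).
  optional KeyType key_type = 2;
  // The usage of the key (see KeyUsage in common.proto).
  optional KeyUsage key_usage = 3;
  // The public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes public_key = 4;
  // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the key.
  optional bytes certify_info = 5;
  // The signature of certify_info by the Attestation Key. A verifier checks it
  // with the attestation public key (see GetAttestationKeyInfoReply).
  optional bytes certify_info_signature = 6;
  // The certificate data associated with the key (if any).
  optional bytes certificate = 7;
}

// Request for the endorsement key (EK) information.
message GetEndorsementInfoRequest {
  // The type of endorsement key to report on (see KeyType in common.proto).
  optional KeyType key_type = 1;
}

// Reply to GetEndorsementInfoRequest.
message GetEndorsementInfoReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The endorsement public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes ek_public_key = 2;
  // The endorsement certificate (X.509/DER).
  optional bytes ek_certificate = 3;
}

// Request for information about the attestation key.
message GetAttestationKeyInfoRequest {
  // The type of attestation key to report on (see KeyType in common.proto).
  optional KeyType key_type = 1;
}

// Reply to GetAttestationKeyInfoRequest.
message GetAttestationKeyInfoReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The attestation public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes public_key = 2;
  // The attestation public key in TPM_PUBKEY form.
  optional bytes public_key_tpm_format = 3;
  // The attestation key certificate.
  optional bytes certificate = 4;
  // A quote of PCR0 at the time of attestation key creation (see Quote in
  // common.proto).
  optional Quote pcr0_quote = 5;
  // A quote of PCR1 at the time of attestation key creation.
  optional Quote pcr1_quote = 6;
}

// Request to activate the attestation key by decrypting the CA-issued
// identity credential.
message ActivateAttestationKeyRequest {
  // The type of attestation key to activate (see KeyType in common.proto).
  optional KeyType key_type = 1;
  // The encrypted attestation key certificate (see EncryptedIdentityCredential
  // in common.proto).
  optional EncryptedIdentityCredential encrypted_certificate = 2;
  // As the name suggests, whether the decrypted certificate should also be
  // retained by the service rather than only returned in the reply.
  optional bool save_certificate = 3;
}

// Reply to ActivateAttestationKeyRequest.
message ActivateAttestationKeyReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The decrypted attestation key certificate.
  optional bytes certificate = 2;
}

// Request to create a new key that is certified by the Attestation Key.
message CreateCertifiableKeyRequest {
  // An arbitrary label which can be used to reference the key later.
  optional string key_label = 1;
  // Provided if the new key should be accessible only by a
  // particular user. If this field is not set or is the empty
  // string, the key will be accessible system-wide.
  optional string username = 2;
  // The type of key to create (see KeyType in common.proto).
  optional KeyType key_type = 3;
  // The intended usage of the key (see KeyUsage in common.proto).
  optional KeyUsage key_usage = 4;
}

// Reply to CreateCertifiableKeyRequest.
message CreateCertifiableKeyReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The new public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes public_key = 2;
  // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key.
  optional bytes certify_info = 3;
  // The signature of certify_info by the Attestation Key.
  optional bytes certify_info_signature = 4;
}

// Request to decrypt data with an existing key.
message DecryptRequest {
  // Label of the key to use.
  optional string key_label = 1;
  // Selects a user-specific key; unset or empty means system-wide.
  optional string username = 2;
  // The ciphertext. The encryption scheme and padding are not specified by
  // this file; see the implementation.
  optional bytes encrypted_data = 3;
}

// Reply to DecryptRequest.
message DecryptReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The plaintext, present only on success.
  optional bytes decrypted_data = 2;
}

// Request to sign data with an existing key.
message SignRequest {
  // Label of the key to use.
  optional string key_label = 1;
  // Selects a user-specific key; unset or empty means system-wide.
  optional string username = 2;
  // The data to be signed. The signature scheme (and whether |data_to_sign| is
  // hashed first) is not specified by this file; see the implementation.
  optional bytes data_to_sign = 3;
}

// Reply to SignRequest.
message SignReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
  // The signature over |data_to_sign|, present only on success.
  optional bytes signature = 2;
}

// Request to register an existing key with the Chaps (PKCS #11) token.
message RegisterKeyWithChapsTokenRequest {
  // Label of the key to register.
  optional string key_label = 1;
  // Selects a user-specific key; unset or empty means system-wide.
  optional string username = 2;
}

// Reply to RegisterKeyWithChapsTokenRequest.
message RegisterKeyWithChapsTokenReply {
  // Result of the operation.
  optional AttestationStatus status = 1;
}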