// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
package cryptohome;
// Holds TPM credentials that the attestation server will need to see. These
// credentials must be cleared once the attestation server has certified the
// AIK.
// NOTE(review): the clearing requirement is a contract on the code that owns
// this message; nothing in the schema enforces it. Presumably it exists
// because the endorsement key (EK) identifies the TPM itself -- confirm with
// the callers that persist this message.
message TPMCredentials {
  // Public part of the endorsement key (EK). The encoding is not stated in
  // this file -- TODO confirm.
  optional bytes endorsement_public_key = 1;
  // The EK credential in the clear. Field 5 holds an encrypted form of it.
  // AttestationEnrollmentRequest describes the EK cert as X.509.
  optional bytes endorsement_credential = 2;
  // NOTE(review): undocumented in the original; purpose and encoding are not
  // visible here -- confirm before relying on it.
  optional bytes platform_credential = 3;
  // NOTE(review): undocumented in the original; purpose and encoding are not
  // visible here -- confirm before relying on it.
  optional bytes conformance_credential = 4;
  // The |endorsement_credential| encrypted with a public key associated with
  // the default Chrome OS Privacy CA.
  optional EncryptedData default_encrypted_endorsement_credential = 5;
  // NOTE(review): undocumented in the original; by its name, the same
  // credential encrypted for an alternate Privacy CA -- confirm which public
  // key is used.
  optional EncryptedData alternate_encrypted_endorsement_credential = 6;
}
// Holds information relevant to a particular AIK: its public key, the TPM key
// blob, and the credential the attestation server issued for it.
message IdentityKey {
  // The DER encoded public key.
  optional bytes identity_public_key = 1;
  // The TPM-specific key blob that can be loaded back into the TPM.
  // NOTE(review): presumably wrapped by the TPM and unusable elsewhere;
  // confirm, and treat the stored blob as sensitive either way.
  optional bytes identity_key_blob = 2;
  // A credential issued by the attestation server. Absent until enrollment
  // has completed (presumably -- confirm against the writer).
  optional bytes identity_credential = 3;
}
// Holds information required to verify the binding of an AIK to an EK. This
// information should be cleared once the attestation server has certified the
// AIK.
// NOTE(review): as with TPMCredentials, clearing is the owner's job; the
// schema cannot enforce it.
message IdentityBinding {
  // The binding data, as output by the TPM_MakeIdentity operation.
  optional bytes identity_binding = 1;
  // The AIK public key, DER encoded.
  optional bytes identity_public_key_der = 2;
  // The AIK public key, in TPM_PUBKEY form. Fields 2 and 3 describe the same
  // key in two encodings; NOTE(review): a verifier should not assume they
  // agree without checking.
  optional bytes identity_public_key = 3;
  // The label used during AIK creation.
  optional bytes identity_label = 4;
  // The PCA public key used during AIK creation, in TPM_PUBKEY form.
  optional bytes pca_public_key = 5;
}
// Holds information about a quote generated by the TPM.
// Only |quote| is described as a signature; the other fields are inputs that
// help a verifier check it.
message Quote {
  // The quote; a signature generated with the AIK.
  optional bytes quote = 1;
  // The serialized data that was quoted; this assists in verifying the quote.
  // NOTE(review): a verifier should check |quote| over these exact bytes
  // rather than trusting the field on its own.
  optional bytes quoted_data = 2;
  // The value of the PCR(s) at the time the quote was generated.
  // NOTE(review): how this value is tied to |quoted_data| is not visible
  // here -- confirm the verifier checks that link.
  optional bytes quoted_pcr_value = 3;
  // Source data which was originally used to extend the PCR. If this field
  // exists it can be expected that SHA1(pcr_source_hint) was extended into the
  // PCR.
  // NOTE(review): this is a hint. Recompute the digest and compare it with
  // the quoted PCR value instead of accepting the hint as authenticated.
  optional bytes pcr_source_hint = 4;
}
// Holds owner delegation information.
// AttestationDatabase stores one of these in its |delegate| field, so the
// protection of that database decides who can read |secret|.
message Delegation {
  // The delegate owner blob.
  optional bytes blob = 1;
  // The authorization secret. Carried as raw bytes in this message; keep it
  // out of logs and debug dumps.
  optional bytes secret = 2;
  // Whether this delegate has permissions to call TPM_ResetLockValue.
  optional bool has_reset_lock_permissions = 3;
}
// This message holds all information to be sent to the attestation server in
// order to complete enrollment.
message AttestationEnrollmentRequest {
  // The EK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  // Key encryption: RSA-OAEP with no custom parameters.
  // Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  // MAC: HMAC-SHA-512 using the AES key.
  // NOTE(review): as written, one key serves both AES-CBC and HMAC. The
  // receiver should verify the MAC before decrypting so that padding errors
  // are never reported for unauthenticated ciphertext.
  optional EncryptedData encrypted_endorsement_credential = 1;
  // The AIK public key, in TPM_PUBKEY form.
  optional bytes identity_public_key = 2;
  // PCR0 quoted by AIK.
  optional Quote pcr0_quote = 3;
  // PCR1 quoted by AIK.
  optional Quote pcr1_quote = 4;
}
// Carries the identity credential back to the client in encrypted form.
// These two fields are suitable for passing to Tspi_TPM_ActivateIdentity()
// directly.
message EncryptedIdentityCredential {
  // TPM_ASYM_CA_CONTENTS, encrypted with EK public key.
  optional bytes asym_ca_contents = 1;
  // TPM_SYM_CA_ATTESTATION, encrypted with the key in asym_ca_contents.
  optional bytes sym_ca_attestation = 2;
}
// Status reported by the attestation server. Used by the enrollment,
// certificate and reset response messages in this file.
// NOTE(review): OK is the first value. The `optional` labels suggest proto2
// semantics, under which an absent status field reads back as OK; consumers
// should check field presence before treating a response as successful.
enum ResponseStatus {
  // The request succeeded.
  OK = 0;
  // Internal server error.
  SERVER_ERROR = 1;
  // The server cannot parse the request.
  BAD_REQUEST = 2;
  // The server rejects the request.
  REJECT = 3;
  // Only appears in enrollment response. The server returns the same
  // generated id and reports this status when the number of reset actions in
  // a specified time window exceeds the self reset limit.
  QUOTA_LIMIT_EXCEEDED = 4;
}
// The response from the attestation server for the enrollment request.
message AttestationEnrollmentResponse {
  // Outcome of the request; see ResponseStatus.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  // NOTE(review): server-supplied free text; treat it as untrusted if it is
  // logged or shown to a user.
  optional string detail = 2;
  // The issued identity credential, encrypted so that it can be handed to
  // Tspi_TPM_ActivateIdentity() (see EncryptedIdentityCredential).
  optional EncryptedIdentityCredential encrypted_identity_credential = 3;
}
// Selects the type of certificate the attestation server is asked to issue
// (see AttestationCertificateRequest.profile).
// NOTE(review): value 0 is a real profile. The `optional` labels suggest
// proto2 semantics, under which a request that omits |profile| reads back as
// ENTERPRISE_MACHINE_CERTIFICATE; a server should check presence rather than
// rely on the default.
enum CertificateProfile {
  // A certificate intended for enterprise-owned devices. It has the following
  // subjectName fields:
  // CN=<stable device identifier>
  // OU=state:[verified|developer]
  // O=Chrome Device Enterprise
  ENTERPRISE_MACHINE_CERTIFICATE = 0;
  // A certificate intended for enterprise-owned user accounts. It has the
  // following subjectName fields:
  // OU=state:[verified|developer]
  // O=Chrome Device Enterprise
  ENTERPRISE_USER_CERTIFICATE = 1;
  // A certificate intended for platform verification by providers of
  // protected content. It has the following subjectName fields:
  // O=Chrome Device Content Protection
  CONTENT_PROTECTION_CERTIFICATE = 2;
  // Like above, but it also includes a stable ID and origin.
  // CN=<origin-specific device identifier>
  // OU=<origin>
  // O=Chrome Device Content Protection
  CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3;
  // A certificate intended for cast devices.
  CAST_CERTIFICATE = 4;
  // NOTE(review): undocumented in the original; subject fields and intended
  // use are not visible here.
  GFSC_CERTIFICATE = 5;
  // NOTE(review): undocumented in the original; subject fields and intended
  // use are not visible here.
  JETSTREAM_CERTIFICATE = 6;
}
// The certificate request to be sent to the attestation server.
// Field numbers 2 and 6-9 are not used by this message.
// NOTE(review): if those numbers belonged to removed fields, a `reserved`
// statement would stop them being reused with a different meaning.
message AttestationCertificateRequest {
  // The AIK cert in X.509 format.
  optional bytes identity_credential = 1;
  // A certified public key in TPM_PUBKEY.
  optional bytes certified_public_key = 3;
  // The serialized TPM_CERTIFY_INFO for the certified key.
  optional bytes certified_key_info = 4;
  // The signature of the TPM_CERTIFY_INFO by the AIK.
  optional bytes certified_key_proof = 5;
  // A message identifier to be included in the response.
  optional bytes message_id = 10;
  // The certificate profile defines the type of certificate to issue.
  optional CertificateProfile profile = 11;
  // Information about the origin of the request which may be used depending
  // on the certificate profile.
  // NOTE(review): CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID places the
  // origin in the subject (OU=<origin>), so the server should validate this
  // client-supplied string before embedding it.
  optional string origin = 12;
  // The index of a temporal value. This may be used or ignored depending on
  // the certificate profile.
  optional int32 temporal_index = 13;
}
// The response from the attestation server for the certificate request.
// Field number 4 is not used by this message.
message AttestationCertificateResponse {
  // Outcome of the request; see ResponseStatus.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  optional string detail = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 5;
  // A message identifier from the request this message is responding to.
  // NOTE(review): the client should compare this with the |message_id| it
  // sent before accepting the certificate -- confirm the caller does so.
  optional bytes message_id = 6;
  // Additional intermediate CA certificates that can help in validation.
  // Certificate chaining order is from the leaf to the root. That is,
  // |certified_key_credential| is signed by
  // |intermediate_ca_cert|, which is signed by
  // |additional_intermediate_ca_cert(0)|, which is signed by
  // |additional_intermediate_ca_cert(1)|, ... and so on.
  // NOTE(review): these certificates arrive in the response itself, so they
  // help build a chain but cannot serve as its trust anchor.
  repeated bytes additional_intermediate_ca_cert = 7;
}
// Holds all information that a client stores locally.
// This aggregates sensitive material defined elsewhere in this file: the
// delegate authorization secret (Delegation.secret), TPM key blobs, and the
// TPMCredentials / IdentityBinding messages whose own comments ask for them
// to be cleared once the AIK is certified.
// NOTE(review): how the serialized database is protected at rest is not
// visible here -- confirm.
// Field number 1 is not used by this message.
message AttestationDatabase {
  // EK-related credentials; to be cleared after AIK certification.
  optional TPMCredentials credentials = 2;
  // AIK-to-EK binding data; to be cleared after AIK certification.
  optional IdentityBinding identity_binding = 3;
  // The AIK and its credential.
  optional IdentityKey identity_key = 4;
  // Quote of PCR0 (by name; see AttestationEnrollmentRequest.pcr0_quote).
  optional Quote pcr0_quote = 5;
  // Quote of PCR1 (by name; see AttestationEnrollmentRequest.pcr1_quote).
  optional Quote pcr1_quote = 12;
  // Owner delegation data, including its authorization secret.
  optional Delegation delegate = 6;
  // Certified keys; by name, those scoped to the device -- TODO confirm.
  repeated CertifiedKey device_keys = 7;
  // One temporal index entry.
  // NOTE(review): by the field names, keyed by hashes of a user and an
  // origin; the hash function is not stated here -- confirm.
  message TemporalIndexRecord {
    optional bytes user_hash = 1;
    optional bytes origin_hash = 2;
    optional int32 temporal_index = 3;
  }
  repeated TemporalIndexRecord temporal_index_record = 8;
  // NOTE(review): the alternate_* fields are undocumented in the original;
  // by name they mirror fields 3, 4, 5 and 12 for a second identity
  // (presumably the alternate Privacy CA) -- confirm.
  optional IdentityBinding alternate_identity_binding = 9;
  optional IdentityKey alternate_identity_key = 10;
  optional Quote alternate_pcr0_quote = 11;
  optional Quote alternate_pcr1_quote = 13;
}
// Holds encrypted data and information required to decrypt it.
// The messages in this file that use this type describe the scheme as
// RSA-OAEP key encryption, AES-CBC with PKCS5 padding, and HMAC-SHA-512 keyed
// with the AES key.
// NOTE(review): with CBC and padding, a receiver should check |mac| (ideally
// with a constant-time comparison) before attempting decryption, so that
// padding errors are never observable for unauthenticated input.
// Field number 1 is not used by this message.
message EncryptedData {
  // A key that has been sealed to the TPM or wrapped by another key.
  optional bytes wrapped_key = 2;
  // The initialization vector used during encryption.
  optional bytes iv = 3;
  // MAC of (iv || encrypted_data).
  // NOTE(review): as documented, |wrapped_key| and |wrapping_key_id| are not
  // part of the MAC input -- confirm that altering them is detected some
  // other way (e.g. unwrapping or MAC verification then fails).
  optional bytes mac = 4;
  // The ciphertext (by name; undocumented in the original).
  optional bytes encrypted_data = 5;
  // An identifier for the wrapping key to assist in decryption.
  optional bytes wrapping_key_id = 6;
}
// The reset request to be sent to the attestation server.
message AttestationResetRequest {
  // The AIK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  // Key encryption: RSA-OAEP with no custom parameters.
  // Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  // MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_identity_credential = 1;
  // The one time token to make sure the reset process can be triggered only
  // once.
  // NOTE(review): single use depends on the server recording spent tokens;
  // how the token is issued and checked is not visible here.
  optional bytes token = 2;
  // The EK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  // Key encryption: RSA-OAEP with no custom parameters.
  // Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  // MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_endorsement_credential = 3;
}
// The response from the attestation server for the reset request. It carries
// only a status and an optional detail string.
message AttestationResetResponse {
  // The response status.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  optional string detail = 2;
}
// The wrapper message of any data and its signature.
// The message does not record which key or algorithm produced |signature|;
// the Challenge and ChallengeResponse comments in this file state
// RSASSA-PKCS1-v1_5-SHA256 for their uses.
// NOTE(review): verify |signature| over the exact |data| bytes before parsing
// them; re-serializing a parsed message may not reproduce the signed bytes.
message SignedData {
  // The data to be signed.
  optional bytes data = 1;
  // The signature of the data field.
  optional bytes signature = 2;
}
// The challenge data (as in challenge-response) generated by the server.
// Before being transmitted to the client, this message will be wrapped as a
// SignedData message, in which the data field is the serialized Challenge
// message, and the signature field is the signature of the data field signed
// by the enterprise server using a hard-coded key. The signature algorithm is
// RSASSA-PKCS1-v1_5-SHA256.
// NOTE(review): a hard-coded signing key presumably means the client pins the
// matching public key, so rotating it needs a client update -- confirm.
message Challenge {
  // A string for the client to sanity check a legitimate challenge.
  // NOTE(review): this is a format check only; authenticity comes from the
  // SignedData signature.
  optional string prefix = 1;
  // A 256-bit random value generated by the server.
  optional bytes nonce = 2;
  // A timestamp for a stateless server to limit the timeframe during which
  // the challenge may be replayed.
  // NOTE(review): units and epoch are not stated here -- confirm. Replay
  // inside the accepted window is still possible for a stateless server.
  optional int64 timestamp = 3;
}
// The response data (as in challenge-response) generated by the client.
// Before being transmitted to the server, this message will be wrapped as a
// SignedData message, in which the data field is the serialized
// ChallengeResponse message, and the signature field is the signature of the
// data field signed by the client using the key being challenged. The
// signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message ChallengeResponse {
  // The original challenge data.
  // NOTE(review): this is echoed by the client, so the server should verify
  // its own signature on it and the Challenge timestamp again -- confirm.
  optional SignedData challenge = 1;
  // A 256-bit random value generated by the client. Mixing in this nonce
  // prevents a caller from using a challenge to sign arbitrary data.
  optional bytes nonce = 2;
  // The KeyInfo message encrypted using a public encryption key, pushed via
  // policy with the following parameters:
  // Key encryption: RSA-OAEP with no custom parameters.
  // Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  // MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_key_info = 3;
}
// Holds information about a certified key: the TPM-wrapped key, its public
// part, and the certificate chain issued for it.
message CertifiedKey {
  // The TPM-wrapped key blob.
  optional bytes key_blob = 1;
  // The public key in ASN.1 DER form.
  optional bytes public_key = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 4;
  // A key name. This is not necessarily a unique identifier.
  // NOTE(review): because names may collide, do not use this field alone to
  // decide which key an operation applies to.
  optional bytes key_name = 5;
  // An arbitrary payload associated with the key.
  optional bytes payload = 6;
  // Additional intermediate CA certificates that help chain up to the root
  // CA. See |AttestationCertificateResponse.additional_intermediate_ca_cert|
  // for more detail.
  repeated bytes additional_intermediate_ca_cert = 7;
}
// The data type of the message decrypted from the
// ChallengeResponse.encrypted_key_info.encrypted_data field. This message
// holds information required by the enterprise server to complete the
// verification.
// For an EUK this message contains the user's email address, so the decrypted
// form is personal data on the server side.
message KeyInfo {
  // Indicates whether the key is an EMK or EUK.
  // NOTE(review): EMK is value 0, so an omitted |key_type| reads back as EMK
  // under proto2 defaults; the server should check presence.
  optional KeyType key_type = 1;
  // Domain information about the device or user associated with the key. For
  // an EMK, this value is the enrolled domain. For an EUK, this value is the
  // user's email address.
  optional string domain = 2;
  // The virtual device ID associated with the device or user.
  optional bytes device_id = 3;
  // If the key is an EUK, this value is the PCA-issued certificate for the
  // key.
  optional bytes certificate = 4;
  // If the key is an EUK, this value may hold a SignedPublicKeyAndChallenge
  // with a random challenge. The SignedPublicKeyAndChallenge specification is
  // here: https://developer.mozilla.org/en-US/docs/HTML/Element/keygen.
  optional bytes signed_public_key_and_challenge = 5;
}
// Distinguishes the two enterprise key kinds reported in KeyInfo.key_type.
enum KeyType {
  // Enterprise machine key.
  EMK = 0;
  // Enterprise user key.
  EUK = 1;
}