| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // DEPRECATED! Attestation is moving to platform2/attestation. In |
| // particular, all work for supporting TPM 2.0 is there. This file should be |
| // kept in sync with platform2/attestation/common/*.proto but should not |
| // contain any changes not already present there. |
| |
| syntax = "proto2"; |
| |
| package cryptohome; |
| |
| // Holds TPM credentials that the attestation server will need to see. These |
| // credentials must be cleared once the attestation server has certified the |
| // AIK. |
| message TPMCredentials { |
| optional bytes endorsement_public_key = 1; |
| optional bytes endorsement_credential = 2; |
| optional bytes platform_credential = 3; |
| optional bytes conformance_credential = 4; |
| optional EncryptedData default_encrypted_endorsement_credential = 5 |
| [deprecated = true]; |
| optional EncryptedData test_encrypted_endorsement_credential = 6 |
| [deprecated = true]; |
| optional bytes ecc_endorsement_public_key = 7; |
| optional bytes ecc_endorsement_credential = 8; |
| // Map of |endorsement_credential| encrypted with a public key associated with |
| // Chrome OS Privacy CA, by CA. |
| map<int32, EncryptedData> encrypted_endorsement_credentials = 9; |
| } |
| |
| // Holds information relevant to a particular AIK. |
| message IdentityKey { |
| // The DER encoded public key. |
| optional bytes identity_public_key = 1; |
| // The TPM-specific key blob that can be loaded back into the TPM. |
| optional bytes identity_key_blob = 2; |
| // A credential issued by the attestation server. (Now in |
| // IdentityCertificate.) |
| optional bytes identity_credential = 3 [deprecated = true]; |
| // The computed enrollment ID, present only for enrolled devices. |
| optional bytes enrollment_id = 4 [deprecated = true]; |
| } |
| |
| // Holds information required to verify the binding of an AIK to an EK. This |
| // information should be cleared once the attestation server has certified the |
| // AIK. |
| message IdentityBinding { |
| // The binding data, as output by the TPM_MakeIdentity operation. |
| optional bytes identity_binding = 1; |
| // The AIK public key, DER encoded. |
| optional bytes identity_public_key_der = 2; |
| // The AIK public key, in TPM_PUBKEY form. |
| optional bytes identity_public_key = 3; |
| // The label used during AIK creation. |
| optional bytes identity_label = 4; |
| // The PCA public key used during AIK creation, in TPM_PUBKEY form. |
| optional bytes pca_public_key = 5; |
| } |
| |
| // Holds information about a quote generated by the TPM. |
| message Quote { |
| // The quote; a signature generated with the AIK. |
| optional bytes quote = 1; |
| // The serialized data that was quoted; this assists in verifying the quote. |
| optional bytes quoted_data = 2; |
| // The value of the PCR(s) at the time the quote was generated. |
| optional bytes quoted_pcr_value = 3; |
| // Source data which was originally used to extend the PCR. If this field |
| // exists it can be expected that SHA1(pcr_source_hint) was extended into the |
| // PCR. |
| optional bytes pcr_source_hint = 4; |
| } |
| |
| // Holds owner delegation information. |
| message Delegation { |
| // The delegate owner blob. |
| optional bytes blob = 1; |
| // The authorization secret. |
| optional bytes secret = 2; |
| // Whether this delegate has permissions to call TPM_ResetLockValue. |
| optional bool has_reset_lock_permissions = 3; |
| // Whether this delegate has permissions TPM_DELEGATE_OwnerReadInternalPub. |
| optional bool can_read_internal_pub = 4; |
| } |
| |
| enum TpmVersion { |
| TPM_1_2 = 1; // NOTE: This is the default. It must remain listed first. |
| TPM_2_0 = 2; |
| } |
| |
| // This message holds all information to be sent to the attestation server in |
| // order to complete enrollment. |
| message AttestationEnrollmentRequest { |
| // Fields reserved because they were added to platform2/attestation. |
| reserved 7; |
| reserved "nvram_quotes"; |
| // The EK cert, in X.509 form, encrypted using the server's public key with |
| // the following parameters: |
| // Key encryption: RSA-OAEP with no custom parameters. |
| // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. |
| // MAC: HMAC-SHA-512 using the AES key. |
| optional EncryptedData encrypted_endorsement_credential = 1; |
| // The AIK public key, in TPM_PUBKEY form. |
| optional bytes identity_public_key = 2; |
| // PCR0 quoted by AIK. |
| optional Quote pcr0_quote = 3; |
| // PCR1 quoted by AIK. |
| optional Quote pcr1_quote = 4; |
| // DEN for enterprise zero-touch enrollment (crbug/624187). |
| optional bytes enterprise_enrollment_nonce = 5; |
| // The device TPM version. |
| optional TpmVersion tpm_version = 6; |
| } |
| |
| // These two fields are suitable for passing to Tspi_TPM_ActivateIdentity() |
| // directly. |
| message EncryptedIdentityCredential { |
| // TPM_ASYM_CA_CONTENTS, encrypted with EK public key. |
| optional bytes asym_ca_contents = 1; |
| // TPM_SYM_CA_ATTESTATION, encrypted with the key in aysm_ca_contents. |
| optional bytes sym_ca_attestation = 2; |
| |
| optional TpmVersion tpm_version = 3; |
| |
| // The following fields are used only for TPM 2.0. For details see the TPM 2.0 |
| // specification Part 1 Rev 1.16: |
| // - Section 9.5.3.3: General description of the scheme. |
| // - Section 24: More details including how to use the seed to compute the |
| // values for 'credential_mac' and 'wrapped_certificate-> |
| // wrapped_key' |
| // - Section B.10.4: Encrypting the seed with a RSA EK. |
| // - Section C.7.4: Encrypting the seed with an EC EK. |
| |
| // A seed encrypted with the EK public key. The TPM will use this seed to |
| // derive both an HMAC key to verify the 'credential_mac' field and an AES key |
| // to unwrap the 'wrapped_certificate->wrapped_key' field. |
| optional bytes encrypted_seed = 4; |
| |
| // An integrity value computed using HMAC-SHA256 over the |
| // 'wrapped_certificate.wrapped_key' field and the 'Name' of the identity key. |
| optional bytes credential_mac = 5; |
| |
| // A certificate encrypted with a 'credential' that is decrypted by the TPM. |
| // The 'wrapped_key' field contains the encrypted credential which is |
| // encrypted using AES-256-CFB with a zero IV. The encryption of the |
| // certificate itself uses AES-256-CBC with PKCS #5 padding and a random IV. |
| // The encryption key is derived from the 'credential' using: |
| // SHA256('ENCRYPT' + credential) |
| // The mac uses HMAC-SHA256 with a key derived using: |
| // SHA256('MAC' + credential) |
| optional EncryptedData wrapped_certificate = 6; |
| } |
| |
| enum ResponseStatus { |
| OK = 0; |
| // Internal server error. |
| SERVER_ERROR = 1; |
| // The server cannot parse the request. |
| BAD_REQUEST = 2; |
| // The server rejects the request. |
| REJECT = 3; |
| // Only appears in enrollment response. The server returns the same generated |
| // id and reports the quota limit exceeded status when the number of reset |
| // action in a specified time window is more than self reset limitation. |
| QUOTA_LIMIT_EXCEEDED = 4; |
| } |
| |
| // The response from the attestation server for the enrollment request. |
| message AttestationEnrollmentResponse { |
| optional ResponseStatus status = 1; |
| // Detail response message. Included when the result is not OK. |
| optional string detail = 2; |
| optional EncryptedIdentityCredential encrypted_identity_credential = 3; |
| } |
| |
| enum CertificateProfile { |
| // A certificate intended for enterprise-owned devices. It has the following |
| // subjectName fields: |
| // CN=<stable device identifier> |
| // OU=state:[verified|developer] |
| // O=Chrome Device Enterprise |
| ENTERPRISE_MACHINE_CERTIFICATE = 0; |
| |
| // A certificate intended for enterprise-owned user accounts. It has the |
| // following subjectName fields: |
| // OU=state:[verified|developer] |
| // O=Chrome Device Enterprise |
| ENTERPRISE_USER_CERTIFICATE = 1; |
| |
| // A certificate intended for platform verification by providers of protected |
| // content. It has the following subjectName fields: |
| // O=Chrome Device Content Protection |
| CONTENT_PROTECTION_CERTIFICATE = 2; |
| |
| // Like above, but it also includes a stable ID and origin. |
| // CN=<origin-specific device identifier> |
| // OU=<origin> |
| // O=Chrome Device Content Protection |
| CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3; |
| |
| // A certificate intended for cast devices. |
| CAST_CERTIFICATE = 4; |
| |
| GFSC_CERTIFICATE = 5; |
| |
| JETSTREAM_CERTIFICATE = 6; |
| |
| // A certificate for enterprise enrollment. |
| ENTERPRISE_ENROLLMENT_CERTIFICATE = 7; |
| |
| // A certificate for signing Android Testsuite Results using CTS-in-a-box. |
| XTS_CERTIFICATE = 8; |
| } |
| |
| // The certificate request to be sent to the attestation server. |
| message AttestationCertificateRequest { |
| // The AIK cert in X.509 format. |
| optional bytes identity_credential = 1; |
| // A certified public key in TPM_PUBKEY. |
| optional bytes certified_public_key = 3; |
| // The serialized TPM_CERTIFY_INFO for the certified key. |
| optional bytes certified_key_info = 4; |
| // The signature of the TPM_CERTIFY_INFO by the AIK. |
| optional bytes certified_key_proof = 5; |
| // A message identifier to be included in the response. |
| optional bytes message_id = 10; |
| // The certificate profile defines the type of certificate to issue. |
| optional CertificateProfile profile = 11; |
| // Information about the origin of the request which may be used depending on |
| // the certificate profile. |
| optional string origin = 12; |
| // The index of a temporal value. This may be used or ignored depending on |
| // the certificate profile. |
| optional int32 temporal_index = 13; |
| // The device TPM version. |
| optional TpmVersion tpm_version = 14; |
| } |
| |
| // The response from the attestation server for the certificate request. |
| message AttestationCertificateResponse { |
| optional ResponseStatus status = 1; |
| // Detail response message. Included when the result is not OK. |
| optional string detail = 2; |
| // The credential of the certified key in X.509 format. |
| optional bytes certified_key_credential = 3; |
| // The issuer intermediate CA certificate in X.509 format. |
| optional bytes intermediate_ca_cert = 5; |
| // A message identifier from the request this message is responding to. |
| optional bytes message_id = 6; |
| // Additional intermediate CA certificates that can help in validation. |
| // Certificate chaining order is from the leaf to the root. That is, |
| // |certified_key_credential| is signed by |
| // |intermediate_ca_cert|, which is signed by |
| // |additional_intermediate_ca_cert(0)|, which is signed by |
| // |additional_intermediate_ca_cert(1)|, ... and so on. |
| repeated bytes additional_intermediate_ca_cert = 7; |
| } |
| |
| // Features of an identity (bitwise enumeration). |
| enum IdentityFeatures { |
| // No identity features. |
| NO_IDENTITY_FEATURES = 0; |
| // This identity carries an EID. |
| IDENTITY_FEATURE_ENTERPRISE_ENROLLMENT_ID = 1; |
| } |
| |
| // Holds all information that a client stores locally. |
| message AttestationDatabase { |
| reserved 1, 9, 10, 11, 13; |
| optional TPMCredentials credentials = 2; |
| |
| // These deprecated fields are now in identities and identity certificates. |
| optional IdentityBinding identity_binding = 3 [deprecated = true]; |
| optional IdentityKey identity_key = 4 [deprecated = true]; |
| optional Quote pcr0_quote = 5 [deprecated = true]; |
| optional Quote pcr1_quote = 12 [deprecated = true]; |
| |
| optional Delegation delegate = 6; |
| repeated CertifiedKey device_keys = 7; |
| |
| message TemporalIndexRecord { |
| optional bytes user_hash = 1; |
| optional bytes origin_hash = 2; |
| optional int32 temporal_index = 3; |
| } |
| repeated TemporalIndexRecord temporal_index_record = 8; |
| |
| // Holds identity-related values generated by the TPM. |
| message Identity { |
| // Fields reserved because they were added to platform2/attestation. |
| reserved 5; |
| reserved "nvram_quotes"; |
| optional int32 features = 1; |
| optional IdentityBinding identity_binding = 2; |
| optional IdentityKey identity_key = 3; |
| // PCR quotes. Keys are PCR indices. |
| map<int32, Quote> pcr_quotes = 4; |
| } |
| |
| // The unique device EID. |
| optional bytes enrollment_id = 14; |
| |
| // All the known identities. Identity 0 is guaranteed to exist and to have |
| // identity features of IDENTITY_FEATURE_ENTERPRISE_ENROLLMENT_ID. |
| repeated Identity identities = 15; |
| |
| // Holds all identity-related value for a combination of Identity and ACA. |
| message IdentityCertificate { |
| // The Identity used for this certificate. |
| optional int32 identity = 1; |
| // The attestation server that this certificate was created with. |
| optional int32 aca = 2; |
| // A credential issued by the attestation server. |
| optional bytes identity_credential = 3; |
| } |
| |
| // All the identity certificates we know of. Keys 0 and 1 are reserved |
| // for backwards compatibility and represent identity 0 enrolled with the |
| // default and test ACA respectively. |
| map<int32, IdentityCertificate> identity_certificates = 16; |
| } |
| |
| // Holds encrypted data and information required to decrypt it. |
| message EncryptedData { |
| // A key that has been sealed to the TPM or wrapped by another key. |
| optional bytes wrapped_key = 2; |
| // The initialization vector used during encryption. |
| optional bytes iv = 3; |
| // MAC of (iv || encrypted_data). |
| optional bytes mac = 4; |
| optional bytes encrypted_data = 5; |
| // An identifier for the wrapping key to assist in decryption. |
| optional bytes wrapping_key_id = 6; |
| } |
| |
| // The reset request to be sent to the attestation server. |
| message AttestationResetRequest { |
| // The AIK cert, in X.509 form, encrypted using the server's public key with |
| // the following parameters: |
| // Key encryption: RSA-OAEP with no custom parameters. |
| // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. |
| // MAC: HMAC-SHA-512 using the AES key. |
| optional EncryptedData encrypted_identity_credential = 1; |
| |
| // The one time token to make sure the reset process can be triggered only once. |
| optional bytes token = 2; |
| |
| // The EK cert, in X.509 form, encrypted using the server's public key with |
| // the following parameters: |
| // Key encryption: RSA-OAEP with no custom parameters. |
| // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. |
| // MAC: HMAC-SHA-512 using the AES key. |
| optional EncryptedData encrypted_endorsement_credential = 3; |
| } |
| |
| // The response from the attestation server for the reset request. |
| message AttestationResetResponse { |
| // The response status. |
| optional ResponseStatus status = 1; |
| // Detail response message. Included when the result is not OK. |
| optional string detail = 2; |
| } |
| |
| // The wrapper message of any data and its signature. |
| message SignedData { |
| // The data to be signed. |
| optional bytes data = 1; |
| // The signature of the data field. |
| optional bytes signature = 2; |
| } |
| |
| // The challenge data (as in challenge-response) generated by the server. |
| // Before transmitted to the client, this message will be wrapped as a |
| // SignedData message, in which the data field is the serialized Challenge |
| // message, and the signature field is the signature of the data field signed |
| // by the enterprise server using a hard-coded key. The signature algorithm is |
| // RSASSA-PKCS1-v1_5-SHA256. |
| message Challenge { |
| // A string for the client to sanity check a legitimate challenge. |
| optional string prefix = 1; |
| // A 256-bit random value generated by the server. |
| optional bytes nonce = 2; |
| // A timestamp for a stateless server to limit the timeframe during which the |
| // challenge may be replayed. |
| optional int64 timestamp = 3; |
| } |
| |
| // The response data (as in challenge-response) generated by the client. |
| // Before transmitted to the server, this message will be wrapped as a |
| // SignedData message, in which the data field is the serialized |
| // ChallengeResponse message, and the signature field is the signature of the |
| // data field signed by the client using the key being challenged. The |
| // signature algorithm is RSASSA-PKCS1-v1_5-SHA256. |
| message ChallengeResponse { |
| // The original challenge data. |
| optional SignedData challenge = 1; |
| // A 256-bit random value generated by the client. Mixing in this nonce |
| // prevents a caller from using a challenge to sign arbitrary data. |
| optional bytes nonce = 2; |
| // The KeyInfo message encrypted using a public encryption key, pushed via |
| // policy with the following parameters: |
| // Key encryption: RSA-OAEP with no custom parameters. |
| // Data encryption: 256-bit key, AES-CBC with PKCS5 padding. |
| // MAC: HMAC-SHA-512 using the AES key. |
| optional EncryptedData encrypted_key_info = 3; |
| } |
| |
| // Holds information about a certified key. |
| message CertifiedKey { |
| // The TPM-wrapped key blob. |
| optional bytes key_blob = 1; |
| // The public key in ASN.1 DER form. |
| optional bytes public_key = 2; |
| // The credential of the certified key in X.509 format. |
| optional bytes certified_key_credential = 3; |
| // The issuer intermediate CA certificate in X.509 format. |
| optional bytes intermediate_ca_cert = 4; |
| // A key name. This is not necessarily a unique identifier. |
| optional bytes key_name = 5; |
| // An arbitrary payload associated with the key. |
| optional bytes payload = 6; |
| // Addtional intermediate CA certificates that helps chaining up to the root |
| // CA. See |AttestationCertificateResponse.additional_intermediate_ca_cert| |
| // for more detail. |
| repeated bytes additional_intermediate_ca_cert = 7; |
| } |
| |
| // The data type of the message decrypted from |
| // ChallengeResponse.encrypted_key_info.encrypted_data field. This message holds |
| // information required by enterprise server to complete the verification. |
| message KeyInfo { |
| // Indicates whether the key is an EMK or EUK. |
| optional KeyType key_type = 1; |
| // Domain information about the device or user associated with the key. For an |
| // EMK, this value is the enrolled domain. For an EUK, this value is the |
| // user's email address. |
| optional string domain = 2; |
| // The virtual device ID associated with the device or user. |
| optional bytes device_id = 3; |
| // If the key is an EUK, this value is the PCA-issued certificate for the key. |
| optional bytes certificate = 4; |
| // If the key is an EUK, this value may hold a SignedPublicKeyAndChallenge |
| // with a random challenge. The SignedPublicKeyAndChallenge specification is |
| // here: https://developer.mozilla.org/en-US/docs/HTML/Element/keygen. |
| optional bytes signed_public_key_and_challenge = 5; |
| } |
| |
| enum KeyType { |
| // Enterprise machine key. |
| EMK = 0; |
| // Enterprise user key. |
| EUK = 1; |
| } |