attestation/common/interface.proto - mirrors/cros/chromiumos/platform2 - Git at Google

 //
 // Copyright (C) 2015 The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //

 syntax = "proto2";

 option optimize_for = LITE_RUNTIME;

 import "attestation_ca.proto";
 import "keystore.proto";

 package attestation;

 enum AttestationStatus {
   STATUS_SUCCESS = 0;
   STATUS_UNEXPECTED_DEVICE_ERROR = 1;
   STATUS_NOT_AVAILABLE = 2;
   STATUS_NOT_READY = 3;
   STATUS_NOT_ALLOWED = 4;
   STATUS_INVALID_PARAMETER = 5;
   STATUS_REQUEST_DENIED_BY_CA = 6;
   STATUS_CA_NOT_AVAILABLE = 7;
   STATUS_NOT_SUPPORTED = 8;
 }

 enum ACAType {
   DEFAULT_ACA = 0;
   TEST_ACA = 1;
 }

 enum VAType {
   DEFAULT_VA = 0;
   TEST_VA = 1;
 }

 message CreateGoogleAttestedKeyRequest {
   // An arbitrary label which can be used to reference the key later.
   optional string key_label = 1;
   optional KeyType key_type = 2;
   optional KeyUsage key_usage = 3;
   // Describes the certificate to be requested of the CA.
   optional CertificateProfile certificate_profile = 4;
   // Provided if the new key should be accessible only by a particular user. If
   // this field is not set or is the empty string, the key will be accessible
   // system-wide.
   optional string username = 5;
   // If the |certificate_profile| is intended to be bound to a particular origin
   // this field specifies the origin. For most profiles this is not required.
   optional string origin = 6;
   // What kind of ACA to use.
   optional ACAType aca_type = 7;
 }

 message CreateGoogleAttestedKeyReply {
   optional AttestationStatus status = 1;
   // More information about a server-side error. This only exists
   // if status=REQUEST_DENIED_BY_CA.
   optional string server_error = 2;
   // A PEM-encoded list of X.509 certificates starting with the requested
   // certificate issued by the CA and followed by certificates for any
   // intermediate authorities, in order. The Google Attestation CA root
   // certificate is well-known and not included.
   optional string certificate_chain = 3;
 }

 message GetKeyInfoRequest {
   optional string key_label = 1;
   optional string username = 2;
 }

 message GetKeyInfoReply {
   optional AttestationStatus status = 1;
   optional KeyType key_type = 2;
   optional KeyUsage key_usage = 3;
   // The public key (X.509/DER SubjectPublicKeyInfo).
   optional bytes public_key = 4;
   // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key.
   optional bytes certify_info = 5;
   // The signature of certify_info by the Attestation Key.
   optional bytes certify_info_signature = 6;
   // The certificate data associated with the key (if any).
   optional bytes certificate = 7;
   // The payload associated with the key.
   optional bytes payload = 8;
 }

 message GetEndorsementInfoRequest {
   optional KeyType key_type = 1;
 }

 message GetEndorsementInfoReply {
   optional AttestationStatus status = 1;
   // The endorsement public key (X.509/DER SubjectPublicKeyInfo).
   optional bytes ek_public_key = 2;
   // The endorsement certificate (X.509/DER).
   optional bytes ek_certificate = 3;
   // Human-readable string with EK information. Contains EK certificate in PEM
   // format and SHA256 hash of the raw DER encoded certificate.
   optional string ek_info = 4;
 }

 message GetAttestationKeyInfoRequest {
   optional KeyType key_type = 1;
   // What kind of ACA to use.
   optional ACAType aca_type = 2;
 }

 message GetAttestationKeyInfoReply {
   optional AttestationStatus status = 1;
   // The attestation public key (X.509/DER SubjectPublicKeyInfo).
   optional bytes public_key = 2;
   // The attestation public key in TPM_PUBKEY form.
   optional bytes public_key_tpm_format = 3;
   // The attestation key certificate.
   optional bytes certificate = 4;
   // A quote of PCR0 at the time of attestation key creation.
   optional Quote pcr0_quote = 5;
   // A quote of PCR1 at the time of attestation key creation.
   optional Quote pcr1_quote = 6;
 }

 message ActivateAttestationKeyRequest {
   optional KeyType key_type = 1;
   optional EncryptedIdentityCredential encrypted_certificate = 2;
   // Whether, on success, the decrypted certificate should be retained in
   // association with the attestation key. When using an ACA, this is normally
   // set to true. Other protocols may use a nonce as the 'certificate' and in
   // these cases this field is normally set to false.
   optional bool save_certificate = 3;
   // What kind of ACA to use.
   optional ACAType aca_type = 4;
 }

 message ActivateAttestationKeyReply {
   optional AttestationStatus status = 1;
   // The decrypted attestation key certificate.
   optional bytes certificate = 2;
 }

 message CreateCertifiableKeyRequest {
   // An arbitrary label which can be used to reference the key later.
   optional string key_label = 1;
   // Provided if the new key should be accessible only by a
   // particular user. If this field is not set or is the empty
   // string, the key will be accessible system-wide.
   optional string username = 2;
   optional KeyType key_type = 3;
   optional KeyUsage key_usage = 4;
 }

 message CreateCertifiableKeyReply {
   optional AttestationStatus status = 1;
   // The new public key (X.509/DER SubjectPublicKeyInfo).
   optional bytes public_key = 2;
   // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key.
   optional bytes certify_info = 3;
   // The signature of certify_info by the Attestation Key.
   optional bytes certify_info_signature = 4;
 }

 message DecryptRequest {
   optional string key_label = 1;
   optional string username = 2;
   optional bytes encrypted_data = 3;
 }

 message DecryptReply {
   optional AttestationStatus status = 1;
   optional bytes decrypted_data = 2;
 }

 message SignRequest {
   optional string key_label = 1;
   optional string username = 2;
   optional bytes data_to_sign = 3;
 }

 message SignReply {
   optional AttestationStatus status = 1;
   optional bytes signature = 2;
 }

 message RegisterKeyWithChapsTokenRequest {
   optional string key_label = 1;
   optional string username = 2;
   optional bool include_certificates = 3;
 }

 message RegisterKeyWithChapsTokenReply {
   optional AttestationStatus status = 1;
 }

 message GetStatusRequest {
   // Get extended status (see GetStatusReply below).
   optional bool extended_status = 1;
 }

 message GetStatusReply {
   message Identity {
     // The identity features.
     optional int32 features = 1;
   }

   message IdentityCertificate {
     // The identity that is enrolled.
     optional int32 identity = 1;
     // The Privacy CA that the identity is enrolled with.
     optional int32 aca = 2;
   }

   optional AttestationStatus status = 1;
   // Is prepared for enrollment?
   optional bool prepared_for_enrollment = 2;
   // Is enrolled (AIK certificate created)?
   optional bool enrolled = 3;
   // Is in verified boot mode (according to PCR0 quote)?
   // [Only included in reply if extended_status is set]
   optional bool verified_boot = 4;
   // List of identities and their identity features.
   repeated Identity identities = 5;
   // List of identity certificates.
   map<int32, IdentityCertificate> identity_certificates = 6;
 }

 // Verify attestation data.
 message VerifyRequest {
   // Use CrosCore CA to verify that the EK is endorsed.
   optional bool cros_core = 1;
   // Verify EK only.
   // Otherwise, in addition to EK, verify all attestation data as a CA would.
   optional bool ek_only = 2;
 }

 message VerifyReply {
   optional AttestationStatus status = 1;
   optional bool verified = 2;
 }

 // Create an enrollment request to be sent to the Privacy CA. This request
 // is a serialized AttestationEnrollmentRequest protobuf. Attestation
 // enrollment is a process by which the Privacy CA verifies the EK certificate
 // of a device and issues a certificate for an AIK. The enrollment process can
 // be finished by sending FinishEnrollRequest with the response from the CA.
 message CreateEnrollRequestRequest {
   // What kind of ACA to use.
   optional ACAType aca_type = 1;
 }

 message CreateEnrollRequestReply {
   optional AttestationStatus status = 1;
   // AttestationEnrollmentRequest to be sent to CA server.
   optional bytes pca_request = 2;
 }

 // Finish the enrollment process.
 message FinishEnrollRequest {
   // AttestationEnrollmentResponse received from CA server.
   optional bytes pca_response = 1;
   // What kind of ACA to use.
   optional ACAType aca_type = 2;
 }

 message FinishEnrollReply {
   optional AttestationStatus status = 1;
 }

 // Create an attestation certificate request to be sent to the Privacy CA.
 // The request is a serialized AttestationCertificateRequest protobuf. The
 // certificate request process generates and certifies a key in the TPM and
 // sends the AIK certificate along with information about the certified key to
 // the Privacy CA. The PCA verifies the information and issues a certificate
 // for the certified key. The certificate request process can be finished by
 // sending FinishCertificateRequestRequest with the response from the CA.
 message CreateCertificateRequestRequest {
   // Type of certificate to be requested.
   optional CertificateProfile certificate_profile = 1;
   // The canonical username of the active user profile. Leave blank
   // if not associated with the current user.
   optional string username = 2;
   // Some certificate requests require information about the origin
   // of the request.  If no origin is needed, this can be empty.
   optional string request_origin = 3;
   // What kind of ACA to use.
   optional ACAType aca_type = 4;
 }

 message CreateCertificateRequestReply {
   optional AttestationStatus status = 1;
   // The request to be sent to the Privacy CA.
   optional bytes pca_request = 2;
 }

 // Finish the certificate request process.  The |pca_response| from the PCA
 // is a serialized AttestationCertificateResponse protobuf. This final step
 // verifies the PCA operation succeeded and extracts the certificate for the
 // certified key.  The certificate is stored with the key.
 message FinishCertificateRequestRequest {
   // The Privacy CA's response to a certificate request.
   optional bytes pca_response = 1;
   // A name for the key.  If a key already exists with this name it
   // will be destroyed and replaced with this one.
   optional string key_label = 2;
   // This should match |username| in CreateCertificateRequestRequest.
   optional string username = 3;
 }

 message FinishCertificateRequestReply {
   optional AttestationStatus status = 1;
   // The PCA issued certificate chain in PEM format.  By
   // convention the certified key certificate is listed
   // first followed by intermediate CA certificate(s).
   // The PCA root certificate is not included.
   optional bytes certificate = 2;
 }

 // Sign a challenge for an enterprise device / user.  This challenge is
 // typically generated by and the response verified by the Enterprise Device
 // Verification Server (DVServer).
 message SignEnterpriseChallengeRequest {
   // The key name. This is the same name previously passed to
   // FinishCertficateRequestRequest.
   optional string key_label = 1;
   // The canonical username of the active user profile. Leave blank
   // if not associated with the current user.
   optional string username = 2;
   // A domain value to be included in the challenge response.
   optional string domain = 3;
   // A device identifier to be included in the challenge response.
   optional bytes device_id = 4;
   // Whether the challenge response should include
   // a SignedPublicKeyAndChallenge.
   optional bool include_signed_public_key = 5;
   // The challenge to be signed.
   optional bytes challenge = 6;
   // The VA server that will handle the challenge.
   optional VAType va_type = 7;
 }

 message SignEnterpriseChallengeReply {
   optional AttestationStatus status = 1;
   // The challenge response.
   optional bytes challenge_response = 2;
 }

 // Sign a challenge outside of an enterprise context: generate a random nonce
 // and append it to challenge, then sign and return the signature in the
 // |challenge_response|.
 // This challenge is typically generated by some module running within Chrome.
 message SignSimpleChallengeRequest {
   // The key name. This is the same name previously passed to
   // FinishCertficateRequestRequest.
   optional string key_label = 1;
   // The canonical username of the active user profile. Leave blank
   // if not associated with the current user.
   optional string username = 2;
   // The challenge to be signed.
   optional bytes challenge = 3;
 }

 message SignSimpleChallengeReply {
   optional AttestationStatus status = 1;
   // The challenge response.
   optional bytes challenge_response = 2;
 }

 // Set a payload for a key; any previous payload will be overwritten.
 message SetKeyPayloadRequest {
   // The key name. This is the same name previously passed to
   // FinishCertficateRequestRequest.
   optional string key_label = 1;
   // The canonical username of the active user profile. Leave blank
   // if not associated with the current user.
   optional string username = 2;
   optional bytes payload = 3;
 }

 message SetKeyPayloadReply {
   optional AttestationStatus status = 1;
 }

 // Delete all keys where the key name has the given |key_prefix|.
 message DeleteKeysRequest {
   // The key name prefix.
   optional string key_prefix = 1;
   // The canonical username of the active user profile. Leave blank
   // if not associated with the current user.
   optional string username = 2;
 }

 message DeleteKeysReply {
   optional AttestationStatus status = 1;
 }

 // Create a request to be sent to the PCA which will reset the identity for
 // this device on future AIK enrollments.  The |reset_token| is put in the
 // request protobuf verbatim.
 message ResetIdentityRequest {
   optional string reset_token = 1;
 }

 message ResetIdentityReply {
   optional AttestationStatus status = 1;
   // Request to be sent to the CA.
   optional bytes reset_request = 2;
 }

 // Set system salt.
 // TODO(http://crosbug.com/p/58299): remove after cryptohomed calls to
 // attestationd become non-blocking. Until then, we need to pass the system
 // salt this way, since we can't query cryptohomed from attestationd.
 message SetSystemSaltRequest {
   optional string system_salt = 1;
 }

 message SetSystemSaltReply {
   optional AttestationStatus status = 1;
 }

 message GetEnrollmentIdRequest {
   optional bool ignore_cache = 1;
 }

 message GetEnrollmentIdReply {
   optional AttestationStatus status = 1;
   optional string enrollment_id = 2;
 }
	//
	// Copyright (C) 2015 The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//

	syntax = "proto2";

	option optimize_for = LITE_RUNTIME;

	import "attestation_ca.proto";
	import "keystore.proto";

	package attestation;

	enum AttestationStatus {
	STATUS_SUCCESS = 0;
	STATUS_UNEXPECTED_DEVICE_ERROR = 1;
	STATUS_NOT_AVAILABLE = 2;
	STATUS_NOT_READY = 3;
	STATUS_NOT_ALLOWED = 4;
	STATUS_INVALID_PARAMETER = 5;
	STATUS_REQUEST_DENIED_BY_CA = 6;
	STATUS_CA_NOT_AVAILABLE = 7;
	STATUS_NOT_SUPPORTED = 8;
	}

	enum ACAType {
	DEFAULT_ACA = 0;
	TEST_ACA = 1;
	}

	enum VAType {
	DEFAULT_VA = 0;
	TEST_VA = 1;
	}

	message CreateGoogleAttestedKeyRequest {
	// An arbitrary label which can be used to reference the key later.
	optional string key_label = 1;
	optional KeyType key_type = 2;
	optional KeyUsage key_usage = 3;
	// Describes the certificate to be requested of the CA.
	optional CertificateProfile certificate_profile = 4;
	// Provided if the new key should be accessible only by a particular user. If
	// this field is not set or is the empty string, the key will be accessible
	// system-wide.
	optional string username = 5;
	// If the \|certificate_profile\| is intended to be bound to a particular origin
	// this field specifies the origin. For most profiles this is not required.
	optional string origin = 6;
	// What kind of ACA to use.
	optional ACAType aca_type = 7;
	}

	message CreateGoogleAttestedKeyReply {
	optional AttestationStatus status = 1;
	// More information about a server-side error. This only exists
	// if status=REQUEST_DENIED_BY_CA.
	optional string server_error = 2;
	// A PEM-encoded list of X.509 certificates starting with the requested
	// certificate issued by the CA and followed by certificates for any
	// intermediate authorities, in order. The Google Attestation CA root
	// certificate is well-known and not included.
	optional string certificate_chain = 3;
	}

	message GetKeyInfoRequest {
	optional string key_label = 1;
	optional string username = 2;
	}

	message GetKeyInfoReply {
	optional AttestationStatus status = 1;
	optional KeyType key_type = 2;
	optional KeyUsage key_usage = 3;
	// The public key (X.509/DER SubjectPublicKeyInfo).
	optional bytes public_key = 4;
	// The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key.
	optional bytes certify_info = 5;
	// The signature of certify_info by the Attestation Key.
	optional bytes certify_info_signature = 6;
	// The certificate data associated with the key (if any).
	optional bytes certificate = 7;
	// The payload associated with the key.
	optional bytes payload = 8;
	}

	message GetEndorsementInfoRequest {
	optional KeyType key_type = 1;
	}

	message GetEndorsementInfoReply {
	optional AttestationStatus status = 1;
	// The endorsement public key (X.509/DER SubjectPublicKeyInfo).
	optional bytes ek_public_key = 2;
	// The endorsement certificate (X.509/DER).
	optional bytes ek_certificate = 3;
	// Human-readable string with EK information. Contains EK certificate in PEM
	// format and SHA256 hash of the raw DER encoded certificate.
	optional string ek_info = 4;
	}

	message GetAttestationKeyInfoRequest {
	optional KeyType key_type = 1;
	// What kind of ACA to use.
	optional ACAType aca_type = 2;
	}

	message GetAttestationKeyInfoReply {
	optional AttestationStatus status = 1;
	// The attestation public key (X.509/DER SubjectPublicKeyInfo).
	optional bytes public_key = 2;
	// The attestation public key in TPM_PUBKEY form.
	optional bytes public_key_tpm_format = 3;
	// The attestation key certificate.
	optional bytes certificate = 4;
	// A quote of PCR0 at the time of attestation key creation.
	optional Quote pcr0_quote = 5;
	// A quote of PCR1 at the time of attestation key creation.
	optional Quote pcr1_quote = 6;
	}

	message ActivateAttestationKeyRequest {
	optional KeyType key_type = 1;
	optional EncryptedIdentityCredential encrypted_certificate = 2;
	// Whether, on success, the decrypted certificate should be retained in
	// association with the attestation key. When using an ACA, this is normally
	// set to true. Other protocols may use a nonce as the 'certificate' and in
	// these cases this field is normally set to false.
	optional bool save_certificate = 3;
	// What kind of ACA to use.
	optional ACAType aca_type = 4;
	}

	message ActivateAttestationKeyReply {
	optional AttestationStatus status = 1;
	// The decrypted attestation key certificate.
	optional bytes certificate = 2;
	}

	message CreateCertifiableKeyRequest {
	// An arbitrary label which can be used to reference the key later.
	optional string key_label = 1;
	// Provided if the new key should be accessible only by a
	// particular user. If this field is not set or is the empty
	// string, the key will be accessible system-wide.
	optional string username = 2;
	optional KeyType key_type = 3;
	optional KeyUsage key_usage = 4;
	}

	message CreateCertifiableKeyReply {
	optional AttestationStatus status = 1;
	// The new public key (X.509/DER SubjectPublicKeyInfo).
	optional bytes public_key = 2;
	// The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key.
	optional bytes certify_info = 3;
	// The signature of certify_info by the Attestation Key.
	optional bytes certify_info_signature = 4;
	}

	message DecryptRequest {
	optional string key_label = 1;
	optional string username = 2;
	optional bytes encrypted_data = 3;
	}

	message DecryptReply {
	optional AttestationStatus status = 1;
	optional bytes decrypted_data = 2;
	}

	message SignRequest {
	optional string key_label = 1;
	optional string username = 2;
	optional bytes data_to_sign = 3;
	}

	message SignReply {
	optional AttestationStatus status = 1;
	optional bytes signature = 2;
	}

	message RegisterKeyWithChapsTokenRequest {
	optional string key_label = 1;
	optional string username = 2;
	optional bool include_certificates = 3;
	}

	message RegisterKeyWithChapsTokenReply {
	optional AttestationStatus status = 1;
	}

	message GetStatusRequest {
	// Get extended status (see GetStatusReply below).
	optional bool extended_status = 1;
	}

	message GetStatusReply {
	message Identity {
	// The identity features.
	optional int32 features = 1;
	}

	message IdentityCertificate {
	// The identity that is enrolled.
	optional int32 identity = 1;
	// The Privacy CA that the identity is enrolled with.
	optional int32 aca = 2;
	}

	optional AttestationStatus status = 1;
	// Is prepared for enrollment?
	optional bool prepared_for_enrollment = 2;
	// Is enrolled (AIK certificate created)?
	optional bool enrolled = 3;
	// Is in verified boot mode (according to PCR0 quote)?
	// [Only included in reply if extended_status is set]
	optional bool verified_boot = 4;
	// List of identities and their identity features.
	repeated Identity identities = 5;
	// List of identity certificates.
	map<int32, IdentityCertificate> identity_certificates = 6;
	}

	// Verify attestation data.
	message VerifyRequest {
	// Use CrosCore CA to verify that the EK is endorsed.
	optional bool cros_core = 1;
	// Verify EK only.
	// Otherwise, in addition to EK, verify all attestation data as a CA would.
	optional bool ek_only = 2;
	}

	message VerifyReply {
	optional AttestationStatus status = 1;
	optional bool verified = 2;
	}

	// Create an enrollment request to be sent to the Privacy CA. This request
	// is a serialized AttestationEnrollmentRequest protobuf. Attestation
	// enrollment is a process by which the Privacy CA verifies the EK certificate
	// of a device and issues a certificate for an AIK. The enrollment process can
	// be finished by sending FinishEnrollRequest with the response from the CA.
	message CreateEnrollRequestRequest {
	// What kind of ACA to use.
	optional ACAType aca_type = 1;
	}

	message CreateEnrollRequestReply {
	optional AttestationStatus status = 1;
	// AttestationEnrollmentRequest to be sent to CA server.
	optional bytes pca_request = 2;
	}

	// Finish the enrollment process.
	message FinishEnrollRequest {
	// AttestationEnrollmentResponse received from CA server.
	optional bytes pca_response = 1;
	// What kind of ACA to use.
	optional ACAType aca_type = 2;
	}

	message FinishEnrollReply {
	optional AttestationStatus status = 1;
	}

	// Create an attestation certificate request to be sent to the Privacy CA.
	// The request is a serialized AttestationCertificateRequest protobuf. The
	// certificate request process generates and certifies a key in the TPM and
	// sends the AIK certificate along with information about the certified key to
	// the Privacy CA. The PCA verifies the information and issues a certificate
	// for the certified key. The certificate request process can be finished by
	// sending FinishCertificateRequestRequest with the response from the CA.
	message CreateCertificateRequestRequest {
	// Type of certificate to be requested.
	optional CertificateProfile certificate_profile = 1;
	// The canonical username of the active user profile. Leave blank
	// if not associated with the current user.
	optional string username = 2;
	// Some certificate requests require information about the origin
	// of the request. If no origin is needed, this can be empty.
	optional string request_origin = 3;
	// What kind of ACA to use.
	optional ACAType aca_type = 4;
	}

	message CreateCertificateRequestReply {
	optional AttestationStatus status = 1;
	// The request to be sent to the Privacy CA.
	optional bytes pca_request = 2;
	}

	// Finish the certificate request process. The \|pca_response\| from the PCA
	// is a serialized AttestationCertificateResponse protobuf. This final step
	// verifies the PCA operation succeeded and extracts the certificate for the
	// certified key. The certificate is stored with the key.
	message FinishCertificateRequestRequest {
	// The Privacy CA's response to a certificate request.
	optional bytes pca_response = 1;
	// A name for the key. If a key already exists with this name it
	// will be destroyed and replaced with this one.
	optional string key_label = 2;
	// This should match \|username\| in CreateCertificateRequestRequest.
	optional string username = 3;
	}

	message FinishCertificateRequestReply {
	optional AttestationStatus status = 1;
	// The PCA issued certificate chain in PEM format. By
	// convention the certified key certificate is listed
	// first followed by intermediate CA certificate(s).
	// The PCA root certificate is not included.
	optional bytes certificate = 2;
	}

	// Sign a challenge for an enterprise device / user. This challenge is
	// typically generated by and the response verified by the Enterprise Device
	// Verification Server (DVServer).
	message SignEnterpriseChallengeRequest {
	// The key name. This is the same name previously passed to
	// FinishCertficateRequestRequest.
	optional string key_label = 1;
	// The canonical username of the active user profile. Leave blank
	// if not associated with the current user.
	optional string username = 2;
	// A domain value to be included in the challenge response.
	optional string domain = 3;
	// A device identifier to be included in the challenge response.
	optional bytes device_id = 4;
	// Whether the challenge response should include
	// a SignedPublicKeyAndChallenge.
	optional bool include_signed_public_key = 5;
	// The challenge to be signed.
	optional bytes challenge = 6;
	// The VA server that will handle the challenge.
	optional VAType va_type = 7;
	}

	message SignEnterpriseChallengeReply {
	optional AttestationStatus status = 1;
	// The challenge response.
	optional bytes challenge_response = 2;
	}

	// Sign a challenge outside of an enterprise context: generate a random nonce
	// and append it to challenge, then sign and return the signature in the
	// \|challenge_response\|.
	// This challenge is typically generated by some module running within Chrome.
	message SignSimpleChallengeRequest {
	// The key name. This is the same name previously passed to
	// FinishCertficateRequestRequest.
	optional string key_label = 1;
	// The canonical username of the active user profile. Leave blank
	// if not associated with the current user.
	optional string username = 2;
	// The challenge to be signed.
	optional bytes challenge = 3;
	}

	message SignSimpleChallengeReply {
	optional AttestationStatus status = 1;
	// The challenge response.
	optional bytes challenge_response = 2;
	}

	// Set a payload for a key; any previous payload will be overwritten.
	message SetKeyPayloadRequest {
	// The key name. This is the same name previously passed to
	// FinishCertficateRequestRequest.
	optional string key_label = 1;
	// The canonical username of the active user profile. Leave blank
	// if not associated with the current user.
	optional string username = 2;
	optional bytes payload = 3;
	}

	message SetKeyPayloadReply {
	optional AttestationStatus status = 1;
	}

	// Delete all keys where the key name has the given \|key_prefix\|.
	message DeleteKeysRequest {
	// The key name prefix.
	optional string key_prefix = 1;
	// The canonical username of the active user profile. Leave blank
	// if not associated with the current user.
	optional string username = 2;
	}

	message DeleteKeysReply {
	optional AttestationStatus status = 1;
	}

	// Create a request to be sent to the PCA which will reset the identity for
	// this device on future AIK enrollments. The \|reset_token\| is put in the
	// request protobuf verbatim.
	message ResetIdentityRequest {
	optional string reset_token = 1;
	}

	message ResetIdentityReply {
	optional AttestationStatus status = 1;
	// Request to be sent to the CA.
	optional bytes reset_request = 2;
	}

	// Set system salt.
	// TODO(http://crosbug.com/p/58299): remove after cryptohomed calls to
	// attestationd become non-blocking. Until then, we need to pass the system
	// salt this way, since we can't query cryptohomed from attestationd.
	message SetSystemSaltRequest {
	optional string system_salt = 1;
	}

	message SetSystemSaltReply {
	optional AttestationStatus status = 1;
	}

	message GetEnrollmentIdRequest {
	optional bool ignore_cache = 1;
	}

	message GetEnrollmentIdReply {
	optional AttestationStatus status = 1;
	optional string enrollment_id = 2;
	}