| // Copyright 2019 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| syntax = "proto3"; |
| option optimize_for = LITE_RUNTIME; |
| |
| package u2f; |
| |
| // UserNotification signal payload. |
| message UserNotification { |
| enum EventType { |
| // This event is periodically sent when confirming physical presence is |
| // required for the integrated U2F device. In response, the UI should |
| // start/continue showing the 'touch powerbutton' user prompt. |
| TOUCH_NEEDED = 0; |
| } |
| EventType event_type = 1; |
| } |
| |
| enum VerificationType { |
| VERIFICATION_UNKNOWN = 0; |
| VERIFICATION_USER_PRESENCE = 1; |
| VERIFICATION_USER_VERIFICATION = 2; |
| } |
| |
| message MakeCredentialRequest { |
| enum AttestationConveyancePreference { |
| NONE = 0; |
| // Want u2f attestation. |
| U2F = 1; |
| // Want g2f attestation, with a cert and a signature from the TPM. |
| G2F = 2; |
| } |
| |
| VerificationType verification_type = 1; |
| // String representing a valid domain name. |
| string rp_id = 2; |
| // Whether to store as a resident credential. Currently not implemented. |
| bool resident_credential = 3; |
| // User id for listing credentials to the user. |
| bytes user_id = 4; |
| // MakeCredential should fail if any excluded credential belongs to this |
| // device. |
| repeated bytes excluded_credential_id = 5; |
| // Id used to idenfity the window that initiated the request. |
| uint64 request_id = 6; |
| // User display name for listing credentials to the user. |
| string user_display_name = 7; |
| // The appIdExclude extension. If set, values in |excluded_credential_id| |
| // will be tested against this AppID in addition to |rp_id|. |
| string app_id_exclude = 8; |
| // SHA-256 hash of client data, which is the same as "challenge" in u2f. |
| bytes client_data_hash = 9; |
| // What kind of attestation is desired. |
| AttestationConveyancePreference attestation_conveyance_preference = 10; |
| // The name of RP to display in credential management UI. |
| string rp_display_name = 11; |
| // Whether the credential should be a resident key, a.k.a. discoverable |
| // credential. |
| bool resident_key_required = 12; |
| } |
| |
| message MakeCredentialResponse { |
| // These values are persisted to logs. Entries should not be renumbered and |
| // numeric values should never be reused. |
| enum MakeCredentialStatus { |
| UNKNOWN = 0; |
| SUCCESS = 1; |
| VERIFICATION_FAILED = 2; |
| VERIFICATION_TIMEOUT = 3; |
| INVALID_REQUEST = 4; |
| INTERNAL_ERROR = 5; |
| // An excluded credential belongs to this device. |
| EXCLUDED_CREDENTIAL_ID = 6; |
| REQUEST_PENDING = 7; |
| CANCELED = 8; |
| } |
| |
| MakeCredentialStatus status = 1; |
| |
| // Attestation object for newly created credential. |
| // |
| // See https://www.w3.org/TR/webauthn/#attestation-object for details |
| // on the format of these fields. |
| // |
| // Note that currently only 'none' attestation is supported. |
| |
| // Includes the newly created credential ID and public key. |
| bytes authenticator_data = 2; |
| |
| // Use of 'none' attestation means these fields always have values of "none" |
| // and "\xa0" respectively. |
| string attestation_format = 3; |
| bytes attestation_statement = 4; |
| } |
| |
| message GetAssertionRequest { |
| VerificationType verification_type = 1; |
| // String representing a valid domain name. |
| string rp_id = 2; |
| // SHA-256 hash of client data. |
| bytes client_data_hash = 3; |
| // Currently must not be empty; resident credentials not implemented yet. |
| repeated bytes allowed_credential_id = 4; |
| // Id used to identify the window that initiated the request. |
| uint64 request_id = 5; |
| // App id extension. Used in place of rp id for legacy u2f credentials. |
| string app_id = 6; |
| // Next ID: 7 |
| } |
| |
| message Assertion { |
| bytes credential_id = 1; |
| bytes authenticator_data = 2; |
| bytes signature = 3; |
| // Resident credentials not imlemented yet; this field is always empty. |
| bytes user_entity = 4; |
| } |
| |
| message GetAssertionResponse { |
| // These values are persisted to logs. Entries should not be renumbered and |
| // numeric values should never be reused. |
| enum GetAssertionStatus { |
| UNKNOWN = 0; |
| SUCCESS = 1; |
| VERIFICATION_FAILED = 2; |
| VERIFICATION_TIMEOUT = 3; |
| INVALID_REQUEST = 4; |
| INTERNAL_ERROR = 5; |
| // No allowed credential belongs to this device. |
| UNKNOWN_CREDENTIAL_ID = 6; |
| REQUEST_PENDING = 7; |
| CANCELED = 8; |
| } |
| |
| GetAssertionStatus status = 1; |
| repeated Assertion assertion = 2; |
| } |
| |
| // Check whether the specified |credential_id|s are valid. Invalid |
| // credentials will not be present in the response. If no |credential_id|s are |
| // specified, returns any resident credentials for |rp_id|. |
| // There are types of valid credentials: |
| // 1. Credentials registered with platform authenticator (webauthn_handler). |
| // 2. Credentials registered via u2fhid on WebAuthn API. Those will be scoped |
| // to rp_id. |
| // 3. Credentials registered via U2F API. Those will be scoped to app_id. |
| message HasCredentialsRequest { |
| // String representing a valid domain name. |
| string rp_id = 1; |
| repeated bytes credential_id = 2; |
| // App id extension. Used in place of rp id for U2F API credentials. |
| string app_id = 3; |
| } |
| |
| message HasCredentialsResponse { |
| enum HasCredentialsStatus { |
| UNKNOWN = 0; |
| SUCCESS = 1; |
| INVALID_REQUEST = 2; |
| INTERNAL_ERROR = 3; |
| // No specified credential belongs to this device. |
| UNKNOWN_CREDENTIAL_ID = 4; |
| } |
| |
| HasCredentialsStatus status = 1; |
| // Valid or resident credentials for the specified rp_id. |
| repeated bytes credential_id = 2; |
| } |
| |
| // Dismiss user verification UI and abort the operation. |
| message CancelWebAuthnFlowRequest { |
| // Id used to identify the window that initiated the request. |
| uint64 request_id = 1; |
| } |
| |
| message CancelWebAuthnFlowResponse { |
| bool canceled = 1; |
| } |
| |
| // Check whether user-verifying platform authenticator is available. |
| message IsUvpaaRequest {} |
| |
| message IsUvpaaResponse { |
| bool available = 1; |
| } |
| |
| // Check whether u2f is enabled (by policy or by force flag). If u2f is |
| // enabled, the browser will dispatch a cross-platform MakeCredential call to |
| // the Chrome OS platform authenticator (with VerificationType=USER_PRESENCE), |
| // so that we preserve the MakeCredential behavior for u2f users. |
| message IsU2fEnabledRequest {} |
| |
| message IsU2fEnabledResponse { |
| bool enabled = 1; |
| } |