1//
2// Copyright (C) 2015 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8//      http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
16
17option optimize_for = LITE_RUNTIME;
18
19import "common.proto";
20
21package attestation;
22
// Result code carried in the |status| field of every *Reply message in this
// file.
enum AttestationStatus {
  // Zero value. An enum field that was never set reads back as its default,
  // which here is STATUS_SUCCESS, so a reply with |status| absent looks
  // successful. Callers should check field presence (has_status()) rather than
  // comparing the value against STATUS_SUCCESS alone.
  STATUS_SUCCESS = 0;
  STATUS_UNEXPECTED_DEVICE_ERROR = 1;
  STATUS_NOT_AVAILABLE = 2;
  STATUS_NOT_READY = 3;
  STATUS_NOT_ALLOWED = 4;
  STATUS_INVALID_PARAMETER = 5;
  // The CA rejected the request. CreateGoogleAttestedKeyReply.server_error may
  // carry more detail in this case.
  STATUS_REQUEST_DENIED_BY_CA = 6;
  STATUS_CA_NOT_AVAILABLE = 7;
}
33
// Request to create a new key and have the Google Attestation CA issue a
// certificate for it (returned in CreateGoogleAttestedKeyReply.certificate_chain).
message CreateGoogleAttestedKeyRequest {
  // An arbitrary label which can be used to reference the key later. Nothing
  // in this schema constrains its length or contents.
  optional string key_label = 1;
  // KeyType / KeyUsage are not defined in this file (imported, presumably from
  // common.proto).
  optional KeyType key_type = 2;
  optional KeyUsage key_usage = 3;
  // Describes the certificate to be requested of the CA.
  optional CertificateProfile certificate_profile = 4;
  // Provided if the new key should be accessible only by a particular user. If
  // this field is not set or is the empty string, the key will be accessible
  // system-wide. Note the failure mode: a caller that intends a per-user key
  // but passes an empty username silently gets a system-wide key instead.
  optional string username = 5;
  // If the |certificate_profile| is intended to be bound to a particular origin
  // this field specifies the origin. For most profiles this is not required.
  optional string origin = 6;
}
49
// Reply to CreateGoogleAttestedKeyRequest.
message CreateGoogleAttestedKeyReply {
  // Outcome of the request. An unset field reads as STATUS_SUCCESS (the zero
  // value), so check has_status() before trusting the other fields.
  optional AttestationStatus status = 1;
  // More information about a server-side error. This only exists
  // if status=STATUS_REQUEST_DENIED_BY_CA. It is text from the server side,
  // not from the local daemon; treat it as informational.
  optional string server_error = 2;
  // A PEM-encoded list of X.509 certificates starting with the requested
  // certificate issued by the CA and followed by certificates for any
  // intermediate authorities, in order. The Google Attestation CA root
  // certificate is well-known and not included, so a consumer validating this
  // chain must anchor it to its own trusted copy of that root; the chain is
  // not self-certifying.
  optional string certificate_chain = 3;
}
61
// Looks up a previously created key by label.
message GetKeyInfoRequest {
  // The |key_label| that was given when the key was created.
  optional string key_label = 1;
  // NOTE(review): presumably the same semantics as in the Create*Request
  // messages (unset/empty selects the system-wide key) — confirm against the
  // daemon.
  optional string username = 2;
}
66
// Reply to GetKeyInfoRequest.
message GetKeyInfoReply {
  // Outcome of the request; unset reads as STATUS_SUCCESS (zero value), so
  // check has_status() before using the fields below.
  optional AttestationStatus status = 1;
  optional KeyType key_type = 2;
  optional KeyUsage key_usage = 3;
  // The public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes public_key = 4;
  // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key. Which of
  // the two structures is present is not indicated by this message; the
  // consumer must already know which TPM version produced it to parse it.
  optional bytes certify_info = 5;
  // The signature of certify_info by the Attestation Key. This reply does not
  // carry the attestation public key needed to verify it; see
  // GetAttestationKeyInfoReply.public_key.
  optional bytes certify_info_signature = 6;
  // The certificate data associated with the key (if any).
  optional bytes certificate = 7;
}
80
// Requests the endorsement key (EK) public key and certificate; see
// GetEndorsementInfoReply.
message GetEndorsementInfoRequest {
  optional KeyType key_type = 1;
}
84
// Reply to GetEndorsementInfoRequest.
message GetEndorsementInfoReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status().
  optional AttestationStatus status = 1;
  // The endorsement public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes ek_public_key = 2;
  // The endorsement certificate (X.509/DER).
  // NOTE(review): an endorsement certificate is typically a long-lived,
  // per-device identifier. Which callers may obtain it is an access-control
  // decision made outside this schema — confirm it is enforced by the daemon.
  optional bytes ek_certificate = 3;
}
92
// Requests the attestation key's public material, certificate and the PCR
// quotes taken when the key was created; see GetAttestationKeyInfoReply.
message GetAttestationKeyInfoRequest {
  optional KeyType key_type = 1;
}
96
// Reply to GetAttestationKeyInfoRequest.
message GetAttestationKeyInfoReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status().
  optional AttestationStatus status = 1;
  // The attestation public key (X.509/DER SubjectPublicKeyInfo). This is the
  // key that signs |certify_info| in GetKeyInfoReply and
  // CreateCertifiableKeyReply.
  optional bytes public_key = 2;
  // The attestation public key in TPM_PUBKEY form.
  // NOTE(review): TPM_PUBKEY looks like a TPM 1.2 structure name; what this
  // field holds for a TPM 2.0 device is not specified here — confirm.
  optional bytes public_key_tpm_format = 3;
  // The attestation key certificate.
  optional bytes certificate = 4;
  // A quote of PCR0 at the time of attestation key creation. Quote is defined
  // outside this file (imported). This reflects PCR state when the key was
  // created, not when this request was served; a verifier must not treat it
  // as a fresh quote.
  optional Quote pcr0_quote = 5;
  // A quote of PCR1 at the time of attestation key creation (same caveat as
  // |pcr0_quote|).
  optional Quote pcr1_quote = 6;
}
110
// Delivers an encrypted attestation key certificate to the daemon for
// decryption; the decrypted certificate comes back in
// ActivateAttestationKeyReply.
message ActivateAttestationKeyRequest {
  optional KeyType key_type = 1;
  // EncryptedIdentityCredential is not defined in this file (imported).
  optional EncryptedIdentityCredential encrypted_certificate = 2;
  // NOTE(review): presumably asks the daemon to persist the decrypted
  // certificate as the attestation key certificate — confirm. The reply has a
  // |certificate| field regardless of this flag.
  optional bool save_certificate = 3;
}
116
// Reply to ActivateAttestationKeyRequest.
message ActivateAttestationKeyReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status()
  // before using |certificate|.
  optional AttestationStatus status = 1;
  // The decrypted attestation key certificate. Its encoding is not stated
  // here; the other certificate fields in this file are X.509/DER, but confirm.
  optional bytes certificate = 2;
}
122
// Creates a new key whose certify info is signed by the Attestation Key (see
// CreateCertifiableKeyReply). Unlike CreateGoogleAttestedKeyRequest there is no
// certificate profile, and the reply carries no CA-issued certificate.
message CreateCertifiableKeyRequest {
  // An arbitrary label which can be used to reference the key later. Nothing
  // in this schema constrains its length or contents.
  optional string key_label = 1;
  // Provided if the new key should be accessible only by a
  // particular user. If this field is not set or is the empty
  // string, the key will be accessible system-wide. Note the failure mode: an
  // accidentally empty username silently yields a system-wide key.
  optional string username = 2;
  // KeyType / KeyUsage are not defined in this file (imported).
  optional KeyType key_type = 3;
  optional KeyUsage key_usage = 4;
}
133
// Reply to CreateCertifiableKeyRequest.
message CreateCertifiableKeyReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status()
  // before using the fields below.
  optional AttestationStatus status = 1;
  // The new public key (X.509/DER SubjectPublicKeyInfo).
  optional bytes public_key = 2;
  // The serialized TPM_CERTIFY_INFO or TPM2B_ATTEST for the new key. Which of
  // the two structures is present is not indicated; the consumer must know the
  // TPM version to parse it.
  optional bytes certify_info = 3;
  // The signature of certify_info by the Attestation Key. Verify it with
  // GetAttestationKeyInfoReply.public_key; this reply does not include that key.
  optional bytes certify_info_signature = 4;
}
143
// Decrypts |encrypted_data| with the key identified by |key_label| and
// |username|.
message DecryptRequest {
  // The |key_label| given when the key was created.
  optional string key_label = 1;
  // NOTE(review): presumably the same semantics as in the Create*Request
  // messages (unset/empty selects the system-wide key) — confirm.
  optional string username = 2;
  // Ciphertext to decrypt. The expected format (padding, scheme) is not
  // specified in this schema; confirm with the daemon before interoperating.
  optional bytes encrypted_data = 3;
}
149
// Reply to DecryptRequest.
message DecryptReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status()
  // before using |decrypted_data|.
  optional AttestationStatus status = 1;
  // The plaintext on success.
  optional bytes decrypted_data = 2;
}
154
// Signs |data_to_sign| with the key identified by |key_label| and |username|.
message SignRequest {
  // The |key_label| given when the key was created.
  optional string key_label = 1;
  // NOTE(review): presumably the same semantics as in the Create*Request
  // messages (unset/empty selects the system-wide key) — confirm.
  optional string username = 2;
  // Data to sign. Whether the daemon hashes this or expects a precomputed
  // digest is not stated here — confirm before relying on signature
  // interoperability.
  optional bytes data_to_sign = 3;
}
160
// Reply to SignRequest.
message SignReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status()
  // before using |signature|.
  optional AttestationStatus status = 1;
  // The signature on success. Signature format/algorithm is not stated here.
  optional bytes signature = 2;
}
165
// Registers the key identified by |key_label| and |username| with a Chaps
// token. NOTE(review): presumably the token belonging to |username| — confirm.
message RegisterKeyWithChapsTokenRequest {
  // The |key_label| given when the key was created.
  optional string key_label = 1;
  // NOTE(review): presumably the same semantics as in the Create*Request
  // messages (unset/empty selects the system-wide key) — confirm.
  optional string username = 2;
}
170
// Reply to RegisterKeyWithChapsTokenRequest.
message RegisterKeyWithChapsTokenReply {
  // Outcome; unset reads as STATUS_SUCCESS (zero value) — check has_status().
  optional AttestationStatus status = 1;
}
174