1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
|
// Copyright 2015 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto2";
option optimize_for = LITE_RUNTIME;
package attestation;
option go_package = "go.chromium.org/chromiumos/system_api/attestation_proto";
// Enumerates various certificate profiles supported by the Attestation CA.
enum CertificateProfile {
// A certificate intended for enterprise-owned devices. It has the following
// subjectName fields:
// CN=<stable device identifier>
// OU=state:[verified|developer]
// O=Chrome Device Enterprise
ENTERPRISE_MACHINE_CERTIFICATE = 0;
// A certificate intended for enterprise-owned user accounts. It has the
// following subjectName fields:
// OU=state:[verified|developer]
// O=Chrome Device Enterprise
ENTERPRISE_USER_CERTIFICATE = 1;
// A certificate intended for platform verification by providers of protected
// content. It has the following subjectName fields:
// O=Chrome Device Content Protection
CONTENT_PROTECTION_CERTIFICATE = 2;
// Like above, but it also includes a stable ID and origin.
// CN=<origin-specific device identifier>
// OU=<origin>
// O=Chrome Device Content Protection
CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3;
// A certificate intended for cast devices.
CAST_CERTIFICATE = 4;
GFSC_CERTIFICATE = 5;
JETSTREAM_CERTIFICATE = 6;
// A certificate for enterprise enrollment.
ENTERPRISE_ENROLLMENT_CERTIFICATE = 7;
// A certificate for signing Android Testsuite Results using CTS-in-a-box.
XTS_CERTIFICATE = 8;
// An EK certificate for vTPM
// CN=CROS VTPM PRD EK ROOT CA
ENTERPRISE_VTPM_EK_CERTIFICATE = 9;
// A local authority certificate for binding software keys.
// CN=Local Authority
// O=Chrome Device Soft Bind
SOFT_BIND_CERTIFICATE = 10;
// A remote attestation certificate for proving device integrity.
// CN=<An opaque device identifier string>
// O=Chrome Device Setup
DEVICE_SETUP_CERTIFICATE = 11;
// The ARC TPM certifying key is a restricted key that is used to quote
// various TPM data, such as PCR quotation or NVRAM quotation.
// It is primarily used for Version Attestation in ARC Attestation.
ARC_TPM_CERTIFYING_KEY_CERTIFICATE = 12;
// The ARC Device Key is the Device Key used in Android Attestation for ARC.
// It is an unrestricted key.
ARC_ATTESTATION_DEVICE_KEY_CERTIFICATE = 13;
// A certificate intended for the Device Trust flow on enterprise-owned user
// accounts on unmanaged devices. It has the following subjectName fields:
// OU=state:[verified|developer]
// O=Chrome Device Enterprise
DEVICE_TRUST_USER_CERTIFICATE = 14;
// A certificate for an Android UDS public key.
UDS_CERTIFICATE = 15;
// A certificate establishing Android product identity values. It has the
// following subjectName fields:
// CN=<ADID>
// OU=<BoardID.Type as brand code>
// O=Android Product Identity
ANDROID_PRODUCT_IDENTITY_CERTIFICATE = 16;
}
enum TpmVersion {
TPM_1_2 = 1; // NOTE: This is the default. It must remain listed first.
TPM_2_0 = 2;
}
// Types of NVRAM quotes used for attestation.
enum NVRAMQuoteType {
// Quote of the Cr50-backed BoardID.
BOARD_ID = 0;
// Quote of the Cr50-backed SN+RMA bits.
SN_BITS = 1;
// Quote of the Cr50-backed RSA public endorsement key certificate.
RSA_PUB_EK_CERT = 2;
// Quote of the Cr50-backed RSU device ID.
RSU_DEVICE_ID = 3;
// Quote of RMA bytes (a complement of RMA bits with optional leading zeroes).
RMA_BYTES = 4;
// Quote of the Cr50-backed G2f certificate.
G2F_CERT = 5;
// Quote of a DICE cert chain.
DICE_CERT_CHAIN = 6;
}
// Holds information about a quote generated by the TPM.
message Quote {
// The quote; a signature generated with the AIK.
optional bytes quote = 1;
// The serialized data that was quoted; this assists in verifying the quote.
optional bytes quoted_data = 2;
// The value of the PCR(s) at the time the quote was generated.
optional bytes quoted_pcr_value = 3;
// Source data which was originally used to extend the PCR. If this field
// exists it can be expected that SHA1(pcr_source_hint) was extended into the
// PCR.
optional bytes pcr_source_hint = 4;
}
// Holds encrypted data and information required to decrypt it.
message EncryptedData {
// A key that has been sealed to the TPM or wrapped by another key.
optional bytes wrapped_key = 2;
// The initialization vector used during encryption.
optional bytes iv = 3;
// MAC of (iv + encrypted_data).
optional bytes mac = 4;
optional bytes encrypted_data = 5;
// An identifier for the wrapping key to assist in decryption.
optional bytes wrapping_key_id = 6;
}
// The wrapper message of any data and its signature.
message SignedData {
// The data to be signed.
optional bytes data = 1;
// The signature of the data field.
optional bytes signature = 2;
}
// The first two fields are suitable for passing to Tspi_TPM_ActivateIdentity()
// directly when using TPM 1.2. For TPM 2.0 the first two fields are not used.
message EncryptedIdentityCredential {
// TPM_ASYM_CA_CONTENTS, encrypted with EK public key.
optional bytes asym_ca_contents = 1;
// TPM_SYM_CA_ATTESTATION, encrypted with the key in aysm_ca_contents.
optional bytes sym_ca_attestation = 2;
optional TpmVersion tpm_version = 3;
// The following fields are used only for TPM 2.0. For details see the TPM 2.0
// specification Part 1 Rev 1.16:
// - Section 9.5.3.3: General description of the scheme.
// - Section 24: More details including how to use the seed to compute the
// values for 'credential_mac' and 'wrapped_certificate->
// wrapped_key'
// - Section B.10.4: Encrypting the seed with a RSA EK.
// - Section C.7.4: Encrypting the seed with an EC EK.
// A seed encrypted with the EK public key. The TPM will use this seed to
// derive both an HMAC key to verify the 'credential_mac' field and an AES key
// to unwrap the 'wrapped_certificate->wrapped_key' field.
optional bytes encrypted_seed = 4;
// An integrity value computed using HMAC-SHA256 over the
// 'wrapped_certificate.wrapped_key' field and the 'Name' of the identity key.
optional bytes credential_mac = 5;
// A certificate encrypted with a 'credential' that is decrypted by the TPM.
// The 'wrapped_key' field contains the encrypted credential which is
// encrypted using AES-256-CFB with a zero IV. The encryption of the
// certificate itself uses AES-256-CBC with PKCS #5 padding and a random IV.
// The encryption key is derived from the 'credential' using:
// SHA256('ENCRYPT' + credential)
// The mac uses HMAC-SHA256 with a key derived using:
// SHA256('MAC' + credential)
optional EncryptedData wrapped_certificate = 6;
}
// This message holds all information to be sent to the attestation server in
// order to complete enrollment.
message AttestationEnrollmentRequest {
// The EK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_endorsement_credential = 1;
// The AIK public key, the raw TPM format. (TPM_PUBKEY for TPM 1.2,
// TPMT_PUBLIC for TPM 2.0).
optional bytes identity_public_key = 2;
// PCR0 quoted by AIK.
optional Quote pcr0_quote = 3;
// PCR1 quoted by AIK.
optional Quote pcr1_quote = 4;
// DEN for enterprise zero-touch enrollment (crbug/624187).
optional bytes enterprise_enrollment_nonce = 5;
// The device TPM version.
optional TpmVersion tpm_version = 6;
// An encrypted quote of the RSA EK cert, in X.509 form, if the endorsement
// credential is not RSA.
optional EncryptedData encrypted_rsa_endorsement_quote = 7;
}
enum ResponseStatus {
OK = 0;
// Internal server error.
SERVER_ERROR = 1;
// The server cannot parse the request.
BAD_REQUEST = 2;
// The server rejects the request.
REJECT = 3;
// Only appears in enrollment response. The server returns the same generated
// id and reports the quota limit exceeded status when the number of reset
// action in a specified time window is more than self reset limitation.
QUOTA_LIMIT_EXCEEDED = 4;
}
// The response from the attestation server for the enrollment request.
message AttestationEnrollmentResponse {
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
optional EncryptedIdentityCredential encrypted_identity_credential = 3;
// Extra details included when the result is not OK.
optional string extra_details = 4;
}
// `DEVICE_SETUP_CERTIFICATE` specific metadata.
message DeviceSetupCertificateMetadata {
// This will eventually be a DUSI. For now, this will be a 36 character GUID.
// This will be used as the CN of the Remote Attestation certificate.
optional string id = 1;
// Unix timestamp (in seconds) of the generation of the request.
optional uint64 timestamp_seconds = 2;
// The generated certificate will be bound to this value. This is used to
// prevent replay attacks. Currently it is the FIDO credential id.
optional string content_binding = 3;
}
// The certificate request to be sent to the attestation server.
message AttestationCertificateRequest {
// The AIK cert in X.509 format.
optional bytes identity_credential = 1;
// A certified public key in TPM_PUBKEY (TPMT_PUBLIC for TPM 2.0).
optional bytes certified_public_key = 3;
// The serialized TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) for the
// certified key.
optional bytes certified_key_info = 4;
// The signature of the TPM_CERTIFY_INFO (TPMS_ATTEST for TPM 2.0) by the AIK.
optional bytes certified_key_proof = 5;
// A message identifier to be included in the response.
optional bytes message_id = 10;
// The certificate profile defines the type of certificate to issue.
optional CertificateProfile profile = 11;
// Information about the origin of the request which may be used depending on
// the certificate profile.
optional string origin = 12;
// The index of a temporal value. This may be used or ignored depending on
// the certificate profile.
optional int32 temporal_index = 13;
// The device TPM version.
optional TpmVersion tpm_version = 14;
// NVRAM quoted by AIK. Keys are values of the NVRAMQuoteType. This is used
// by the following profiles:
// - `ENTERPRISE_ENROLLMENT_CERTIFICATE`
// - `ENTERPRISE_VTPM_EK_CERTIFICATE`
// - `UDS_CERTIFICATE`
map<int32, Quote> nvram_quotes = 15;
// Certificate profile specific metadata.
oneof metadata {
// `DEVICE_SETUP_CERTIFICATE` specific metadata.
DeviceSetupCertificateMetadata device_setup_certificate_metadata = 16;
}
// ADID read from the VPD. Used as the host identifier incorporated in the
// certificates.
// Used for `ENTERPRISE_ENROLLMENT_CERTIFICATE`,
// `ENTERPRISE_VTPM_EK_CERTIFICATE` and `ANDROID_PRODUCT_IDENTITY_CERTIFICATE`
// profiles only.
optional bytes attested_device_id = 17;
}
// The response from the attestation server for the certificate request.
message AttestationCertificateResponse {
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
// The credential of the certified key in X.509 format.
optional bytes certified_key_credential = 3;
// The issuer intermediate CA certificate in X.509 format.
optional bytes intermediate_ca_cert = 5;
// A message identifier from the request this message is responding to.
optional bytes message_id = 6;
// Additional intermediate CA certificates that can help in validation.
// Certificate chaining order is from the leaf to the root. That is,
// |certified_key_credential| is signed by
// |intermediate_ca_cert|, which is signed by
// |additional_intermediate_ca_cert(0)|, which is signed by
// |additional_intermediate_ca_cert(1)|, ... and so on.
repeated bytes additional_intermediate_ca_cert = 7;
// Extra details included when the result is not OK.
optional string extra_details = 8;
}
// The reset request to be sent to the attestation server.
message AttestationResetRequest {
// The AIK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_identity_credential = 1;
// The one time token to make sure the reset process can be triggered only
// once.
optional bytes token = 2;
// The EK cert, in X.509 form, encrypted using the server's public key with
// the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_endorsement_credential = 3;
}
// The response from the attestation server for the reset request.
message AttestationResetResponse {
// The response status.
optional ResponseStatus status = 1;
// Short detail response message. Included when the result is not OK.
optional string detail = 2;
// Extra details included when the result is not OK.
optional string extra_details = 3;
}
// The challenge data (as in challenge-response) generated by the server.
// Before transmitted to the client, this message will be wrapped as a
// SignedData message, in which the data field is the serialized Challenge
// message, and the signature field is the signature of the data field signed
// by the enterprise server using a hard-coded key. The signature algorithm is
// RSASSA-PKCS1-v1_5-SHA256.
message Challenge {
// A string for the client to sanity check a legitimate challenge.
optional string prefix = 1;
// A 256-bit random value generated by the server.
optional bytes nonce = 2;
// A timestamp for a stateless server to limit the timeframe during which the
// challenge may be replayed.
optional int64 timestamp = 3;
}
// The response data (as in challenge-response) generated by the client.
// Before transmitted to the server, this message will be wrapped as a
// SignedData message, in which the data field is the serialized
// ChallengeResponse message, and the signature field is the signature of the
// data field signed by the client using the key being challenged. The
// signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message ChallengeResponse {
// The original challenge data.
optional SignedData challenge = 1;
// A 256-bit random value generated by the client. Mixing in this nonce
// prevents a caller from using a challenge to sign arbitrary data.
optional bytes nonce = 2;
// The KeyInfo message encrypted using a public encryption key, pushed via
// policy with the following parameters:
// Key encryption: RSA-OAEP with no custom parameters.
// Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
// MAC: HMAC-SHA-512 using the AES key.
optional EncryptedData encrypted_key_info = 3;
}
// The data type of the message decrypted from
// ChallengeResponse.encrypted_key_info.encrypted_data field. This message holds
// information required by the Verified Access server API (VA) to complete the
// verification.
message KeyInfo {
// Determines the verification flow on VA and the content of the VA response.
optional VerifiedAccessFlow flow_type = 1;
// Domain information about the device or user associated with the VA flow
// type. For `flow_type` ENTERPRISE_MACHINE, this value is the enrolled
// domain. For `flow_type` ENTERPRISE_USER, this value is the user's email
// address.
optional string domain = 2;
// The virtual device ID associated with the device or user.
optional bytes device_id = 3;
// If the `flow_type` is ENTERPRISE_MACHINE, this value is the PCA-issued
// certificate for the key.
optional bytes certificate = 4;
// If the `flow_type` is ENTERPRISE_USER, this value may hold a
// SignedPublicKeyAndChallenge with a random challenge. The
// SignedPublicKeyAndChallenge specification is here:
// https://developer.mozilla.org/en-US/docs/HTML/Element/keygen.
optional bytes signed_public_key_and_challenge = 5;
// The identifier of the customer, as defined by the Google Admin SDK at
// https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers
optional string customer_id = 6;
// A new field which contains public key generated by the CBCM-enrolled
// browser if key type is CBCM
optional bytes browser_instance_public_key = 7;
// A new field which indicated the signing scheme used for the outer
// SignedData message. We should populate this for any `flow_type`. For
// `flow_type` ENTERPRISE_USER/ENTERPRISE_MACHINE (ChromeOS use case), this
// will currently say "SHA256withRSA" at all times, but we should start
// supporting ECDSA signing in the near future as per 2020 OKRs. For
// `flow_type` CBCM, this will be one of the permitted_schemes from
// DeviceIdentity policy.
optional string signing_scheme = 8;
// Device Trust Signals
// Deprecated due to signals collection change to store signals in a
// dictionary and converting them to a JSON string. Use
// `device_trust_signals_json` instead.
reserved 9;
// Device Trust Signals
optional string device_trust_signals_json = 10;
// DM token to be used for this request.
optional string dm_token = 11;
// The identifier of the customer for the managed user, as defined by the
// Google Admin SDK at
// https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers.
optional string user_customer_id = 12;
// Obfuscated gaia ID associated with the signed in managed user.
optional string obfuscated_gaia_id = 13;
// The ID of a profile on the device.
optional string profile_id = 14;
}
// Device Trust Signals
message DeviceTrustSignals {
option deprecated = true;
// Device Id
optional string device_id = 1;
// Obfuscated CBCM-enrolled Customer Id
optional string obfuscated_customer_id = 2;
// Device serial number
optional string serial_number = 3;
// Human readable name for this device
optional string display_name = 4;
// OS running on the device (e.g. Chrome OS)
optional string os = 5;
// Device manufacturer (e.g. Dell)
optional string device_manufacturer = 6;
// Device model (e.g. iPhone 12 Max)
optional string device_model = 7;
// OS version (e.g. macOS 10.15.7)
optional string os_version = 8;
// IMEI
repeated string imei = 9;
// MEID
repeated string meid = 10;
// Hash of the EKPub certificate of the TPM on the device, if available.
optional string tpm_hash = 11;
// Is the disk encrypted
optional bool is_disk_encrypted = 12;
// Value of the AllowScreenLock policy.
// https://chromeenterprise.google/policies/?policy=AllowScreenLock
optional bool allow_screen_lock = 13;
// Is the access to the OS user protected by a password
optional bool is_protected_by_password = 14;
// Is the device jailbroken or modified
optional bool is_jailbroken = 15;
// The CBCM enrollment domain of the browser.
optional string enrollment_domain = 16;
// Browser Version
optional string browser_version = 17;
// Value of the SafeBrowsingProtectionLevel policy.
// https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel
optional int32 safe_browsing_protection_level = 18;
// Value of the SitePerProcess policy.
// https://chromeenterprise.google/policies/#SitePerProcess
optional bool site_isolation_enabled = 19;
// ThirdPartyBlockingEnabled
optional bool third_party_blocking_enabled = 20;
// To determine whether users can access other computers
// from Chrome using Chrome Remote Desktop
optional bool remote_desktop_available = 21;
// Signed in profile name
optional string signed_in_profile_name = 22;
// ChromeCleanupEnabled
optional bool chrome_cleanup_enabled = 23;
// PasswordProtectionWarningTrigger
optional int32 password_protection_warning_trigger = 24;
// DNS address
optional string dns_address = 25;
// BuiltInDnsClientEnabled
optional bool built_in_dns_client_enabled = 26;
// Whether the OS firewall is turned on
optional bool firewall_on = 27;
// The Windows domain the device has joined
optional string windows_domain = 28;
}
// Possible VA flows supported by the Verified Access server API and chromium.
// The values will be used to distinguish between different prerequisites,
// verification methods and contents of VA challenge response.
enum VerifiedAccessFlow {
// The flow of creating a challenge response for enterprise machine
// verification. The VA challenge will be signed with the EMK. ChromeOS only.
// Uses CertificateProfile: ENTERPRISE_MACHINE_CERTIFICATE
// Uses AttestationKeyType: KEY_DEVICE
ENTERPRISE_MACHINE = 0;
// The flow of creating a challenge response for enterprise user verification.
// The VA challenge will be signed with the EUK. ChromeOS only.
// Uses CertificateProfile: ENTERPRISE_USER_CERTIFICATE
// Uses AttestationKeyType: KEY_USER
ENTERPRISE_USER = 1;
// The flow of creating a challenge response for verifying a managed Chrome
// Browser. It does not use remote attestation and instead relies on a key
// exchange to sign the VA challenge. Chrome Browser only.
// Uses CertificateProfile: n.a.
// Uses AttestationKeyType: n.a.
CBCM = 2;
// The flow of creating a challenge response for verification during the
// Device Trust Connector handshake. The VA challenge will be signed with a
// device key. ChromeOS only.
// Uses CertificateProfile: DEVICE_TRUST_USER_CERTIFICATE
// Uses AttestationKeyType: KEY_DEVICE
DEVICE_TRUST_CONNECTOR = 3;
}
|
