File: UserDataAuth.proto

package info (click to toggle)
chromium 139.0.7258.127-1
links: PTS, VCS
area: main
in suites:
size: 6,122,068 kB
sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (1682 lines) | stat: -rw-r--r-- 63,023 bytes
parent folder | download | duplicates (6)
// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// The messages in this file comprise the DBus/Proto interface for the new set
// of Cryptohome interface after the refactor, and the associated messages used
// by those interfaces.
//
// For every DBus call there is both an input and output message which have the
// same name as the call plus the "Request" or "Reply" suffix, respectively.
// Every Reply message will also have two error fields:
//   * CryptohomeErrorCode error
//   * CryptohomeErrorInfo error_info
// The first field is an enum which will be set on any errors. The second field
// is a richer error message which will also be set on any errors. The latter is
// intended to eventually replace the former. For more information on which
// field to use and the process of the migration, see the more specific comments
// on CryptohomeErrorInfo.

syntax = "proto3";

option optimize_for = LITE_RUNTIME;

package user_data_auth;
option go_package = "go.chromium.org/chromiumos/system_api/user_data_auth_proto";

import "auth_factor.proto";
import "fido.proto";
import "recoverable_key_store.proto";

///////////////////////////////////////////////////////////////////////////////
// Messages that's used by the actual request/reply goes below
///////////////////////////////////////////////////////////////////////////////

// We still need the AccountIdentifier and KeyDelegate messages from the old
// interface.
import "rpc.proto";

// Error codes do not need to be sequential per-call.
// Prefixes by Request/Reply type should be used to help
// callers know if specialized errors apply.
// TODO(b/135984863): Rename this.
enum CryptohomeErrorCode {
  // No error: the operation succeeded.
  CRYPTOHOME_ERROR_NOT_SET = 0;

  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
  CRYPTOHOME_ERROR_KEY_QUOTA_EXCEEDED = 11;
  CRYPTOHOME_ERROR_KEY_LABEL_EXISTS = 12;
  CRYPTOHOME_ERROR_BACKING_STORE_FAILURE = 13;
  CRYPTOHOME_ERROR_UPDATE_SIGNATURE_INVALID = 14;
  CRYPTOHOME_ERROR_KEY_NOT_FOUND = 15;
  CRYPTOHOME_ERROR_LOCKBOX_SIGNATURE_INVALID = 16;
  CRYPTOHOME_ERROR_LOCKBOX_CANNOT_SIGN = 17;
  CRYPTOHOME_ERROR_BOOT_ATTRIBUTE_NOT_FOUND = 18;
  CRYPTOHOME_ERROR_BOOT_ATTRIBUTES_CANNOT_SIGN = 19;
  CRYPTOHOME_ERROR_TPM_EK_NOT_AVAILABLE = 20;
  CRYPTOHOME_ERROR_ATTESTATION_NOT_READY = 21;
  CRYPTOHOME_ERROR_CANNOT_CONNECT_TO_CA = 22;
  CRYPTOHOME_ERROR_CA_REFUSED_ENROLLMENT = 23;
  CRYPTOHOME_ERROR_CA_REFUSED_CERTIFICATE = 24;
  CRYPTOHOME_ERROR_INTERNAL_ATTESTATION_ERROR = 25;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID = 26;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_STORE = 27;
  CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_CANNOT_REMOVE = 28;
  CRYPTOHOME_ERROR_MOUNT_OLD_ENCRYPTION = 29;
  CRYPTOHOME_ERROR_MOUNT_PREVIOUS_MIGRATION_INCOMPLETE = 30;
  CRYPTOHOME_ERROR_MIGRATE_KEY_FAILED = 31;
  CRYPTOHOME_ERROR_REMOVE_FAILED = 32;
  CRYPTOHOME_ERROR_INVALID_ARGUMENT = 33;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_GET_FAILED = 34;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_SET_FAILED = 35;
  CRYPTOHOME_ERROR_INSTALL_ATTRIBUTES_FINALIZE_FAILED = 36;
  CRYPTOHOME_ERROR_UPDATE_USER_ACTIVITY_TIMESTAMP_FAILED = 37;
  CRYPTOHOME_ERROR_FAILED_TO_READ_PCR = 38;
  CRYPTOHOME_ERROR_PCR_ALREADY_EXTENDED = 39;
  CRYPTOHOME_ERROR_FAILED_TO_EXTEND_PCR = 40;
  CRYPTOHOME_ERROR_TPM_UPDATE_REQUIRED = 41;
  CRYPTOHOME_ERROR_FINGERPRINT_ERROR_INTERNAL = 42;
  // Fingerprint match failed but at least one retry count left.
  CRYPTOHOME_ERROR_FINGERPRINT_RETRY_REQUIRED = 43;
  // Fingerprint match failed and maximum retry count reached.
  CRYPTOHOME_ERROR_FINGERPRINT_DENIED = 44;
  CRYPTOHOME_ERROR_VAULT_UNRECOVERABLE = 45;
  CRYPTOHOME_ERROR_FIDO_MAKE_CREDENTIAL_FAILED = 46;
  CRYPTOHOME_ERROR_FIDO_GET_ASSERTION_FAILED = 47;
  CRYPTOHOME_TOKEN_SERIALIZATION_FAILED = 48;
  CRYPTOHOME_INVALID_AUTH_SESSION_TOKEN = 49;
  CRYPTOHOME_ADD_CREDENTIALS_FAILED = 50;
  CRYPTOHOME_ERROR_UNAUTHENTICATED_AUTH_SESSION = 51;
  CRYPTOHOME_ERROR_UNKNOWN_LEGACY = 52;
  CRYPTOHOME_ERROR_UNUSABLE_VAULT = 53;
  CRYPTOHOME_REMOVE_CREDENTIALS_FAILED = 54;
  CRYPTOHOME_UPDATE_CREDENTIALS_FAILED = 55;
  CRYPTOHOME_ERROR_RECOVERY_TRANSIENT = 56;
  CRYPTOHOME_ERROR_RECOVERY_FATAL = 57;
  CRYPTOHOME_ERROR_BIOMETRICS_BUSY = 58;
  CRYPTOHOME_ERROR_CREDENTIAL_LOCKED = 59;
  // Authentication is attempted towards an expired LE credential. A highier
  // tier credential type has to be entered to reset the LE credential's
  // expiration. If a credential is both locked out due to too many wrong
  // attempts AND expired, CRYPTOHOME_ERROR_CREDENTIAL_EXPIRED will take
  // precedence and be returned.
  CRYPTOHOME_ERROR_CREDENTIAL_EXPIRED = 60;
  CRYPTOHOME_RELABEL_CREDENTIALS_FAILED = 61;
  CRYPTOHOME_REPLACE_CREDENTIALS_FAILED = 62;
  // Note: After adding new fields to this enum, the new enum should be added
  // to ash/components/login/auth/auth_session_authenticator.cc's
  // AuthSessionAuthenticator::ProcessCryptohomeError() so that Chromium
  // can handle them properly.
}

///////////////////////////////////////////////////////////////////////////////
// Error handling related
///////////////////////////////////////////////////////////////////////////////

// PrimaryAction is used to indicate that cryptohomed believes that a certain
// condition is true and thus the corresponding action should be carried out or
// it can resolve the issues.
enum PrimaryAction {
  // PRIMARY_NO_ERROR indicates that there's no error.
  PRIMARY_NO_ERROR = 0;

  // PRIMARY_NONE indicates that cryptohomed is not sure. Caller should check
  // PossibleAction.
  PRIMARY_NONE = 1;

  // PRIMARY_CREATE_REQUIRED indicates that the user doesn't exist and the
  // caller should add CreateRequest to the Mount() call.
  PRIMARY_CREATE_REQUIRED = 2;

  // PRIMARY_NOTIFY_OLD_ENCRYPTION_POLICY indicates that the vault is using
  // legacy crypto and the policy doesn't allow it. The caller should notify
  // users regarding the policy.
  PRIMARY_NOTIFY_OLD_ENCRYPTION_POLICY = 3;

  // PRIMARY_RESUME_PREVIOUS_MIGRATION indicates that eCryptfs is being
  // migrated to dircrypto but it's not completed yet. Caller should finish
  // the migration before trying again.
  PRIMARY_RESUME_PREVIOUS_MIGRATION = 4;

  // PRIMARY_TPM_UDPATE_REQUIRED indicates that the TPM firmware should be
  // updated before proceeding.
  PRIMARY_TPM_UDPATE_REQUIRED = 5;

  // PRIMARY_TPM_NEEDS_REBOOT indicates that the TPM encountered a critical
  // error that can only be resolved by rebooting.
  PRIMARY_TPM_NEEDS_REBOOT = 6;

  // PRIMARY_TPM_LOCKOUT indicates that the TPM is in dictionary attack lockout
  // state. The caller should advise the user to wait it out.
  PRIMARY_TPM_LOCKOUT = 7;

  // PRIMARY_INCORRECT_AUTH indicates that the supplied auth material
  // (password) is incorrect. The caller should notify the user as such.
  // Note that it is a special case, see CryptohomeErrorInfo's
  // probable_action field for more info.
  PRIMARY_INCORRECT_AUTH = 8;

  // PRIMARY_FACTOR_LOCKED_OUT indicates that authentication is attempted
  // towards a locked out credential. Different types of credentials could
  // be locked out by different reasons (some factor types might even have
  // multiple lockout reasons), and the detailed information of lockout can
  // be checked in AuthFactorWithStatus's StatusInfo field. For example:
  // - CryptohomeRecovery locked out: system is accessed remotely. Needs to
  //   be rebooted to unlock.
  // - PIN locked out: too many wrong attempts. StatusInfo will show how long
  //   the user has to wait until unlock. Can be unlocked by another full auth
  //   as well.
  // - Fingerprint locked out: too many wrong attempts or the user hasn't
  //   performed any auth for a while. StatusInfo will show how long the user
  //   has to wait (for too many wrong attempts) and how much time left until
  //   lockout (if user doesn't perform any auth). Can be unlocked by another
  //   full auth as well.
  PRIMARY_FACTOR_LOCKED_OUT = 9;

  reserved 10;  // PRIMARY_LE_EXPIRED
}

// PossibleAction is used to indicate that cryptohomed believies some actions
// are more likely to resolve the error than other actions.
enum PossibleAction {
  // POSSIBLY_NONE is not used, it's defined to take the 0 position.
  POSSIBLY_NONE = 0;

  // POSSIBLY_RETRY suggests the caller to retry immediately.
  POSSIBLY_RETRY = 1;

  // POSSIBLY_REBOOT suggests the caller to reboot then retry.
  POSSIBLY_REBOOT = 2;

  // POSSIBLY_AUTH suggests the caller to try another authentication method.
  POSSIBLY_AUTH = 3;

  reserved 4;  // POSSIBLY_INCORRECT_AUTH

  // POSSIBLY_DELETE_VAULT suggests the caller to delete the user's vault
  // because it's unrecoverable.
  POSSIBLY_DELETE_VAULT = 5;

  // POSSIBLY_POWERWASH suggests the caller to powerwash because certain TPM
  // state is corrupted and can only be obtained at OOBE.
  POSSIBLY_POWERWASH = 6;

  // POSSIBLY_DEV_CHECK_UNEXPECTED_STATE suggests that it's the developer's
  // problem. Software developers should investigate if this error ever occurs.
  POSSIBLY_DEV_CHECK_UNEXPECTED_STATE = 7;

  // POSSIBLY_FATAL suggests that there's no way to resolve the issue.
  // It should not have happened and the caller should not retry.
  POSSIBLY_FATAL = 8;
}

// CryptohomeErrorInfo contains the information regarding an error or a
// condition that occurred.
// Note on the migration: During the migration process, both the legacy
// CryptohomeErrorCode and the new CryptohomeErrorInfo field will be available.
// Before the Phase 1 of the migration is completed (b/229804686), callers of
// Cryptohome API should rely on the legacy CryptohomeErrorCode. After Phase 1
// is completed, which will be indicated in the issue tracker entry, callers
// can assume that both the legacy CryptohomeErrorCode field and
// CryptohomeErrorInfo field contains valid information and the callers can
// proceed to refactor to use the new fields, this is Phase 2 (b/229805195).
// The legacy CryptohomeErrorCode field that coexists with CryptohomeErrorInfo
// will be removed in Phase 3 (b/229807416).
// We are currently in the process of completing Phase 1, and thus caller
// should still rely on the legacy CryptohomeErrorCode field.
message CryptohomeErrorInfo {
  // error_id is a unique identifier that identifies the location that the
  // error occurred within cryptohome. More effectively, it's a "smart
  // stacktrace" that remains the same from version to version for the same
  // error.
  // There's no guarantee on the exact formatting to users external to
  // cryptohome, except that it should be short enough to be displayed on
  // one line and contains fine-grained and detailed information on the error.
  // For cryptohome developers, see cryptohome/docs/error_reporting.md.
  // Example: "42-15-3"
  string error_id = 1;

  // readable_error_id is the human readable version of the error_id. It
  // encompasses all information that is in error_id and is more human
  // readable. However, it may or may not remain the same from version to
  // version.
  // There's no guarantee on the exact formatting of this field to users
  // external to cryptohome, except that it should be at most a few lines in
  // length and should be reasonable to write to the logs.
  // For cryptohome developers, see cryptohome/docs/error_reporting.md.
  string readable_error_id = 2;

  // primary_action is when cryptohome is quite certain that something can
  // be done to resolve the error/condition. Usually primary_action is used
  // to indicate to the Chromium side that an action should be done.
  PrimaryAction primary_action = 3;

  // probable_action is when cryptohome is not quite sure how the error
  // occurred, but believes that some of the actions (as listed in this field)
  // are more likely to resolve the error than other actions.
  // The entries in this repeated field are not ordered.
  // This field can be ignored if primary_action is not PRIMARY_NONE.
  repeated PossibleAction possible_actions = 4;
}

///////////////////////////////////////////////////////////////////////////////
// Actual request/reply goes below
///////////////////////////////////////////////////////////////////////////////

// ------------------------- UserDataAuth Interface -------------------------

// Input parameters to IsMounted()
message IsMountedRequest {
  // If username is available, then it'll check if a specific user's home
  // directory is mounted. Otherwise, it'll check if any home directory is
  // mounted.
  string username = 1;
}

// Output parameters for IsMounted()
message IsMountedReply {
  // If the requested home directory is mounted.
  bool is_mounted = 1;
  // If the mount is ephemeral, that is, if the contents get cleared once
  // the user logs out.
  // Note that if there's no username specified in the IsMountedRequest,
  // then this field is set to true if any mount is ephemeral.
  bool is_ephemeral_mount = 2;
}

// Input parameters to GetVaultProperties()
// The call will return an error in the following scenarios:
// 1. Username is empty.
// 2. Mount is guest or ephemeral.
// 3. User does not exist.
// 4. User is not logged in.
message GetVaultPropertiesRequest {
  // Username is required to get properties.
  string username = 1;
}

// Output parameters for GetVaultPropertiesReply()
message GetVaultPropertiesReply {
  // Indicates an error if |error| is not empty.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;

  // Encryption type used for the current mount for the user.
  // This will be populated with default CRYPTOHOME_VAULT_ENCRYPTION_ANY
  // for an ephemeral or a tempfs mount.
  // In any case, if the value is CRYPTOHOME_VAULT_ENCRYPTION_ANY,
  // it should not be considered reliable.
  VaultEncryptionType encryption_type = 3;
}

// Input parameters to Unmount()
// Currently we only support unmounting all mounted cryptohomes but in the
// future we may implement per-user unmount, at which point we can extend this
// proto with the necessary information.
message UnmountRequest {}

// Output parameters for Unmount()
message UnmountReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Input parameters to Remove()
// If an AuthSession ID is provided, then that will be used and validated.
message RemoveRequest {
  // Identifies the user, whose home directory to remove
  cryptohome.AccountIdentifier identifier = 1;
  // Token that would be get user id from AuthSession.
  bytes auth_session_id = 2;
}

// Output parameters for Remove()
message RemoveReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Signal that account has been removed.
message RemoveCompleted {
  string sanitized_username = 1;
}

// Input parameters to GetWebAuthnSecret()
message GetWebAuthnSecretRequest {
  // This represents the "single user" that the secret belongs to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for GetWebAuthnSecret()
message GetWebAuthnSecretReply {
  CryptohomeErrorCode error = 1;

  // The WebAuthn secret.
  bytes webauthn_secret = 2;
}

// Input parameters to GetWebAuthnSecretHash()
message GetWebAuthnSecretHashRequest {
  // This represents the "single user" that the secret belongs to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for GetWebAuthnSecretHash()
message GetWebAuthnSecretHashReply {
  CryptohomeErrorCode error = 1;

  // The WebAuthn secret hash.
  bytes webauthn_secret_hash = 2;
}

// TODO(b/126307305): For the messages, below, we'll need to add the
// documentations for them.

// Input parameters to StartMigrateToDircrypto().
message StartMigrateToDircryptoRequest {
  // The owner of the cryptohome that we are going to migrate.
  cryptohome.AccountIdentifier account_id = 1;

  // If true, only a few paths (specified in cryptohomed) that are necessary for
  // a working profile will be migrated. Most user data will be wiped.
  bool minimal_migration = 2;

  // Auth Session id will let migrate derive credentials from AuthSessions.
  // AuthSession needs to be authenticated for this to be successful. If both
  // account_id and auth_session_id is mentioned, auth_session_id would be
  // supersede and identity would be derived from that.
  bytes auth_session_id = 3;
}

// Output parameters for StartMigrateToDircrypto().
message StartMigrateToDircryptoReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Status code for the message DircryptoMigrationProgress below.
enum DircryptoMigrationStatus {
  // 0 means a successful completion.
  DIRCRYPTO_MIGRATION_SUCCESS = 0;
  // TODO(kinaba,dspaid): Add error codes as needed here.
  DIRCRYPTO_MIGRATION_FAILED = 1;
  // TODO(kinaba,dspaid): Add state codes as needed.
  DIRCRYPTO_MIGRATION_INITIALIZING = 2;
  DIRCRYPTO_MIGRATION_IN_PROGRESS = 3;
}

// The data that comes with DircryptoMigrationProgress signal.
message DircryptoMigrationProgress {
  // The status of the migration. If this is not
  // |DIRCRYPTO_MIGRATION_IN_PROGRESS|, the following two fields |current_bytes|
  // and |total_bytes| should be ignored as they are undefined.
  DircryptoMigrationStatus status = 1;

  // The amount of bytes that we've migrated over.
  uint64 current_bytes = 2;

  // The total amount of bytes in this migration operation.
  uint64 total_bytes = 3;
}

// Input parameters to NeedsDircryptoMigration().
message NeedsDircryptoMigrationRequest {
  // The account for which we want to check if Dircrypto migration is needed.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for NeedsDircryptoMigration().
message NeedsDircryptoMigrationReply {
  CryptohomeErrorCode error = 1;

  // Whether Dircrypto migration is needed.
  // Note that this is invalid and should be disregarded if |error| is not
  // empty.
  bool needs_dircrypto_migration = 2;
}

// Input parameters to GetSupportedKeyPolicies().
message GetSupportedKeyPoliciesRequest {}

// Output parameters for GetSupportedKeyPolicies().
// This informs the caller which KeyPolicy features are supported.
message GetSupportedKeyPoliciesReply {
  // Whether low entropy credentials is supported by the policies
  bool low_entropy_credentials_supported = 1;
}

// Input parameters to GetAccountDiskUsage().
message GetAccountDiskUsageRequest {
  // The owner of the home directory that we are going to compute the
  // size for.
  cryptohome.AccountIdentifier identifier = 1;
}

// Output parameters for GetAccountDiskUsage().
message GetAccountDiskUsageReply {
  // Note that for this API call, it is not an error to supply a non-existent
  // user in the |GetAccountDiskUsageRequest.identifier| parameter.
  CryptohomeErrorCode error = 1;

  // The size of cryptohome in bytes. If a non-existent user is given in the
  // request, size will be 0.
  // Negative values are reserved, see HomeDir::ComputeSize() for more
  // information.
  int64 size = 2;
}

// The data that comes with LowDiskSpace signal.
message LowDiskSpace {
  // The amount of remaining free disk space.
  uint64 disk_free_bytes = 1;
}

message StartAuthSessionRequest {
  // The account of the user whose home directory is requested for mounting.
  cryptohome.AccountIdentifier account_id = 1;
  // Specifies if this user is ephemeral or not.
  bool is_ephemeral_user = 4;
  // The target intent of the authentication. This parameter declares which kind
  // of operations the caller wants to perform after the successful
  // authentication. During authentication, cryptohome will only offer factors
  // eligible for the intent.
  // TODO(b/240596931): Stop assuming that leaving this unset is the same as
  // `AUTH_INTENT_DECRYPT`, and forbid `AUTH_INTENT_UNSPECIFIED`.
  AuthIntent intent = 3;

  reserved 2;
}

message StatusInfo {
  // This field will be used for factor lockout time. Once an auth factor is
  // locked out, this field will show the time the factor is locked out for.
  // If the auth factor is not locked, this field will be set to zero.
  // If the auth factor is locked out permanently (i.e. until it is unlocked
  // via a separate credential) this will be set to the maximum uint64 value.
  // |time_available_in| would be indicated in terms of a wall clock timer,
  // and it will not be affected by sleep. Time unit is millisecond.
  uint64 time_available_in = 1;
  // This field will be used for remaining time until the factor is expired.
  // Once an auth factor is expired it needs to be unlocked via a separate
  // credential.
  // If the auth factor is already expired, this field will be set to zero.
  // If the auth factor won't expire, this will be set to the maximum uint64
  // value, and will not decrement through time.
  // This field would be indicated in terms of a wall clock time, and keeps
  // counting through sleep. Time unit is millisecond.
  uint64 time_expiring_in = 2;
}

// AuthFactorWithStatus returns read-only AuthFactor with relevant status
// information about |auth_factor|. This can later be expanded to include
// time a particular factor is available for, etc. Note: This should not be used
// with authenticate, add or update AuthFactor operations.
message AuthFactorWithStatus {
  // AuthFactor read from disk.
  AuthFactor auth_factor = 1;
  // Gives the set of possible actions available for this auth_factor.
  // This reflects the user policy (through settings or enterprise policy)
  // configured for the factor type, but not other runtime status of the
  // factor that make it unavailable (like lockout or expiration).
  repeated AuthIntent available_for_intents = 2;

  StatusInfo status_info = 3;
}

// AuthFactorStatusUpdate is the dbus signal that is sent for the authenticating
// user. If an auth factor is locked out, this signal will be sent periodically
// to update the subscriber about the lock out time. The lock out time would be
// available in the |time_available_in| inside the |auth_factor_with_status|.
message AuthFactorStatusUpdate {
  // Broadcast ID allows chrome to identify the authenticatng user, however, it
  // cannot be used for authentication purposes.
  bytes broadcast_id = 1;
  // The auth factor for which the status update is being provided.
  AuthFactorWithStatus auth_factor_with_status = 2;
}

// AuthSessionProperties object contains information about the user's current
// authentication session, identified by the ID in the request. This object is
// returned along with replies to calls that can potentially change the
// authentication session properties. The properties that are necessary for the
// user today are the intents that the authentication session is authorized for
// and the amount of time remaining in the authentication session.
message AuthSessionProperties {
  // The intents that the Auth Session has been authorized for. This starts from
  // an empty set when the session is created, and is updated when a factor is
  // successfully authenticated.
  repeated AuthIntent authorized_for = 4;
  // The time left in the current AuthSession after authentication.
  optional uint32 seconds_left = 5;
}

message StartAuthSessionReply {
  reserved 4, 7;

  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 6;

  // Token that would be used to conduct any auth-related operation.
  bytes auth_session_id = 2;
  // Token that is used to identify the session in other replies and signals.
  // Unlike the session ID this cannot be used as an input to perform actions
  // with the session and so is safe to share.
  bytes broadcast_id = 8;

  // True if the user that the Auth Session is created for exists or not.
  bool user_exists = 3;
  // List of AuthFactors configured and available for authentication in the
  // context of this session.
  repeated AuthFactor auth_factors = 5;

  // AuthFactor with status returns available authfactors for account_id
  // provided in the request, along with their status information.
  repeated AuthFactorWithStatus configured_auth_factors_with_status = 9;
}

message InvalidateAuthSessionRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be invalidated.
  bytes auth_session_id = 1;
}

message InvalidateAuthSessionReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

message ExtendAuthSessionRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be extended.
  bytes auth_session_id = 1;
  // Duration of the extension requested in seconds, with a default of
  // 60 seconds if not specified. The API will extend AuthSessions validity to
  // this duration or the current expiration time, whichever is higher.
  uint32 extension_duration = 2;
}

message ExtendAuthSessionReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // The time left in the current AuthSession after extension.
  optional uint32 seconds_left = 3;
}

message CreatePersistentUserRequest {
  // Id of the auth session associated with the user we aim to create.
  bytes auth_session_id = 1;
}

// AuthFactorAdded is the dbus signal that is sent whenever an AuthFactor
// is added (freshly added or replaced).
message AuthFactorAdded {
  // Broadcast ID allows chrome to identify the authenticatng user, however, it
  // cannot be used for authentication purposes.
  bytes broadcast_id = 1;
  // AuthFactor that was just added and is read from disk.
  AuthFactor auth_factor = 2;
}

// AuthFactorRemoved is the dbus signal that is sent whenever an
// AuthFactor is removed.
message AuthFactorRemoved {
  // Broadcast ID allows chrome to identify the authenticatng user, however, it
  // cannot be used for authentication purposes.
  bytes broadcast_id = 1;
  // AuthFactor that was just removed and was last read from disk.
  AuthFactor auth_factor = 2;
}

// AuthFactorUpdated is the dbus signal that is sent whenever an
// AuthFactor is updated (including relabled, update key or metadata).
// Note that Replace is a remove and add, so they would be two separate events.
message AuthFactorUpdated {
  // Broadcast ID allows chrome to identify the authenticatng user, however, it
  // cannot be used for authentication purposes.
  bytes broadcast_id = 1;
  // AuthFactor that was just updated and was read from disk.
  AuthFactor auth_factor = 2;
}

// AuthSessionExpiring is the dbus signal that is sent whenever an
// AuthSession has less than a minute remaining.
message AuthSessionExpiring {
  // Broadcast ID allows chrome to identify the authenticatng user, however, it
  // cannot be used for authentication purposes.
  bytes broadcast_id = 1;
  // Time left before which this auth session expires.
  uint32 time_left = 2;
}

message CreatePersistentUserReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 3;

  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Properties for the auth_session_id after the current call.
  AuthSessionProperties auth_properties = 4;
}

message PrepareGuestVaultRequest {}

message PrepareGuestVaultReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 3;

  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;
}

message PrepareEphemeralVaultRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

message PrepareEphemeralVaultReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 3;

  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;

  // Properties for the auth_session_id after the current call.
  AuthSessionProperties auth_properties = 4;
}

message GetAuthSessionStatusRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

message GetAuthSessionStatusReply {
  reserved 2, 3, 4;
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 5;

  // Properties for the auth_session_id after the current call.
  AuthSessionProperties auth_properties = 6;
}

enum VaultEncryptionType {
  CRYPTOHOME_VAULT_ENCRYPTION_ANY = 0;
  CRYPTOHOME_VAULT_ENCRYPTION_ECRYPTFS = 1;
  CRYPTOHOME_VAULT_ENCRYPTION_FSCRYPT = 2;
  CRYPTOHOME_VAULT_ENCRYPTION_DMCRYPT = 3;
}

message PreparePersistentVaultRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
  // Whether ecryptfs mount should be prohibited
  // TODO(dlunev): deprecate the field once we migrate to the new interface.
  // |force_encryption_type| will fully supercede it for all cases later on, but
  // in the interim we need to preserve it for backward compatibility.
  bool block_ecryptfs = 2;
  // Expected encryption type.
  // TODO(dlunev): for now it is enforced only for the vault creation. After
  // removing the old interface it will superceded |block_ecryptfs| flag to
  // enforce mandatory migrations.
  VaultEncryptionType encryption_type = 3;
}

message PreparePersistentVaultReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 3;

  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;
}

message PrepareVaultForMigrationRequest {
  // Id of the auth session associated with the user we aim to prepare vault
  // for.
  bytes auth_session_id = 1;
}

message PrepareVaultForMigrationReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 3;

  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 2;
}

// Input parameters to GetArcDiskFeatures().
message GetArcDiskFeaturesRequest {}

// Output parameters for GetArcDiskFeatures().
message GetArcDiskFeaturesReply {
  // Set to true if Quota feature is supported for ARC Disk/Storage.
  bool quota_supported = 1;
}

// Input parameters for SetUserDataStorageWriteEnabled().
message SetUserDataStorageWriteEnabledRequest {
  // The owner of the home directory that we are going to set access rights to.
  cryptohome.AccountIdentifier account_id = 1;
  // Whether write access to MyFiles should be enabled or not.
  bool enabled = 2;
}

// Output parameters for SetUserDataStorageWriteEnabled().
message SetUserDataStorageWriteEnabledReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// ------------------------- PKCS#11 Interface -------------------------

// Represents the information about a token in PKCS#11, used by
// Pkcs11GetTpmTokenInfo()
message TpmTokenInfo {
  // The label of the token.
  string label = 1;

  // The pin that is used to access the token.
  // Note that in most cases this is a default well known value.
  string user_pin = 2;

  // The slot number of the token.
  int32 slot = 3;
}

// Input parameters to Pkcs11IsTpmTokenReady()
message Pkcs11IsTpmTokenReadyRequest {
  // Nothing at the moment.
}

// Output parameters for Pkcs11IsTpmTokenReady()
message Pkcs11IsTpmTokenReadyReply {
  // True if the TPM-backed token store for all mount is ready for access.
  // That is, every TPM-backed token store associated with a mount is in an
  // initialized state.
  bool ready = 1;
}

// Input parameters to Pkcs11GetTpmTokenInfo()
message Pkcs11GetTpmTokenInfoRequest {
  // If username is empty or not set, then the information regarding system TPM
  // token is returned. Otherwise, the user TPM token is returned.
  string username = 1;
}

// Output parameters for Pkcs11GetTpmTokenInfo()
message Pkcs11GetTpmTokenInfoReply {
  // The TPM Token information, generally it's the stuffs required to access
  // the TPM token.
  TpmTokenInfo token_info = 1;
}

// Input parameters to Pkcs11Terminate()
message Pkcs11TerminateRequest {
  // This call will remove all PKCS#11 token store that is associated with a
  // mount.

  // Username is currently unused.
  string username = 1;
}

// Output parameters for Pkcs11Terminate()
message Pkcs11TerminateReply {
  // Nothing at the moment.
}

// Input parameters to Pkcs11RestoreTpmTokens()
message Pkcs11RestoreTpmTokensRequest {
  // This call will retrieve all the tokens to chaps.

  // Nothing at the moment.
}

// Output parameters for Pkcs11RestoreTpmTokens()
message Pkcs11RestoreTpmTokensReply {
  // Nothing at the moment.
}

// ----------------------- Install Attributes Interface -----------------------

// The possible states of Install Attributes module, this is used by
// InstallAttributesGetStatus().
enum InstallAttributesState {
  // See InstallAttributes::Status in install_attributes.h for definition
  // of these states.
  UNKNOWN = 0;
  TPM_NOT_OWNED = 1;
  FIRST_INSTALL = 2;
  VALID = 3;
  INVALID = 4;
}

// Input parameters to InstallAttributesGet()
message InstallAttributesGetRequest {
  // Name of the install attributes to retrieve.
  // There's no explicit requirement about the name, so generally it can be
  // any valid string.
  string name = 1;
}

// Output parameters for InstallAttributesGet()
message InstallAttributesGetReply {
  CryptohomeErrorCode error = 1;

  // The value associated with the install attributes.
  bytes value = 2;
}

// Input parameters to InstallAttributesSet()
message InstallAttributesSetRequest {
  // Name of the install attributes to set.
  // There's no explicit requirement about the name, so generally it can be
  // any valid string.
  string name = 1;

  // Value to set for the install attributes.
  bytes value = 2;
}

// Output parameters for InstallAttributesSet()
message InstallAttributesSetReply {
  CryptohomeErrorCode error = 1;
}

// Input parameters to InstallAttributesFinalize()
message InstallAttributesFinalizeRequest {
  // There's no parameters to InstallAttributesFinalize() right now.
}

// Output parameters for InstallAttributesFinalize()
message InstallAttributesFinalizeReply {
  // If the install attributes are not finalized successfully, then this
  // error code would be set. Otherwise, the install attribute is correctly
  // finalized.
  CryptohomeErrorCode error = 1;
}

// Input parameters to InstallAttributesGetStatus()
message InstallAttributesGetStatusRequest {}

// Output parameters for InstallAttributesGetStatus()
message InstallAttributesGetStatusReply {
  CryptohomeErrorCode error = 1;

  // How many install attributes are there?
  int32 count = 2;

  // Returns true if the attribute storage is securely stored. It does not
  // indicate if the store has been finalized, just if the system TPM/Lockbox
  // is being used.
  bool is_secure = 3;

  // The state the install attributes are in.
  InstallAttributesState state = 4;
}

// ----------------- Firmware Management Parameters Interface -----------------

// This represents the content of Firmware Management Parameters
message FirmwareManagementParameters {
  // The Developer Flags, this is part of the FWMP.
  uint32 flags = 1;

  // Developer Key Hash, this is part of the FWMP.
  // For current version of the FWMP (V1.0), this is the size of SHA256.
  bytes developer_key_hash = 2;
}

// Input parameters to GetFirmwareManagementParameters()
message GetFirmwareManagementParametersRequest {}

// Output parameters for GetFirmwareManagementParameters()
message GetFirmwareManagementParametersReply {
  CryptohomeErrorCode error = 1;

  // The firmware management parameters that is retrieved.
  FirmwareManagementParameters fwmp = 2;
}

// Input parameters to RemoveFirmwareManagementParameters()
message RemoveFirmwareManagementParametersRequest {
  // Note that calling this function will destroy the NVRAM space that
  // stores the FWMP (if defined).
}

// Output parameters for RemoveFirmwareManagementParameters()
message RemoveFirmwareManagementParametersReply {
  CryptohomeErrorCode error = 1;
}

// Input parameters to SetFirmwareManagementParameters()
message SetFirmwareManagementParametersRequest {
  // The firmware management parameters to set.
  FirmwareManagementParameters fwmp = 1;
}

// Output parameters for SetFirmwareManagementParameters()
message SetFirmwareManagementParametersReply {
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetSystemSalt()
message GetSystemSaltRequest {
  // No parameter is needed to retrieve the system salt.
}

// Output parameters for GetSystemSalt()
message GetSystemSaltReply {
  // The system salt.
  // Note that the caller should not expect the system salt to be a particular
  // size. The length is defined by the kCryptohomeDefaultSaltLength
  // constant.
  bytes salt = 1;
}

// Input parameters to UpdateCurrentUserActivityTimestamp()
message UpdateCurrentUserActivityTimestampRequest {
  // This is the time, expressed in number of seconds since the last
  // user activity.
  // For instance, if the unix timestamp now is x, if this value is 5,
  // then the last user activity happened at x-5 unix timestamp.
  // Note that negative values for this parameter is reserved, and should not
  // be used.
  int32 time_shift_sec = 1;
}

// Output parameters for UpdateCurrentUserActivityTimestamp()
message UpdateCurrentUserActivityTimestampReply {
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetSanitizedUsername()
message GetSanitizedUsernameRequest {
  // The username to sanitize.
  string username = 1;
}

// Output parameters for GetSanitizedUsername()
message GetSanitizedUsernameReply {
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 1;
}

// Input parameters to GetLoginStatus()
message GetLoginStatusRequest {}

// Output parameters for GetLoginStatus()
message GetLoginStatusReply {
  CryptohomeErrorCode error = 1;

  // This is set to true if an owner user is specified in the device policy.
  bool owner_user_exists = 2;

  // Note that |boot_lockbox_finalized| is not supplied because current version
  // of bootlockbox doesn't support querying whether it's finalized. The
  // previous version that does support that has been deprecated.

  bool is_locked_to_single_user = 3;
}

// Input parameters to LockToSingleUserMountUntilReboot()
// Lock the device to single user use.
message LockToSingleUserMountUntilRebootRequest {
  // This represents the "single user", whose mount we are going to lock to.
  cryptohome.AccountIdentifier account_id = 1;
}

// Output parameters for LockToSingleUserMountUntilReboot()
// Informs the caller whether the disabling succeeded, that is, whether we are
// now locked to a single user mount.
message LockToSingleUserMountUntilRebootReply {
  CryptohomeErrorCode error = 1;
}

// Input parameters to GetRsuDeviceId()
message GetRsuDeviceIdReply {
  // This will be set if there's a problem getting device ID.
  // Note that to be compliant with behaviours before the refactor, failure
  // in this method call will be reported through DBus error.
  CryptohomeErrorCode error = 1;

  // Returns lookup key for Remote Server Unlock
  bytes rsu_device_id = 2;
}

// Output parameters for GetRsuDeviceId()
message GetRsuDeviceIdRequest {}

// Input parameters to ResetApplicationContainer()
message ResetApplicationContainerRequest {
  // Represents the user whose application container needs to be reset.
  cryptohome.AccountIdentifier account_id = 1;
  // Application container name.
  string application_name = 2;
}

// Output parameters for ResetApplicationContainer().
message ResetApplicationContainerReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Fido make credential public key options.
message FidoMakeCredentialRequest {
  cryptohome.AccountIdentifier account_id = 1;
  cryptohome.fido.PublicKeyCredentialCreationOptions make_credential_options =
      2;
}

// Fido make credential response.
message FidoMakeCredentialReply {
  CryptohomeErrorCode error = 1;
  // Contains MakeCredentialAuthenticatorResponse.
  cryptohome.fido.MakeCredentialAuthenticatorResponse make_credential_response =
      2;
}

// Fido challenge
message FidoGetAssertionRequest {
  cryptohome.fido.PublicKeyCredentialRequestOptions get_assertion_options = 1;
}

message FidoGetAssertionReply {
  CryptohomeErrorCode error = 1;
  // Contains GetAssertionAuthenticatorResponse.
  cryptohome.fido.GetAssertionAuthenticatorResponse get_assertion_response = 2;
}

// AddAuthFactorRequest is built when a user is trying to add an AuthFactor
// for a user. When the call is made, AuthSession should be authenticated. After
// the operation the AuthSession would still be in the authenticated state.
message AddAuthFactorRequest {
  // AuthFactor cannot be added without an active AuthSession running. This id
  // would be used to associate the AuthFactor to an AuthSession.
  bytes auth_session_id = 1;
  // The AuthFactor that will be added for a given user. This should be
  // populated with any factor specific data and metadata.
  // If AuthFactor in the request be constructed with an existing label, the
  // call would return an error.
  AuthFactor auth_factor = 2;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here.
  AuthInput auth_input = 3;
}

message AddAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // When successful, the field will be set and AuthFactor with status returns
  // newly added authfactors along with their status information.
  AuthFactorWithStatus added_auth_factor = 3;
}

// AuthenticateAuthFactorRequest is a request to authenticate a user with an
// AuthFactor. The call can be made multiple times to attempt to authorize the
// AuthSession for the intents requested by the AuthFactor. If the AuthSession
// was already authenticated, it will be authorized for a superset of existing
// intents and the new intents of the AuthFactor.
message AuthenticateAuthFactorRequest {
  reserved 2;

  // AuthFactor cannot be authenticated without an active AuthSession running.
  // This id would be used to associate the AuthFactor to an AuthSession.
  bytes auth_session_id = 1;
  // Inputs that need to be supplied by the user as part of the authentication,
  // such as the user's secret for password or PIN authentication.
  AuthInput auth_input = 3;
  // The AuthFactor labels would be used to determine the AuthFactors that
  // needs to be authenticated. For the most cases, there should only be one
  // label. For legacy fingerprint which is unlock only,  no label should be
  // specified as there is no legacy fingerprint auth factor. For sign-in
  // fingerprint, more than one labels can be specified.
  repeated string auth_factor_labels = 4;
}

message AuthenticateAuthFactorReply {
  reserved 3, 4, 5;

  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // Properties for the auth_session_id after the current call.
  AuthSessionProperties auth_properties = 6;
}

// UpdateAuthFactorRequest is built when a user is trying to
// update an AuthFactor for a user. auth_factor_label would identify
// the AuthFactor that the request is trying to update. When the call is made,
// AuthSession is in an authenticated state. After the operation the
// AuthSession would still be in an authenticated state.
message UpdateAuthFactorRequest {
  // AuthFactor cannot be updated without an active and authenticated
  // AuthSession running. This id would be used to associate the AuthFactor to
  // an AuthSession.
  bytes auth_session_id = 1;
  // Label to identify the existing AuthFactor. Updated auth factor will be
  // associated with the same label.
  string auth_factor_label = 2;
  // The AuthFactor that we will replace the existing AuthFactor with. The full
  // structure should be populated with factor specific data and metadata. The
  // type of the AuthFactor should match the existing one.
  AuthFactor auth_factor = 3;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here
  AuthInput auth_input = 4;
}

message UpdateAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // When successful, the field will be set and AuthFactor with status returns
  // newly added authfactors along with their status information.
  AuthFactorWithStatus updated_auth_factor = 3;
}

message UpdateAuthFactorMetadataRequest {
  // The id of a running AuthSession.
  bytes auth_session_id = 1;
  // Label to identify the existing AuthFactor. Updated auth factor will be
  // associated with the same label.
  string auth_factor_label = 2;
  // The AuthFactor that we will replace the existing AuthFactor with. The full
  // structure should be populated with factor specific data and metadata. The
  // type of the AuthFactor should match the existing one, otherwise an error
  // will be returned.
  // New auth factor will not be created with this since the request
  // does not contain AuthInput.
  // Metadata fields populated by service cryptohome will be ignored in the
  // request, e.g. `chromeos_version_last_updated` in CommonMetadata. See each
  // metadata field for details.
  AuthFactor auth_factor = 3;
}

message UpdateAuthFactorMetadataReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // AuthFactorWithStatus returns newly updated authfactors along with their
  // status information. This will be unset should the request not be
  // successful.
  AuthFactorWithStatus updated_auth_factor = 3;
}

// RelabelAuthFactor will change the label of an auth factor without modifying
// the factor itself. Because the factor is not modified it does not require
// an AuthInput but it does still require an authenticated session.
message RelabelAuthFactorRequest {
  // AuthFactor cannot be relabelled without an active and authenticated
  // AuthSession running. This id would be used to associate the AuthFactor to
  // an AuthSession.
  bytes auth_session_id = 1;
  // Label used to identify the existing AuthFactor.
  string auth_factor_label = 2;
  // New label to apply to the auth factor. It must be different from the
  // original label and not already in use.
  string new_auth_factor_label = 3;
}

message RelabelAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // AuthFactorWithStatus returns newly updated auth factor. This will only be
  // set if the relabel operation succeeds.
  AuthFactorWithStatus relabelled_auth_factor = 3;
}

// ReplaceAuthFactor will remove an existing auth factor and add a new one to
// replace it. The new factor must have a different label from the original.
// The end result of this operation is similar to doing an Add+Remove of an auth
// factor but executed atomically so that you should never end up with two or
// zero auth factors afterwards.
message ReplaceAuthFactorRequest {
  // AuthFactor cannot be replaced without an active and authenticated
  // AuthSession running. This id would be used to associate the AuthFactor to
  // an AuthSession.
  bytes auth_session_id = 1;
  // Label to identify the existing AuthFactor to be replaced.
  string auth_factor_label = 2;
  // The AuthFactor that we will replace the existing AuthFactor with. The full
  // structure should be populated with factor specific data and metadata.
  AuthFactor auth_factor = 3;
  // In some cases, such as password, the secret would be user supplied. In
  // those cases the secret can be passed here.
  AuthInput auth_input = 4;
}

message ReplaceAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // When successful, this field will be set populated with factor and status
  // information for the replacement auth factor.
  AuthFactorWithStatus replacement_auth_factor = 3;
}

// RemoveAuthFactorRequest is built when a user is trying to
// remove an AuthFactor for a user. auth_factor_label would identify
// the AuthFactor that the request is trying to remove. When the call is made,
// AuthSession is in an authenticated state. After the operation the
// AuthSession would still be in an authenticated state.
message RemoveAuthFactorRequest {
  // AuthFactor cannot be removed without an authenticated AuthSession running.
  // This id would be used to get the user whose AuthFactor the call is trying
  // to delete.
  bytes auth_session_id = 1;
  // The AuthFactor label would be used to determine the AuthFactor that
  // needs to be removed.
  // If this AuthFactor is the last AuthFactor for a given user, then the call
  // would return an error stating that.
  string auth_factor_label = 2;
}

message RemoveAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Specifies the intents that are available, or which could be available, for a
// given type of auth factor.
message AuthIntentsForAuthFactorType {
  AuthFactorType type = 1;
  // The currently available intents for the type based on current policy.
  repeated AuthIntent current = 2;
  // The minimal intents for the type. These intents are always available for
  // this type and cannot be disabled via policy.
  repeated AuthIntent minimum = 3;
  // The maximal intents for the type. Intents not in this list cannot be used
  // with this type of factor, regardless of policy.
  repeated AuthIntent maximum = 4;
}

// List all of the auth factors that are configured, as well as the set of auth
// factor types which are supported.
message ListAuthFactorsRequest {
  // The account of a user.
  cryptohome.AccountIdentifier account_id = 1;
}

message ListAuthFactorsReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // All of the auth factors configured for the user.
  repeated AuthFactor configured_auth_factors = 3;
  // AuthFactor with status returns available authfactors for account_id
  // provided in the request, along with their status information.
  repeated AuthFactorWithStatus configured_auth_factors_with_status = 5;
  // All of the auth factor types supported for this user.
  repeated AuthFactorType supported_auth_factors = 4;
  // All of the auth factor intents available for the currently supported types.
  repeated AuthIntentsForAuthFactorType auth_intents_for_types = 6;
}

message RecoveryExtendedInfoRequest {
  // Max number of latest RecoveryIds to be returned.
  uint32 max_depth = 1;
}

message RecoveryExtendedInfoReply {
  // List of latest recovery_ids of the user or empty list if they do not exist.
  // The list begins with the current recovery_id and contains |max_depth| or
  // the total number of ids generated so far whichever is bigger.
  repeated string recovery_ids = 1;
  // Used to generate recovery ids.
  string recovery_seed = 2;
}

// Send a request to Cryptohome to lock the AuthFactor with auth_factor_type
// against the authentication operation until the system is rebooted.
message LockFactorUntilRebootRequest {
  // Currently implemented only for CryptohomeRecovery factor type.
  AuthFactorType auth_factor_type = 1;
}

message LockFactorUntilRebootReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

message GetAuthFactorExtendedInfoRequest {
  // The account of a user.
  cryptohome.AccountIdentifier account_id = 1;
  // Label of the AuthFactor to be returned.
  string auth_factor_label = 2;
  // Specifies the bits of data expected in the response.
  oneof extended_info {
    RecoveryExtendedInfoRequest recovery_info_request = 3;
  }
}

message GetAuthFactorExtendedInfoReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // All of the auth factors configured for the user.
  AuthFactor auth_factor = 3;
  // Extended data for for the AuthFactor.
  oneof extended_info {
    RecoveryExtendedInfoReply recovery_info_reply = 4;
  }
}

// CreateVaultKeysetRequest is built when a user is trying to create a
// VaultKeyset for a user, it is a similar operation to AddAuthFactor, but for
// testing purposes with legacy VaultKeysets.
message CreateVaultKeysetRequest {
  // Serialized form of token that is used to identify Auth Session that needs
  // to be extended.
  bytes auth_session_id = 1;
  // The secret or password used to create the VaultKeyset.
  bytes passkey = 2;
  // Label to identify the VaultKeyset. An empty label is for legacy keys,
  // for which the label has a fallback of being inferred as "legacy-n".
  string key_label = 3;
  // AuthFactorType will help us determine the type and subsequently help us
  // create the right AuthBlock for derivation or authentication.
  AuthFactorType type = 4;
  // A flag to disable the creation of KeyData with the VaultKeyset. Used to
  // emulate legacy VaultKeysets before M91.
  bool disable_key_data = 5;
  // Optional parameters for SmartCard input.
  // Parameters for connecting and making requests to a key delegate service:
  // |dbus_service_name|, the D-Bus service name of the key delegate service
  // that exports the key delegate object.
  string key_delegate_dbus_service_name = 6;
  // Specifies the key which is asked to sign the data. Contains the DER-encoded
  // blob of the X.509 Subject Public Key Info.
  bytes public_key_spki_der = 7;
}

message CreateVaultKeysetReply {
  // Return the status of the request.
  CryptohomeErrorCode error = 1;

  // Indicate an error if this field exists.
  // This field is replacing the |error| field above, for more information on
  // which field to use and the process on the migration, see comment in
  // CryptohomeErrorInfo.
  CryptohomeErrorInfo error_info = 2;
}

message PrepareAuthFactorRequest {
  // The id of a running AuthSession.
  // Async AuthFactor preparation must be associated with an ongoing
  // AuthSession.
  bytes auth_session_id = 1;
  // The type of the asynchronous AuthFactor.
  AuthFactorType auth_factor_type = 2;
  // Specify the purpose such as adding/enrolling a new auth factor
  // or authentication an existing factor.
  AuthFactorPreparePurpose purpose = 3;
  // In some cases, such as recovery, additional input is required to prepare
  // for the authentication operation.
  PrepareInput prepare_input = 4;
}

message PrepareAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
  // In some cases, such as recovery, the prepare process produces output which
  // the caller will need to use to assemble the actual authentication request.
  PrepareOutput prepare_output = 3;
}

message TerminateAuthFactorRequest {
  // The id of a running AuthSession.
  bytes auth_session_id = 1;
  // The type of the asynchronous AuthFactor, of which any pending preparation
  // will be stopped.
  AuthFactorType auth_factor_type = 2;
}

message TerminateAuthFactorReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Send a request to modify the available intents for a user. This can be used
// to persistently enable or disable the use of a specific type of auth factor
// for a specific intent.
message ModifyAuthFactorIntentsRequest {
  // The id of an authenticated AuthSession. The policy changes will be applied
  // to the user associated with the session.
  bytes auth_session_id = 1;
  // The type for which the policy should be changed.
  AuthFactorType type = 2;
  // The set of intents which should be enabled for this policy.
  //
  // Note that it is not considered an error to specify intents which the type
  // does not support, or to exclude intents which are mandatory. Only the
  // intents which are configurable will be adjusted. It follows from this that
  // you can set the available intents to the minimum set by passing an empty
  // list of intents, and to the maximum set by passing a full list.
  repeated AuthIntent intents = 3;
}

message ModifyAuthFactorIntentsReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  // The new auth intents for the modified type.
  AuthIntentsForAuthFactorType auth_intents = 3;
}

message MigrateLegacyFingerprintsRequest {
  // The id of a running AuthSession.
  bytes auth_session_id = 1;
}

message MigrateLegacyFingerprintsReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
}

// Fingerprint scan results.
enum FingerprintScanResult {
  FINGERPRINT_SCAN_RESULT_SUCCESS = 0;

  // Scan results for authentication.
  FINGERPRINT_SCAN_RESULT_RETRY = 1;
  FINGERPRINT_SCAN_RESULT_LOCKOUT = 2;

  // Internal error.
  FINGERPRINT_SCAN_RESULT_FATAL_ERROR = 3;

  // Scan results for enrollment.
  // Sensor needs more data.
  FINGERPRINT_SCAN_RESULT_PARTIAL = 4;
  // Image doesn't contain enough details.
  FINGERPRINT_SCAN_RESULT_INSUFFICIENT = 5;
  // Sensor needs to be cleaned.
  FINGERPRINT_SCAN_RESULT_SENSOR_DIRTY = 6;
  // Not enough data collected (swipe type sensor).
  FINGERPRINT_SCAN_RESULT_TOO_SLOW = 7;
  // User removed finger too fast.
  FINGERPRINT_SCAN_RESULT_TOO_FAST = 8;
  // User didn't move finger during enrollment.
  FINGERPRINT_SCAN_RESULT_IMMOBILE = 9;
  FINGERPRINT_SCAN_RESULT_ENROLL_OTHER = 10;
}

// The message included in signal AuthScanResultSignal.
message AuthScanResult {
  // The result of the scan
  oneof scan_result {
    FingerprintScanResult fingerprint_result = 1;
  }
}

// Fingerprint enrollment progress.
message FingerprintEnrollmentProgress {
  int32 percent_complete = 1;
}

// The message included in signal AuthEnrollmentProgressSignal
message AuthEnrollmentProgress {
  // The result of the latest scan
  AuthScanResult scan_result = 1;
  bool done = 2;
  // The biometrics-type specific progress
  oneof progress {
    FingerprintEnrollmentProgress fingerprint_progress = 3;
  }
}

// The message included in signal AuthScanDoneSignal
message AuthScanDone {
  // The result of the latest scan. Note that this doesn't represent the match
  // result, but just whether the scan is successful.
  AuthScanResult scan_result = 1;
}

// The message included in PrepareAuthFactorProgress when the purpose is add.
message PrepareAuthFactorForAddProgress {
  AuthFactorType auth_factor_type = 1;
  oneof progress {
    // The progress of biometrics auth factors, e.g., FingerprintAuthFactor.
    AuthEnrollmentProgress biometrics_progress = 2;
  }
}

// The message included in PrepareAuthFactorProgress when the purpose is auth.
message PrepareAuthFactorForAuthProgress {
  AuthFactorType auth_factor_type = 1;
  oneof progress {
    // The progress of biometrics auth factors, e.g., FingerprintAuthFactor.
    AuthScanDone biometrics_progress = 2;
  }
}

// The message included in signal PrepareAuthFactorProgressSignal.
message PrepareAuthFactorProgress {
  AuthFactorPreparePurpose purpose = 1;
  oneof progress {
    PrepareAuthFactorForAddProgress add_progress = 2;
    PrepareAuthFactorForAuthProgress auth_progress = 3;
  }
}

// Used to signal the start of an Authentication operation. Note that creating
// a new user is also considered to be such an operation since creating a new
// user implicitly authenticates.
message AuthenticateStarted {
  // Unique ID associated with the authenticate operation.
  uint64 operation_id = 1;

  oneof auth_factor {
    // The type of factor being used for authentication. Set on authentication
    // of an existing user.
    AuthFactorType auth_factor_type = 2;

    // Set to true when the authentication is an implicit result of a user
    // creation operation.
    bool user_creation = 3;
  }

  // The user that is authenticating.
  string username = 4;
  // The sanitized username, this is basically a hashed representation
  // of the username used in the paths of user's home directory.
  string sanitized_username = 5;
}

// Used to signal the completion of an authentication operation.
// TODO(b/316597268): Rename to AuthenticateCompleted.
message AuthenticateAuthFactorCompleted {
  // Unique ID associated with the authenticate operation. Will match the ID of
  // the corresponding start signal.
  uint64 operation_id = 5;

  // Set to indicate that the authentication operation failed. Unset in the
  // case of a successful authentication.
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;

  oneof auth_factor {
    // See AuthenticateStarted.auth_factor_type.
    AuthFactorType auth_factor_type = 3;

    // See AuthenticateStarted.user_creation.
    bool user_creation = 4;
  }

  // See AuthenticateStarted.username.
  string username = 6;
  // See AuthenticateStarted.sanitized_username.
  string sanitized_username = 7;
}

// Used to signal the start of a Mount operation.
message MountStarted {
  // Unique ID associated with the mount operation.
  uint64 operation_id = 1;
}

// Used to signal the completion of a Mount operation.
message MountCompleted {
  // Unique ID associated with the mount operation. Will match the ID of the
  // corresponding start signal.
  uint64 operation_id = 1;

  // Populated with error information in the case that the mount operation
  // fails. On success these fields will be left unset.
  CryptohomeErrorCode error = 2;
  CryptohomeErrorInfo error_info = 3;
}

// GetRecoverableKeyStores fetches all of the recoverable key stores of the
// given user.

// The request message of GetRecoverableKeyStores.
message GetRecoverableKeyStoresRequest {
  // The account of a user.
  cryptohome.AccountIdentifier account_id = 1;
}

// The reply message of GetRecoverableKeyStores.
message GetRecoverableKeyStoresReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
  repeated cryptohome.RecoverableKeyStore key_stores = 3;
}

// GetPinWeaverInfo returns the device PinWeaver information.
message GetPinWeaverInfoRequest {
  // No parameter is needed to retrieve PinWeaver info.
}

// The reply message of GetPinWeaverInfo.
message GetPinWeaverInfoReply {
  CryptohomeErrorCode error = 1;
  CryptohomeErrorInfo error_info = 2;
  // Whether there's any PinWeaver credential on the device.
  bool has_credential = 3;
}