// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file is a subset copy of
// third_party/cros_system_api/dbus/attestation/attestation_ca.proto
// third_party/cros_system_api is only for ChromeOS.
// Kept as proto2 to stay in sync with the upstream file named above; proto2
// `optional` fields carry explicit presence (has_foo()), which several comments
// below rely on.
syntax = "proto2";
// LITE_RUNTIME omits descriptors/reflection from the generated code; messages in
// this file can only be built and parsed through their generated accessors.
option optimize_for = LITE_RUNTIME;
package enterprise_connectors;
// Holds encrypted data and information required to decrypt it.
//
// The layout is encrypt-then-MAC: `mac` is computed over `iv` followed by
// `encrypted_data`, so a receiver should verify `mac` before attempting any
// decryption. The concrete algorithms are fixed by the field that carries this
// message (see ChallengeResponse.encrypted_key_info). Field number 1 is not
// assigned in this copy; check the upstream file before reusing it.
message EncryptedData {
  // A key that has been sealed to the TPM or wrapped by another key.
  optional bytes wrapped_key = 2;

  // The initialization vector used during encryption.
  optional bytes iv = 3;

  // MAC of (iv + encrypted_data).
  optional bytes mac = 4;

  // The ciphertext.
  optional bytes encrypted_data = 5;

  // An identifier for the wrapping key to assist in decryption.
  optional bytes wrapping_key_id = 6;
}
// The wrapper message of any data and its signature.
//
// Which key signs `data` and which algorithm is used depend on the context
// (see the Challenge and ChallengeResponse comments). A receiver should verify
// `signature` over the exact bytes of `data` before parsing `data` further.
message SignedData {
  // The serialized payload that was signed.
  optional bytes data = 1;

  // The signature of the data field.
  optional bytes signature = 2;
}
// The challenge data (as in challenge-response) generated by the server.
//
// Before being transmitted to the client this message is wrapped in a
// SignedData message: `data` is the serialized Challenge, and `signature` is
// the enterprise server's signature over `data`, made with a hard-coded key.
// The signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message Challenge {
  // A string for the client to sanity check a legitimate challenge. The client
  // is expected to compare it with the prefix it expects before signing
  // anything; the expected value is not defined in this file.
  optional string prefix = 1;

  // A 256-bit random value generated by the server.
  optional bytes nonce = 2;

  // A timestamp that lets a stateless server bound the window in which the
  // challenge may be replayed. Unit and epoch are not specified here —
  // TODO confirm against the server implementation.
  optional int64 timestamp = 3;
}
// The response data (as in challenge-response) generated by the client.
//
// Before being transmitted to the server this message is wrapped in a
// SignedData message: `data` is the serialized ChallengeResponse, and
// `signature` is the client's signature over `data`, made with the key being
// challenged. The signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message ChallengeResponse {
  // The original challenge, still wrapped in the server's SignedData so the
  // server can check it issued the challenge being answered.
  optional SignedData challenge = 1;

  // A 256-bit random value generated by the client. Mixing in this nonce
  // prevents a caller from using a challenge to sign arbitrary data.
  optional bytes nonce = 2;

  // The KeyInfo message encrypted using a public encryption key pushed via
  // policy, with the following parameters:
  //   Key encryption: RSA-OAEP with no custom parameters.
  //   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  //   MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_key_info = 3;
}
// The message decrypted from ChallengeResponse.encrypted_key_info.encrypted_data.
// It holds the information the Verified Access server API (VA) needs to
// complete the verification, and is only ever transmitted inside that encrypted
// field.
message KeyInfo {
  // Determines the verification flow on VA and the content of the VA response.
  // VerifiedAccessFlow's zero value is ENTERPRISE_MACHINE, so an unset field
  // decodes as that flow; proto2 presence (has_flow_type) tells the two apart,
  // and a consumer should check it rather than rely on the default.
  optional VerifiedAccessFlow flow_type = 1;

  // Domain of the device or user associated with the flow: for `flow_type`
  // ENTERPRISE_MACHINE the enrolled domain, for ENTERPRISE_USER the user's
  // email address.
  optional string domain = 2;

  // The virtual device ID associated with the device or user.
  optional bytes device_id = 3;

  // For `flow_type` ENTERPRISE_MACHINE: the PCA-issued certificate for the key.
  optional bytes certificate = 4;

  // For `flow_type` ENTERPRISE_USER: may hold a SignedPublicKeyAndChallenge
  // with a random challenge. The SignedPublicKeyAndChallenge specification is
  // at https://developer.mozilla.org/en-US/docs/HTML/Element/keygen.
  optional bytes signed_public_key_and_challenge = 5;

  // The customer identifier, as defined by the Google Admin SDK at
  // https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers
  optional string customer_id = 6;

  // Public key generated by the CBCM-enrolled browser; set when `flow_type` is
  // CBCM.
  optional bytes browser_instance_public_key = 7;

  // The signing scheme used for the outer SignedData message; populated for
  // every `flow_type`. For ENTERPRISE_USER / ENTERPRISE_MACHINE (ChromeOS) this
  // is currently always "SHA256withRSA", with ECDSA support planned. For CBCM
  // it is one of the permitted_schemes from the DeviceIdentity policy.
  optional string signing_scheme = 8;

  // Device Trust signals as a structured message. Deprecated: signals are now
  // collected into a dictionary and serialized to a JSON string; use
  // `device_trust_signals_json` instead.
  optional DeviceTrustSignals device_trust_signals = 9 [deprecated = true];

  // Device Trust signals, serialized as a JSON string.
  optional string device_trust_signals_json = 10;

  // DM token to be used for this request.
  optional string dm_token = 11;

  // The customer identifier for the managed user, as defined by the Google
  // Admin SDK at
  // https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers.
  optional string user_customer_id = 12;

  // Obfuscated Gaia ID associated with the signed-in managed user.
  optional string obfuscated_gaia_id = 13;

  // The ID of a profile on the device.
  optional string profile_id = 14;
}
// Device Trust signals reported by the client.
//
// Within this file the message is only referenced by the deprecated
// KeyInfo.device_trust_signals field; current clients send the same signals as
// a JSON string in KeyInfo.device_trust_signals_json. Keep field numbers
// stable, since old messages may still carry this form.
message DeviceTrustSignals {
  // Device ID.
  optional string device_id = 1;

  // Obfuscated CBCM-enrolled customer ID.
  optional string obfuscated_customer_id = 2;

  // Device serial number.
  optional string serial_number = 3;

  // Human-readable name for this device.
  optional string display_name = 4;

  // OS running on the device (e.g. Chrome OS).
  optional string os = 5;

  // Device manufacturer (e.g. Dell).
  optional string device_manufacturer = 6;

  // Device model (e.g. iPhone 12 Max).
  optional string device_model = 7;

  // OS version (e.g. macOS 10.15.7).
  optional string os_version = 8;

  // IMEI values of the device, if any.
  repeated string imei = 9;

  // MEID values of the device, if any.
  repeated string meid = 10;

  // Hash of the EKPub certificate of the TPM on the device, if available.
  optional string tpm_hash = 11;

  // Whether the disk is encrypted.
  optional bool is_disk_encrypted = 12;

  // Value of the AllowScreenLock policy.
  // https://chromeenterprise.google/policies/?policy=AllowScreenLock
  optional bool allow_screen_lock = 13;

  // Whether access to the OS user is protected by a password.
  optional bool is_protected_by_password = 14;

  // Whether the device is jailbroken or otherwise modified.
  optional bool is_jailbroken = 15;

  // The CBCM enrollment domain of the browser.
  optional string enrollment_domain = 16;

  // Browser version.
  optional string browser_version = 17;

  // Value of the SafeBrowsingProtectionLevel policy.
  // https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel
  optional int32 safe_browsing_protection_level = 18;

  // Value of the SitePerProcess policy.
  // https://chromeenterprise.google/policies/#SitePerProcess
  optional bool site_isolation_enabled = 19;

  // Value of the ThirdPartyBlockingEnabled policy.
  optional bool third_party_blocking_enabled = 20;

  // Whether users can access other computers from Chrome using Chrome Remote
  // Desktop.
  optional bool remote_desktop_available = 21;

  // Signed-in profile name.
  optional string signed_in_profile_name = 22;

  // Value of the ChromeCleanupEnabled policy.
  optional bool chrome_cleanup_enabled = 23;

  // Value of the PasswordProtectionWarningTrigger policy.
  optional int32 password_protection_warning_trigger = 24;

  // DNS address.
  optional string dns_address = 25;

  // Value of the BuiltInDnsClientEnabled policy.
  optional bool built_in_dns_client_enabled = 26;

  // Whether the OS firewall is turned on.
  optional bool firewall_on = 27;

  // The Windows domain the device has joined.
  optional string windows_domain = 28;
}
// Possible VA flows supported by the Verified Access server API and chromium.
// The value selects the prerequisites, the verification method and the
// contents of the VA challenge response.
//
// The values are unprefixed and ENTERPRISE_MACHINE is the zero value; both are
// part of the wire/API contract shared with the upstream file and must not be
// changed. Because 0 has a real meaning, readers of KeyInfo.flow_type should
// check presence rather than treat an absent field as ENTERPRISE_MACHINE.
enum VerifiedAccessFlow {
  // Challenge response for enterprise machine verification. The VA challenge
  // is signed with the EMK. ChromeOS only.
  // Uses CertificateProfile: ENTERPRISE_MACHINE_CERTIFICATE
  // Uses AttestationKeyType: KEY_DEVICE
  ENTERPRISE_MACHINE = 0;

  // Challenge response for enterprise user verification. The VA challenge is
  // signed with the EUK. ChromeOS only.
  // Uses CertificateProfile: ENTERPRISE_USER_CERTIFICATE
  // Uses AttestationKeyType: KEY_USER
  ENTERPRISE_USER = 1;

  // Challenge response for verifying a managed Chrome Browser. No remote
  // attestation is involved; a key exchange is used to sign the VA challenge
  // instead. Chrome Browser only.
  // Uses CertificateProfile: n.a.
  // Uses AttestationKeyType: n.a.
  CBCM = 2;

  // Challenge response for verification during the Device Trust Connector
  // handshake. The VA challenge is signed with a device key. ChromeOS only.
  // Uses CertificateProfile: DEVICE_TRUST_USER_CERTIFICATE
  // Uses AttestationKeyType: KEY_DEVICE
  DEVICE_TRUST_CONNECTOR = 3;
}