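syntax = "proto3";

package ntt.iam.v1;

import "edgelq-sdk/iam/proto/v1/attestation_domain.proto";
import "edgelq-sdk/iam/proto/v1/attestation_domain_change.proto";
import "edgelq-sdk/iam/proto/v1/common.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/client/v1/attestation;attestation_client";
option java_multiple_files = false;
option java_outer_classname = "AttestationCustomProto";
option java_package = "com.ntt.iam.pb.v1";

// Request message for method [Verify][ntt.iam.v1.Verify].
//
// The attestation flow is a two-step exchange carried by the `msg` oneof: the
// attestor (client) first sends AskForChallenge, the verifier (server) answers
// with VerifyResponse.Challenge, and the attestor then sends ChallengeResponse.
// Which step a request belongs to is determined solely by which member is set.
message VerifyRequest {
  oneof msg {
    AskForChallenge ask_for_challenge = 1;

    ChallengeResponse challenge_response = 2;
  }

  // First step of the exchange: identifies the attestor and supplies the TPM
  // key material the verifier needs to build an AK activation challenge.
  //
  // NOTE(review): every field here is attestor-controlled input and must be
  // treated as untrusted until the challenge round trip has completed and the
  // EK certificate chain has been verified.
  message AskForChallenge {
    // This will be used to set "sub" claim for attestation token.
    // This "sub" should be compared to "sub" of JWT access token during
    // validation. "Sub" comparison ties both tokens together and protects
    // against theft/reuse of one of them by another service account.
    string subject = 1;

    // attestation domain ref
    string attestation_domain = 2;

    // Declared TPM family of the attestor. Drives which challenge_format
    // values and which akpub encoding (TPMT_PUBLIC vs TPM_PUBKEY) apply.
    TpmVersion tpm_version = 3;

    // PKIX encoded EK public
    // NOTE(review): on its own this proves nothing about the platform; the
    // verifier should require it to match the public key inside ekcert (or the
    // certificate obtained via ekcerturl) before trusting the activation.
    bytes ekpub = 4;

    // ASN.1 DER encoded EK certificate.
    // Trust in the platform derives from this certificate chaining to a
    // manufacturer root the verifier already holds, not from its mere presence.
    bytes ekcert = 5;

    // For Intel TPMs, Intel hosts certificates at a public URL derived from the
    // Public key. Clients or servers can perform an HTTP GET to this URL, and
    // use ParseEKCertificate on the response body.
    //
    // NOTE(review): if the verifier performs that GET itself, this is a
    // client-supplied URL and therefore an SSRF vector. Restrict the host to
    // the known manufacturer endpoint (or derive the URL from ekpub
    // server-side and ignore this field) rather than fetching it as given.
    string ekcerturl = 6;

    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf
    // https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
    // TPMT_PUBLIC (TPM 2.0) or TPM_PUBKEY (TPM 1.2)
    // Public part of the attestation key (AK) that the challenge will activate
    // and that ChallengeResponse.Quote signatures are expected to verify under.
    bytes akpub = 7;

    // TPMS_CREATION_DATA
    // NOTE(review): fields 8-10 look like the certification of the AK's
    // creation (creation data, attest structure and signature) — confirm
    // against the Verify handler before relying on that reading.
    bytes creation_data = 8;

    // TPMS_ATTEST
    bytes attest = 9;

    // TPMT_SIGNATURE
    bytes signature = 10;

    // ChallengeFormat defines the method of generating identity activation
    // challenge by the Verifier (server). It should affect the interpretation
    // of VerifyResponse.Challenge fields cred_encrypted_by_ekpub and
    // secret_encrypted_by_cred. Attestor (client) is responsible for choosing
    // the right format depending on TPM version and the presence of TrouSerS
    // daemon.
    //
    // NOTE(review): TPM20_CREDENTIAL is the enum's zero value, so an attestor
    // that never sets this field is silently treated as requesting the TPM 2.0
    // format. Changing the zero value would break the wire contract, so the
    // verifier should instead cross-check the chosen format against
    // tpm_version and reject mismatches.
    ChallengeFormat challenge_format = 11;

    // NOTE(review): values are not prefixed with the enum name as lint rules
    // expect; renaming them now would break generated code, so keep as-is.
    enum ChallengeFormat {
      // Credential Protection as defined in section 24 of the TPM specification
      // revision 2 part 1 See:
      // https://trustedcomputinggroup.org/resource/tpm-library-specification/
      // Returned primitives are of type TPM2B_ID_OBJECT and
      // TPM2B_ENCRYPTED_SECRET.
      // NOTE: ECC is not supported.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM20,
      // which uses
      // github.com/google/go-tpm@v0.3.2/tpm2/credactivation/credential_activation.go:Generate
      TPM20_CREDENTIAL = 0;

      // Challenge as defined in section 15.1 of the TPM 1.2 commands spec
      // See:
      // https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf
      // Returned primitives are of type TPM12_EKBLOB (with
      // TPM_EK_BLOB_ACTIVATE) and bytes.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12,
      // which uses
      // github.com/google/go-attestation@v0.3.2/attest/challenge.go:generateChallenge12
      TPM12_EKBLOB = 1;

      // TSPI_EKBLOB is a TPM1.2 challenge format accepted by TrouSerS daemon's
      // Tspi_TPM_ActivateIdentity function. As far as I can tell, it's not
      // documented except in the code. Returned primitives are of type
      // TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12,
      // which uses
      // github.com/google/go-tspi@v0.3.0/verification/verification.go:GenerateChallengeEx
      TSPI_EKBLOB = 2;
    }
  }

  // Second step of the exchange: the attestor's answer to
  // VerifyResponse.Challenge.
  message ChallengeResponse {
    // The secret recovered by activating the credential from
    // VerifyResponse.Challenge (cred_encrypted_by_ekpub decrypted with the EK,
    // then secret_encrypted_by_cred decrypted with the credential). Under the
    // credential-protection scheme selected by challenge_format, recovering it
    // is what binds the AK to the EK.
    // NOTE(review): the verifier should compare this against the secret it
    // issued for this exact session and reject reuse across sessions.
    bytes ak_activation_decrypted_secret = 1;

    // Signed PCR quotes; each entry carries its own PCR selection and nonce
    // inside `quote` (see Quote below).
    // NOTE(review): the verifier must check that every quote's nonce equals
    // the platform_attestation_nonce it issued and that the signature
    // verifies under akpub from AskForChallenge; a quote without the fresh
    // nonce is replayable.
    repeated Quote quotes = 2;

    // PCR values reported by the attestor (PCR is defined in common.proto).
    // NOTE(review): presumably the values the quotes attest to and that the
    // verifier checks against `eventlog` — confirm against the Verify handler.
    repeated PCR pcrs = 3;

    // Binary contents of /sys/kernel/security/tpm0/binary_bios_measurements
    // NOTE(review): attestor-controlled and unbounded in size; the verifier
    // should cap its length before parsing rather than relying on the
    // protobuf runtime's default message-size limit.
    bytes eventlog = 4;

    message Quote {
      // TPMS_ATTEST (TSS_VALIDATION.Data or TSS_VALIDATION.rgbData)
      // This contains PCR selection information for which the signature was
      // calculated and other required data, like nonce.
      bytes quote = 1;

      // TSS_VALIDATION.ValidationData or TSS_VALIDATION.rgbValidationData
      // Signature over `quote`, expected to verify under akpub from
      // AskForChallenge.
      bytes signature = 2;
    }
  }
}

// Response message for method [Verify][ntt.iam.v1.Verify].
// Carries either the challenge for the second round trip or the final
// attestation token.
message VerifyResponse {
  oneof msg {
    Challenge challenge = 1;

    AttestationSuccessful attestation_successful = 2;
  }

  // Verifier-generated challenge. The encoding of the two activation blobs is
  // selected by AskForChallenge.challenge_format.
  message Challenge {
    // Platform attestation
    // Nonce the attestor must embed in every ChallengeResponse.Quote. It must
    // be unpredictable and single-use so a quote cannot be replayed from an
    // earlier session.
    bytes platform_attestation_nonce = 1;

    // AK Identity Activation
    // Credential blob decryptable with the EK private key (TPM2B_ID_OBJECT or
    // TPM12_EKBLOB, per challenge_format).
    bytes cred_encrypted_by_ekpub = 2;

    // Secret encrypted under the credential above (TPM2B_ENCRYPTED_SECRET or
    // bytes, per challenge_format). The attestor returns the decrypted value
    // in ChallengeResponse.ak_activation_decrypted_secret.
    bytes secret_encrypted_by_cred = 3;
  }

  // Terminal response: attestation succeeded. attestation_token is the token
  // whose "sub" claim is set from AskForChallenge.subject and that must be
  // presented together with the matching JWT access token.
  message AttestationSuccessful { string attestation_token = 1; }
}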