syntax = "proto3";

package ntt.iam.v1alpha2;

import "edgelq-sdk/iam/proto/v1alpha2/attestation_domain.proto";
import "edgelq-sdk/iam/proto/v1alpha2/attestation_domain_change.proto";
import "edgelq-sdk/iam/proto/v1alpha2/common.proto";
import "google/api/resource.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/client/v1alpha2/attestation;attestation_client";
option java_multiple_files = false;
option java_outer_classname = "AttestationCustomProto";
option java_package = "com.ntt.iam.pb.v1alpha2";

// Request message for method [Verify][ntt.iam.v1alpha2.Verify]
//
// Exactly one member of `msg` is set per request: `ask_for_challenge` opens
// the attestation exchange, `challenge_response` answers the Challenge the
// Verifier returned in VerifyResponse. Both are wrapped in a single request
// type so the two steps can share one RPC.
message VerifyRequest {
  oneof msg {
    // First step: identity material the Verifier needs to build a challenge.
    AskForChallenge ask_for_challenge = 1;

    // Second step: the Attestor's answer to VerifyResponse.Challenge.
    ChallengeResponse challenge_response = 2;
  }

  // Opening message of the exchange. Carries the Attestor's (client's)
  // endorsement key (EK) and attestation key (AK) material in the encodings
  // documented per field; which encoding applies depends on `tpm_version`.
  message AskForChallenge {
    // This will be used to set "sub" claim for attestation token.
    // This "sub" should be compared to "sub" of JWT access token during
    // validation. "Sub" comparison ties both tokens together and protects
    // against theft/reuse of one of them by another service account.
    //
    // NOTE(review): proto3 implicit presence — an empty subject is
    // indistinguishable from an unset one, so the Verifier should reject an
    // empty value rather than mint a token with an empty "sub".
    string subject = 1;

    // attestation domain ref (resource name of an AttestationDomain).
    string attestation_domain = 2
        [ (google.api.resource_reference) = {type : "AttestationDomain"} ];

    // TPM version of the attesting device. TpmVersion is not defined in this
    // file (see the imported ntt.iam.v1alpha2 protos). It selects which of
    // the TPM 1.2 / TPM 2.0 structure encodings documented below apply.
    TpmVersion tpm_version = 3;

    // PKIX encoded EK public key.
    bytes ekpub = 4;

    // ASN.1 DER encoded EK certificate.
    bytes ekcert = 5;

    // For Intel TPMs, Intel hosts certificates at a public URL derived from the
    // Public key. Clients or servers can perform an HTTP GET to this URL, and
    // use ParseEKCertificate on the response body.
    //
    // NOTE(review): if the Verifier dereferences this client-supplied URL it
    // is an untrusted input (SSRF exposure) — restrict fetches to the expected
    // manufacturer hosts, and trust the fetched certificate only after it has
    // been validated against a trusted EK CA, not because it was fetched.
    string ekcerturl = 6;

    // https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-2-TPM-Structures_v1.2_rev116_01032011.pdf
    // https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf
    // TPMT_PUBLIC (TPM 2.0) or TPM_PUBKEY (TPM 1.2)
    // AK public key, in the structure encoding matching `tpm_version`.
    bytes akpub = 7;

    // TPMS_CREATION_DATA
    // Creation data of the AK, as produced by the TPM when the key was made.
    bytes creation_data = 8;

    // TPMS_ATTEST
    // Attestation structure over the AK creation (certify data).
    bytes attest = 9;

    // TPMT_SIGNATURE
    // Signature over `attest`.
    bytes signature = 10;

    // ChallengeFormat defines the method of generating identity activation
    // challenge by the Verifier (server). It should affect the interpretation
    // of VerifyResponse.Challenge fields cred_encrypted_by_ekpub and
    // secret_encrypted_by_cred. Attestor (client) is responsible for choosing
    // the right format depending on TPM version and the presence of TrouSerS
    // daemon.
    //
    // NOTE(review): value 0 (TPM20_CREDENTIAL) is the proto3 default, so an
    // unset field reads as an explicit TPM 2.0 choice; the Verifier should
    // cross-check it against `tpm_version` instead of trusting it alone.
    ChallengeFormat challenge_format = 11;

    // Wire encodings the Verifier may use for the AK identity activation
    // challenge. Values are unprefixed and 0 carries a real meaning; both are
    // frozen by the published wire/codegen contract (renaming breaks generated
    // code), so they are left as is.
    enum ChallengeFormat {
      // Credential Protection as defined in section 24 of the TPM specification
      // revision 2 part 1 See:
      // https://trustedcomputinggroup.org/resource/tpm-library-specification/
      // Returned primitives are of type TPM2B_ID_OBJECT and
      // TPM2B_ENCRYPTED_SECRET.
      // NOTE: ECC is not supported.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM20,
      // which uses
      // github.com/google/go-tpm@v0.3.2/tpm2/credactivation/credential_activation.go:Generate
      TPM20_CREDENTIAL = 0;

      // Challenge as defined in section 15.1 of the TPM 1.2 commands spec
      // See:
      // https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-3-Commands_v1.2_rev116_01032011.pdf
      // Returned primitives are of type TPM12_EKBLOB (with
      // TPM_EK_BLOB_ACTIVATE) and bytes.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12,
      // which uses
      // github.com/google/go-attestation@v0.3.2/attest/challenge.go:generateChallenge12
      TPM12_EKBLOB = 1;

      // TSPI_EKBLOB is a TPM1.2 challenge format accepted by TrouSerS daemon's
      // Tspi_TPM_ActivateIdentity function. As far as I can tell, it's not
      // documented except in the code. Returned primitives are of type
      // TPM12_EKBLOB (with TPM_EK_BLOB_ACTIVATE) and bytes.
      //
      // Reference implementation:
      // github.com/google/go-attestation@v0.3.2/attest/activation.go:generateChallengeTPM12,
      // which uses
      // github.com/google/go-tspi@v0.3.0/verification/verification.go:GenerateChallengeEx
      TSPI_EKBLOB = 2;
    }
  }

  // Second message of the exchange: proof that the Attestor's TPM could
  // activate the AK identity, plus the quoted platform state.
  message ChallengeResponse {
    // Secret recovered by the TPM from VerifyResponse.Challenge
    // (cred_encrypted_by_ekpub / secret_encrypted_by_cred) — presumably the
    // Verifier compares it with the secret it generated; verify against the
    // server implementation.
    bytes ak_activation_decrypted_secret = 1;

    // Signed quotes over the PCRs; see Quote.
    repeated Quote quotes = 2;

    // PCR values the quotes cover. PCR is not defined in this file (see the
    // imported ntt.iam.v1alpha2 protos).
    repeated PCR pcrs = 3;

    // Binary contents of /sys/kernel/security/tpm0/binary_bios_measurements
    bytes eventlog = 4;

    // One TPM quote: attestation structure plus the AK signature over it.
    message Quote {
      // TPMS_ATTEST (TSS_VALIDATION.Data or TSS_VALIDATION.rgbData)
      // This contains PCR selection information for which the signature was
      // calculated and other required data, like nonce (presumably the
      // platform_attestation_nonce from VerifyResponse.Challenge; confirm
      // against the server implementation).
      bytes quote = 1;

      // TSS_VALIDATION.ValidationData or TSS_VALIDATION.rgbValidationData
      // Signature over `quote` made with the AK.
      bytes signature = 2;
    }
  }
}

// Response message for method [Verify][ntt.iam.v1alpha2.Verify]
//
// Exactly one member of `msg` is set: `challenge` answers an AskForChallenge,
// `attestation_successful` answers an accepted ChallengeResponse.
message VerifyResponse {
  oneof msg {
    // Verifier's challenge in reply to VerifyRequest.AskForChallenge.
    Challenge challenge = 1;

    // Final result in reply to an accepted VerifyRequest.ChallengeResponse.
    AttestationSuccessful attestation_successful = 2;
  }

  // Challenge material the Attestor must answer in ChallengeResponse.
  message Challenge {
    // Platform attestation
    // Nonce the Attestor's quotes are expected to include; its freshness is
    // what ties the quotes to this exchange (anti-replay).
    bytes platform_attestation_nonce = 1;

    // AK Identity Activation
    // Encoding follows AskForChallenge.challenge_format.
    bytes cred_encrypted_by_ekpub = 2;

    // Second primitive of the identity activation challenge; encoding follows
    // AskForChallenge.challenge_format.
    bytes secret_encrypted_by_cred = 3;
  }

  // Returned once the Verifier has accepted the ChallengeResponse.
  message AttestationSuccessful {
    // Attestation token issued to the Attestor. Its "sub" claim is set from
    // AskForChallenge.subject (see that field for how it must be validated
    // against the JWT access token).
    string attestation_token = 1;
  }
}