1// Copyright 2019 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5// The messages in this file comprise the messages to communicate to FIDO 6// security keys. This file translates 7// <chrome/src>/third_party/blink/public/mojom/webauthn/authenticator.mojom 8// to protobuf. 9// The protobuf requests are translated to /device/fido requests in the key 10// challenge service in Chrome. 11 12syntax = "proto2"; 13 14option optimize_for = LITE_RUNTIME; 15package cryptohome.fido; 16 17message Url { 18 optional string url = 1; 19} 20 21// Fido authenticator status. 22enum AuthenticatorStatus { 23 SUCCESS = 0; 24 PENDING_REQUEST = 1; 25 NOT_ALLOWED_ERROR = 2; 26 INVALID_DOMAIN = 3; 27 INVALID_ICON_URL = 4; 28 CREDENTIAL_EXCLUDED = 5; 29 30 // TODO(crbug/964439): Unused in Desktop, but kept around for Android. Delete 31 // once it's fully obsolete. 32 CREDENTIAL_NOT_RECOGNIZED = 6; 33 34 NOT_IMPLEMENTED = 7; 35 NOT_FOCUSED = 8; 36 RESIDENT_CREDENTIALS_UNSUPPORTED = 9; 37 USER_VERIFICATION_UNSUPPORTED = 10; 38 ALGORITHM_UNSUPPORTED = 11; 39 EMPTY_ALLOW_CREDENTIALS = 12; 40 ANDROID_NOT_SUPPORTED_ERROR = 13; 41 PROTECTION_POLICY_INCONSISTENT = 14; 42 ABORT_ERROR = 15; 43 OPAQUE_DOMAIN = 16; 44 INVALID_PROTOCOL = 17; 45 BAD_RELYING_PARTY_ID = 18; 46 UNKNOWN_ERROR = 19; 47} 48 49enum AuthenticatorTransport { 50 USB = 0; 51 NFC = 1; 52 BLE = 2; 53 CABLE = 3; 54 INTERNAL = 4; 55} 56 57// Credential information returned by both Authenticator::MakeCredential 58// and Authenticator::GetAssertion. 59message CommonCredentialInfo { 60 // The base64url encoding of |raw_id|. 61 optional string id = 1; 62 63 // An identifier for the credential. 64 optional bytes raw_id = 2; 65 66 // A blob of data containing the JSON serialization of client data passed 67 // to the authenticator. 68 optional bytes client_data_json = 3; 69} 70 71// The public key and attestation returned by Authenticator::MakeCredential. 72message MakeCredentialAuthenticatorResponse { 73 optional CommonCredentialInfo info = 1; 74 75 // A blob of data returned by the authenticator after creating a credential. 76 optional bytes attestation_object = 2; 77 78 // A list of transports that the authenticator supports, with the transport 79 // used for the registration as the first element. 80 repeated AuthenticatorTransport transports = 3; 81 82 // True if getClientExtensionResults() called on the returned 83 // PublicKeyCredential instance should contain an `hmacCreateSecret` 84 // extension output. If so, |hmac_create_secret| contains the actual value. 85 optional bool echo_hmac_create_secret = 4; 86 optional bool hmac_create_secret = 5; 87} 88 89message GetAssertionAuthenticatorResponse { 90 optional CommonCredentialInfo info = 1; 91 92 // A blob of data returned by the authenticator after generating an assertion. 93 optional bytes authenticator_data = 2; 94 95 // Cryptographic signature proving possession of the credential private key. 96 optional bytes signature = 3; 97 98 // Only supported by CTAP devices, not by U2F devices. 99 // Equivalent of the `user.id` passed into create(). 100 // Maximum 64 bytes. 101 optional bytes user_handle = 4; 102 103 // True if getClientExtensionResults() called on the returned 104 // PublicKeyCredential instance should contain an `appid` extension output. 105 // If so, |appid_extension| contains the actual value. 106 optional bool echo_appid_extension = 5; 107 optional bool appid_extension = 6; 108} 109 110// Information about the relying party. These fields take arbitrary input. 111message PublicKeyCredentialRpEntity { 112 // An ASCII serialization of an origin. 113 optional string id = 1; 114 115 // Friendly name associated with the relying party intended for display. 116 // e.g. "Acme Corporation". 117 optional string name = 2; 118 119 // Image associated with the entity. e.g. a relying party's logo. 120 optional Url icon = 3; 121} 122 123// Information about the account held by the user. These fields take 124// arbitrary input. 125message PublicKeyCredentialUserEntity { 126 // Unique identifier for a user account An opaque byte sequence with a 127 // maximum size of 64 bytes. 128 optional bytes id = 1; 129 130 // Friendly name associated with the entity intended for display. 131 // e.g."john.p.smith@example.com" or "+14255551234" for a user. 132 optional string name = 2; 133 134 // Image associated with the entity. For example, a user's avatar. 135 optional Url icon = 3; 136 137 // Contains a friendly name for the user account (e.g., "John P. Smith"). 138 optional string display_name = 4; 139} 140 141// Parameters that are used to generate an appropriate public key credential. 142message PublicKeyCredentialParameters { 143 optional PublicKeyCredentialType type = 1; 144 optional int32 algorithm_identifier = 2; 145} 146 147enum UserVerificationRequirement { 148 REQUIRED = 0; 149 PREFERRED = 1; 150 DISCOURAGED = 2; 151} 152 153// Cloud-assisted BLE extension data for getAssertion. 154message CableAuthentication { 155 // The caBLE version requested. 156 optional uint32 version = 1; 157 158 // A 16-byte ephemeral identifier that the browser will advertise. 159 optional bytes client_eid = 2; 160 161 // A 16-byte ephemeral identifier that the browser expects to receive from a 162 // responding authenticator. 163 optional bytes authenticator_eid = 3; 164 165// A 32-byte pre-key used to compute a session key to encrypt messages between 166 // a paired client and authenticator following a successful discovery. 167 optional bytes session_pre_key = 4; 168} 169 170// Cloud-assisted BLE extension data for makeCredential. 171message CableRegistration { 172 // The caBLE versions supported by the relying party. 173 optional bytes versions = 1; 174 175 // The 65-byte ECDSA ephemeral public key belonging to the relying party 176 // for use in establishing an encrypted caBLE channel with an authenticator. 177 optional bytes relying_party_public_key = 2; 178} 179 180// Parameters passed into calls to GetAssertion. 181message PublicKeyCredentialRequestOptions { 182 // An indefinite-length blob passed from the the relying party server, 183 // to be sent to an authenticator for signing 184 optional bytes challenge = 1; 185 186 // Time to wait for an authenticator to complete an operation. 187 // Adjusted to fall within a client-defined range. 188 optional int64 adjusted_timeout = 2; 189 190 // An ASCII serialization of the origin claimed by the relying party. 191 optional string relying_party_id = 3; 192 193 // A list of credentials the relying party knows about and would 194 // accept as the signing credential. 195 repeated PublicKeyCredentialDescriptor allow_credentials = 4; 196 // Indicates the relying party's need for a user-verifying authenticator. 197 optional UserVerificationRequirement user_verification = 5; 198 199 // The contents of the appid extension, if any. See 200 // https://w3c.github.io/webauthn/#sctn-appid-extension 201 optional string appid = 6; 202 203 // The contents of the cloud assisted BLE extension for getAssertion 204 // requests, if any. This extension permits browsers and authenticator 205 // devices to establish a pairingless BLE connection. 206 // TODO(crbug.com/842371): Add link to spec when available. 207 // There may be multiple sets if multiple caBLE credentials have been 208 // registered with the relying party. 209 repeated CableAuthentication cable_authentication_data = 7; 210} 211 212// See https://w3c.github.io/webauthn/#enumdef-attestationconveyancepreference 213enum AttestationConveyancePreference { 214 NONE_ATTESTATION_PREFERENCE = 0; 215 INDIRECT = 1; 216 DIRECT = 2; 217 // A non-standard addition that we hope will become standard. This indicates 218 // that the RP desires individual attestaion from the device. 219 ENTERPRISE = 3; 220} 221 222// https://w3c.github.io/webauthn/#enumdef-authenticatorattachment. 223enum AuthenticatorAttachment { 224 NO_PREFERENCE = 0; 225 PLATFORM = 1; 226 CROSS_PLATFORM = 2; 227} 228 229enum ProtectionPolicy { 230 // UNSPECIFIED means that no value was given at the Javascript level. 231 UNSPECIFIED = 0; 232 NONE_PROTECTION_POLICY = 1; 233 UV_OR_CRED_ID_REQUIRED = 2; 234 UV_REQUIRED = 3; 235} 236 237// See https://w3c.github.io/webauthn/#dictdef-authenticatorselectioncriteria. 238message AuthenticatorSelectionCriteria { 239 // Filter authenticators by attachment type. 240 optional AuthenticatorAttachment authenticator_attachment = 1; 241 242 // Whether the authenticator should store the created key so that the key 243 // can later be selected given only an RP ID (e.g. when |allow_credentials| 244 // is empty). 245 optional bool require_resident_key = 2; 246 247 // Indicates the relying party's need for a user-verifying authenticator. 248 optional UserVerificationRequirement user_verification = 3; 249} 250 251 252// Parameters passed into calls to MakeCredential. 253message PublicKeyCredentialCreationOptions { 254 // Information about the relying party and user entities, respectively. 255 // Used by the authenticator to create or retrieve an appropriate public key 256 // credential for the requested account. 257 optional PublicKeyCredentialRpEntity relying_party = 1; 258 optional PublicKeyCredentialUserEntity user = 2; 259 260 // An indefinite-length blob passed from the the relying party server, 261 // to be sent to an authenticator to make a credential. 262 optional bytes challenge = 3; 263 264 // Parameters defining the type of created credential that the relying 265 // party would accept. 266 repeated PublicKeyCredentialParameters public_key_parameters = 4; 267 268 // Time in ms to wait for an authenticator to complete an operation. 269 // Adjusted to fall within a client-defined range. 270 optional int64 adjusted_timeout = 5; 271 272 // A list of credentials the relying party knows about. If an 273 // authenticator has one of these credentials, it should not 274 // create a new one 275 repeated PublicKeyCredentialDescriptor exclude_credentials = 6; 276 277 // Specify the relying party's authenticator attribute requirements. 278 optional AuthenticatorSelectionCriteria authenticator_selection = 7; 279 280 // Specifies whether the RP wants attestation information for the created 281 // credential. 282 optional AttestationConveyancePreference attestation = 8; 283 284 // The contents of the cloud assisted BLE extension for makeCredential 285 // requests, if any. This extension permits browsers and authenticator 286 // devices to establish a pairingless BLE connection. 287 // TODO(crbug.com/842371): Add link to spec when available. 288 optional CableRegistration cable_registration_data = 9; 289 290 // The contents of the hmacCreateSecret extension, if any. See 291 // https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension 292 optional bool hmac_create_secret = 10; 293 294 // The value of the `credentialProtectionPolicy` extension, or UNSPECIFIED if 295 // none was provided 296 optional ProtectionPolicy protection_policy = 11; 297 298 // The value of the `enforceCredentialProtectionPolicy`, or false if none was 299 // provided 300 optional bool enforce_protection_policy = 12; 301 302 // The contents of the appidExclude extension, if any. See 303 // https://w3c.github.io/webauthn/#sctn-appid-exclude-extension 304 305 optional string appid_exclude = 13; 306} 307enum PublicKeyCredentialType { 308 PUBLIC_KEY = 0; 309} 310 311// Describes the credentials that the relying party already knows about for 312// the given account. If any of these are known to the authenticator, 313// it should not create a new credential. 314message PublicKeyCredentialDescriptor { 315 optional PublicKeyCredentialType type = 1; 316 // Blob representing a credential key handle. Up to 255 bytes for 317 // U2F authenticators. 318 optional bytes id = 2; 319 repeated AuthenticatorTransport transports = 3; 320} 321