// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS-IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package privacy.ppn;

import "quiche/blind_sign_auth/proto/any.proto";

option java_multiple_files = true;
option java_outer_classname = "AttestationProto";
option java_package = "com.google.android.libraries.privacy.ppn.proto";

// Empty request message; paired by name with NonceResponse.
message NonceRequest {}

// Nonce material together with its signature and signing algorithm.
message NonceResponse {
  // A nonce with the following format:
  // ECDSA(
  //   SHA256(
  //     <random bytes of length [64, 128]>.<expiry time in ms>)).
  //
  // NOTE(review): the format embeds an expiry time; where that expiry is
  // enforced and whether a nonce is single-use is not visible in this
  // file - confirm in the verifier.
  bytes nonce = 1;

  // Nonce signature.
  //
  // NOTE(review): the nonce format above already names ECDSA; how `sig`
  // relates to `nonce` is not stated here - confirm.
  bytes sig = 2;

  // Algorithm used to sign the nonce. Should be "es256".
  //
  // NOTE(review): declared as bytes although the documented value is text.
  // This value travels with the signature it describes; presumably the
  // verifier compares it to the single algorithm it expects rather than
  // selecting a verification algorithm from it - confirm.
  bytes alg = 3;
}

// Attestation evidence submitted for validation, plus the constraints
// the validation is performed against.
message ValidateDeviceRequest {
  // Attestation data that is returned by the client.
  oneof attestation_data {
    AndroidAttestationData android_attestation_data = 1;
    IosAttestationData ios_attestation_data = 2;
  }

  // NOTE(review): this field sits outside the oneof, so a request can
  // carry both a platform-specific member and `attestation`. Which one is
  // authoritative is not defined in this file - confirm that the
  // validator rejects or deterministically resolves that case.
  AttestationData attestation = 3;

  // NOTE(review): undocumented in the schema; presumably the application
  // package the attestation is expected to be bound to - confirm.
  string package_name = 4;

  // If attestation is AndroidAttestationData device models should be
  // listed in:
  // https://storage.googleapis.com/play_public/supported_devices.html
  //
  // NOTE(review): a repeated field has no presence, so an empty list and
  // an unset list are indistinguishable. Whether empty means "no model
  // restriction" or "no model allowed" is not stated - confirm.
  repeated string allowed_models = 5;
}

// Outcome of a ValidateDeviceRequest.
message ValidateDeviceResponse {
  // True iff all checks passed
  // (integrity token, nonce, hardware properties are legitimate).
  // Hardware properties check will be performed by the calling service
  // as attestation only checks to see if the device's hardware properties
  // are genuine.
  //
  // The proto3 default for bool is false, so an empty or default response
  // decodes as "not verified".
  bool device_verified = 1;

  // Detailed information on what specifically passed and what did not.
  VerdictBreakdown breakdown = 2;

  // If verified, contains the device model.
  string verified_device_type = 3;
}

// Per-check results behind ValidateDeviceResponse.device_verified.
message VerdictBreakdown {
  // Result of one check. VERDICT_UNKNOWN is the zero value and therefore
  // what an unset verdict field decodes to; a caller that gates on a
  // verdict needs an explicit comparison with VERDICT_PASS, not the
  // absence of VERDICT_FAIL.
  enum Verdict {
    VERDICT_UNKNOWN = 0;
    VERDICT_PASS = 1;
    VERDICT_FAIL = 2;
  }

  // Integrity verdict as determined by either Play Server or AppAttest.
  Verdict integrity_verdict = 1;

  // Whether nonce check passed.
  Verdict nonce_verdict = 2;

  // Whether or not the device properties sent by the client are
  // legitimate.
  Verdict device_properties_verdict = 3;
}

// NOTE(review): the only field uses number 2 and number 1 is not declared.
// If 1 belonged to a removed field it should be listed as `reserved` so
// it cannot be reused with a different meaning - confirm from history.
message PrepareAttestationData {
  bytes attestation_nonce = 2;
}

// Attestation evidence produced on Android.
message AndroidAttestationData {
  // Play IntegrityToken returned by Play Integrity API is detailed in
  // https://developer.android.com/google/play/integrity/verdict.
  string attestation_token = 1;

  // X509 Certificate chain generated by Android Keystore used for
  // Hardware-Backed Key Attestation.
  //
  // NOTE(review): element encoding and chain order are not stated here,
  // and the chain is only a claim until the receiver validates it up to
  // a root it trusts - confirm both in the validator.
  repeated bytes hardware_backed_certs = 2;
}

// Attestation evidence produced on iOS.
message IosAttestationData {
  // AppAttest attestation token.
  // Encoded in CBOR format.
  bytes attestation_token = 1;
}

// Wrapper that carries an attestation payload as an Any.
message AttestationData {
  // NOTE(review): quiche.protobuf.Any is defined in the imported file and
  // presumably mirrors google.protobuf.Any (type URL plus serialized
  // bytes). A receiver should match the contained type against the set of
  // message types it expects before unpacking - confirm.
  quiche.protobuf.Any attestation_data = 1;
}