Device enterprise registration with a certificate.

components/policy/proto/device_management_backend.proto

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
-// The wrapper message of any data and its signature.
-// Note: this should be compatible with the definition of SignedData in:
-// "third_party/chromiumos_platform_cryptohome/attestation.proto"
+// Data along with a cryptographic signature verifying their authenticity.
 message SignedData {
   // The data to be signed.
   optional bytes data = 1;
   // The signature of the data field.
   optional bytes signature = 2;
+  // How many bytes were added to the end of original data before signature
+  // (e.g. a nonce to avoid proxy attacks of the signing service).

[pastarmovj, 2016/08/22 15:09:43]

out of curiosity, can you explain this comment to me?

[The one and only Dr. Crash, 2016/08/22 16:00:02]

The signing code adds a nonce at the end of the data before it signs it
(https://cs.corp.google.com/chromeos_public/src/platform2/cryptohome/attestati...).
This is to avoid proxy attacks where someone could get another service to sign
something and pretend it was the one doing the signing. Because of TPM 2.0 the
size of the nonce is now variable
(https://cs.corp.google.com/chromeos_public/src/platform2/cryptohome/attestati...)
so it cannot be hardcoded in the server anymore as it has been up to now. so we
compute it and pass it. (It could be passed by the attestation code eventually
if dkrahn agrees to that idea).

+  optional int32 extra_data_bytes = 3;
 }
 
 // Request from device to server to register device.
 message DeviceRegisterRequest {
   // Reregister device without erasing server state.  It can be used
   // to refresh dmtoken etc.  Client MUST set this value to true if it
   // reuses an existing device id.
   optional bool reregister = 1;
 
   // Device register type.  This field does not exist for TT release.
@@ skipping 1052 matching lines @@
 
 // Response from server to device for check for Android-for-Work service with
 // DPC enforcement request.
 // SC_CONFLICT HTTP code is returned if DPC enforcement is required.
 message CheckAndroidManagementResponse {}
 
 // Request to register a new device (authenticated by enterprise enrollment
 // certificate).
 // The response message will be the DeviceRegisterReponse.
 message CertificateBasedDeviceRegisterRequest {
-  // signed_request.data is CertificateBasedDeviceRegistrationData type
-  // signed_request.signature is a signature generated with device cert's
-  // private key
-  optional SignedData signed_request = 2;
+  // Signed request to register with a certificate. The signed_request.data
+  // field contains a CertificateBasedDeviceRegistrationData with a nonce
+  // (as added by the Chrome OS cryptohome client) appended. The
+  // signed_request.signature field is a signature of the data field signed
+  // with the enrollment certificate's private key.
+  optional SignedData signed_request = 1;
 }
 
 message CertificateBasedDeviceRegistrationData {
   enum CertificateType {
     UNKNOWN = 0;
     ENTERPRISE_ENROLLMENT_CERTIFICATE = 1;
   }
 
   optional CertificateType certificate_type = 1;
   // device certificate in X.509 format.
@@ skipping 25 matching lines @@
 //     * ping
 //     * policy
 //     * register
 //     * status
 //     * unregister
 //     * remote_commands
 //     * attribute_update_permission
 //     * attribute_update
 //     * gcm_id_update
 //     * check_android_management
+//     * certificate_based_register
 //
 //   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
 //   * apptype: MUST BE Android or Chrome.
 //   * deviceid: MUST BE no more than 64-char in [\x21-\x7E].
 //   * agent: MUST BE a string of characters.
 // * HTTP Authorization header MUST be in the following formats:
 //   * For register, ping and check_android_management requests
 //     Authorization: GoogleLogin auth=<auth cookie for Mobile Sync>
 //
 //   * For unregister, policy, status, cert_upload, remote commands requests,
 //     and gcm id update requests
 //      Authorization: GoogleDMToken token=<dm token from register>
 //
-//   * The Authorization header isn't used for enterprise_check
-//     request, nor for register requests using OAuth. In the latter case,
-//     the OAuth token is passed in the "oauth" parameter.
+//   * The Authorization header isn't used for enterprise_check or for
+//     certificate_based_register requests, nor for register requests
+//     using OAuth. In the latter case, the OAuth token is passed in the
+//     "oauth" parameter.
 //
 // DeviceManagementRequest should only contain one request which matches the
 // HTTP query parameter - request, as listed below. Other requests within the
 // container will be ignored.
 //   cert_upload: cert_upload_request
 //   check_device_pairing: check_device_pairing_request
 //   device_pairing: device_pairing_request
 //   device_state_retrieval: device_state_retrieval_request
 //   enterprise_check: auto_enrollment_request
 //   ping: policy_request
 //   policy: policy_request
 //   register: register_request
 //   status: device_status_report_request or session_status_report_request
 //   unregister: unregister_request
 //   remote_commands: remote_command_request
 //   attribute_update_permission: device_attribute_update_permission_request
 //   attribute_update: device_attribute_update_request
 //   gcm_id_update: gcm_id_update_request
 //   check_android_management: check_android_management_request
+//   certificate_based_register: cert_based_register_request
 //
 message DeviceManagementRequest {
   // Register request.
   optional DeviceRegisterRequest register_request = 1;
 
   // Unregister request.
   optional DeviceUnregisterRequest unregister_request = 2;
 
   // Policy request.
   optional DevicePolicyRequest policy_request = 3;
@@ skipping 32 matching lines @@
 
   // Update device attribute.
   optional DeviceAttributeUpdateRequest device_attribute_update_request
       = 15;
 
   // Update the GCM id to device_id mapping.
   optional GcmIdUpdateRequest gcm_id_update_request = 16;
 
   // Check if user is a managed Android-for-Work user with DPC enforcement.
   optional CheckAndroidManagementRequest check_android_management_request = 17;
+
+  // Request to register with a registration certificate.
+  optional CertificateBasedDeviceRegisterRequest
+      cert_based_register_request = 18;
+
 }
 
 // Response from server to device.
 //
 // The server uses the following numbers as HTTP status codes
 // to report top-level errors.
 //
 // 200 OK: valid response is returned to client.
 // 400 Bad Request: invalid argument.
 // 401 Unauthorized: invalid auth cookie or DM token.
@@ skipping 52 matching lines @@
   // Response to update device attribute.
   optional DeviceAttributeUpdateResponse device_attribute_update_response = 16;
 
   // Response to GCM id update request.
   optional GcmIdUpdateResponse gcm_id_update_response = 17;
 
   // Response to check Android management request.
   optional CheckAndroidManagementResponse
       check_android_management_response = 18;
 }