Device enterprise registration with a certificate.

components/policy/proto/device_management_backend.proto

Index: components/policy/proto/device_management_backend.proto
diff --git a/components/policy/proto/device_management_backend.proto b/components/policy/proto/device_management_backend.proto
index 2a4bab38d33eda3f90942b71f4a334876f0167a6..80a6268b795e679837b20a58a741f5a1a5378f85 100644
--- a/components/policy/proto/device_management_backend.proto
+++ b/components/policy/proto/device_management_backend.proto
@@ -8,14 +8,15 @@ option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
-// The wrapper message of any data and its signature.
-// Note: this should be compatible with the definition of SignedData in:
-// "third_party/chromiumos_platform_cryptohome/attestation.proto"
+// Data along with a cryptographic signature verifying their authenticity.
 message SignedData {
   // The data to be signed.
   optional bytes data = 1;
   // The signature of the data field.
   optional bytes signature = 2;
+  // How many bytes were added to the end of original data before signature
+  // (e.g. a nonce to avoid proxy attacks of the signing service).

[pastarmovj, 2016/08/22 15:09:43]

out of curiosity, can you explain this comment to me?

[The one and only Dr. Crash, 2016/08/22 16:00:02]

The signing code adds a nonce at the end of the data before it signs it
(https://cs.corp.google.com/chromeos_public/src/platform2/cryptohome/attestati...).
This is to avoid proxy attacks where someone could get another service to sign
something and pretend it was the one doing the signing. Because of TPM 2.0 the
size of the nonce is now variable
(https://cs.corp.google.com/chromeos_public/src/platform2/cryptohome/attestati...)
so it cannot be hardcoded in the server anymore as it has been up to now. so we
compute it and pass it. (It could be passed by the attestation code eventually
if dkrahn agrees to that idea).

+  optional int32 extra_data_bytes = 3;
 }
 
 // Request from device to server to register device.
@@ -1088,10 +1089,12 @@ message CheckAndroidManagementResponse {}
 // certificate).
 // The response message will be the DeviceRegisterReponse.
 message CertificateBasedDeviceRegisterRequest {
-  // signed_request.data is CertificateBasedDeviceRegistrationData type
-  // signed_request.signature is a signature generated with device cert's
-  // private key
-  optional SignedData signed_request = 2;
+  // Signed request to register with a certificate. The signed_request.data
+  // field contains a CertificateBasedDeviceRegistrationData with a nonce
+  // (as added by the Chrome OS cryptohome client) appended. The
+  // signed_request.signature field is a signature of the data field signed
+  // with the enrollment certificate's private key.
+  optional SignedData signed_request = 1;
 }
 
 message CertificateBasedDeviceRegistrationData {
@@ -1137,6 +1140,7 @@ message CertificateBasedDeviceRegistrationData {
 //     * attribute_update
 //     * gcm_id_update
 //     * check_android_management
+//     * certificate_based_register
 //
 //   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
 //   * apptype: MUST BE Android or Chrome.
@@ -1150,9 +1154,10 @@ message CertificateBasedDeviceRegistrationData {
 //     and gcm id update requests
 //      Authorization: GoogleDMToken token=<dm token from register>
 //
-//   * The Authorization header isn't used for enterprise_check
-//     request, nor for register requests using OAuth. In the latter case,
-//     the OAuth token is passed in the "oauth" parameter.
+//   * The Authorization header isn't used for enterprise_check or for
+//     certificate_based_register requests, nor for register requests
+//     using OAuth. In the latter case, the OAuth token is passed in the
+//     "oauth" parameter.
 //
 // DeviceManagementRequest should only contain one request which matches the
 // HTTP query parameter - request, as listed below. Other requests within the
@@ -1172,6 +1177,7 @@ message CertificateBasedDeviceRegistrationData {
 //   attribute_update: device_attribute_update_request
 //   gcm_id_update: gcm_id_update_request
 //   check_android_management: check_android_management_request
+//   certificate_based_register: cert_based_register_request
 //
 message DeviceManagementRequest {
   // Register request.
@@ -1224,6 +1230,11 @@ message DeviceManagementRequest {
 
   // Check if user is a managed Android-for-Work user with DPC enforcement.
   optional CheckAndroidManagementRequest check_android_management_request = 17;
+
+  // Request to register with a registration certificate.
+  optional CertificateBasedDeviceRegisterRequest
+      cert_based_register_request = 18;
+
 }
 
 // Response from server to device.