Device enterprise registration with a certificate.

components/policy/proto/device_management_backend.proto

Index: components/policy/proto/device_management_backend.proto
diff --git a/components/policy/proto/device_management_backend.proto b/components/policy/proto/device_management_backend.proto
index 2c2d6131c5887079be226b811c1ece270973bbcd..f80cd1be2a5c829bdfd90c53be111a15e2df0891 100644
--- a/components/policy/proto/device_management_backend.proto
+++ b/components/policy/proto/device_management_backend.proto
@@ -8,14 +8,15 @@ option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
-// The wrapper message of any data and its signature.
-// Note: this should be compatible with the definition of SignedData in:
-// "third_party/chromiumos_platform_cryptohome/attestation.proto"
+// Data along with a cryptographic signature verifying their authenticity.
 message SignedData {
   // The data to be signed.
   optional bytes data = 1;
   // The signature of the data field.
   optional bytes signature = 2;
+  // How many bytes were added to the end of original data before signature
+  // (e.g. a nonce to avoid proxy attacks of the signing service).
+  optional int32 extra_data_bytes = 3;
 }
 
 // Request from device to server to register device.
@@ -1093,10 +1094,12 @@ message CheckAndroidManagementResponse {}
 // certificate).
 // The response message will be the DeviceRegisterReponse.
 message CertificateBasedDeviceRegisterRequest {
-  // signed_request.data is CertificateBasedDeviceRegistrationData type
-  // signed_request.signature is a signature generated with device cert's
-  // private key
-  optional SignedData signed_request = 2;
+  // Signed request to register with a certificate. The signed_request.data
+  // field contains a CertificateBasedDeviceRegistrationData with a nonce
+  // (as added by the Chrome OS cryptohome client) appended. The
+  // signed_request.signature field is a signature of the data field signed
+  // with the enrollment certificate's private key.
+  optional SignedData signed_request = 1;
 }
 
 message CertificateBasedDeviceRegistrationData {
@@ -1142,6 +1145,7 @@ message CertificateBasedDeviceRegistrationData {
 //     * attribute_update
 //     * gcm_id_update
 //     * check_android_management
+//     * certificate_based_register
 //
 //   * devicetype: MUST BE "1" for Android or "2" for Chrome OS.
 //   * apptype: MUST BE Android or Chrome.
@@ -1155,9 +1159,10 @@ message CertificateBasedDeviceRegistrationData {
 //     and gcm id update requests
 //      Authorization: GoogleDMToken token=<dm token from register>
 //
-//   * The Authorization header isn't used for enterprise_check
-//     request, nor for register requests using OAuth. In the latter case,
-//     the OAuth token is passed in the "oauth" parameter.
+//   * The Authorization header isn't used for enterprise_check or for
+//     certificate_based_register requests, nor for register requests
+//     using OAuth. In the latter case, the OAuth token is passed in the
+//     "oauth" parameter.
 //
 // DeviceManagementRequest should only contain one request which matches the
 // HTTP query parameter - request, as listed below. Other requests within the
@@ -1177,6 +1182,7 @@ message CertificateBasedDeviceRegistrationData {
 //   attribute_update: device_attribute_update_request
 //   gcm_id_update: gcm_id_update_request
 //   check_android_management: check_android_management_request
+//   certificate_based_register: cert_based_register_request
 //
 message DeviceManagementRequest {
   // Register request.
@@ -1229,6 +1235,11 @@ message DeviceManagementRequest {
 
   // Check if user is a managed Android-for-Work user with DPC enforcement.
   optional CheckAndroidManagementRequest check_android_management_request = 17;
+
+  // Request to register with a registration certificate.
+  optional CertificateBasedDeviceRegisterRequest
+      cert_based_register_request = 18;
+
 }
 
 // Response from server to device.