OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 syntax = "proto2"; | 5 syntax = "proto2"; |
6 | 6 |
7 option optimize_for = LITE_RUNTIME; | 7 option optimize_for = LITE_RUNTIME; |
8 | 8 |
9 package enterprise_management; | 9 package enterprise_management; |
10 | 10 |
476 // is supplied. | 476 // is supplied. |
477 // Or, client might not have verification public key (legacy Chrome build | 477 // Or, client might not have verification public key (legacy Chrome build |
478 // before verification key was introduced, or outdated build which has | 478 // before verification key was introduced, or outdated build which has |
479 // old/compromised verification key). In that case, verification signature | 479 // old/compromised verification key). In that case, verification signature |
480 // cannot be provided. | 480 // cannot be provided. |
481 // If client is missing both public keys (old signing key and verification | 481 // If client is missing both public keys (old signing key and verification |
482 // key), then we are unable to produce any valid signature and client must | 482 // key), then we are unable to produce any valid signature and client must |
483 // drop such PolicyFetchResponse. | 483 // drop such PolicyFetchResponse. |
484 optional bytes new_public_key_verification_data = 8; | 484 optional bytes new_public_key_verification_data = 8; |
485 | 485 |
486 // If new_public_key is specified, this field contains a signature | 486 // If new_public_key is specified, this field contains the signature of a |
487 // of a PolicyPublicKeyAndDomain protobuf, signed using a key only | 487 // PublicKeyVerificationData protobuf, signed using a key only available to |
488 // available to DMServer. The public key portion of this well-known key is | 488 // DMServer. The public key portion of this well-known key is embedded into |
489 // embedded into the Chrome binary. The hash of that embedded key is passed | 489 // the Chrome binary. The hash of that embedded key is passed to DMServer as |
490 // to DMServer as verification_key_hash field in PolicyFetchRequest. DMServer | 490 // verification_key_hash field in PolicyFetchRequest. DMServer picks a private |
491 // will pick a private key on the server which matches the hash (matches | 491 // key on the server which matches the hash (matches public key on the |
492 // public key on the client). If DMServer is unable to find matching key, it | 492 // client). If DMServer is unable to find matching key, it returns an error |
493 // will return an error instead of policy data. | 493 // instead of policy data. In case a hash was not specified, DMServer leaves |
494 // In case hash was not specified, DMServer will leave verification signature | 494 // the verification signature field empty (legacy behavior). |
495 // field empty (legacy behavior). | 495 // This signature is provided to better protect first key delivery (since the |
496 // In addition to the checks between new_public_key | 496 // browser does not possess the previous signing key, DMServer cannot compute |
497 // and new_public_key_signature described above, Chrome also verifies | 497 // new_public_key_signature). |
498 // new_public_key with the embedded public key and | 498 // See http://go/chrome-nac-server-design for more information. |
499 // new_public_key_verification_signature. | |
500 optional bytes new_public_key_verification_data_signature = 9; | 499 optional bytes new_public_key_verification_data_signature = 9; |
501 } | 500 } |
502 | 501 |
503 // DEPRECATED ON THE SERVER: Protobuf used to generate the deprecated | 502 // DEPRECATED ON THE SERVER: Protobuf used to generate the deprecated |
504 // new_public_key_verification_signature field. | 503 // new_public_key_verification_signature field. |
505 message PolicyPublicKeyAndDomain { | 504 message PolicyPublicKeyAndDomain { |
506 // The public key to sign (taken from the |new_public_key| field in | 505 // The public key to sign (taken from the |new_public_key| field in |
507 // PolicyFetchResponse). | 506 // PolicyFetchResponse). |
508 optional bytes new_public_key = 1; | 507 optional bytes new_public_key = 1; |
509 | 508 |
1302 optional CheckAndroidManagementRequest check_android_management_request = 17; | 1301 optional CheckAndroidManagementRequest check_android_management_request = 17; |
1303 | 1302 |
1304 // Request to register with a registration certificate. | 1303 // Request to register with a registration certificate. |
1305 optional CertificateBasedDeviceRegisterRequest | 1304 optional CertificateBasedDeviceRegisterRequest |
1306 certificate_based_register_request = 18; | 1305 certificate_based_register_request = 18; |
1307 | 1306 |
1308 } | 1307 } |
1309 | 1308 |
1310 // Response from server to device. | 1309 // Response from server to device. |
1311 // | 1310 // |
1312 // The server uses the following numbers as HTTP status codes | 1311 // For release clients, DMServer returns errors using HTTP Status Code, so that |
1313 // to report top-level errors. | 1312 // clients only need to check one place for all error codes. It is also easier |
| 1313 // to perform log analysis and customer support since HTTP Status Code is easily |
| 1314 // visible in the logs. |
| 1315 // |
| 1316 // The following list defines the error code returned by this API: |
1314 // | 1317 // |
1315 // 200 OK: valid response is returned to client. | 1318 // 200 OK: valid response is returned to client. |
1316 // 400 Bad Request: invalid argument. | 1319 // 400 Bad Request: invalid argument. |
1317 // 401 Unauthorized: invalid auth cookie or DM token. | 1320 // 401 Unauthorized: invalid auth cookie or DM token. |
1318 // 403 Forbidden: device management is not allowed. | 1321 // 403 Forbidden: device management is not allowed. |
1319 // 404 Not Found: the request URL is invalid. | 1322 // 404 Not Found: the request URL is invalid. |
1320 // 410 Device Not Found: the device id is not found. | 1323 // 410 Device Not Found: the device id is not found. |
1321 // 491 Request Pending: the request is pending approval. | 1324 // 491 Request Pending: the request is pending approval. |
1322 // 500 Internal Server Error: most likely a bug in DM server. | 1325 // 500 Internal Server Error: most likely a bug in DM server. |
1323 // 503 Service Unavailable: most likely a backend error. | 1326 // 503 Service Unavailable: most likely a backend error. |
1398 // Response to update device attribute. | 1401 // Response to update device attribute. |
1399 optional DeviceAttributeUpdateResponse device_attribute_update_response = 16; | 1402 optional DeviceAttributeUpdateResponse device_attribute_update_response = 16; |
1400 | 1403 |
1401 // Response to GCM id update request. | 1404 // Response to GCM id update request. |
1402 optional GcmIdUpdateResponse gcm_id_update_response = 17; | 1405 optional GcmIdUpdateResponse gcm_id_update_response = 17; |
1403 | 1406 |
1404 // Response to check Android management request. | 1407 // Response to check Android management request. |
1405 optional CheckAndroidManagementResponse | 1408 optional CheckAndroidManagementResponse |
1406 check_android_management_response = 18; | 1409 check_android_management_response = 18; |
1407 } | 1410 } |
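Review bot: The rewritten comment above `new_public_key_verification_data_signature` (new lines 486–498) no longer states the client's obligation: the old sentence saying Chrome verifies new_public_key with the embedded public key was dropped, and nothing says how a client that did send verification_key_hash should treat an empty field. It also describes the signature as covering "a PublicKeyVerificationData protobuf" without saying whether that means the exact bytes carried in `new_public_key_verification_data` (field 8). Protobuf serialization is not canonical, so a client that re-serializes before verifying could reject a valid signature. If it matches the server, I would add `// Computed over the exact bytes of new_public_key_verification_data; the client verifies it with the embedded key before trusting that field.` plus one sentence on the empty-field case. Separately, `http://go/chrome-nac-server-design` presumably resolves only on the internal network, so readers of the public tree cannot follow it; a public design doc or a short inline summary would serve them better.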