File: database.proto

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (172 lines) | stat: -rw-r--r-- 6,433 bytes parent folder | download | duplicates (9) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
 
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

syntax = "proto2";

option optimize_for = LITE_RUNTIME;

import "attestation_ca.proto";
import "keystore.proto";

package attestation;
option go_package = "go.chromium.org/chromiumos/system_api/attestation_proto";

// Holds TPM credentials that the attestation server will need to see. These
// credentials must be cleared once the attestation server has certified the
// AIK.
message TPMCredentials {
  reserved 3, 4, 7, 8;

  // The key type of endorsement key stored in |endorsement_public_key| and
  // |endorsement_credential|.
  optional KeyType endorsement_key_type = 10 [default = KEY_TYPE_RSA];
  // The DER encoded SubjectPublicKeyInfo for endorsement key.
  optional bytes endorsement_public_key = 11;
  // The DER encoded X.509 certificate of endorsement key.
  optional bytes endorsement_credential = 2;

  // The DER encoded RSAPublicKey for RSA endorsement key.
  reserved 1, 5, 6;

  // Map of |endorsement_credential| encrypted with a public key associated with
  // Chrome OS Privacy CA, by CA.
  map<int32, EncryptedData> encrypted_endorsement_credentials = 9;
}

// Holds information relevant to a particular AIK.
message IdentityKey {
  // The key type of stored key.
  optional KeyType identity_key_type = 5 [default = KEY_TYPE_RSA];
  // The DER encoded public key. RSAPublicKey for RSA key. SubjectPublicKeyInfo
  // for ECC key.
  optional bytes identity_public_key_der = 1;
  // The TPM-specific key blob that can be loaded back into the TPM.
  optional bytes identity_key_blob = 2;
  // A credential issued by the attestation server. (Now in
  // IdentityCertificate.)
  reserved 3;
  // The computed enrollment ID, present only for enrolled devices.
  reserved 4;
}

// Holds information required to verify the binding of an AIK to an EK. This
// information should be cleared once the attestation server has certified the
// AIK. This is not used for TPM 2.0 attestation and if it exists, only the
// public key fields are meaningful.
message IdentityBinding {
  // The binding data, as output by the TPM_MakeIdentity operation.
  optional bytes identity_binding = 1;
  // The AIK public key, DER encoded.
  optional bytes identity_public_key_der = 2;
  // The AIK public key, the raw TPM format. (TPM_PUBKEY for TPM 1.2,
  // TPMT_PUBLIC for TPM 2.0).
  optional bytes identity_public_key_tpm_format = 3;
  // The label used during AIK creation.
  optional bytes identity_label = 4;
  // The PCA public key used during AIK creation, in TPM_PUBKEY form.
  optional bytes pca_public_key = 5;
}

// Holds owner delegation information.
message Delegation {
  reserved 4;
  reserved "can_read_internal_pub";
  // The delegate owner blob.
  optional bytes blob = 1;
  // The authorization secret.
  optional bytes secret = 2;
  // Whether this delegate has permissions to call TPM_ResetLockValue.
  optional bool has_reset_lock_permissions = 3;
}

// Holds information about a certified key.
message CertifiedKey {
  // The TPM-wrapped key blob.
  optional bytes key_blob = 1;
  // The public key in ASN.1 DER form.
  optional bytes public_key = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 4;
  // A key name.  This is not necessarily a unique identifier.
  optional bytes key_name = 5;
  // An arbitrary payload associated with the key.
  optional bytes payload = 6;
  // Addtional intermediate CA certificates that helps chaining up to the root
  // CA. See |AttestationCertificateResponse.additional_intermediate_ca_cert|
  // for more detail.
  repeated bytes additional_intermediate_ca_cert = 7;
  // The public key in TPM_PUBKEY form (TPMT_PUBLIC for TPM 2.0).
  optional bytes public_key_tpm_format = 8;
  // The serialized TPM_CERTIFY_INFO for the certified key (TPMS_ATTEST for
  // TPM 2.0).
  optional bytes certified_key_info = 9;
  // The signature of the TPM_CERTIFY_INFO or TPMS_ATTEST by the AIK.
  optional bytes certified_key_proof = 10;
  // The original key type specified when the key was created.
  optional KeyType key_type = 11;
  // The original key usage specified when the key was created.
  optional KeyUsage key_usage = 12;
}

// Features of an identity (bitwise enumeration).
enum IdentityFeatures {
  // No identity features.
  NO_IDENTITY_FEATURES = 0;
  // This identity carries an EID.
  IDENTITY_FEATURE_ENTERPRISE_ENROLLMENT_ID = 1;
}

// Holds all information that a client stores locally.
message AttestationDatabase {
  reserved 1, 9, 10, 11, 13;
  optional TPMCredentials credentials = 2;

  // These deprecated fields are now in identities and identity certificates.
  reserved 3, 4, 5, 12;

  optional Delegation delegate = 6;
  repeated CertifiedKey device_keys = 7;

  message TemporalIndexRecord {
    optional bytes user_hash = 1;
    optional bytes origin_hash = 2;
    optional int32 temporal_index = 3;
  }
  repeated TemporalIndexRecord temporal_index_record = 8;

  // Holds identity-related values generated by the TPM.
  message Identity {
    optional int32 features = 1;
    optional IdentityBinding identity_binding = 2;
    optional IdentityKey identity_key = 3;
    // PCR quotes. Keys are PCR indices.
    map<int32, Quote> pcr_quotes = 4;
    // NVRAM quoted by AIK. Keys are values of NVRAMQuoteType.
    map<int32, Quote> nvram_quotes = 5;
  }

  // The unique device EID.
  optional bytes enrollment_id = 14;

  // All the known identities. Identity 0 is guaranteed to exist and to have
  // identity features of IDENTITY_FEATURE_ENTERPRISE_ENROLLMENT_ID.
  repeated Identity identities = 15;

  // Holds all identity-related value for a combination of Identity and ACA.
  message IdentityCertificate {
    // The Identity used for this certificate.
    optional int32 identity = 1;
    // The attestation server that this certificate was created with.
    optional int32 aca = 2;
    // A credential issued by the attestation server.
    optional bytes identity_credential = 3;
  }

  // All the identity certificates we know of. Keys 0 and 1 are reserved
  // for backwards compatibility and represent identity 0 enrolled with the
  // default and test ACA respectively.
  map<int32, IdentityCertificate> identity_certificates = 16;
}