// Copyright 2021 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Our Python generator removes the "_serialized_" namespace when generating
// the code, to avoid symbol clash with the code generated by flatc.
namespace cryptohome.structure._serialized_;
// Declares the custom attributes that may be used in this schema file. flatc
// rejects any attribute that has not been declared this way.
// Of the three, only "serializable" is applied to a table in this file (on
// SignatureChallengeInfo).
// NOTE(review): the meaning of each attribute is defined by the project's
// generator, not by this schema. "secure" presumably marks fields that hold
// secret material - confirm against the generator before relying on it.
attribute "optional";
attribute "secure";
attribute "serializable";
// Cryptographic signature algorithm type for challenge requests. Used with
// challenge-response cryptohome keys.
// Every value is an RSASSA-PKCS1-v1_5 variant; they differ only in the hash
// function. PKCS#1 v1.5 signatures are deterministic, which is what
// SignatureChallengeInfo.salt_signature_algorithm requires. A randomized
// scheme (for example RSASSA-PSS) would not meet that requirement.
// The numeric values are stored in serialized data, so existing values must
// not be renumbered or reused.
// There is no value 0, and a serialized buffer can carry any int, so readers
// should reject values outside the range listed here.
enum ChallengeSignatureAlgorithm : int {
// NOTE(review): SHA-1 is no longer considered collision resistant.
// Presumably this value is kept for keys or tokens that support nothing
// stronger - confirm, and prefer the SHA-2 variants when the key offers them.
kRsassaPkcs1V15Sha1 = 1,
kRsassaPkcs1V15Sha256 = 2,
kRsassaPkcs1V15Sha384 = 3,
kRsassaPkcs1V15Sha512 = 4,
}
// Data for the TPM 2.0 method based on the "TPM2_PolicySigned" feature.
// One of the two members of the SignatureSealedData union.
// Field ids are explicit and fix the serialized layout, so they must not be
// changed or reused.
table Tpm2PolicySignedData {
// DER-encoded blob of the X.509 Subject Public Key Info of the key that
// should be used for unsealing.
// NOTE(review): SignatureChallengeInfo carries its own public_key_spki_der.
// Presumably the reader checks that the two agree - verify in the unsealing
// code.
public_key_spki_der:[ubyte] (id: 0);
// The secret blob, wrapped by the TPM's Storage Root Key.
srk_wrapped_secret:[ubyte] (id: 1);
// The signature scheme (TPM_ALG_ID) that should be used for unsealing.
// "= null" makes this an optional scalar: an absent field is distinguishable
// from a stored 0.
// NOTE(review): TPM_ALG_ID is a 16-bit value in the TPM 2.0 specification
// while this field is a 32-bit int. Readers should range-check the value
// before narrowing it.
scheme:int = null (id: 2);
// The signature hash algorithm (TPM_ALG_ID) that should be used for
// unsealing. Optional scalar, same as |scheme|.
hash_alg:int = null (id: 3);
// TPM policy digest for the TPM2_PolicyPCR command executed with default PCR
// map.
default_pcr_policy_digest:[ubyte] (id: 4);
// TPM policy digest for the TPM2_PolicyPCR command executed with extended PCR
// map.
extended_pcr_policy_digest:[ubyte] (id: 5);
}
// Data for the TPM 1.2 method based on the "Certified Migratable Key"
// functionality.
// One of the two members of the SignatureSealedData union.
// Field ids are explicit and fix the serialized layout, so they must not be
// changed or reused.
table Tpm12CertifiedMigratableKeyData {
// DER-encoded blob of the X.509 Subject Public Key Info of the key that
// should be used for unsealing.
public_key_spki_der:[ubyte] (id: 0);
// The blob of the Certified Migratable Key wrapped by the TPM's Storage
// Root Key.
srk_wrapped_cmk:[ubyte] (id: 1);
// The TPM_PUBKEY blob of the Certified Migratable Key.
cmk_pubkey:[ubyte] (id: 2);
// The AuthData blob encrypted by the CMK using the RSAES-OAEP MGF1
// algorithm.
cmk_wrapped_auth_data:[ubyte] (id: 3);
// The secret blob, which is bound to the default PCR map.
// NOTE(review): unlike the TPM 2.0 table, which stores one wrapped secret plus
// two policy digests, this table stores one bound blob per PCR map.
// Presumably both blobs protect the same secret - confirm against the
// sealing code.
default_pcr_bound_secret:[ubyte] (id: 4);
// The secret blob, which is bound to the extended PCR map.
extended_pcr_bound_secret:[ubyte] (id: 5);
}
// TPM-version-specific container for a signature-sealed secret: holds either
// the TPM 2.0 or the TPM 1.2 variant defined above.
// FlatBuffers stores a union as two fields, a type discriminator and the
// value. The discriminator can also be NONE, so readers must handle a missing
// or unknown member instead of assuming one of the two tables is present.
// The order of the members determines the discriminator values written to
// serialized data, so new members may only be appended.
union SignatureSealedData {
Tpm2PolicySignedData,
Tpm12CertifiedMigratableKeyData
}
// Fields specific to the challenge-response protection.
// The Scrypt KDF passphrase, used for the protection of the keyset, is
// defined as a concatenation of two values:
// * The first is the blob which is sealed in |sealed_secret|.
// * The second is the deterministic signature of |salt| using the
// |salt_signature_algorithm| algorithm.
// The cryptographic key specified in |public_key_spki_der| is used for both.
// This is the root_type of the schema and the only table carrying the
// "serializable" attribute.
table SignatureChallengeInfo (serializable) {
// DER-encoded blob of the X.509 Subject Public Key Info of the key to be
// challenged in order to obtain the KDF passphrase for decrypting the vault
// keyset.
public_key_spki_der:[ubyte] (id: 0);
// Container with the secret data which is sealed using the TPM in a way
// that the process of its unsealing involves signature challenges against
// the specified key. This secret data is one of the sources for building
// the KDF passphrase.
// The id jumps from 0 to 2 on purpose: a FlatBuffers union occupies two
// slots, and id 1 belongs to the implicit type discriminator of this field.
// Do not assign id 1 to a new field.
sealed_secret:SignatureSealedData (id: 2);
// Salt whose signature is another source for building the KDF passphrase.
salt:[ubyte] (id: 3);
// Signature algorithm to be used for signing |salt|.
// NOTE: the signature algorithm has to be deterministic (that is, always
// produce the same output for the same input).
// The signature is part of the KDF passphrase, so a randomized signature
// would produce a different passphrase on every attempt and the keyset could
// not be decrypted again.
// "= null" makes this an optional scalar, so readers must handle both an
// absent value and a value outside ChallengeSignatureAlgorithm.
salt_signature_algorithm:ChallengeSignatureAlgorithm = null (id: 4);
}
// Description of a public key of an asymmetric cryptographic key. Used with
// challenge-response cryptohome keys.
// This table is not referenced by any other table in this file.
table ChallengePublicKeyInfo {
// DER-encoded blob of the X.509 Subject Public Key Info.
public_key_spki_der:[ubyte] (id: 0);
// Supported signature algorithms, in the order of preference (starting from
// the most preferred). Absence of this field denotes that the key cannot be
// used for signing.
// NOTE(review): the preference order comes from the stored data. Whether the
// consumer applies a minimum-strength policy of its own (for example refusing
// the SHA-1 variant) is not visible here - confirm in the calling code.
signature_algorithm:[ChallengeSignatureAlgorithm] (id: 1);
}
// Declares SignatureChallengeInfo as the root table of a serialized buffer.
root_type SignatureChallengeInfo;