// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// DEPRECATED! Attestation is moving to aosp/system/tpm/attestation. In
// particular, all work for supporting TPM 2.0 is there. This file should be
// kept in sync with aosp/system/tpm/attestation/common/*.proto but should not
// contain any changes not already present there.

// No syntax statement is present, so protoc treats this file as proto2. The
// enums below whose first value is non-zero (e.g. TpmVersion) depend on that.
package cryptohome;

// Holds TPM credentials that the attestation server will need to see. These
// credentials must be cleared once the attestation server has certified the
// AIK (attestation identity key).
// NOTE(review): the endorsement key (EK) and its certificate are stable
// identifiers of the TPM, so keeping them after enrollment presumably weakens
// the privacy the AIK is meant to provide -- confirm with the code that clears
// this message.
message TPMCredentials {
  // The EK public key. The encoding is not stated in this file.
  optional bytes endorsement_public_key = 1;
  // The EK certificate in the clear; the |*_encrypted_endorsement_credential|
  // fields below hold encrypted copies of it.
  optional bytes endorsement_credential = 2;
  // NOTE(review): not described in this file; presumably the TCG platform
  // certificate for the device -- confirm.
  optional bytes platform_credential = 3;
  // NOTE(review): not described in this file; presumably the TCG conformance
  // certificate for the device -- confirm.
  optional bytes conformance_credential = 4;
  // The |endorsement_credential| encrypted with a public key associated with
  // the default Chrome OS Privacy CA.
  optional EncryptedData default_encrypted_endorsement_credential = 5;
  // NOTE(review): presumably |endorsement_credential| encrypted for the test
  // Privacy CA, mirroring field 5 -- confirm.
  optional EncryptedData test_encrypted_endorsement_credential = 6;
  // NOTE(review): presumably the public key of an ECC endorsement key, the
  // counterpart of |endorsement_public_key| -- confirm.
  optional bytes ecc_endorsement_public_key = 7;
  // NOTE(review): presumably the certificate for the ECC endorsement key, the
  // counterpart of |endorsement_credential| -- confirm.
  optional bytes ecc_endorsement_credential = 8;
  // NOTE(review): presumably |endorsement_credential| encrypted for an
  // alternate Privacy CA, mirroring field 5 -- confirm.
  optional EncryptedData alternate_encrypted_endorsement_credential = 9;
}

// Holds information relevant to a particular AIK (attestation identity key).
message IdentityKey {
  // The DER encoded public key.
  optional bytes identity_public_key = 1;
  // The TPM-specific key blob that can be loaded back into the TPM.
  // NOTE(review): presumably the private half is only usable through the TPM
  // that produced the blob; this file does not say how the blob is protected.
  optional bytes identity_key_blob = 2;
  // A credential issued by the attestation server. AttestationCertificateRequest
  // describes the value it sends for the AIK as "the AIK cert in X.509 format".
  optional bytes identity_credential = 3;
}

// Holds information required to verify the binding of an AIK to an EK. This
// information should be cleared once the attestation server has certified the
// AIK.
// Note that the AIK public key is stored twice, in two encodings (fields 2
// and 3). Nothing in this message states that the two copies are checked
// against each other.
message IdentityBinding {
  // The binding data, as output by the TPM_MakeIdentity operation.
  optional bytes identity_binding = 1;
  // The AIK public key, DER encoded.
  optional bytes identity_public_key_der = 2;
  // The AIK public key, in TPM_PUBKEY form.
  optional bytes identity_public_key = 3;
  // The label used during AIK creation.
  optional bytes identity_label = 4;
  // The PCA public key used during AIK creation, in TPM_PUBKEY form.
  // NOTE(review): "PCA" presumably means Privacy CA, the term used in
  // TPMCredentials -- confirm.
  optional bytes pca_public_key = 5;
}

// Holds information about a quote generated by the TPM.
message Quote {
  // The quote; a signature generated with the AIK.
  optional bytes quote = 1;
  // The serialized data that was quoted; this assists in verifying the quote.
  optional bytes quoted_data = 2;
  // The value of the PCR(s) at the time the quote was generated.
  // NOTE(review): stored next to the signature rather than inside it, so a
  // verifier should presumably check it against |quoted_data| instead of
  // trusting it on its own -- confirm.
  optional bytes quoted_pcr_value = 3;
  // Source data which was originally used to extend the PCR. If this field
  // exists it can be expected that SHA1(pcr_source_hint) was extended into the
  // PCR.
  // NOTE(review): nothing here says the hint is covered by the quote
  // signature; a verifier should presumably recompute the extend operation from
  // the hint and compare the result with the quoted PCR value -- confirm.
  optional bytes pcr_source_hint = 4;
}

// Holds owner delegation information.
// This message is embedded in AttestationDatabase as |delegate|, i.e. it is
// part of what the client stores locally.
message Delegation {
  // The delegate owner blob.
  optional bytes blob = 1;
  // The authorization secret.
  // NOTE(review): carried as plain bytes in this schema; any protection at
  // rest has to come from whatever persists AttestationDatabase -- confirm.
  optional bytes secret = 2;
  // Whether this delegate has permissions to call TPM_ResetLockValue.
  optional bool has_reset_lock_permissions = 3;
}

// The TPM specification version of the device.
// There is no zero value. In proto2 an unset enum field reads as the first
// listed value, so a message that omits |tpm_version| reads as TPM_1_2. Code
// that must tell "unset" from "TPM 1.2" has to check field presence.
enum TpmVersion {
  TPM_1_2 = 1;  // NOTE: This is the default. It must remain listed first.
  TPM_2_0 = 2;
}

// This message holds all information to be sent to the attestation server in
// order to complete enrollment.
message AttestationEnrollmentRequest {
  // The EK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  //   Key encryption: RSA-OAEP with no custom parameters.
  //   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  //   MAC: HMAC-SHA-512 using the AES key.
  // Note that the same AES key is used for both encryption and the MAC.
  // EncryptedData describes the MAC as covering (iv || encrypted_data), so a
  // receiver can and should verify it before CBC decryption and unpadding.
  optional EncryptedData encrypted_endorsement_credential = 1;
  // The AIK public key, in TPM_PUBKEY form.
  optional bytes identity_public_key = 2;
  // PCR0 quoted by AIK.
  optional Quote pcr0_quote = 3;
  // PCR1 quoted by AIK.
  optional Quote pcr1_quote = 4;
  // DEN for enterprise zero-touch enrollment (crbug/624187).
  optional bytes enterprise_enrollment_nonce = 5;
  // The device TPM version. If unset this reads as TPM_1_2 (see TpmVersion).
  optional TpmVersion tpm_version = 6;
}

// The identity credential returned by the attestation server, encrypted so
// that only the TPM holding the EK can recover it.
// The first two fields (|asym_ca_contents| and |sym_ca_attestation|) are
// suitable for passing to Tspi_TPM_ActivateIdentity() directly.
message EncryptedIdentityCredential {
  // TPM_ASYM_CA_CONTENTS, encrypted with EK public key.
  optional bytes asym_ca_contents = 1;
  // TPM_SYM_CA_ATTESTATION, encrypted with the key in asym_ca_contents.
  optional bytes sym_ca_attestation = 2;

  // The TPM version this credential was prepared for. If unset this reads as
  // TPM_1_2 (see TpmVersion).
  optional TpmVersion tpm_version = 3;

  // The following fields are used only for TPM 2.0. For details see the TPM 2.0
  // specification Part 1 Rev 1.16:
  // - Section 9.5.3.3: General description of the scheme.
  // - Section 24: More details including how to use the seed to compute the
  //               values for 'credential_mac' and 'wrapped_certificate->
  //               wrapped_key'
  // - Section B.10.4: Encrypting the seed with a RSA EK.
  // - Section C.7.4: Encrypting the seed with an EC EK.

  // A seed encrypted with the EK public key. The TPM will use this seed to
  // derive both an HMAC key to verify the 'credential_mac' field and an AES key
  // to unwrap the 'wrapped_certificate->wrapped_key' field.
  optional bytes encrypted_seed = 4;

  // An integrity value computed using HMAC-SHA256 over the
  // 'wrapped_certificate.wrapped_key' field and the 'Name' of the identity key.
  optional bytes credential_mac = 5;

  // A certificate encrypted with a 'credential' that is decrypted by the TPM.
  // The 'wrapped_key' field contains the encrypted credential which is
  // encrypted using AES-256-CFB with a zero IV. The encryption of the
  // certificate itself uses AES-256-CBC with PKCS #5 padding and a random IV.
  // The encryption key is derived from the 'credential' using:
  //   SHA256('ENCRYPT' + credential)
  // The mac uses HMAC-SHA256 with a key derived using:
  //   SHA256('MAC' + credential)
  // NOTE(review): a fixed zero IV is only sound if the AES key is never reused.
  // The key comes from |encrypted_seed|, so the seed presumably has to be
  // fresh for every credential -- confirm against the spec sections above.
  optional EncryptedData wrapped_certificate = 6;
}

// Status codes returned by the attestation server.
// OK is the first value, so in proto2 a response that omits |status| also
// reads as OK. Callers that treat OK as success should check that the field
// is present before relying on it.
enum ResponseStatus {
  // The request succeeded.
  OK = 0;
  // Internal server error.
  SERVER_ERROR = 1;
  // The server cannot parse the request.
  BAD_REQUEST = 2;
  // The server rejects the request.
  REJECT = 3;
  // Only appears in enrollment response. The server returns the same generated
  // id and reports the quota limit exceeded status when the number of reset
  // actions in a specified time window exceeds the self-reset limit.
  QUOTA_LIMIT_EXCEEDED = 4;
}

// The response from the attestation server for the enrollment request.
message AttestationEnrollmentResponse {
  // The outcome of the request. An absent field reads as OK (the first
  // ResponseStatus value), so check presence before treating it as success.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  optional string detail = 2;
  // The AIK credential, encrypted for the device's TPM.
  // NOTE(review): presumably only populated when |status| is OK -- confirm.
  optional EncryptedIdentityCredential encrypted_identity_credential = 3;
}

// The kinds of certificate the attestation server can be asked to issue.
// ENTERPRISE_MACHINE_CERTIFICATE is the first value, so in proto2 a request
// that omits |profile| reads as a request for that profile.
enum CertificateProfile {
  // A certificate intended for enterprise-owned devices.  It has the following
  // subjectName fields:
  //   CN=<stable device identifier>
  //   OU=state:[verified|developer]
  //   O=Chrome Device Enterprise
  ENTERPRISE_MACHINE_CERTIFICATE = 0;

  // A certificate intended for enterprise-owned user accounts.  It has the
  // following subjectName fields:
  //   OU=state:[verified|developer]
  //   O=Chrome Device Enterprise
  ENTERPRISE_USER_CERTIFICATE = 1;

  // A certificate intended for platform verification by providers of protected
  // content.  It has the following subjectName fields:
  //   O=Chrome Device Content Protection
  CONTENT_PROTECTION_CERTIFICATE = 2;

  // Like above, but it also includes a stable ID and origin.
  //   CN=<origin-specific device identifier>
  //   OU=<origin>
  //   O=Chrome Device Content Protection
  CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3;

  // A certificate intended for cast devices.
  CAST_CERTIFICATE = 4;

  // NOTE(review): the purpose of this profile is not documented in this file.
  GFSC_CERTIFICATE = 5;

  // NOTE(review): the purpose of this profile is not documented in this file.
  JETSTREAM_CERTIFICATE = 6;

  // A certificate for enterprise enrollment.
  ENTERPRISE_ENROLLMENT_CERTIFICATE = 7;

  // A certificate for signing Android Testsuite Results using CTS-in-a-box.
  XTS_CERTIFICATE = 8;
}

// The certificate request to be sent to the attestation server.
// NOTE(review): field numbers 2 and 6-9 are not used here. They are
// presumably retired fields, so they should not be reused for new fields.
message AttestationCertificateRequest {
  // The AIK cert in X.509 format.
  optional bytes identity_credential = 1;
  // A certified public key in TPM_PUBKEY.
  optional bytes certified_public_key = 3;
  // The serialized TPM_CERTIFY_INFO for the certified key.
  optional bytes certified_key_info = 4;
  // The signature of the TPM_CERTIFY_INFO by the AIK.
  optional bytes certified_key_proof = 5;
  // A message identifier to be included in the response.
  optional bytes message_id = 10;
  // The certificate profile defines the type of certificate to issue. If unset
  // this reads as ENTERPRISE_MACHINE_CERTIFICATE (see CertificateProfile).
  optional CertificateProfile profile = 11;
  // Information about the origin of the request which may be used depending on
  // the certificate profile. The value is supplied by the client.
  optional string origin = 12;
  // The index of a temporal value.  This may be used or ignored depending on
  // the certificate profile.
  optional int32 temporal_index = 13;
  // The device TPM version. If unset this reads as TPM_1_2 (see TpmVersion).
  optional TpmVersion tpm_version = 14;
}

// The response from the attestation server for the certificate request.
// NOTE(review): field number 4 is not used here. It is presumably a retired
// field, so it should not be reused for a new field.
message AttestationCertificateResponse {
  // The outcome of the request. An absent field reads as OK (the first
  // ResponseStatus value), so check presence before treating it as success.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  optional string detail = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 5;
  // A message identifier from the request this message is responding to.
  optional bytes message_id = 6;
  // Additional intermediate CA certificates that can help in validation.
  // Certificate chaining order is from the leaf to the root. That is,
  // |certified_key_credential| is signed by
  // |intermediate_ca_cert|, which is signed by
  // |additional_intermediate_ca_cert(0)|, which is signed by
  // |additional_intermediate_ca_cert(1)|, ... and so on.
  repeated bytes additional_intermediate_ca_cert = 7;
}

// Holds all information that a client stores locally.
// This aggregates sensitive material: TPM key blobs, the owner delegate's
// authorization secret (Delegation.secret) and the EK credentials. The schema
// itself gives these no protection.
// NOTE(review): the serialized database presumably has to be encrypted or
// sealed by the code that persists it -- confirm.
// Field number 1 is not used here. It is presumably a retired field, so it
// should not be reused for a new field.
message AttestationDatabase {
  // EK credentials. TPMCredentials says these must be cleared once the AIK has
  // been certified.
  optional TPMCredentials credentials = 2;
  // AIK-to-EK binding data. IdentityBinding says this should be cleared once
  // the AIK has been certified.
  optional IdentityBinding identity_binding = 3;
  // The AIK and its credential.
  optional IdentityKey identity_key = 4;
  // Quote over PCR0.
  optional Quote pcr0_quote = 5;
  // Quote over PCR1.
  optional Quote pcr1_quote = 12;
  // The owner delegate. Includes an authorization secret.
  optional Delegation delegate = 6;
  // Certified keys.
  // NOTE(review): presumably the device-wide (not per-user) keys -- confirm.
  repeated CertifiedKey device_keys = 7;

  // Associates a temporal index with a (user, origin) pair. The hash algorithm
  // used for the two hash fields is not stated in this file.
  message TemporalIndexRecord {
    optional bytes user_hash = 1;
    optional bytes origin_hash = 2;
    optional int32 temporal_index = 3;
  }
  repeated TemporalIndexRecord temporal_index_record = 8;

  // NOTE(review): the |alternate_*| fields mirror fields 3, 4, 5 and 12;
  // presumably they hold the same data for an alternate Privacy CA -- confirm.
  optional IdentityBinding alternate_identity_binding = 9;
  optional IdentityKey alternate_identity_key = 10;
  optional Quote alternate_pcr0_quote = 11;
  optional Quote alternate_pcr1_quote = 13;
}

// Holds encrypted data and information required to decrypt it.
// This message does not fix the cipher, the MAC algorithm or the MAC key.
// Each field of this type documents its own parameters, e.g. HMAC-SHA-512 for
// the server-bound requests and HMAC-SHA256 for
// EncryptedIdentityCredential.wrapped_certificate.
// Field number 1 is not used here. It is presumably a retired field, so it
// should not be reused for a new field.
message EncryptedData {
  // A key that has been sealed to the TPM or wrapped by another key.
  optional bytes wrapped_key = 2;
  // The initialization vector used during encryption.
  optional bytes iv = 3;
  // MAC of (iv || encrypted_data).
  // As described, the MAC input does not include |wrapped_key| or
  // |wrapping_key_id|. Because it covers the ciphertext, a receiver can verify
  // it before decrypting; doing so first avoids acting on padding errors from
  // unauthenticated data.
  optional bytes mac = 4;
  // The ciphertext.
  optional bytes encrypted_data = 5;
  // An identifier for the wrapping key to assist in decryption.
  optional bytes wrapping_key_id = 6;
}

// The reset request to be sent to the attestation server.
message AttestationResetRequest {
  // The AIK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  //   Key encryption: RSA-OAEP with no custom parameters.
  //   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  //   MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_identity_credential = 1;

  // The one time token to make sure the reset process can be triggered only
  // once.
  // NOTE(review): single use has to be enforced by the server; nothing in this
  // schema binds the token to the two credentials in this request.
  optional bytes token = 2;

  // The EK cert, in X.509 form, encrypted using the server's public key with
  // the following parameters:
  //   Key encryption: RSA-OAEP with no custom parameters.
  //   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  //   MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_endorsement_credential = 3;
}

// The response from the attestation server for the reset request.
message AttestationResetResponse {
  // The response status. An absent field reads as OK (the first
  // ResponseStatus value), so check presence before treating it as success.
  optional ResponseStatus status = 1;
  // Detail response message. Included when the result is not OK.
  optional string detail = 2;
}

// The wrapper message of any data and its signature.
// The message does not record the signature algorithm or the signing key.
// Both are fixed by the protocol that uses the wrapper (see Challenge and
// ChallengeResponse).
message SignedData {
  // The data to be signed.
  // NOTE(review): a receiver should presumably verify |signature| over these
  // exact bytes before parsing them as a message -- confirm in the callers.
  optional bytes data = 1;
  // The signature of the data field.
  optional bytes signature = 2;
}

// The challenge data (as in challenge-response) generated by the server.
// Before being transmitted to the client, this message will be wrapped as a
// SignedData message, in which the data field is the serialized Challenge
// message, and the signature field is the signature of the data field signed
// by the enterprise server using a hard-coded key. The signature algorithm is
// RSASSA-PKCS1-v1_5-SHA256.
// NOTE(review): "hard-coded" presumably means the matching public key is built
// into the client for verification -- confirm.
message Challenge {
  // A string for the client to sanity check a legitimate challenge.
  optional string prefix = 1;
  // A 256-bit random value generated by the server.
  optional bytes nonce = 2;
  // A timestamp for a stateless server to limit the timeframe during which the
  // challenge may be replayed. Units and epoch are not stated in this file.
  // Until the window expires a challenge can still be replayed, since the
  // server keeps no state.
  optional int64 timestamp = 3;
}

// The response data (as in challenge-response) generated by the client.
// Before being transmitted to the server, this message will be wrapped as a
// SignedData message, in which the data field is the serialized
// ChallengeResponse message, and the signature field is the signature of the
// data field signed by the client using the key being challenged. The
// signature algorithm is RSASSA-PKCS1-v1_5-SHA256.
message ChallengeResponse {
  // The original challenge data, still in its server-signed SignedData wrapper.
  optional SignedData challenge = 1;
  // A 256-bit random value generated by the client. Mixing in this nonce
  // prevents a caller from using a challenge to sign arbitrary data.
  optional bytes nonce = 2;
  // The KeyInfo message encrypted using a public encryption key, pushed via
  // policy with the following parameters:
  //   Key encryption: RSA-OAEP with no custom parameters.
  //   Data encryption: 256-bit key, AES-CBC with PKCS5 padding.
  //   MAC: HMAC-SHA-512 using the AES key.
  optional EncryptedData encrypted_key_info = 3;
}

// Holds information about a certified key.
message CertifiedKey {
  // The TPM-wrapped key blob.
  optional bytes key_blob = 1;
  // The public key in ASN.1 DER form.
  optional bytes public_key = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 4;
  // A key name.  This is not necessarily a unique identifier.
  optional bytes key_name = 5;
  // An arbitrary payload associated with the key.
  optional bytes payload = 6;
  // Additional intermediate CA certificates that help chain up to the root
  // CA. See |AttestationCertificateResponse.additional_intermediate_ca_cert|
  // for more detail.
  repeated bytes additional_intermediate_ca_cert = 7;
}

// The data type of the message decrypted from the
// ChallengeResponse.encrypted_key_info.encrypted_data field. This message holds
// information required by the enterprise server to complete the verification.
message KeyInfo {
  // Indicates whether the key is an EMK or EUK. If unset this reads as EMK, the
  // first KeyType value, so a verifier should check that the field is present.
  optional KeyType key_type = 1;
  // Domain information about the device or user associated with the key. For an
  // EMK, this value is the enrolled domain. For an EUK, this value is the
  // user's email address.
  optional string domain = 2;
  // The virtual device ID associated with the device or user.
  optional bytes device_id = 3;
  // If the key is an EUK, this value is the PCA-issued certificate for the key.
  optional bytes certificate = 4;
  // If the key is an EUK, this value may hold a SignedPublicKeyAndChallenge
  // with a random challenge.  The SignedPublicKeyAndChallenge specification is
  // here: https://developer.mozilla.org/en-US/docs/HTML/Element/keygen.
  optional bytes signed_public_key_and_challenge = 5;
}

// The kind of enterprise key described by a KeyInfo message.
// EMK is the first value, so in proto2 a KeyInfo that omits |key_type| reads
// as EMK.
enum KeyType {
  // Enterprise machine key.
  EMK = 0;
  // Enterprise user key.
  EUK = 1;
}
