cryptohome/flatbuffer_schemas/structures.fbs - third_party/platform2 - Git at Google

 // Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 include "libhwsec/structures/signature_sealed_data.fbs";

 // Our Python generator removes the "_serialized_" namespace when generating
 // the code, to avoid symbol clash with the code generated by flatc.
 namespace cryptohome._serialized_;

 // Defined the attributes that may be used in this schema file.
 attribute "optional";
 attribute "secure";
 attribute "serializable";

 // Cryptographic signature algorithm type for challenge requests. Used with
 // challenge-response cryptohome keys.
 enum SerializedChallengeSignatureAlgorithm : int {
   kRsassaPkcs1V15Sha1 = 1,
   kRsassaPkcs1V15Sha256 = 2,
   kRsassaPkcs1V15Sha384 = 3,
   kRsassaPkcs1V15Sha512 = 4,
 }

 // Fields specific to the challenge-response protection.
 // The Scrypt KDF passphrase, used for the protection of the keyset, is
 // defined as a concatenation of two values:
 // * The first is the blob which is sealed in |sealed_secret|.
 // * The second is the deterministic signature of |salt| using the
 //   |salt_signature_algorithm| algorithm.
 // The cryptographic key specified in |public_key_spki_der| is used for both.
 table SerializedSignatureChallengeInfo (serializable) {
   // DER-encoded blob of the X.509 Subject Public Key Info of the key to be
   // challenged in order to obtain the KDF passphrase for decrypting the vault
   // keyset.
   public_key_spki_der:[ubyte] (id: 0);
   // Container with the secret data which is sealed using the TPM in a way
   // that the process of its unsealing involves signature challenges against
   // the specified key. This secret data is one of the sources for building
   // the KDF passphrase.
   sealed_secret:hwsec._serialized_.SignatureSealedData (id: 2);
   // Salt whose signature is another source for building the KDF passphrase.
   salt:[ubyte] (id: 3);
   // Signature algorithm to be used for signing |salt|.
   // NOTE: the signature algorithm has to be deterministic (that is, always
   // produce the same output for the same input).
   salt_signature_algorithm:SerializedChallengeSignatureAlgorithm = null (id: 4);
 }

 // Description of a public key of an asymmetric cryptographic key. Used with
 // challenge-response cryptohome keys.
 table SerializedChallengePublicKeyInfo {
   // DER-encoded blob of the X.509 Subject Public Key Info.
   public_key_spki_der:[ubyte] (id: 0);
   // Supported signature algorithms, in the order of preference (starting from
   // the most preferred). Absence of this field denotes that the key cannot be
   // used for signing.
   signature_algorithm:[SerializedChallengeSignatureAlgorithm] (id: 1);
 }

 root_type SerializedSignatureChallengeInfo;
	// Copyright 2021 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	include "libhwsec/structures/signature_sealed_data.fbs";

	// Our Python generator removes the "_serialized_" namespace when generating
	// the code, to avoid symbol clash with the code generated by flatc.
	namespace cryptohome._serialized_;

	// Defined the attributes that may be used in this schema file.
	attribute "optional";
	attribute "secure";
	attribute "serializable";

	// Cryptographic signature algorithm type for challenge requests. Used with
	// challenge-response cryptohome keys.
	enum SerializedChallengeSignatureAlgorithm : int {
	kRsassaPkcs1V15Sha1 = 1,
	kRsassaPkcs1V15Sha256 = 2,
	kRsassaPkcs1V15Sha384 = 3,
	kRsassaPkcs1V15Sha512 = 4,
	}

	// Fields specific to the challenge-response protection.
	// The Scrypt KDF passphrase, used for the protection of the keyset, is
	// defined as a concatenation of two values:
	// * The first is the blob which is sealed in \|sealed_secret\|.
	// * The second is the deterministic signature of \|salt\| using the
	// \|salt_signature_algorithm\| algorithm.
	// The cryptographic key specified in \|public_key_spki_der\| is used for both.
	table SerializedSignatureChallengeInfo (serializable) {
	// DER-encoded blob of the X.509 Subject Public Key Info of the key to be
	// challenged in order to obtain the KDF passphrase for decrypting the vault
	// keyset.
	public_key_spki_der:[ubyte] (id: 0);
	// Container with the secret data which is sealed using the TPM in a way
	// that the process of its unsealing involves signature challenges against
	// the specified key. This secret data is one of the sources for building
	// the KDF passphrase.
	sealed_secret:hwsec._serialized_.SignatureSealedData (id: 2);
	// Salt whose signature is another source for building the KDF passphrase.
	salt:[ubyte] (id: 3);
	// Signature algorithm to be used for signing \|salt\|.
	// NOTE: the signature algorithm has to be deterministic (that is, always
	// produce the same output for the same input).
	salt_signature_algorithm:SerializedChallengeSignatureAlgorithm = null (id: 4);
	}

	// Description of a public key of an asymmetric cryptographic key. Used with
	// challenge-response cryptohome keys.
	table SerializedChallengePublicKeyInfo {
	// DER-encoded blob of the X.509 Subject Public Key Info.
	public_key_spki_der:[ubyte] (id: 0);
	// Supported signature algorithms, in the order of preference (starting from
	// the most preferred). Absence of this field denotes that the key cannot be
	// used for signing.
	signature_algorithm:[SerializedChallengeSignatureAlgorithm] (id: 1);
	}

	root_type SerializedSignatureChallengeInfo;