| // Copyright 2015 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // There is no "syntax" statement in this file, so it is parsed as proto2: |
| // scalar fields carry explicit presence ("optional") and enums are not |
| // required to declare a zero value. |
| // LITE_RUNTIME omits descriptors and reflection from the generated code, so |
| // generic reflection-based tooling (text/JSON conversion, dynamic field |
| // access) is not available for these messages at runtime. |
| option optimize_for = LITE_RUNTIME; |
| |
| package attestation; |
| |
| // Describes the algorithm family of a key. |
| // No zero value is declared (allowed in proto2); an unset KeyType field |
| // decodes as the first listed value, KEY_TYPE_RSA, so readers cannot tell |
| // "unset" from "RSA" without has_*(). |
| enum KeyType { |
|   // An RSA key. |
|   KEY_TYPE_RSA = 1; |
|   // An elliptic-curve key. |
|   KEY_TYPE_ECC = 2; |
| } |
| |
| // Describes the single operation a key is allowed to perform. |
| // No zero value is declared (allowed in proto2); an unset KeyUsage field |
| // decodes as the first listed value, KEY_USAGE_SIGN, so readers cannot tell |
| // "unset" from "sign" without has_*(). |
| enum KeyUsage { |
|   // The key may be used to produce signatures. |
|   KEY_USAGE_SIGN = 1; |
|   // The key may be used to decrypt data. |
|   KEY_USAGE_DECRYPT = 2; |
| } |
| |
| // Enumerates the certificate profiles supported by the Attestation CA. |
| // Each profile determines the subjectName fields the CA places in the issued |
| // certificate. |
| // |
| // Note that ENTERPRISE_MACHINE_CERTIFICATE is value 0 and also the first |
| // listed value, so an unset CertificateProfile field decodes as that profile; |
| // callers should set the profile explicitly rather than relying on the default. |
| enum CertificateProfile { |
|   // A certificate intended for enterprise-owned devices. It has the following |
|   // subjectName fields: |
|   //   CN=<stable device identifier> |
|   //   OU=state:[verified|developer] |
|   //   O=Chrome Device Enterprise |
|   ENTERPRISE_MACHINE_CERTIFICATE = 0; |
| |
|   // A certificate intended for enterprise-owned user accounts. It has the |
|   // following subjectName fields (no stable device identifier is included): |
|   //   OU=state:[verified|developer] |
|   //   O=Chrome Device Enterprise |
|   ENTERPRISE_USER_CERTIFICATE = 1; |
| |
|   // A certificate intended for platform verification by providers of protected |
|   // content. It has the following subjectName fields: |
|   //   O=Chrome Device Content Protection |
|   CONTENT_PROTECTION_CERTIFICATE = 2; |
| |
|   // Like CONTENT_PROTECTION_CERTIFICATE, but it also includes a stable ID |
|   // scoped to an origin and the origin itself: |
|   //   CN=<origin-specific device identifier> |
|   //   OU=<origin> |
|   //   O=Chrome Device Content Protection |
|   CONTENT_PROTECTION_CERTIFICATE_WITH_STABLE_ID = 3; |
| |
|   // A certificate intended for cast devices. |
|   CAST_CERTIFICATE = 4; |
| |
|   // NOTE(review): no description is given for this profile in the source; |
|   // document its intended use and subjectName fields like the values above. |
|   GFSC_CERTIFICATE = 5; |
| } |
| |
| // Holds information about a quote generated by the TPM. |
| // Only `quote` is a signature; the other fields are carried to let a verifier |
| // check that signature and interpret the PCR state, and are not authenticated |
| // except through it. |
| message Quote { |
|   // The quote; a signature generated with the AIK. A verifier checks it with |
|   // the AIK public key over `quoted_data`. |
|   optional bytes quote = 1; |
|   // The serialized data that was quoted; this assists in verifying the quote. |
|   optional bytes quoted_data = 2; |
|   // The value of the PCR(s) at the time the quote was generated. |
|   // NOTE(review): presumably this must match the PCR value bound into |
|   // `quoted_data` — a verifier should compare the two rather than trust this |
|   // field alone; confirm against the consumer. |
|   optional bytes quoted_pcr_value = 3; |
|   // Source data which was originally used to extend the PCR. If this field |
|   // exists it can be expected that SHA1(pcr_source_hint) was extended into the |
|   // PCR. The hint is not covered by the quote signature, so a verifier must |
|   // recompute SHA1(pcr_source_hint) and check it against the quoted PCR value |
|   // instead of trusting the hint as-is. |
|   optional bytes pcr_source_hint = 4; |
| } |
| |
| // Holds encrypted data and information required to decrypt it. |
| // Layout is encrypt-then-MAC: the consumer should verify `mac` before |
| // attempting to unwrap the key or decrypt `encrypted_data`. |
| message EncryptedData { |
|   // NOTE(review): field number 1 is not used here. If it was removed from an |
|   // earlier revision, add `reserved 1;` so the number is never reused with a |
|   // different meaning. |
| |
|   // A key that has been sealed to the TPM or wrapped by another key. |
|   optional bytes wrapped_key = 2; |
|   // The initialization vector used during encryption. |
|   optional bytes iv = 3; |
|   // MAC of (iv || encrypted_data). |
|   // Per this definition `wrapped_key` and `wrapping_key_id` are not covered |
|   // by the MAC; a consumer should not treat them as authenticated unless the |
|   // unwrapping step itself provides integrity — confirm against the consumer. |
|   optional bytes mac = 4; |
|   // The ciphertext produced with the key in `wrapped_key` and `iv`. |
|   optional bytes encrypted_data = 5; |
|   // An identifier for the wrapping key to assist in decryption. Only a lookup |
|   // hint; it does not by itself prove which key produced `wrapped_key`. |
|   optional bytes wrapping_key_id = 6; |
| } |
| |
| // The wrapper message of any data and its signature. |
| // The signing key, the signature algorithm and the encoding of `data` are not |
| // carried here and must be known from context. A receiver should verify |
| // `signature` over `data` before parsing or acting on `data`. |
| message SignedData { |
|   // The data to be signed (opaque bytes). |
|   optional bytes data = 1; |
|   // The signature of the data field. |
|   optional bytes signature = 2; |
| } |
| |
| // These two fields are suitable for passing to Tspi_TPM_ActivateIdentity() |
| // directly. |
| // The layering is: `sym_ca_attestation` is symmetrically encrypted, and the |
| // symmetric key is carried inside `asym_ca_contents`, which only the TPM |
| // holding the matching EK private key can decrypt. |
| message EncryptedIdentityCredential { |
|   // TPM_ASYM_CA_CONTENTS (a TPM 1.2 structure), encrypted with EK public key. |
|   optional bytes asym_ca_contents = 1; |
|   // TPM_SYM_CA_ATTESTATION (a TPM 1.2 structure), encrypted with the key in |
|   // asym_ca_contents. |
|   optional bytes sym_ca_attestation = 2; |
| } |
| |