// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// NOTE(review): there is no `syntax` statement, so protoc treats this file as
// proto2 (consistent with the explicit `optional` labels used throughout) and
// newer protoc releases warn about the omission. Adding `syntax = "proto2";`
// as the first statement would make that explicit without changing the wire
// format or the generated code.
//
// Generate lite-runtime classes (no descriptors / reflection support).
option optimize_for = LITE_RUNTIME;

// Supplies the types referenced below but not declared in this file:
// EncryptedData, Quote, KeyType and KeyUsage. This is the only import, so they
// presumably live in common.proto — verify.
import "common.proto";

package attestation;

// Holds TPM credentials that the attestation server will need to see. These
// credentials must be cleared once the attestation server has certified the
// AIK.
//
// NOTE(review): the endorsement key and the credentials tied to it identify
// the TPM, which is presumably why the clearing rule above exists; the code
// that persists this message is responsible for enforcing it — confirm where
// that happens, it is not visible from this file.
message TPMCredentials {
  // The endorsement key (EK) public key. Encoding is not stated here (cf. the
  // DER vs. TPM_PUBKEY distinction made in IdentityBinding) — TODO confirm.
  optional bytes endorsement_public_key = 1;
  // The endorsement credential for |endorsement_public_key|, in cleartext.
  // Compare fields 5 and 6, which hold encrypted copies of this value.
  optional bytes endorsement_credential = 2;
  // The platform credential, if one is available.
  optional bytes platform_credential = 3;
  // The conformance credential, if one is available.
  optional bytes conformance_credential = 4;
  // The |endorsement_credential| encrypted with a public key associated with
  // the default Chrome OS Privacy CA.
  optional EncryptedData default_encrypted_endorsement_credential = 5;
  // The |endorsement_credential| encrypted for an alternate Privacy CA; see
  // the alternate_* fields in AttestationDatabase. Which CA this corresponds
  // to is not stated in this file — confirm against the writer.
  optional EncryptedData alternate_encrypted_endorsement_credential = 6;
}

// Holds information relevant to a particular AIK.
//
// All three fields are optional; which ones are populated at a given point in
// the enrollment flow is decided by the caller, not by this schema.
message IdentityKey {
  // The DER encoded public key.
  optional bytes identity_public_key = 1;
  // The TPM-specific key blob that can be loaded back into the TPM.
  // NOTE(review): this is presumably the wrapped private half of the AIK and
  // only loadable by the TPM that produced it — confirm; treat as sensitive.
  optional bytes identity_key_blob = 2;
  // A credential issued by the attestation server.
  // Presumably absent until the server has certified the AIK (cf. the
  // clearing rules documented on TPMCredentials and IdentityBinding).
  optional bytes identity_credential = 3;
}

// Holds information required to verify the binding of an AIK to an EK. This
// information should be cleared once the attestation server has certified the
// AIK.
//
// NOTE(review): the same AIK public key is carried here twice, in two
// encodings (fields 2 and 3); |identity_public_key_der| is presumably the
// same value as IdentityKey.identity_public_key — confirm.
message IdentityBinding {
  // The binding data, as output by the TPM_MakeIdentity operation.
  optional bytes identity_binding = 1;
  // The AIK public key, DER encoded.
  optional bytes identity_public_key_der = 2;
  // The AIK public key, in TPM_PUBKEY form.
  optional bytes identity_public_key = 3;
  // The label used during AIK creation.
  optional bytes identity_label = 4;
  // The PCA public key used during AIK creation, in TPM_PUBKEY form.
  // Kept so the binding can be re-verified against the PCA that was named at
  // creation time.
  optional bytes pca_public_key = 5;
}

// Holds owner delegation information.
message Delegation {
  // The delegate owner blob.
  optional bytes blob = 1;
  // The authorization secret.
  // NOTE(review): secret material. This file does not show how
  // AttestationDatabase is stored; whichever layer persists it is presumably
  // responsible for protecting this field at rest — confirm.
  optional bytes secret = 2;
  // Whether this delegate has permissions to call TPM_ResetLockValue.
  // Unset is indistinguishable from false for readers that do not check
  // presence.
  optional bool has_reset_lock_permissions = 3;
}

// Holds information about a certified key.
//
// Fields 1-6 describe the key and its certificate chain; fields 8-10 carry
// the TPM certification evidence (TPM_CERTIFY_INFO and the AIK signature over
// it); fields 11-12 record the parameters the key was created with.
message CertifiedKey {
  // The TPM-wrapped key blob.
  optional bytes key_blob = 1;
  // The public key in ASN.1 DER form.
  optional bytes public_key = 2;
  // The credential of the certified key in X.509 format.
  optional bytes certified_key_credential = 3;
  // The issuer intermediate CA certificate in X.509 format.
  optional bytes intermediate_ca_cert = 4;
  // A key name.  This is not necessarily a unique identifier.
  // Callers must not use it alone to look a key up where ambiguity matters.
  optional bytes key_name = 5;
  // An arbitrary payload associated with the key. Opaque to this schema; the
  // format is defined by whoever sets it.
  optional bytes payload = 6;
  // Additional intermediate CA certificates that help chaining up to the root
  // CA. See |AttestationCertificateResponse.additional_intermediate_ca_cert|
  // for more detail. (Repeated field with a singular name; kept for
  // compatibility with the generated accessors.)
  repeated bytes additional_intermediate_ca_cert = 7;
  // The public key in TPM_PUBKEY form.
  optional bytes public_key_tpm_format = 8;
  // The serialized TPM_CERTIFY_INFO for the certified key.
  optional bytes certified_key_info = 9;
  // The signature of the TPM_CERTIFY_INFO by the AIK.
  // Verifying |certified_key_proof| over |certified_key_info| with the AIK
  // public key is what ties this key to the TPM.
  optional bytes certified_key_proof = 10;
  // The original key type specified when the key was created.
  // KeyType is not defined in this file; presumably from common.proto.
  optional KeyType key_type = 11;
  // The original key usage specified when the key was created.
  // KeyUsage is not defined in this file; presumably from common.proto.
  optional KeyUsage key_usage = 12;
}

// Holds all information that a client stores locally.
//
// Field numbers are not in declaration order: they are grouped by meaning and
// later additions (12, 13) were appended next to the fields they pair with.
// Do not renumber. Field number 1 is not used; if it was ever assigned, it
// should be marked `reserved` so it cannot be reused — not determinable from
// this file.
//
// NOTE(review): this message aggregates secret material (Delegation.secret,
// IdentityKey.identity_key_blob, CertifiedKey.key_blob) with
// TPM-identifying credentials; how it is protected at rest is not visible
// here — confirm at the storage layer.
message AttestationDatabase {
  // EK-related credentials; see the clearing rule on TPMCredentials.
  optional TPMCredentials credentials = 2;
  // AIK-to-EK binding for the default identity; see IdentityBinding.
  optional IdentityBinding identity_binding = 3;
  // The default AIK.
  optional IdentityKey identity_key = 4;
  // Quote over PCR0 signed by the default AIK. Quote is not defined in this
  // file; presumably from common.proto.
  optional Quote pcr0_quote = 5;
  // Quote over PCR1 signed by the default AIK.
  optional Quote pcr1_quote = 12;
  // Owner delegation used to perform privileged TPM operations.
  optional Delegation delegate = 6;
  // Keys certified for the device (as opposed to per-user keys, which are
  // not stored in this message).
  repeated CertifiedKey device_keys = 7;

  // Tracks the next temporal index to use for a (user, origin) pair.
  // Presumably the hashes stand in for the raw user and origin so that the
  // identifiers themselves are not stored — confirm against the writer.
  message TemporalIndexRecord {
    // Hash of the user identity. Hash function is not stated here.
    optional bytes user_hash = 1;
    // Hash of the origin. Hash function is not stated here.
    optional bytes origin_hash = 2;
    // The temporal index associated with this (user, origin) pair.
    optional int32 temporal_index = 3;
  }
  repeated TemporalIndexRecord temporal_index_record = 8;

  // Counterparts of fields 3, 4, 5 and 12 for the alternate identity, i.e.
  // the one enrolled with the alternate PCA referred to by
  // TPMCredentials.alternate_encrypted_endorsement_credential.
  optional IdentityBinding alternate_identity_binding = 9;
  optional IdentityKey alternate_identity_key = 10;
  optional Quote alternate_pcr0_quote = 11;
  optional Quote alternate_pcr1_quote = 13;
}