git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecDbBackupManager-protobufs/SecDbBackupRecoverySet.proto
Security-59306.11.20.tar.gz
// proto2 syntax: every field in this file is declared `optional`, so a parsed
// message may be missing any of them and readers must check presence
// explicitly instead of trusting a default (empty) value.
syntax = "proto2";

// NOTE(review): objc_class_naming is not one of the stock protobuf file
// options; presumably it is read by the Objective-C generator this project
// builds with. Confirm before compiling with another toolchain.
option objc_class_naming = "extended";
// Identity of a backup bag. It is included in key and bag messages so that
// identity stays consistent across them.
//
// Both fields are optional on the wire. A reader comparing two identities
// should treat a missing baguuid or baghash as a mismatch, never as "equal
// because both are empty".
message SecDbBackupBagIdentity {
  // UUID of the bag.
  optional bytes baguuid = 1;

  // Hash of the bag.
  // NOTE(review): the hash algorithm and the exact input it covers are not
  // stated in this file. Confirm against the code that fills this field.
  optional bytes baghash = 2;
}
// Stored in the backupkeyclasssigningkeys table, v12_keyClassSigningKey
// column.
//
// NOTE(review): field number 2 is not used in this message. If it belonged to
// a removed field it should be declared `reserved` so it cannot be reassigned
// with a different meaning. Confirm against the file's history.
message SecDbBackupKeyClassSigningKey {
  // Key class this signing key belongs to.
  // NOTE(review): the numeric key class values are not defined in this file.
  optional int32 keyClass = 1;

  // Public half of the signing key pair.
  optional bytes publicKey = 3;

  // AKS ref key. Contains the bag identity as authenticated data.
  optional bytes aksRefKey = 4;

  // SFECIESKeyPair wrapped by the AKS ref key.
  optional bytes aksWrappedKey = 5;

  // SFECIESKeyPair wrapped by KCSKSecret from the RecoverySet. This wrapping
  // also authenticates the bag identity.
  optional bytes backupWrappedKey = 6;
}
// Stored in the metadatakeys table, v12_metadatakeydata column.
message SecDbBackupMetadataClassKey {
  // Key class this metadata key belongs to.
  // NOTE(review): the numeric key class values are not defined in this file.
  optional int32 keyClass = 1;

  // Metadata key wrapped by the appropriate backup keyclass, for recovery.
  optional bytes backupWrappedMetadataKey = 2;

  // Wrapped by the device bag for daily use. Not in use right now.
  // Field number 3 is earmarked by this commented-out declaration, so it
  // should not be given to an unrelated field.
  // optional bytes aksWrappedMetadataKey = 3;
}
// Stored in the backuprecoverysets table, v12_recoverySet column.
message SecDbBackupRecoverySet {
  // Kind of recovery this set is for.
  // NOTE(review): the allowed values are not defined in this file.
  optional int32 recoveryType = 1;

  // Identity of the backup bag this recovery set belongs to.
  // NOTE(review): this is a plain field of the message. Presumably readers
  // compare it with the identity authenticated by the wrapped keys rather
  // than trusting it on its own. Confirm in the consuming code.
  optional SecDbBackupBagIdentity bagIdentity = 2;

  // 'Passphrase' that unlocks the backup bag's private keys, in wrapped form.
  optional bytes wrappedBagSecret = 3;

  // Secret that recovers the KCSKs, which verify the authenticity of IKs and
  // MCKs. Stored in wrapped form.
  optional bytes wrappedKCSKSecret = 4;

  // Recovery key that wraps the two secrets above, itself stored wrapped.
  optional bytes wrappedRecoveryKey = 5;
}
// Stored in the backupbags table, v12_backupBag column.
message SecDbBackupBag {
  // Identity of this bag. The same identity message is carried by the key and
  // recovery-set messages.
  optional SecDbBackupBagIdentity bagIdentity = 1;

  // Keybag contents as bytes.
  // NOTE(review): the encoding of the keybag is not described in this file.
  // Since the field is optional, readers should reject a bag whose keybag or
  // bagIdentity is absent.
  optional bytes keybag = 2;
}