--- /dev/null
+syntax = "proto2";
+
+option objc_class_naming = "extended";
+
+// Maintain identity consistency by including this in key and bag messages
+message SecDbBackupBagIdentity {
+ optional bytes baguuid = 1;
+ optional bytes baghash = 2;
+}
+
+// Insert into backupkeyclasssigningkeys table, v12_keyClassSigningKey column
+message SecDbBackupKeyClassSigningKey {
+ optional int32 keyClass = 1;
+ optional bytes publicKey = 3;
+ optional bytes aksRefKey = 4; // Contains bag identity as authenticated data
+ optional bytes aksWrappedKey = 5; // SFECIESKeyPair wrapped by AKS ref key
+ optional bytes backupWrappedKey = 6; // SFECIESKeyPair wrapped by KCSKSecret in RecoverySet. Also authenticates bag identity
+}
+
+// Insert into metadatakeys table, v12_metadatakeydata column
+message SecDbBackupMetadataClassKey {
+ optional int32 keyClass = 1;
+ optional bytes backupWrappedMetadataKey = 2; // wrapped by appropriate backup keyclass for recovery
+// optional bytes aksWrappedMetadataKey = 3; // wrapped by device bag for daily use. Not in use right now.
+}
+
+// Insert into backuprecoverysets table, v12_recoverySet column
+message SecDbBackupRecoverySet {
+ optional int32 recoveryType = 1;
+ optional SecDbBackupBagIdentity bagIdentity = 2;
+ optional bytes wrappedBagSecret = 3; // 'passphrase' to unlock backup bag's private keys
+ optional bytes wrappedKCSKSecret = 4; // recovers KCSKs to verify authenticity of IKs and MCKs
+ optional bytes wrappedRecoveryKey = 5; // wraps the above two secrets
+}
+
+// Insert into backupbags table, v12_backupBag column
+message SecDbBackupBag {
+ optional SecDbBackupBagIdentity bagIdentity = 1;
+ optional bytes keybag = 2;
+}
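Review bot: SecDbBackupMetadataClassKey leaves field number 3 only commented out (`// optional bytes aksWrappedMetadataKey = 3;`), and SecDbBackupKeyClassSigningKey skips number 2 with no explanation, so nothing stops a later edit from assigning either number to a field with different semantics than persisted rows in the v12 columns were written with. Replace the commented-out line with `reserved 3; reserved "aksWrappedMetadataKey";` and add `reserved 2;` (with a comment on why it is skipped) to SecDbBackupKeyClassSigningKey so the numbers stay fixed in the wire contract. The `keyClass` and `recoveryType` fields are bare `int32`; if their value sets are defined elsewhere in the project, a comment naming that definition would tell a reader which values are valid and what the default 0 means. The comment on `baghash` does not say what is hashed or with which algorithm, which a verifier of the bag identity needs to know; documenting that alongside the field would help.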