| // Copyright 2021 The Pigweed Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| // use this file except in compliance with the License. You may obtain a copy of |
| // the License at |
| // |
| // https://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| // License for the specific language governing permissions and limitations under |
| // the License. |
| // |
| // Implementation of metadata formats specified in TUF Specification. |
| // See https://theupdateframework.github.io/specification/latest/ |
| |
| syntax = "proto3"; |
| |
| package pw.software_update; |
| |
| import "google/protobuf/timestamp.proto"; |
| |
| // Metadata for a particular TUF role (e.g. targets metadata). |
| // Was TufMetadata |
| message SignedRootMetadata { |
| // Serialized RootMetadata message that is the data portion of the metadata. |
| bytes serialized_root_metadata = 1; |
| |
| // Signature of the canonical form of the role's serialized metadata |
| // (serialized_root_metadata). |
| repeated Signature signatures = 2; |
| } |
| |
| message SignedTimestampMetadata { |
| // Serialized TimestampMetadata message that is the data portion of the |
| // metadata. |
| bytes serialized_timestamp_metadata = 1; |
| |
| // Signature of the canonical form of the role's serialized metadata |
| // (serialized_timestamp_metadata). |
| repeated Signature signatures = 2; |
| } |
| |
| message SignedSnapshotMetadata { |
| // Serialized SnapshotMetadata message that is the data portion of the |
| // metadata. |
| bytes serialized_snapshot_metadata = 1; |
| |
| // Signature of the canonical form of the role's serialized metadata |
| // (serialized_snapshot_metadata). |
| repeated Signature signatures = 2; |
| } |
| |
| message SignedTargetsMetadata { |
| // Serialized TargetsMetadata message that is the data portion of the |
| // metadata. |
| bytes serialized_targets_metadata = 1; |
| |
| // Signature of the canonical form of the role's serialized metadata |
| // (serialized_targets_metadata). |
| repeated Signature signatures = 2; |
| } |
| |
| message CommonMetadata { |
| // Version number of the TUF Specification. |
| // Follows the Semantic Versioning 2.0.0 (semver) format. Metadata is |
| // written according to this version, and clients MUST verify that |
| // "spec_version" matches the expected version number. |
| // E.g. "1.0.0". |
| string spec_version = 1; |
| |
| // Metadata file version. |
| // Clients MUST NOT replace a metadata file with a version number less than |
| // the one currently trusted. |
| uint32 version = 2; |
| |
| // Expiration time for the metadata. |
| // Indicates when this metadata should be considered expired and no longer |
| // trusted by clients. Notice the TUF Specification defines this as a JSON |
| // string following the ISO 8601 standard. The expected format of the date and |
| // time string is "YYYY-MM-DDTHH:MM:SSZ". Time is always in UTC, and the "Z" |
| // time zone designator is attached to indicate a zero UTC offset. |
| // E.g. "2030-08-26T16:48:27Z". |
| optional google.protobuf.Timestamp expires = 3; |
| |
| // Role type for the metadata. |
| // Indicates the type of the metadata. Valid values are 'root', 'targets', |
| // 'snapshot' and 'timestamp' as defined in the TUF spec, though we don't |
| // plan to support 'mirrors'. |
| // |
| // This field serves as a "magic code" that identifies a particular type of |
| // a metadata. During verification, the client is expected to check this |
| // field against the expected role type immediately after verifying the |
| // signatures of a metadata. This can be considered a "confidence booster" |
| // in the absence of canonical protobuf -- i.e. it makes the various |
| // `serialized_x_metadata` fields more tamper resistant. |
| optional string role = 4; |
| } |
| |
| // This content is signed. |
| message RootMetadata { |
| CommonMetadata common_metadata = 1; |
| |
| // Whether the repo supports consistent snapshots. If the repo has frequent |
| // updates, you should set this to true. |
| bool consistent_snapshot = 2; |
| |
| // Map from Keyid to Key. |
| // Keyid is a unique identifier that identifies a cryptographic key. |
| // Contains all of cryptographic keys used by this repository. |
| repeated KeyMapping keys = 3; |
| |
| // KeyConfig is the list of keys use for a particular role and the threshold. |
| // Threshold is number of keys of that role whose signatures are required in |
| // order to consider a file as being properly signed by that role. |
| SignatureRequirement root_signature_requirement = 4; |
| SignatureRequirement timestamp_signature_requirement = 5; |
| SignatureRequirement snapshot_signature_requirement = 6; |
| SignatureRequirement targets_signature_requirement = 7; |
| |
| // This is NOT a part of the TUF Specification. |
| reserved 8 to 31; // Reserved for TUF Specification changes. |
| |
| reserved 32 to 64; // Reserved for future Pigweed usage. |
| |
| reserved 65 to 255; // Reserved for project-specific usage. |
| } |
| |
| // The timestamp role is used for freshness check of the snapshot. Any |
| // project-specific update metadata should go in the top-level targets_metadata |
| // or with the TargetFile information |
| message TimestampMetadata { |
| CommonMetadata common_metadata = 1; |
| |
| // Only one snapshot_metadata is used per timestamp. |
| MetadataFile snapshot_metadata = 2; |
| |
| // This is NOT a part of the TUF Specification. |
| reserved 3 to 31; // Reserved for TUF Specification changes. |
| |
| reserved 32 to 64; // Reserved for future Pigweed usage. |
| |
| reserved 65 to 255; // Reserved for project-specific usage. |
| } |
| |
| // The snapshot role is used to ensure that the collection of targets_metadata |
| // files is securely consistent (no target metadata mix and match). Any |
| // project-specific update metadata should go in the top-level targets_metadata |
| // or with the TargetFile information |
| message SnapshotMetadata { |
| CommonMetadata common_metadata = 1; |
| |
| // Map from Target metadata file name to MetadataFile. |
| // File name can be an arbitrary name or a full file name with relative path. |
| // This map should contain an entry for the top level targets role and all |
| // delegated roles. |
| repeated MetadataFile targets_metadata = 2; |
| |
| // This is NOT a part of the TUF Specification. |
| reserved 3 to 31; // Reserved for TUF Specification changes. |
| |
| reserved 32 to 64; // Reserved for future Pigweed usage. |
| |
| reserved 65 to 255; // Reserved for project-specific usage. |
| } |
| |
| // The targets role describes the target files that comprise the software |
| // update. Targets metadata is organized in to a top-level targets metadata file |
| // and optional multiple deligated targets metadata files |
| // |
| // The top-level targets metatdata is the correct place to put any |
| // project-specific build version information, including build ID, hardware rev, |
| // etc. |
| message TargetsMetadata { |
| CommonMetadata common_metadata = 1; |
| |
| // Collection of target file information |
| repeated TargetFile target_files = 2; |
| // Target file name can be an arbitrary name or a path that describes where |
| // the file lives relative to the base directory of the repository, e.g. |
| // "path/to/amber_tools/0". |
| |
| // TODO: When it is time to support delegation, add delegation information |
| // here. |
| |
| // This is NOT a part of the TUF Specification. |
| reserved 9 to 31; // Reserved for TUF Specification changes. |
| |
| reserved 32 to 64; // Reserved for future Pigweed usage. |
| |
| reserved 65 to 255; // Reserved for project-specific usage. |
| } |
| |
| message Signature { |
| // Identifier of the key, which is bytes of the SHA-256 hash of the |
| // canonical form of the key. |
| bytes key_id = 1; |
| |
| // The signature of the canonical form of the role's serialized metadata |
| // (serialized_{root,timestamp,snapshot,targets}_metadata). |
| bytes sig = 2; |
| } |
| |
| message KeyMapping { |
| // Identifier of the key, which is bytes of the SHA-256 hash of the |
| // canonical form of the key. |
| bytes key_id = 1; |
| |
| // Cryptographic key |
| Key key = 2; |
| } |
| |
| // Identifies an asymmetric cryptographic key. |
| message Key { |
| // Denotes a public key signature system, such as RSA or ECDSA. |
| KeyType key_type = 1; |
| |
| // Denotes the signature scheme corresponding to the key type. For example: |
| // "rsassa-pss-sha256" or "ecdsa-sha2-nistp256". |
| KeyScheme scheme = 2; |
| |
| // Stores the serialized public key for this cryptographic algorithm. |
| bytes keyval = 3; |
| } |
| |
| // The set of cryptographic keys used by a specific role. For example, list of |
| // key_ids used by the top level role "root". |
| message SignatureRequirement { |
| // Set of Keyid's. |
| // Keyid is a unique identifier that identifies a cryptographic key. |
| // E.g. "f2d5020d08aea06a0a9192eb6a4f549e17032ebefa1aa9ac167c1e3e727930d6". |
| repeated bytes key_ids = 1; |
| |
| // Threshold of signatures required to trust given file. |
| // In other words; the number of keys of that role whose signatures are |
| // required in order to consider a file as being properly signed by that role. |
| uint32 threshold = 2; |
| } |
| |
| enum HashFunction { |
| // Never use this in any TUF metadata. |
| UNKNOWN_HASH_FUNCTION = 0; |
| |
| SHA256 = 1; |
| } |
| |
| message Hash { |
| HashFunction function = 1; |
| // Digest of the cryptographic hash function computed on the target file. |
| bytes hash = 2; |
| } |
| |
| // Descriptor for a file stored in this repository. Linked to from target |
| // metadata. |
| message TargetFile { |
| // Target file name can be an arbitrary name or a path that describes where |
| // the file lives relative to the base directory of the repository, e.g. |
| // "path/to/amber_tools/0". |
| string file_name = 1; |
| |
| // Size of the target file (element payload) in bytes. This the size as stored |
| // in the bundle. The final applied size can be different due to optional |
| // compression. |
| uint64 length = 2; |
| |
| // Map from algorithm name to Hash. |
| // Algorithm name is the name of a cryptographic hash function. E.g. "sha256". |
| // The Hash string is the hex digest of the cryptographic function computed on |
| // the target file. E.g. |
| // "65b8c67f51c993d898250f40aa57a317d854900b3a04895464313e48785440da". |
| repeated Hash hashes = 3; |
| |
| // This is NOT a part of the TUF Specification. |
| reserved 4 to 15; // Reserved for TUF Specification changes. |
| |
| reserved 16 to 31; // Reserved for future Pigweed usage. |
| |
| reserved 32 to 255; // Reserved for future project-specific usage. |
| } |
| |
| message MetadataFile { |
| // Target file name can be an arbitrary name or a path that describes where |
| // the file lives relative to the base directory of the repository, e.g. |
| // "path/to/target/0". |
| optional string file_name = 1; |
| |
| // Metadata file version. E.g. 3. |
| uint32 version = 2; |
| |
| // Size of the target file in bytes. |
| optional uint64 length = 3; |
| |
| // Map from algorithm name to Hash. |
| // Algorithm name is the name of a cryptographic hash function. E.g. "sha256". |
| // The Hash is the hex digest of the cryptographic function computed on the |
| // target file. E.g. |
| // "65b8c67f51c993d898250f40aa57a317d854900b3a04895464313e48785440da". |
| repeated Hash hashes = 4; |
| } |
| |
| enum KeyType { |
| // Never use this in any TUF metadata. |
| UNKNOWN_KEY_TYPE = 0; |
| |
| RSA = 1; |
| |
| ED25519 = 2; |
| |
| ECDSA_SHA2_NISTP256 = 3; |
| } |
| |
| enum KeyScheme { |
| // Never use this in any TUF metadata. |
| UNKNOWN_KEY_SCHEME = 0; |
| |
| // RSA Probabilistic signature scheme with appendix. |
| // The underlying hash function is SHA256. |
| // In TUF Specification, this is referred to as "rsassa-pss-sha256". |
| RSASSA_PSS_SHA256_SCHEME = 1; |
| |
| // Elliptic Curve digital signature algorithm based on Twisted Edwards curves. |
| // See https://ed25519.cr.yp.to/. |
| // In TUF Specification, it is referred to as "ed25519". |
| ED25519_SCHEME = 2; |
| |
| // Elliptic Curve Digital Signature Algorithm with NIST P-256 curve signing |
| // and SHA-256 hashing. See |
| // https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm In |
| // TUF Specification, it is referred to as "ecdsa-sha2-nistp256". |
| ECDSA_SHA2_NISTP256_SCHEME = 3; |
| } |