# -*- Mode: Python -*-
# vim: filetype=python
#

##
# = Cryptography
##

##
# @QCryptoTLSCredsEndpoint:
#
# The type of network endpoint that will be using the credentials.
# Most types of credential require different setup / structures
# depending on whether they will be used in a server versus a client.
#
# @client: the network endpoint is acting as the client
#
# @server: the network endpoint is acting as the server
#
# Since: 2.5
##
{ 'enum': 'QCryptoTLSCredsEndpoint',
  'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
  'data': ['client', 'server']}

##
# @QCryptoSecretFormat:
#
# The data format that the secret is provided in
#
# @raw: raw bytes.  When encoded in JSON only valid UTF-8 sequences
#     can be used
#
# @base64: arbitrary base64 encoded binary data
#
# Since: 2.6
##
{ 'enum': 'QCryptoSecretFormat',
  'prefix': 'QCRYPTO_SECRET_FORMAT',
  'data': ['raw', 'base64']}

##
# @QCryptoHashAlgorithm:
#
# The supported algorithms for computing content digests
#
# @md5: MD5. Should not be used in any new code, legacy compat only
#
# @sha1: SHA-1. Should not be used in any new code, legacy compat only
#
# @sha224: SHA-224. (since 2.7)
#
# @sha256: SHA-256. Current recommended strong hash.
#
# @sha384: SHA-384. (since 2.7)
#
# @sha512: SHA-512. (since 2.7)
#
# @ripemd160: RIPEMD-160. (since 2.7)
#
# Since: 2.6
##
{ 'enum': 'QCryptoHashAlgorithm',
  'prefix': 'QCRYPTO_HASH_ALG',
  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}

##
# @QCryptoCipherAlgorithm:
#
# The supported algorithms for content encryption ciphers
#
# @aes-128: AES with 128 bit / 16 byte keys
#
# @aes-192: AES with 192 bit / 24 byte keys
#
# @aes-256: AES with 256 bit / 32 byte keys
#
# @des: DES with 56 bit / 8 byte keys.  Do not use except in VNC.
#     (since 6.1)
#
# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
#
# @cast5-128: Cast5 with 128 bit / 16 byte keys
#
# @serpent-128: Serpent with 128 bit / 16 byte keys
#
# @serpent-192: Serpent with 192 bit / 24 byte keys
#
# @serpent-256: Serpent with 256 bit / 32 byte keys
#
# @twofish-128: Twofish with 128 bit / 16 byte keys
#
# @twofish-192: Twofish with 192 bit / 24 byte keys
#
# @twofish-256: Twofish with 256 bit / 32 byte keys
#
# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
  'prefix': 'QCRYPTO_CIPHER_ALG',
  'data': ['aes-128', 'aes-192', 'aes-256',
           'des', '3des',
           'cast5-128',
           'serpent-128', 'serpent-192', 'serpent-256',
           'twofish-128', 'twofish-192', 'twofish-256',
           'sm4']}

##
# @QCryptoCipherMode:
#
# The supported modes for content encryption ciphers
#
# @ecb: Electronic Code Book
#
# @cbc: Cipher Block Chaining
#
# @xts: XEX with tweaked code book and ciphertext stealing
#
# @ctr: Counter (Since 2.8)
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherMode',
  'prefix': 'QCRYPTO_CIPHER_MODE',
  'data': ['ecb', 'cbc', 'xts', 'ctr']}

##
# @QCryptoIVGenAlgorithm:
#
# The supported algorithms for generating initialization vectors for
# full disk encryption.  The 'plain' generator should not be used for
# disks with sector numbers larger than 2^32, except where
# compatibility with pre-existing Linux dm-crypt volumes is required.
#
# @plain: 64-bit sector number truncated to 32-bits
#
# @plain64: 64-bit sector number
#
# @essiv: 64-bit sector number encrypted with a hash of the encryption
#     key
#
# Since: 2.6
##
{ 'enum': 'QCryptoIVGenAlgorithm',
  'prefix': 'QCRYPTO_IVGEN_ALG',
  'data': ['plain', 'plain64', 'essiv']}

##
# @QCryptoBlockFormat:
#
# The supported full disk encryption formats
#
# @qcow: QCow/QCow2 built-in AES-CBC encryption.  Use only for
#     liberating data from old images.
#
# @luks: LUKS encryption format.  Recommended for new images
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
#  'prefix': 'QCRYPTO_BLOCK_FORMAT',
  'data': ['qcow', 'luks']}

##
# @QCryptoBlockOptionsBase:
#
# The common options that apply to all full disk encryption formats
#
# @format: the encryption format
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockOptionsQCow:
#
# The options that apply to QCow/QCow2 AES-CBC encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#     decryption key.  Mandatory except when probing image for
#     metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsQCow',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockOptionsLUKS:
#
# The options that apply to LUKS encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#     decryption key.  Mandatory except when probing image for
#     metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsLUKS',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockCreateOptionsLUKS:
#
# The options that apply to LUKS encryption format initialization
#
# @cipher-alg: the cipher algorithm for data encryption Currently
#     defaults to 'aes-256'.
#
# @cipher-mode: the cipher mode for data encryption Currently defaults
#     to 'xts'
#
# @ivgen-alg: the initialization vector generator Currently defaults
#     to 'plain64'
#
# @ivgen-hash-alg: the initialization vector generator hash Currently
#     defaults to 'sha256'
#
# @hash-alg: the master key hash algorithm Currently defaults to
#     'sha256'
#
# @iter-time: number of milliseconds to spend in PBKDF passphrase
#     processing.  Currently defaults to 2000. (since 2.8)
#
# @detached-header: create a detached LUKS header. (since 9.0)
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
  'base': 'QCryptoBlockOptionsLUKS',
  'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
            '*cipher-mode': 'QCryptoCipherMode',
            '*ivgen-alg': 'QCryptoIVGenAlgorithm',
            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
            '*hash-alg': 'QCryptoHashAlgorithm',
            '*iter-time': 'int',
            '*detached-header': 'bool'}}

##
# @QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats when
# opening an existing volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockOpenOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockOptionsLUKS' } }

##
# @QCryptoBlockCreateOptions:
#
# The options that are available for all encryption formats when
# initializing a new volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockCreateOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockCreateOptionsLUKS' } }

##
# @QCryptoBlockInfoBase:
#
# The common information that applies to all full disk encryption
# formats
#
# @format: the encryption format
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockInfoLUKSSlot:
#
# Information about the LUKS block encryption key slot options
#
# @active: whether the key slot is currently in use
#
# @key-offset: offset to the key material in bytes
#
# @iters: number of PBKDF2 iterations for key material
#
# @stripes: number of stripes for splitting key material
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKSSlot',
  'data': {'active': 'bool',
           '*iters': 'int',
           '*stripes': 'int',
           'key-offset': 'int' } }

##
# @QCryptoBlockInfoLUKS:
#
# Information about the LUKS block encryption options
#
# @cipher-alg: the cipher algorithm for data encryption
#
# @cipher-mode: the cipher mode for data encryption
#
# @ivgen-alg: the initialization vector generator
#
# @ivgen-hash-alg: the initialization vector generator hash
#
# @hash-alg: the master key hash algorithm
#
# @detached-header: whether the LUKS header is detached (Since 9.0)
#
# @payload-offset: offset to the payload data in bytes
#
# @master-key-iters: number of PBKDF2 iterations for key material
#
# @uuid: unique identifier for the volume
#
# @slots: information about each key slot
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKS',
  'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
           'cipher-mode': 'QCryptoCipherMode',
           'ivgen-alg': 'QCryptoIVGenAlgorithm',
           '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
           'hash-alg': 'QCryptoHashAlgorithm',
           'detached-header': 'bool',
           'payload-offset': 'int',
           'master-key-iters': 'int',
           'uuid': 'str',
           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}

##
# @QCryptoBlockInfo:
#
# Information about the block encryption options
#
# Since: 2.7
##
{ 'union': 'QCryptoBlockInfo',
  'base': 'QCryptoBlockInfoBase',
  'discriminator': 'format',
  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }

##
# @QCryptoBlockLUKSKeyslotState:
#
# Defines state of keyslots that are affected by the update
#
# @active: The slots contain the given password and marked as active
#
# @inactive: The slots are erased (contain garbage) and marked as
#     inactive
#
# Since: 5.1
##
{ 'enum': 'QCryptoBlockLUKSKeyslotState',
  'data': [ 'active', 'inactive' ] }

##
# @QCryptoBlockAmendOptionsLUKS:
#
# This struct defines the update parameters that activate/de-activate
# set of keyslots
#
# @state: the desired state of the keyslots
#
# @new-secret: The ID of a QCryptoSecret object providing the password
#     to be written into added active keyslots
#
# @old-secret: Optional (for deactivation only) If given will
#     deactivate all keyslots that match password located in
#     QCryptoSecret with this ID
#
# @iter-time: Optional (for activation only) Number of milliseconds to
#     spend in PBKDF passphrase processing for the newly activated
#     keyslot.  Currently defaults to 2000.
#
# @keyslot: Optional.  ID of the keyslot to activate/deactivate.  For
#     keyslot activation, keyslot should not be active already (this
#     is unsafe to update an active keyslot), but possible if 'force'
#     parameter is given.  If keyslot is not given, first free keyslot
#     will be written.
#
#     For keyslot deactivation, this parameter specifies the exact
#     keyslot to deactivate
#
# @secret: Optional.  The ID of a QCryptoSecret object providing the
#     password to use to retrieve current master key.  Defaults to the
#     same secret that was used to open the image
#
# Since: 5.1
##
{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
            '*new-secret': 'str',
            '*old-secret': 'str',
            '*keyslot': 'int',
            '*iter-time': 'int',
            '*secret': 'str' } }

##
# @QCryptoBlockAmendOptions:
#
# The options that are available for all encryption formats when
# amending encryption settings
#
# Since: 5.1
##
{ 'union': 'QCryptoBlockAmendOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': {
          'luks': 'QCryptoBlockAmendOptionsLUKS' } }

##
# @SecretCommonProperties:
#
# Properties for objects of classes derived from secret-common.
#
# @loaded: if true, the secret is loaded immediately when applying
#     this option and will probably fail when processing the next
#     option.  Don't use; only provided for compatibility.
#     (default: false)
#
# @format: the data format that the secret is provided in
#     (default: raw)
#
# @keyid: the name of another secret that should be used to decrypt
#     the provided data.  If not present, the data is assumed to be
#     unencrypted.
#
# @iv: the random initialization vector used for encryption of this
#     particular secret.  Should be a base64 encrypted string of the
#     16-byte IV. Mandatory if @keyid is given.  Ignored if @keyid is
#     absent.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.6
##
{ 'struct': 'SecretCommonProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*format': 'QCryptoSecretFormat',
            '*keyid': 'str',
            '*iv': 'str' } }

##
# @SecretProperties:
#
# Properties for secret objects.
#
# Either @data or @file must be provided, but not both.
#
# @data: the associated with the secret from
#
# @file: the filename to load the data associated with the secret from
#
# Since: 2.6
##
{ 'struct': 'SecretProperties',
  'base': 'SecretCommonProperties',
  'data': { '*data': 'str',
            '*file': 'str' } }

##
# @SecretKeyringProperties:
#
# Properties for secret_keyring objects.
#
# @serial: serial number that identifies a key to get from the kernel
#
# Since: 5.1
##
{ 'struct': 'SecretKeyringProperties',
  'base': 'SecretCommonProperties',
  'data': { 'serial': 'int32' } }

##
# @TlsCredsProperties:
#
# Properties for objects of classes derived from tls-creds.
#
# @verify-peer: if true the peer credentials will be verified once the
#     handshake is completed.  This is a no-op for anonymous
#     credentials.  (default: true)
#
# @dir: the path of the directory that contains the credential files
#
# @endpoint: whether the QEMU network backend that uses the
#     credentials will be acting as a client or as a server
#     (default: client)
#
# @priority: a gnutls priority string as described at
#     https://gnutls.org/manual/html_node/Priority-Strings.html
#
# Since: 2.5
##
{ 'struct': 'TlsCredsProperties',
  'data': { '*verify-peer': 'bool',
            '*dir': 'str',
            '*endpoint': 'QCryptoTLSCredsEndpoint',
            '*priority': 'str' } }

##
# @TlsCredsAnonProperties:
#
# Properties for tls-creds-anon objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsAnonProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }

##
# @TlsCredsPskProperties:
#
# Properties for tls-creds-psk objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# @username: the username which will be sent to the server.  For
#     clients only.  If absent, "qemu" is sent and the property will
#     read back as an empty string.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 3.0
##
{ 'struct': 'TlsCredsPskProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*username': 'str' } }

##
# @TlsCredsX509Properties:
#
# Properties for tls-creds-x509 objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# @sanity-check: if true, perform some sanity checks before using the
#     credentials (default: true)
#
# @passwordid: For the server-key.pem and client-key.pem files which
#     contain sensitive private keys, it is possible to use an
#     encrypted version by providing the @passwordid parameter.  This
#     provides the ID of a previously created secret object containing
#     the password for decryption.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsX509Properties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*sanity-check': 'bool',
            '*passwordid': 'str' } }
##
# @QCryptoAkCipherAlgorithm:
#
# The supported algorithms for asymmetric encryption ciphers
#
# @rsa: RSA algorithm
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherAlgorithm',
  'prefix': 'QCRYPTO_AKCIPHER_ALG',
  'data': ['rsa']}

##
# @QCryptoAkCipherKeyType:
#
# The type of asymmetric keys.
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherKeyType',
  'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
  'data': ['public', 'private']}

##
# @QCryptoRSAPaddingAlgorithm:
#
# The padding algorithm for RSA.
#
# @raw: no padding used
#
# @pkcs1: pkcs1#v1.5
#
# Since: 7.1
##
{ 'enum': 'QCryptoRSAPaddingAlgorithm',
  'prefix': 'QCRYPTO_RSA_PADDING_ALG',
  'data': ['raw', 'pkcs1']}

##
# @QCryptoAkCipherOptionsRSA:
#
# Specific parameters for RSA algorithm.
#
# @hash-alg: QCryptoHashAlgorithm
#
# @padding-alg: QCryptoRSAPaddingAlgorithm
#
# Since: 7.1
##
{ 'struct': 'QCryptoAkCipherOptionsRSA',
  'data': { 'hash-alg':'QCryptoHashAlgorithm',
            'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}

##
# @QCryptoAkCipherOptions:
#
# The options that are available for all asymmetric key algorithms
# when creating a new QCryptoAkCipher.
#
# @alg: encryption cipher algorithm
#
# Since: 7.1
##
{ 'union': 'QCryptoAkCipherOptions',
  'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
  'discriminator': 'alg',
  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}