author | Maksim Ivanov <emaxx@google.com> | 2018-02-21 02:51:07 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2018-02-21 02:51:07 +0000 |
commit | e268d8094e999b19c562a390d4c579111930ede3 (patch) | |
tree | e432c2636857629a6782ca4416953aca25b8c91a | |
parent | d91c832f32b4c958074e315174509c008767d06b (diff) | |
parent | b05e5038a7dbc914036537b1bbb4af34eba7da5d (diff) | |
download | system_api-e268d8094e999b19c562a390d4c579111930ede3.tar.gz |
system_api: New fields and messages for challenge-response cryptohome keys am: 0eae09da95 am: 2ef11fd320 am: 5da9de9c52
am: b05e5038a7
Change-Id: I5e77a6bb51cc5fe92a383aa0f6b4885fd0b7f8cf
-rw-r--r-- | dbus/cryptohome/key.proto | 31 | ||||
-rw-r--r-- | dbus/cryptohome/rpc.proto | 49 |
2 files changed, 80 insertions, 0 deletions
diff --git a/dbus/cryptohome/key.proto b/dbus/cryptohome/key.proto
index fb95b48..5d23768 100644
--- a/dbus/cryptohome/key.proto
+++ b/dbus/cryptohome/key.proto
@@ -60,11 +60,39 @@ message KeyProviderData {
 repeated Entry entry = 1;
 }
 
+// Cryptographic signature algorithm type for challenge requests. Used with
+// challenge-response cryptohome keys.
+enum ChallengeSignatureAlgorithm {
+ RSASSA_PKCS1_V1_5_SHA1 = 1;
+ RSASSA_PKCS1_V1_5_SHA256 = 2;
+ RSASSA_PKCS1_V1_5_SHA384 = 3;
+ RSASSA_PKCS1_V1_5_SHA512 = 4;
+}
+
+// Description of a public key of an asymmetric cryptographic key. Used with
+// challenge-response cryptohome keys.
+message ChallengePublicKeyInfo {
+ // DER-encoded blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 1;
+ // Supported signature algorithms, in the order of preference (starting from
+ // the most preferred). Absence of this field denotes that the key cannot be
+ // used for signing.
+ repeated ChallengeSignatureAlgorithm signature_algorithm = 2;
+}
+
+// Non-secret data describing the key.
 message KeyData {
 // The KeyType should specify the handling needed by Cryptohome
 // and not a provider KeyType.
 enum KeyType {
+ // Password-based key. The password's text or its hashed/transformed
+ // representation is transmitted in the |secret| field of the Key message.
 KEY_TYPE_PASSWORD = 0;
+ // The challenge-response type of key. The secret data for such key is not
+ // passed clear-text through D-Bus calls, but is instead handled by
+ // cryptohome internally. In order to authenticate using such key,
+ // cryptohome will issue one or multiple challenge requests.
+ KEY_TYPE_CHALLENGE_RESPONSE = 1;
 }
 optional KeyType type = 1;
 // All keys must be labeled when persisted to disk, but when KeyData
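Review bot: `ChallengeSignatureAlgorithm` declares no zero value and its values carry no type prefix. The file appears to be proto2 (fields are marked `optional`), where an unset enum field reads back as the first declared value, so a `SignatureKeyChallengeRequestData` in rpc.proto (third hunk) whose sender omitted `signature_algorithm` is indistinguishable from one that explicitly asked for `RSASSA_PKCS1_V1_5_SHA1`, i.e. the weakest option silently becomes the default; the nested `ChallengeType` enum in that hunk has the same shape and defaults to `CHALLENGE_TYPE_SIGNATURE`. Enum values are siblings of the enum in the enclosing scope, so names like `RSASSA_PKCS1_V1_5_SHA256` will collide with any other enum in this package that reuses them. If these definitions have not shipped yet, I'd make `CHALLENGE_SIGNATURE_ALGORITHM_UNSPECIFIED = 0;` (and `CHALLENGE_TYPE_UNSPECIFIED = 0;`) the first value, prefix the remaining values, and have receivers reject the unspecified value rather than infer an algorithm.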
@@ -80,6 +108,9 @@ message KeyData {
 // of passwords or custom provider key typing.
 // This will be size-limited by serialized size (e.g., 4096 bytes).
 optional KeyProviderData provider_data = 6;
+ // Is set when |type| is |KEY_TYPE_CHALLENGE_RESPONSE|. Specifies the list of
+ // keys that should be used for challenge requests.
+ repeated ChallengePublicKeyInfo challenge_response_key = 7;
 }
 
 // Key is not presently persisted to disk, but it acts as the single authority
diff --git a/dbus/cryptohome/rpc.proto b/dbus/cryptohome/rpc.proto
index 1b5d7c1..7682303 100644
--- a/dbus/cryptohome/rpc.proto
+++ b/dbus/cryptohome/rpc.proto
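Review bot: `challenge_response_key` at field 7 is `repeated` but named in the singular; the convention for repeated fields is a plural noun, so `repeated ChallengePublicKeyInfo challenge_response_keys = 7;` would read naturally as `challenge_response_keys_size()` / `challenge_response_keys(i)` in generated code. The rename is wire-safe (only the number is encoded) but changes generated accessors, so it is only cheap before callers exist. The comment also does not say what a reader does with an empty list when `type` is `KEY_TYPE_CHALLENGE_RESPONSE`, or with a populated list under another type; if that is the intended contract, `// Must be non-empty for KEY_TYPE_CHALLENGE_RESPONSE and is ignored for other key types.` would close the gap. `KeyData` starts before this hunk.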
@@ -352,3 +352,52 @@ message MigrateToDircryptoRequest {
 // a working profile will be migrated. Most user data will be wiped.
 optional bool minimal_migration = 1;
 }
+
+// Request parameters for challenge requests for keys of the
+// |KEY_TYPE_CHALLENGE_RESPONSE| type.
+message KeyChallengeRequest {
+ // An opaque identifier of the request. Should be used for sending the
+ // response back.
+ optional int64 request_id = 1;
+ // Specifies challenge types.
+ enum ChallengeType {
+ // Challenge is a request of a cryptographic signature of the specified data
+ // using the specified key.
+ CHALLENGE_TYPE_SIGNATURE = 1;
+ }
+ // Type of the requested challenge.
+ optional ChallengeType challenge_type = 2;
+ // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the
+ // challenge request data.
+ optional SignatureKeyChallengeRequestData signature_request_data = 3;
+}
+
+// Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request
+// type.
+message SignatureKeyChallengeRequestData {
+ // The blob of data for which the signature is asked.
+ optional bytes data_to_sign = 1;
+ // Specifies the key which is asked to sign the data. Contains the DER-encoded
+ // blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 2;
+ // Specifies the signature algorithm that has to be used.
+ optional ChallengeSignatureAlgorithm signature_algorithm = 3;
+}
+
+// Response for challenge requests.
+message KeyChallengeResponse {
+ // The request identifier. Should be taken from the |request_id| field of the
+ // KeyChallengeRequest message.
+ optional int64 request_id = 1;
+ // Is set for responses to challenge requests of the
+ // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge
+ // response data.
+ optional SignatureKeyChallengeResponseData signature_response_data = 2;
+}
+
+// Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE|
+// challenge type.
+message SignatureKeyChallengeResponseData {
+ // The signature blob of the requested data.
+ optional bytes signature = 1;
+}
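Review bot: The comment on `data_to_sign` in `SignatureKeyChallengeRequestData` says only that it is the blob to be signed; it does not say who produces it or whether it carries any structure, yet the message lets the requester obtain a signature over arbitrary bytes with the key named by `public_key_spki_der`. A responder implementing this has to decide whether a request is legitimate, so the field should state the blob's origin and format (for instance whether cryptohome generates it and whether it is random challenge data rather than caller-supplied content), and `public_key_spki_der` should say that the responder selects only among keys it already holds for the user. `KeyChallengeResponse.request_id` is described as taken from the request, but nothing says the receiver matches it against a pending request and discards non-matching or duplicate responses; if that is the implementation, `// Must echo the request_id of the KeyChallengeRequest being answered; responses with an unknown request_id are discarded.` would document it. The hunk references `ChallengeSignatureAlgorithm` from key.proto; whether rpc.proto already imports that file is not visible here.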