authorMaksim Ivanov <emaxx@google.com>2018-02-21 02:51:07 +0000
committerandroid-build-merger <android-build-merger@google.com>2018-02-21 02:51:07 +0000
commite268d8094e999b19c562a390d4c579111930ede3 (patch)
treee432c2636857629a6782ca4416953aca25b8c91a
parentd91c832f32b4c958074e315174509c008767d06b (diff)
parentb05e5038a7dbc914036537b1bbb4af34eba7da5d (diff)
system_api: New fields and messages for challenge-response cryptohome keys am: 0eae09da95 am: 2ef11fd320 am: 5da9de9c52
am: b05e5038a7 Change-Id: I5e77a6bb51cc5fe92a383aa0f6b4885fd0b7f8cf
-rw-r--r--dbus/cryptohome/key.proto31
-rw-r--r--dbus/cryptohome/rpc.proto49
2 files changed, 80 insertions, 0 deletions
diff --git a/dbus/cryptohome/key.proto b/dbus/cryptohome/key.proto
index fb95b48..5d23768 100644
--- a/dbus/cryptohome/key.proto
+++ b/dbus/cryptohome/key.proto
@@ -60,11 +60,39 @@ message KeyProviderData {
repeated Entry entry = 1;
}
+// Cryptographic signature algorithm type for challenge requests. Used with
+// challenge-response cryptohome keys.
+enum ChallengeSignatureAlgorithm {
+ RSASSA_PKCS1_V1_5_SHA1 = 1;
+ RSASSA_PKCS1_V1_5_SHA256 = 2;
+ RSASSA_PKCS1_V1_5_SHA384 = 3;
+ RSASSA_PKCS1_V1_5_SHA512 = 4;
+}
+
+// Description of a public key of an asymmetric cryptographic key. Used with
+// challenge-response cryptohome keys.
+message ChallengePublicKeyInfo {
+ // DER-encoded blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 1;
+ // Supported signature algorithms, in the order of preference (starting from
+ // the most preferred). Absence of this field denotes that the key cannot be
+ // used for signing.
+ repeated ChallengeSignatureAlgorithm signature_algorithm = 2;
+}
+
+// Non-secret data describing the key.
message KeyData {
// The KeyType should specify the handling needed by Cryptohome
// and not a provider KeyType.
enum KeyType {
+ // Password-based key. The password's text or its hashed/transformed
+ // representation is transmitted in the |secret| field of the Key message.
KEY_TYPE_PASSWORD = 0;
+ // The challenge-response type of key. The secret data for such key is not
+ // passed clear-text through D-Bus calls, but is instead handled by
+ // cryptohome internally. In order to authenticate using such key,
+ // cryptohome will issue one or multiple challenge requests.
+ KEY_TYPE_CHALLENGE_RESPONSE = 1;
}
optional KeyType type = 1;
// All keys must be labeled when persisted to disk, but when KeyData
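Review bot: `RSASSA_PKCS1_V1_5_SHA1` is offered as a first-class algorithm with no caveat, and because `ChallengePublicKeyInfo.signature_algorithm` is documented as an ordered preference list supplied with the key, a key registered with SHA1 first will presumably be challenged with SHA-1 on every authentication; the enum should say this is a compatibility option, e.g. `// SHA-1 is weak; kept only for legacy hardware keys that support nothing else. Do not list it ahead of a SHA-2 variant in a preference list.` The comment on `signature_algorithm` could also state whether cryptohome honours the key's order or may pick a stronger listed digest, since a caller cannot tell from here which side decides. The enums start at 1 with no unspecified value and the values carry no type prefix; that is legal for proto2 (the `optional` scalars suggest this file is proto2, but the `syntax` line is outside the hunk) yet leaves a zero default that maps to no member, so consumers should treat an out-of-range value as a rejected key rather than a default algorithm.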
@@ -80,6 +108,9 @@ message KeyData {
// of passwords or custom provider key typing.
// This will be size-limited by serialized size (e.g., 4096 bytes).
optional KeyProviderData provider_data = 6;
+ // Is set when |type| is |KEY_TYPE_CHALLENGE_RESPONSE|. Specifies the list of
+ // keys that should be used for challenge requests.
+ repeated ChallengePublicKeyInfo challenge_response_key = 7;
}
// Key is not presently persisted to disk, but it acts as the single authority
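Review bot: `challenge_response_key` is `repeated`, but the comment does not say what authenticating against a list of keys means — whether a valid response from any one listed key unlocks the keyset or every key must answer — and that policy decides the effective strength of the factor, so it belongs on the field. Suggest extending the comment with `// NOTE: the policy for multiple entries (any one key suffices vs. all must respond) is decided by cryptohome; confirm against the implementation before relying on more than one key.` if the semantics are not yet fixed. Minor style: the field is a list but named in the singular; the surrounding fields follow the same convention, so only flagging it. `KeyData` starts before this hunk.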
diff --git a/dbus/cryptohome/rpc.proto b/dbus/cryptohome/rpc.proto
index 1b5d7c1..7682303 100644
--- a/dbus/cryptohome/rpc.proto
+++ b/dbus/cryptohome/rpc.proto
@@ -352,3 +352,52 @@ message MigrateToDircryptoRequest {
// a working profile will be migrated. Most user data will be wiped.
optional bool minimal_migration = 1;
}
+
+// Request parameters for challenge requests for keys of the
+// |KEY_TYPE_CHALLENGE_RESPONSE| type.
+message KeyChallengeRequest {
+ // An opaque identifier of the request. Should be used for sending the
+ // response back.
+ optional int64 request_id = 1;
+ // Specifies challenge types.
+ enum ChallengeType {
+ // Challenge is a request of a cryptographic signature of the specified data
+ // using the specified key.
+ CHALLENGE_TYPE_SIGNATURE = 1;
+ }
+ // Type of the requested challenge.
+ optional ChallengeType challenge_type = 2;
+ // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the
+ // challenge request data.
+ optional SignatureKeyChallengeRequestData signature_request_data = 3;
+}
+
+// Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request
+// type.
+message SignatureKeyChallengeRequestData {
+ // The blob of data for which the signature is asked.
+ optional bytes data_to_sign = 1;
+ // Specifies the key which is asked to sign the data. Contains the DER-encoded
+ // blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 2;
+ // Specifies the signature algorithm that has to be used.
+ optional ChallengeSignatureAlgorithm signature_algorithm = 3;
+}
+
+// Response for challenge requests.
+message KeyChallengeResponse {
+ // The request identifier. Should be taken from the |request_id| field of the
+ // KeyChallengeRequest message.
+ optional int64 request_id = 1;
+ // Is set for responses to challenge requests of the
+ // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge
+ // response data.
+ optional SignatureKeyChallengeResponseData signature_response_data = 2;
+}
+
+// Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE|
+// challenge type.
+message SignatureKeyChallengeResponseData {
+ // The signature blob of the requested data.
+ optional bytes signature = 1;
+}
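Review bot: `data_to_sign` is described only as "the blob of data for which the signature is asked", with nothing about who builds it or what it must contain, and since the responder signs exactly what it is given, anything able to send a `KeyChallengeRequest` is a signing oracle for the user's key; the comment should pin down the format (is it freshly generated per request, and is it domain-separated so the signature cannot be reused as, for example, a TLS client-auth or other protocol signature with the same card key) so responders can refuse anything else — if no such structure exists yet, that is worth fixing before this wire format is relied on. `KeyChallengeResponse` also has no way to report a refusal or failure, so document the meaning of an absent `signature_response_data`, e.g. `// Absent when the challenge was not answered (key unavailable, user declined); the verifier must treat this as an authentication failure.`, and state that the verifier checks the signature against the `data_to_sign`, `public_key_spki_der` and `signature_algorithm` it issued under `request_id` rather than anything echoed by the responder. As with key.proto, `ChallengeType` starts at 1 with no unspecified value, which is fine for proto2 but leaves the default unset state mapping to no member.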