cryptohome: add the new data wrappers and method params

This change unifies the new Cryptohome DBus calls to
rely on rpc.proto for passing future-extensible
parameters to a call.

It also defines the wire-protocol for passing Key data
and Key attributes which may be persisted to disk.

Note that the use of Request and Reply mimics the approach
of proto2 RPC, but using DBus.  The new Chrome DBus bindings
do not accommodate passing well-defined error codes, but rather
standard DBus error strings.  Passing a Reply avoids sharing
statically defined strings though it isn't ideal.  Callers should
still expect DBus errors on invalid arguments or call failure, but
we won't reuse those errors for application errors.

TEST=compiles (platform2)
BUG=chromium:316189

Change-Id: Iec8e08478b48f14f9a9bf42c5bd44ebb3eb8d670
Reviewed-on: https://chromium-review.googlesource.com/186561
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Queue: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>

4 files changed, 193 insertions, 81 deletions

diff --git a/dbus/cryptohome/key.proto b/dbus/cryptohome/key.proto
new file mode 100644
index 0000000..01a2e77
--- /dev/null
+++ b/dbus/cryptohome/key.proto
@@ -0,0 +1,78 @@
+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Provides wire-type for cryptohome Key objects.  It does not
+// represent the entirety of the bookkeeping data needed by Cryptohome.
+//
+// Anything in this file may be persisted on disk.  Update carefully!
+
+option optimize_for = LITE_RUNTIME;
+
+package cryptohome;
+
+message KeyAuthorizationSecretUsage {
+  optional bool encrypt = 1;
+  optional bool sign = 2;
+}
+
+message KeyAuthorizationSecret {
+  optional KeyAuthorizationSecretUsage usage = 1;
+  optional bytes symmetric_key = 2;
+  optional bytes public_key = 3;
+}
+
+message KeyAuthorizationData {
+  enum KeyAuthorizationType {
+    KEY_AUTHORIZATION_TYPE_HMACSHA256 = 0;
+    KEY_AUTHORIZATION_TYPE_AES256CBC_HMACSHA256 = 1;
+  }
+  optional KeyAuthorizationType type = 1;
+  repeated KeyAuthorizationSecret secrets = 2;
+}
+
+// Software-enforced privileges.
+message KeyPrivileges {
+  // Allows the key to mount the cryptohome.
+  optional bool mount = 1 [default=true];
+  // Allows new keys to be added.
+  optional bool add = 2 [default=true];
+  // Allows other existing keys to be removed.
+  optional bool remove = 3 [default=true];
+  // Allows the key to update itself.
+  optional bool update = 4 [default=true];
+  // Allows a key to update itself iff the requested change
+  // is authorized as per KeyAuthorizationData.
+  optional bool authorized_update = 5 [default=false];
+}
+
+message KeyData {
+  enum KeyType {
+    // All password wrapping prior to the creation of this enum.
+    KEY_TYPE_PASSWORD_CROS_LEGACY = 0;
+  }
+  optional KeyType type = 1;
+  // All keys must be labeled when persisted to disk, but when KeyData
+  // is used in an UpdateKeyRequest, only defined fields are necessary
+  // (so that the caller doesn't need the full KeyData first).
+  optional string label = 2;
+  // If undefined, use the default settings.
+  optional KeyPrivileges privileges = 3;
+  optional int64 revision = 4;
+  // At present, only support for one authorization mechanism is implemented.
+  repeated KeyAuthorizationData authorization_data = 5;
+}
+
+// Key is not presently persisted to disk, but it acts as the single authority
+// for what comprises a key.
+message Key {
+  // In most cases, |data| is required.  When used in an UpdateKeyRequest, it
+  // is only required if KeyData is changing.  If only the |secret| is changing,
+  // this field may be left unset.
+  optional KeyData data = 1;
+  // |secret| is required for many requests, like AddKeyRequest, but not all.
+  // An UpdateKeyRequest only requires the changes to the Key that was
+  // was authorized in the AuthorizationRequest. Making |secret| required would
+  // logically force a key rotation even if the values were the same.
+  optional bytes secret = 2;
+}
diff --git a/dbus/cryptohome/key_enums.proto b/dbus/cryptohome/key_enums.proto
deleted file mode 100644
index e5ce286..0000000
--- a/dbus/cryptohome/key_enums.proto
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package cryptohome;
-
-enum KeyType {
-  PASSWORD_CROS_LEGACY = 0;
-  // Password plain which is signed by a RSA-SHA256 key
-  PASSWORD_PLAIN = 1;
-}
-
-// Software-enforced privileges.
-enum KeyPrivileges {
-  // Can mount
-  MOUNT = 1;
-  // Can add other keys
-  ADD = 2;
-  // Can remove other keys
-  REMOVE = 4;
-  // Destroys all other keys and replaces the old key.
-  MIGRATE = 8;
-  DEFAULT = 15; // (MOUNT|ADD|REMOVE|MIGRATE)
-  // Allows a key to be updated in place if authorized (e.g., by a signature).
-  AUTHORIZED_UPDATE = 16;
-}
-
-enum KeyAuthorizationType {
-  // Changes must be authorized by a HMAC-SHA256
-  // with a sub-key of the privilege_key, which is wrapped by the
-  // wrapped_keyset, used to authenticate the encrypted payload of
-  // (revision||new_passphrase), encrypted using a sub-key of
-  // the unwrapped privilege_key.
-  // The subkeys are computed as one-half of a SHA512 of the priv_key.
-  AES256_HMAC_SHA256 = 0;
-}
diff --git a/dbus/cryptohome/key_parameters.proto b/dbus/cryptohome/key_parameters.proto
deleted file mode 100644
index dd206b3..0000000
--- a/dbus/cryptohome/key_parameters.proto
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-option optimize_for = LITE_RUNTIME;
-
-package cryptohome;
-
-import "key_enums.proto";
-
-message KeyParameters {
-  message KeyAuthorization {
-    required string label = 1;
-    // At present, the only signature authorized privilege is
-    // a superviser user key which will can replace itself iff
-    // the new key and the new revision have a valid signature
-    // (and the revision is not old).
-    optional bytes authorization_signature = 3;
-  }
-  optional KeyAuthorization auth = 1;
-
-  // Used when a key is being added, even if it is being
-  // clobbered as long as the authorizing key is not the same.
-  message KeyAddition {
-    required KeyType type = 1;
-    required string label = 2;
-    optional KeyPrivileges
-      privs = 3 [default=DEFAULT];
-    optional KeyAuthorizationType
-      authorization_type = 4;
-    optional bytes authorization_key = 5;
-  }
-  optional KeyAddition add = 2;
-
-  // Used when a key is updating itself.  If another key is being used,
-  // it should be a clobbering KeyAddition.
-  message KeyUpdate {
-    // These fields only need to be specified if an explicit change is required.
-    optional string label = 1;
-    // The new_revision must be larger than the current revision.
-    // Revisions are not incremented automatically.
-    optional int64 new_revision = 2;
-  }
-  optional KeyUpdate update = 3;
-}
diff --git a/dbus/cryptohome/rpc.proto b/dbus/cryptohome/rpc.proto
new file mode 100644
index 0000000..db61de3
--- /dev/null
+++ b/dbus/cryptohome/rpc.proto
@@ -0,0 +1,115 @@
+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// The messages in this file comprise the DBus/Proto interface for
+// Cryptohome where there is an AccountIdentifer argument, an
+// AuthorizationRequest (if needed for the call), and the call's
+// parameters as <Call>Request.
+//
+// 'optional' annotations are used heavily in the RPC definition
+// because the RPC endpoints most properly sanity check the contents
+// for application-specific logic, and the more optional-with-default
+// parameters exist, the less data is actually transferred on the wire
+// in "default" situations.
+
+option optimize_for = LITE_RUNTIME;
+
+package cryptohome;
+
+import "key.proto";
+
+// Error codes do not need to be sequential per-call.
+// Prefixes by Request/Reply type should be used to help
+// callers know if specialized errors apply.
+enum CryptohomeErrorCode {
+  // 0 is the default value of BaseReply::error. It
+  // should never be used.
+  CRYPTOHOME_ERROR_NOT_SET = 0;
+
+  CRYPTOHOME_ERROR_ACCOUNT_NOT_FOUND = 1;
+  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_NOT_FOUND = 2;
+  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED = 3;
+  CRYPTOHOME_ERROR_NOT_IMPLEMENTED = 4;
+  CRYPTOHOME_ERROR_MOUNT_FATAL = 5;
+  CRYPTOHOME_ERROR_MOUNT_MOUNT_POINT_BUSY = 6;
+  CRYPTOHOME_ERROR_TPM_COMM_ERROR = 7;
+  CRYPTOHOME_ERROR_TPM_DEFEND_LOCK = 8;
+  CRYPTOHOME_ERROR_TPM_NEEDS_REBOOT = 9;
+  CRYPTOHOME_ERROR_AUTHORIZATION_KEY_DENIED = 10;
+}
+
+message AccountIdentifier {
+  optional string email = 1;
+}
+
+message AuthorizationRequest {
+  // |key| must supply at least a |key.secret()|.  If no |key.data()| or
+  // |key.data().label()| is supplied, the |key.secret()| will be tested
+  // against all compatible |key.data().type()| keys, where
+  // KEY_TYPE_PASSWORD_CROS_LEGACY is the default type.  If
+  // |key.data().label()| is supplied, then the |key.secret()| will only be
+  // tested against the matching VaultKeyset.
+  optional Key key = 1;
+};
+
+// These parameters are for inbound data to Cryptohome RPC
+// interfaces.  When calls are added that return data, a
+// <Call>Response should be defined.
+message MountRequest {
+  // Perform an ephemeral mount only.
+  optional bool require_ephemeral = 1 [default=false];
+  // If defined, the account will be created if it does not exist.
+  // Additionally, a failed AuthorizationRequest will be expected as
+  // there will be no existing keys.
+  optional CreateRequest create = 2;
+}
+
+// A BaseReply type is used for all cryptohomed responses. A shared base class
+// is used because all calls will always reply with no-error or an error value.
+// A centralized definition allows for a reusable reply handler for cases where
+// there is no Request-specific reply data.  Any specialized data will live in
+// an extension as per MountReply below:
+//   if (reply.HasExtension(MountReply::reply)) { ... }
+//
+message BaseReply {
+  // If a call was successful, error will not be defined (clear_error()).
+  // If a call failed, it must set an error code (set_error(CODE)).
+  // In either case, call-specific data may be added as an extension.
+  optional CryptohomeErrorCode error = 1;
+
+  extensions 1000 to max;
+}
+
+// The MountRequest call may return more than just success or failure
+// so it embeds itself in a BaseReply as an extension.
+message MountReply {
+  extend BaseReply {
+    optional MountReply reply = 1000;
+  }
+  // |recreated| is set when the cryptohome had to be wiped
+  // because the key or data was an unrecoverable.  It does not imply
+  // failure to Mount nor is it 'true' when a CreateRequest creates
+  // a cryptohome for the first time.
+  optional bool recreated = 1 [default=false];
+};
+
+message CreateRequest {
+  repeated Key keys = 1;
+  // Explicitly use the |key| from the AuthorizationRequest.
+  // Setting this value means that the KeyData is filled as it
+  // would be with a Key above or in an AddKeyRequest.
+  optional bool copy_authorization_key = 2 [default=false];
+  // In the future, this will contain account-wide data like
+  // the deletion priority or the IdP's origin.
+}
+
+message AddKeyRequest {
+  optional Key key = 1;
+  optional bool clobber_if_exists = 2 [default=false];
+}
+
+message UpdateKeyRequest {
+  optional Key changes = 1;
+  optional bytes authorization_signature = 2;
+}