-rw-r--r-- | dbus/cryptohome/key.proto | 31 | ||||
-rw-r--r-- | dbus/cryptohome/rpc.proto | 49 |
2 files changed, 80 insertions, 0 deletions
diff --git a/dbus/cryptohome/key.proto b/dbus/cryptohome/key.proto
index fb95b48..5d23768 100644
--- a/dbus/cryptohome/key.proto
+++ b/dbus/cryptohome/key.proto
@@ -60,11 +60,39 @@ message KeyProviderData {
 repeated Entry entry = 1;
 }
 
+// Cryptographic signature algorithm type for challenge requests. Used with
+// challenge-response cryptohome keys.
+enum ChallengeSignatureAlgorithm {
+ RSASSA_PKCS1_V1_5_SHA1 = 1;
+ RSASSA_PKCS1_V1_5_SHA256 = 2;
+ RSASSA_PKCS1_V1_5_SHA384 = 3;
+ RSASSA_PKCS1_V1_5_SHA512 = 4;
+}
+
+// Description of a public key of an asymmetric cryptographic key. Used with
+// challenge-response cryptohome keys.
+message ChallengePublicKeyInfo {
+ // DER-encoded blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 1;
+ // Supported signature algorithms, in the order of preference (starting from
+ // the most preferred). Absence of this field denotes that the key cannot be
+ // used for signing.
+ repeated ChallengeSignatureAlgorithm signature_algorithm = 2;
+}
+
+// Non-secret data describing the key.
 message KeyData {
 // The KeyType should specify the handling needed by Cryptohome
 // and not a provider KeyType.
 enum KeyType {
+ // Password-based key. The password's text or its hashed/transformed
+ // representation is transmitted in the |secret| field of the Key message.
 KEY_TYPE_PASSWORD = 0;
+ // The challenge-response type of key. The secret data for such key is not
+ // passed clear-text through D-Bus calls, but is instead handled by
+ // cryptohome internally. In order to authenticate using such key,
+ // cryptohome will issue one or multiple challenge requests.
+ KEY_TYPE_CHALLENGE_RESPONSE = 1;
 }
 optional KeyType type = 1;
 // All keys must be labeled when persisted to disk, but when KeyData
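Review bot: `ChallengeSignatureAlgorithm` has no zero value, so under proto2 semantics (which the `optional` scalars in this file suggest) an unset `signature_algorithm` reads back as `RSASSA_PKCS1_V1_5_SHA1`, the weakest option, unless every reader checks `has_signature_algorithm()` first; the same gap exists for `KeyChallengeRequest.ChallengeType` in the rpc.proto hunk, where an unset `challenge_type` would read as `CHALLENGE_TYPE_SIGNATURE`. Consider adding `CHALLENGE_SIGNATURE_ALGORITHM_UNSPECIFIED = 0;` as the first value (and a matching zero value on `ChallengeType`), or at least documenting on both enums that the field must be set explicitly and the `has_` accessor consulted before use. The new values also lack the type prefix that `KeyType` uses (`KEY_TYPE_`), so in generated C++ they are scoped at package level and will collide with any later enum that names the same algorithms. Since `ChallengePublicKeyInfo.signature_algorithm` is a caller-supplied preference list, the comment should say whether cryptohome honours the order verbatim or applies its own minimum when the first entry is SHA1.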
@@ -80,6 +108,9 @@ message KeyData {
 // of passwords or custom provider key typing.
 // This will be size-limited by serialized size (e.g., 4096 bytes).
 optional KeyProviderData provider_data = 6;
+ // Is set when |type| is |KEY_TYPE_CHALLENGE_RESPONSE|. Specifies the list of
+ // keys that should be used for challenge requests.
+ repeated ChallengePublicKeyInfo challenge_response_key = 7;
 }
 
 // Key is not presently persisted to disk, but it acts as the single authority
diff --git a/dbus/cryptohome/rpc.proto b/dbus/cryptohome/rpc.proto
index 1b5d7c1..7682303 100644
--- a/dbus/cryptohome/rpc.proto
+++ b/dbus/cryptohome/rpc.proto
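Review bot: `challenge_response_key` brings caller-supplied DER blobs into `KeyData`, which the surrounding comments say is persisted to disk and, for `provider_data`, bounded by serialized size, yet the new field states no limit on the number of entries or on the size of each `public_key_spki_der`. Suggest documenting the bound in the same style as the line above it, e.g. `// Limited in entry count and serialized size; see provider_data.` with the concrete numbers the implementation enforces, so reviewers of the persistence path can check them. The comment should also say what happens when the field is set but `type` is not `KEY_TYPE_CHALLENGE_RESPONSE` (ignored or rejected). The enclosing `KeyData` message starts outside this hunk.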
@@ -352,3 +352,52 @@ message MigrateToDircryptoRequest {
 // a working profile will be migrated. Most user data will be wiped.
 optional bool minimal_migration = 1;
 }
+
+// Request parameters for challenge requests for keys of the
+// |KEY_TYPE_CHALLENGE_RESPONSE| type.
+message KeyChallengeRequest {
+ // An opaque identifier of the request. Should be used for sending the
+ // response back.
+ optional int64 request_id = 1;
+ // Specifies challenge types.
+ enum ChallengeType {
+ // Challenge is a request of a cryptographic signature of the specified data
+ // using the specified key.
+ CHALLENGE_TYPE_SIGNATURE = 1;
+ }
+ // Type of the requested challenge.
+ optional ChallengeType challenge_type = 2;
+ // Is set when |challenge_type| is |CHALLENGE_TYPE_SIGNATURE|. Contains the
+ // challenge request data.
+ optional SignatureKeyChallengeRequestData signature_request_data = 3;
+}
+
+// Request data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE| request
+// type.
+message SignatureKeyChallengeRequestData {
+ // The blob of data for which the signature is asked.
+ optional bytes data_to_sign = 1;
+ // Specifies the key which is asked to sign the data. Contains the DER-encoded
+ // blob of the X.509 Subject Public Key Info.
+ optional bytes public_key_spki_der = 2;
+ // Specifies the signature algorithm that has to be used.
+ optional ChallengeSignatureAlgorithm signature_algorithm = 3;
+}
+
+// Response for challenge requests.
+message KeyChallengeResponse {
+ // The request identifier. Should be taken from the |request_id| field of the
+ // KeyChallengeRequest message.
+ optional int64 request_id = 1;
+ // Is set for responses to challenge requests of the
+ // |CHALLENGE_TYPE_SIGNATURE| challenge type. Contains the challenge
+ // response data.
+ optional SignatureKeyChallengeResponseData signature_response_data = 2;
+}
+
+// Response data for challenge requests of the |CHALLENGE_TYPE_SIGNATURE|
+// challenge type.
+message SignatureKeyChallengeResponseData {
+ // The signature blob of the requested data.
+ optional bytes signature = 1;
+} |
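Review bot: `SignatureKeyChallengeRequestData.signature_algorithm` uses `ChallengeSignatureAlgorithm`, which this commit defines in key.proto, and no `import` of key.proto appears in this hunk; if rpc.proto does not already import it the file will not compile, so that is worth confirming outside the diff. The comment on `data_to_sign` does not state whether cryptohome generates the blob freshly for each authentication attempt; since the returned `signature` is the whole proof of key possession, the schema should tell readers that the challenge is unpredictable and single-use, e.g. `// Generated by cryptohome per challenge; never reused across attempts.` if that is the contract. `request_id` is called opaque, but nothing says how a response is matched to its request or what happens on an unknown or already-answered id, and a sentence on that would make the D-Bus round trip auditable. Both points are hedged because the issuing and verifying code is not part of this change.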