• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright (c) 2014 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4//
5// Provides wire-type for cryptohome Key objects.  It does not
6// represent the entirety of the bookkeeping data needed by Cryptohome.
7//
8// Anything in this file may be persisted on disk.  Update carefully!
9
10syntax = "proto2";
11
12option optimize_for = LITE_RUNTIME;
13
14package cryptohome;
15
16message KeyAuthorizationSecretUsage {
17  optional bool encrypt = 1;
18  optional bool sign = 2;
19}
20
21message KeyAuthorizationSecret {
22  optional KeyAuthorizationSecretUsage usage = 1;
23  optional bytes symmetric_key = 2;
24  optional bytes public_key = 3;
25  // Indicates if the symmetric_key is wrapped.
26  optional bool wrapped = 4 [default=false];
27}
28
29message KeyAuthorizationData {
30  enum KeyAuthorizationType {
31    KEY_AUTHORIZATION_TYPE_HMACSHA256 = 0;
32    KEY_AUTHORIZATION_TYPE_AES256CBC_HMACSHA256 = 1;
33  }
34  optional KeyAuthorizationType type = 1;
35  repeated KeyAuthorizationSecret secrets = 2;
36}
37
38// Software-enforced privileges.
39message KeyPrivileges {
40  // Allows the key to mount the cryptohome.
41  optional bool mount = 1 [default=true];
42  // Allows new keys to be added.
43  optional bool add = 2 [default=true];
44  // Allows other existing keys to be removed.
45  optional bool remove = 3 [default=true];
46  // Allows the key to update itself.
47  optional bool update = 4 [default=true];
48  // Allows a key to update itself iff the requested change
49  // is authorized as per KeyAuthorizationData.
50  optional bool authorized_update = 5 [default=false];
51}
52
53// Public metadata stored on behalf of the KeyProvider.
54message KeyProviderData {
55  message Entry {
56    optional string name = 1;
57    optional int64 number = 2;
58    optional bytes bytes = 3;
59  }
60  repeated Entry entry = 1;
61}
62
63// Cryptographic signature algorithm type for challenge requests. Used with
64// challenge-response cryptohome keys.
65enum ChallengeSignatureAlgorithm {
66  CHALLENGE_RSASSA_PKCS1_V1_5_SHA1 = 1;
67  CHALLENGE_RSASSA_PKCS1_V1_5_SHA256 = 2;
68  CHALLENGE_RSASSA_PKCS1_V1_5_SHA384 = 3;
69  CHALLENGE_RSASSA_PKCS1_V1_5_SHA512 = 4;
70}
71
72// Description of a public key of an asymmetric cryptographic key. Used with
73// challenge-response cryptohome keys.
74message ChallengePublicKeyInfo {
75  // DER-encoded blob of the X.509 Subject Public Key Info.
76  optional bytes public_key_spki_der = 1;
77  // Supported signature algorithms, in the order of preference (starting from
78  // the most preferred). Absence of this field denotes that the key cannot be
79  // used for signing.
80  repeated ChallengeSignatureAlgorithm signature_algorithm = 2;
81}
82
83// Policies which determine how a key can be used. |GetSupportedKeyPolicies|
84// request can be used to determine if a given policy value is supported.
85// This message is also used inside of |GetKeyDataReply|, which allows clients
86// to query current key state without submitting an authentication attempt.
87message KeyPolicy {
88  // Is this key additionally protected from brute force attacks as a low
89  // entropy credential? For such keys, delays between subsequent unsuccessful
90  // authorization attempts and/or a limit on the number of such attempts are
91  // enforced to slow down dictionary-based attacks. Set this to true when
92  // registering a key to protect it.
93  optional bool low_entropy_credential = 1;
94  // If true, the key is "locked" after too many unsuccessful authorization
95  // attempts. Future authentication attempts against a locked key fail with
96  // CRYPTOHOME_ERROR_TPM_DEFEND_LOCK error.
97  // Currently, such locking is supported only for keys with
98  // |low_entropy_credential| policy set to true,
99  // This field is ignored when registering a new key.
100  optional bool auth_locked = 2;
101}
102
103// Non-secret data describing the key.
104message KeyData {
105  // The KeyType should specify the handling needed by Cryptohome
106  // and not a provider KeyType.
107  enum KeyType {
108    // Password-based key. The password's text or its hashed/transformed
109    // representation is transmitted in the |secret| field of the Key message.
110    KEY_TYPE_PASSWORD = 0;
111    // The challenge-response type of key. The secret data for such key is not
112    // passed clear-text through D-Bus calls, but is instead handled by
113    // cryptohome internally. In order to authenticate using such key,
114    // cryptohome will issue one or multiple challenge requests.
115    KEY_TYPE_CHALLENGE_RESPONSE = 1;
116  }
117  optional KeyType type = 1;
118  // All keys must be labeled when persisted to disk, but when KeyData
119  // is used in an UpdateKeyRequest, only defined fields are necessary
120  // (so that the caller doesn't need the full KeyData first).
121  optional string label = 2;
122  // If undefined, use the default settings.
123  optional KeyPrivileges privileges = 3;
124  optional int64 revision = 4;
125  // At present, only support for one authorization mechanism is implemented.
126  repeated KeyAuthorizationData authorization_data = 5;
127  // Data stored for use by the provider of the key, often for pre-processing
128  // of passwords or custom provider key typing.
129  // This will be size-limited by serialized size (e.g., 4096 bytes).
130  optional KeyProviderData provider_data = 6;
131  // Is set when |type| is |KEY_TYPE_CHALLENGE_RESPONSE|. Specifies the list of
132  // keys that should be used for challenge requests.
133  repeated ChallengePublicKeyInfo challenge_response_key = 7;
134  // Optional additional policy to apply to the key. Certain policy values
135  // require hardware support which may not be available.
136  optional KeyPolicy policy = 8;
137}
138
139// Key is not presently persisted to disk, but it acts as the single authority
140// for what comprises a key.
141message Key {
142  // In most cases, |data| is required.  When used in an UpdateKeyRequest, it
143  // is only required if KeyData is changing.  If only the |secret| is changing,
144  // this field may be left unset.
145  optional KeyData data = 1;
146  // |secret| is required for many requests, like AddKeyRequest, but not all.
147  // An UpdateKeyRequest only requires the changes to the Key that was
148  // was authorized in the AuthorizationRequest. Making |secret| required would
149  // logically force a key rotation even if the values were the same.
150  optional bytes secret = 2;
151}
152