cryptohome: support key policies and LE credentials
This CL adds new functionality to the cryptohome API:
1) Specifying policies for keys.
2) Requesting info on the supported key policies.
3) Key policy for low entropy credentials.
BUG=chromium:794010
TEST=emerge system_api
Change-Id: I86f111291366fa6b88632b8ba919183b644fc76b
Reviewed-on: https://chromium-review.googlesource.com/448976
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
diff --git a/dbus/cryptohome/dbus-constants.h b/dbus/cryptohome/dbus-constants.h
index d11de93..428ca23 100644
--- a/dbus/cryptohome/dbus-constants.h
+++ b/dbus/cryptohome/dbus-constants.h
@@ -134,6 +134,7 @@
const char kCryptohomeMigrateToDircrypto[] = "MigrateToDircrypto";
const char kCryptohomeMigrateToDircryptoEx[] = "MigrateToDircryptoEx";
const char kCryptohomeNeedsDircryptoMigration[] = "NeedsDircryptoMigration";
+const char kCryptohomeGetSupportedKeyPolicies[] = "GetSupportedKeyPolicies";
// Signals
const char kSignalAsyncCallStatus[] = "AsyncCallStatus";
diff --git a/dbus/cryptohome/key.proto b/dbus/cryptohome/key.proto
index 5d23768..ccd850e 100644
--- a/dbus/cryptohome/key.proto
+++ b/dbus/cryptohome/key.proto
@@ -80,6 +80,26 @@
repeated ChallengeSignatureAlgorithm signature_algorithm = 2;
}
+// Policies which determine how a key can be used. |GetSupportedKeyPolicies|
+// request can be used to determine if a given policy value is supported.
+// This message is also used inside of |GetKeyDataReply|, which allows clients
+// to query current key state without submitting an authentication attempt.
+message KeyPolicy {
+ // Is this key additionally protected from brute force attacks as a low
+ // entropy credential? For such keys, delays between subsequent unsuccessful
+ // authorization attempts and/or a limit on the number of such attempts are
+ // enforced to slow down dictionary-based attacks. Set this to true when
+ // registering a key to protect it.
+ optional bool low_entropy_credential = 1;
+ // If true, the key is "locked" after too many unsuccessful authorization
+ // attempts. Future authentication attempts against a locked key fail with
+ // CRYPTOHOME_ERROR_TPM_DEFEND_LOCK error.
+ // Currently, such locking is supported only for keys with
+ // |low_entropy_credential| policy set to true,
+ // This field is ignored when registering a new key.
+ optional bool auth_locked = 2;
+}
+
// Non-secret data describing the key.
message KeyData {
// The KeyType should specify the handling needed by Cryptohome
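Review bot: The new `KeyPolicy` message documents that `auth_locked` is ignored on registration, but says nothing about whether `low_entropy_credential` can be changed after the key exists; if a later key-update path accepted a policy with the flag cleared, a caller could strip the brute-force protection from an already registered low-entropy secret. Please state the contract explicitly, for example `// This policy is fixed when the key is registered and cannot be changed afterwards.` above the field, assuming that is the intended behavior — if it is not, the reasoning for allowing downgrades belongs in the comment too. Separately, the `auth_locked` comment ends its sentence with a comma (`policy set to true,`) where a period is intended, and it would help to say that the locked state is only reported here, never set by the client. The enclosing `KeyData` message continues past the end of this hunk.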
@@ -111,6 +131,9 @@
// Is set when |type| is |KEY_TYPE_CHALLENGE_RESPONSE|. Specifies the list of
// keys that should be used for challenge requests.
repeated ChallengePublicKeyInfo challenge_response_key = 7;
+ // Optional additional policy to apply to the key. Certain policy values
+ // require hardware support which may not be available.
+ optional KeyPolicy policy = 8;
}
// Key is not presently persisted to disk, but it acts as the single authority
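Review bot: The comment on the new `policy` field says some policy values "require hardware support which may not be available" but does not say what happens when a caller asks for one anyway; a silent fallback to an ordinary key would leave a low-entropy credential with no brute-force protection, so the API should fail closed and the comment should say so. Suggested wording: `// Optional additional policy to apply to the key. Certain policy values require hardware support which may not be available; a request for an unsupported policy should be rejected rather than silently downgraded, so check |GetSupportedKeyPolicies| first.` — assuming rejection is what the implementation does, which is not visible in this change. The enclosing `KeyData` message starts before this hunk.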
diff --git a/dbus/cryptohome/rpc.proto b/dbus/cryptohome/rpc.proto
index 7682303..31ccd60 100644
--- a/dbus/cryptohome/rpc.proto
+++ b/dbus/cryptohome/rpc.proto
@@ -117,6 +117,7 @@
optional CryptohomeErrorCode error = 1;
extensions 1000 to max;
+ // Next ID to use for extensions: 1011
}
// The MountRequest call may return more than just success or failure
@@ -401,3 +402,19 @@
// The signature blob of the requested data.
optional bytes signature = 1;
}
+
+// Request a GetSupportedKeyPoliciesReply from cryptohome.
+message GetSupportedKeyPoliciesRequest {
+}
+
+// Response that informs the caller which KeyPolicy features are supported.
+message GetSupportedKeyPoliciesReply {
+ // Next ID to use: 2
+
+ extend BaseReply {
+ optional GetSupportedKeyPoliciesReply reply = 1010;
+ }
+
+ // Does it support low entropy credentials.
+ optional bool low_entropy_credentials = 1;
+}
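Review bot: The reply field is named `low_entropy_credentials` (plural) while the policy it describes is `KeyPolicy.low_entropy_credential` (singular); since field 1 is brand new, renaming it now to `low_entropy_credential` is free, whereas after this ships the mismatch is permanent in generated accessors and JSON. The comment `// Does it support low entropy credentials.` should also spell out presence semantics, because this is a proto2 `optional bool` and an older daemon will simply omit it: `// True if keys can be registered with |KeyPolicy.low_entropy_credential| set. Absent or false means unsupported; callers must treat absence as "no".` That makes clients fail closed instead of assuming protection exists when talking to a daemon that predates this field.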