blob: 95c68f38c40830c3b00b10e13f9a0f4c18cd3bdd [file] [log] [blame]
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Next MinVersion: 1
// This file defines the mojo interface between arc-keymaster and Chrome for the
// keys hardware-backed and accessible by Chrome.
module arc.keymaster.mojom;
// Enumerates the crypto algorithms supported by Host.
enum Algorithm {
// Enumerates the digests supported by Host.
enum Digest {
// Enumerates the result codes of signature operation.
enum SignatureResult {
// Failed with net or internal error on chrome side.
// The possible chaps slots relevant for arc-keymaster. Note this does NOT map
// to the PKCS#11 CK_SLOT_ID, but rather to an abstract representation of the
// value. The corresponding CK_SLOT_ID must be queried from cryptohome.
// Note this must be kept in sync with proto/key_data.proto and with the
// ContextAdaptor::Slot enum.
enum ChapsSlot {
// The key is stored in the user slot.
[Default] kUser,
// The key is stored in the system slot.
// Metadata to uniquely identify a chaps key.
struct ChapsKeyData {
// Maps to the CKA_LABEL of the CKO_PRIVATE_KEY in PKCS#11.
string label;
// Maps to the CKA_ID of the CKO_PRIVATE_KEY in PKCS#11.
string id;
// The slot where this key is stored. Does NOT map to the PKCS#11 CK_SLOT_ID.
[MinVersion=1] ChapsSlot slot;
// Union of Chrome OS keys from different sources.
union KeyData {
ChapsKeyData chaps_key_data;
// Describes a placeholder for a Chrome OS key along with metadata about the
// original key.
struct ChromeOsKey {
string base64_subject_public_key_info;
KeyData key_data;
// Interface exposed by Chrome.
// Next method ID: 1
interface CertStoreHost {
// Returns an interface to SecurityTokenOperation.
GetSecurityTokenOperation@0(SecurityTokenOperation& operation) => ();
// Interface exposed by arc-keymaster daemon.
// Next method ID: 2
interface CertStoreInstance {
// Establishes full-duplex communication with the host.
Init@0(CertStoreHost host_ptr) => ();
// Updates info about the latest set of keys owned by Chrome OS.
UpdatePlaceholderKeys@1(array<ChromeOsKey> keys) => (bool success);
// Implemented in Chrome.
// Next method ID: 1
interface SecurityTokenOperation {
// Signs input |data| pre-hashed with the given |digest|.
// Retrieves a |signature| signed by a certificate identified by
// |subject_public_key_info| by |algorithm| (currently, only RSA is
// supported).
// In case of any error, |signature| is null.
SignDigest@0(string subject_public_key_info, Algorithm algorithm,
Digest digest, array<uint8> data) => (SignatureResult result,
array<uint8>? signature);