cryptohome/key_objects.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2020 The ChromiumOS Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CRYPTOHOME_KEY_OBJECTS_H_
 #define CRYPTOHOME_KEY_OBJECTS_H_

 #include <optional>
 #include <string>
 #include <vector>

 #include <brillo/secure_blob.h>

 #include "cryptohome/cryptorecovery/cryptorecovery.pb.h"
 #include "cryptohome/flatbuffer_schemas/structures.h"
 #include "cryptohome/username.h"

 namespace cryptohome {

 // Data required for Cryptohome Recovery flow.
 // For creation of the recovery key, `mediator_pub_key` field should be set.
 // For derivation of the recovery key, `epoch_pub_key`, `ephemeral_pub_key`,
 // `recovery_response`, `ledger_name`, `ledger_key_hash`, `ledger_public_key`
 // fields should be set.
 struct CryptohomeRecoveryAuthInput {
   // Public key of the mediator for Cryptohome recovery flow.
   std::optional<brillo::SecureBlob> mediator_pub_key;
   // GaiaId of the owner of cryptohome to be recovered.
   std::string user_gaia_id;
   // Unique identifier generated on cryptohome creation.
   std::string device_user_id;
   // Serialized cryptorecovery::CryptoRecoveryEpochResponse.
   // An epoch response received from Recovery Mediator service containing epoch
   // beacon value for Cryptohome recovery flow.
   std::optional<brillo::SecureBlob> epoch_response;
   // Ephemeral public key for Cryptohome recovery flow.
   std::optional<brillo::SecureBlob> ephemeral_pub_key;
   // Serialized cryptorecovery::CryptoRecoveryRpcResponse.
   // A response received from Recovery Mediator service and used by Cryptohome
   // recovery flow to derive the wrapping keys.
   std::optional<brillo::SecureBlob> recovery_response;

   // The ledger info from the chrome side and used by Cryptohome
   // recovery flow to determine which ledger is used:
   // Ledger's name.
   std::string ledger_name;
   // Ledger's public key hash.
   uint32_t ledger_key_hash;
   // Ledger's public key.
   std::optional<brillo::SecureBlob> ledger_public_key;
 };

 // Data required for Challenge Credential flow.
 struct ChallengeCredentialAuthInput {
   // DER-encoded blob of the X.509 Subject Public Key Info.
   brillo::Blob public_key_spki_der;
   // Supported signature algorithms, in the order of preference
   // (starting from the most preferred). Absence of this field
   // denotes that the key cannot be used for signing.
   std::vector<structure::ChallengeSignatureAlgorithm>
       challenge_signature_algorithms;
   // Dbus service name used when generating a KeyChallengeService,
   // also used to create the ChallengeCredential AuthBlock.
   std::string dbus_service_name;
 };

 struct AuthInput {
   // The user input, such as password.
   std::optional<brillo::SecureBlob> user_input;
   // Whether or not the PCR is extended, this is usually false.
   std::optional<bool> locked_to_single_user;
   // The username accosiated with the running AuthSession.
   Username username;
   // The obfuscated username.
   std::optional<ObfuscatedUsername> obfuscated_username;
   // A generated reset secret to unlock a rate limited credential. This will be
   // used for USS.
   std::optional<brillo::SecureBlob> reset_secret;
   // reset_seed used to generate a reset secret.
   // This will be removed after full migration to USS.
   std::optional<brillo::SecureBlob> reset_seed;
   // reset_salt used to generate a reset secret.
   // This will be removed after full migration to USS.
   std::optional<brillo::SecureBlob> reset_salt;
   // Data required for Cryptohome Recovery flow.
   std::optional<CryptohomeRecoveryAuthInput> cryptohome_recovery_auth_input;
   // Data required for Challenge Credential flow.
   std::optional<ChallengeCredentialAuthInput> challenge_credential_auth_input;
 };

 // This struct is populated by the various authentication methods, with the
 // secrets derived from the user input.
 struct KeyBlobs {
   // Derives a secret used for wrapping the UserSecretStash main key. This
   // secret is not returned by auth blocks directly, but rather calculated as a
   // KDF of their output, allowing for adding new derived keys in the future.
   std::optional<brillo::SecureBlob> DeriveUssCredentialSecret() const;

   // The file encryption key. TODO(b/216474361): Rename to reflect this value is
   // used for deriving various values and not only for vault keysets, and add a
   // getter that returns the VKK.
   std::optional<brillo::SecureBlob> vkk_key;
   // The Scrypt chaps key. Used for ScryptAuthBlock for storing the chaps key.
   std::optional<brillo::SecureBlob> scrypt_chaps_key;
   // The Scrypt reset seed key. Used for ScryptAuthBlock for storing the reset
   // seed key.
   std::optional<brillo::SecureBlob> scrypt_reset_seed_key;

   // The file encryption IV.
   std::optional<brillo::SecureBlob> vkk_iv;
   // The IV to use with the chaps key.
   std::optional<brillo::SecureBlob> chaps_iv;
   // The reset secret used for LE credentials.
   std::optional<brillo::SecureBlob> reset_secret;
 };

 }  // namespace cryptohome

 #endif  // CRYPTOHOME_KEY_OBJECTS_H_
	// Copyright 2020 The ChromiumOS Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CRYPTOHOME_KEY_OBJECTS_H_
	#define CRYPTOHOME_KEY_OBJECTS_H_

	#include <optional>
	#include <string>
	#include <vector>

	#include <brillo/secure_blob.h>

	#include "cryptohome/cryptorecovery/cryptorecovery.pb.h"
	#include "cryptohome/flatbuffer_schemas/structures.h"
	#include "cryptohome/username.h"

	namespace cryptohome {

	// Data required for Cryptohome Recovery flow.
	// For creation of the recovery key, `mediator_pub_key` field should be set.
	// For derivation of the recovery key, `epoch_pub_key`, `ephemeral_pub_key`,
	// `recovery_response`, `ledger_name`, `ledger_key_hash`, `ledger_public_key`
	// fields should be set.
	struct CryptohomeRecoveryAuthInput {
	// Public key of the mediator for Cryptohome recovery flow.
	std::optional<brillo::SecureBlob> mediator_pub_key;
	// GaiaId of the owner of cryptohome to be recovered.
	std::string user_gaia_id;
	// Unique identifier generated on cryptohome creation.
	std::string device_user_id;
	// Serialized cryptorecovery::CryptoRecoveryEpochResponse.
	// An epoch response received from Recovery Mediator service containing epoch
	// beacon value for Cryptohome recovery flow.
	std::optional<brillo::SecureBlob> epoch_response;
	// Ephemeral public key for Cryptohome recovery flow.
	std::optional<brillo::SecureBlob> ephemeral_pub_key;
	// Serialized cryptorecovery::CryptoRecoveryRpcResponse.
	// A response received from Recovery Mediator service and used by Cryptohome
	// recovery flow to derive the wrapping keys.
	std::optional<brillo::SecureBlob> recovery_response;

	// The ledger info from the chrome side and used by Cryptohome
	// recovery flow to determine which ledger is used:
	// Ledger's name.
	std::string ledger_name;
	// Ledger's public key hash.
	uint32_t ledger_key_hash;
	// Ledger's public key.
	std::optional<brillo::SecureBlob> ledger_public_key;
	};

	// Data required for Challenge Credential flow.
	struct ChallengeCredentialAuthInput {
	// DER-encoded blob of the X.509 Subject Public Key Info.
	brillo::Blob public_key_spki_der;
	// Supported signature algorithms, in the order of preference
	// (starting from the most preferred). Absence of this field
	// denotes that the key cannot be used for signing.
	std::vector<structure::ChallengeSignatureAlgorithm>
	challenge_signature_algorithms;
	// Dbus service name used when generating a KeyChallengeService,
	// also used to create the ChallengeCredential AuthBlock.
	std::string dbus_service_name;
	};

	struct AuthInput {
	// The user input, such as password.
	std::optional<brillo::SecureBlob> user_input;
	// Whether or not the PCR is extended, this is usually false.
	std::optional<bool> locked_to_single_user;
	// The username accosiated with the running AuthSession.
	Username username;
	// The obfuscated username.
	std::optional<ObfuscatedUsername> obfuscated_username;
	// A generated reset secret to unlock a rate limited credential. This will be
	// used for USS.
	std::optional<brillo::SecureBlob> reset_secret;
	// reset_seed used to generate a reset secret.
	// This will be removed after full migration to USS.
	std::optional<brillo::SecureBlob> reset_seed;
	// reset_salt used to generate a reset secret.
	// This will be removed after full migration to USS.
	std::optional<brillo::SecureBlob> reset_salt;
	// Data required for Cryptohome Recovery flow.
	std::optional<CryptohomeRecoveryAuthInput> cryptohome_recovery_auth_input;
	// Data required for Challenge Credential flow.
	std::optional<ChallengeCredentialAuthInput> challenge_credential_auth_input;
	};

	// This struct is populated by the various authentication methods, with the
	// secrets derived from the user input.
	struct KeyBlobs {
	// Derives a secret used for wrapping the UserSecretStash main key. This
	// secret is not returned by auth blocks directly, but rather calculated as a
	// KDF of their output, allowing for adding new derived keys in the future.
	std::optional<brillo::SecureBlob> DeriveUssCredentialSecret() const;

	// The file encryption key. TODO(b/216474361): Rename to reflect this value is
	// used for deriving various values and not only for vault keysets, and add a
	// getter that returns the VKK.
	std::optional<brillo::SecureBlob> vkk_key;
	// The Scrypt chaps key. Used for ScryptAuthBlock for storing the chaps key.
	std::optional<brillo::SecureBlob> scrypt_chaps_key;
	// The Scrypt reset seed key. Used for ScryptAuthBlock for storing the reset
	// seed key.
	std::optional<brillo::SecureBlob> scrypt_reset_seed_key;

	// The file encryption IV.
	std::optional<brillo::SecureBlob> vkk_iv;
	// The IV to use with the chaps key.
	std::optional<brillo::SecureBlob> chaps_iv;
	// The reset secret used for LE credentials.
	std::optional<brillo::SecureBlob> reset_secret;
	};

	} // namespace cryptohome

	#endif // CRYPTOHOME_KEY_OBJECTS_H_