File: dbus-constants.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (197 lines) | stat: -rw-r--r-- 10,385 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
 
// Copyright 2023 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SYSTEM_API_DBUS_CHAPS_DBUS_CONSTANTS_H_
#define SYSTEM_API_DBUS_CHAPS_DBUS_CONSTANTS_H_

#include <stdint.h>

#include <cstdint>

namespace chaps {

inline constexpr uint64_t kTokenLabelSize = 32;

// Chaps-specific attributes:

// PKCS #11 v2.20 section A Manifest constants page 377. PKCS11_ prefix is added
// to avoid name collisions with #define-d constants.
inline constexpr uint32_t PKCS11_CKA_VENDOR_DEFINED = 0x80000000;
inline constexpr uint32_t kKeyBlobAttribute = PKCS11_CKA_VENDOR_DEFINED + 1;
inline constexpr uint32_t kAuthDataAttribute = PKCS11_CKA_VENDOR_DEFINED + 2;
// If this attribute is set to true at creation or generation time, then the
// object will not be stored/wrapped in hardware-backed security element, and
// will remain purely in software.
inline constexpr uint32_t kForceSoftwareAttribute =
    PKCS11_CKA_VENDOR_DEFINED + 4;
// This attribute is set to false if the key is stored in hardware-backed
// security element, and true otherwise.
inline constexpr uint32_t kKeyInSoftwareAttribute =
    PKCS11_CKA_VENDOR_DEFINED + 5;
// If this attribute is set to true at creation or generation time, then the
// object may be generated in software, but still stored/wrapped in the
// hardware-backed security element.
inline constexpr uint32_t kAllowSoftwareGenAttribute =
    PKCS11_CKA_VENDOR_DEFINED + 6;
// If this attribute is set to true at creation or generation time, then the
// object can be wrapped with the kChapsKeyWrapMechanism (define below). The
// attribute can be changed from CK_TRUE to CK_FALSE, but not the other way
// around.
inline constexpr uint32_t kChapsWrappableAttribute =
    PKCS11_CKA_VENDOR_DEFINED + 7;

// Chaps-specific mechanisms:

// PKCS #11 v2.20 section A Manifest constants page 381. PKCS11_ prefix is added
// to avoid name collisions with #define-d constants.
inline constexpr uint32_t PKCS11_CKM_VENDOR_DEFINED = 0x80000000UL;
inline constexpr uint32_t CKM_CHAPS_SPECIFIC_FIRST =
    PKCS11_CKM_VENDOR_DEFINED + 0x10000000;

// The kChapsKeyWrapMechanism mechanism can wrap and unwrap a target key of any
// length and type using chaps' internal random seed during the wrapping/
// unwrapping process. This mechanism is used when we want to securely move a
// key between tokens on the same device (specifically, from the system-token to
// the user-token), while the wrapped_key cannot be decrypted without having
// access to chaps' internal random seed.
//
// The mechanism is designed based on the CKM_AES_KEY_WRAP_KWP, which is using
// a same AES key to wrap/unwrap the target key. However, instead of retrieving
// the wrapping/unwrapping key from the handle, kChapsKeyWrapMechanism uses
// chaps' internal random seed (which is shared between chaps tokens) to derive
// the temporary AES key. As a result, no wrapping/unwrapping key is needed for
// this mechanism.
//
// For wrapping, the mechanism -
//  1. Generates a random blob of length=32.
//  2. Use HmacSha512() with input [random blob] and [Chaps' random seed] to
//     derive a temporary AES key.
//  3. Wraps the target key with the temporary AES key using
//     CKM_AES_KEY_WRAP_KWP ([AES KEYWRAP] section 6.3).
//  4. Zeroizes the temporary AES key
//  5. Fill the [random blob] and the wrapped target key into some protobuf and
//     output the serialized result.
//
// For unwrapping, the mechanism -
//  1. Deserializes the input protobuf and obtains the [random blob] and the
//     wrapped target key.
//  2. Use HmacSha512() with input [random blob] and [Chaps' random seed] to
//     derive a temporary AES key. Note that [Chaps' random seed] is shared
//     across tokens so we'll obtain the same temporary AES key.
//  3. Unwraps the target key with the temporary AES key using
//     CKM_AES_KEY_WRAP_KWP ([AES KEYWRAP] section 6.3).
//  4. Zeroizes the temporary AES key.
//  5. Returns the handle to the newly unwrapped target key.
inline constexpr uint32_t kChapsKeyWrapMechanism = CKM_CHAPS_SPECIFIC_FIRST + 1;

// Chaps-specific return values:

// PKCS #11 v2.20 section A Manifest constants page 382. PKCS11_ prefix is added
// to avoid name collisions with #define-d constants.
inline constexpr uint32_t PKCS11_CKR_VENDOR_DEFINED = 0x80000000UL;
inline constexpr uint32_t CKR_CHAPS_SPECIFIC_FIRST =
    PKCS11_CKR_VENDOR_DEFINED + 0x47474c00;
// Error code returned in case if the operation would block waiting
// for private objects to load for the token. This value is persisted to logs
// and should not be renumbered and numeric values should never be reused.
// Please keep in sync with "ChapsSessionStatus" in
// tools/metrics/histograms/enums.xml in the Chromium repo.
inline constexpr uint32_t CKR_WOULD_BLOCK_FOR_PRIVATE_OBJECTS =
    CKR_CHAPS_SPECIFIC_FIRST + 0;
// Client side error code returned in case the D-Bus client is null.
inline constexpr uint32_t CKR_DBUS_CLIENT_IS_NULL =
    CKR_CHAPS_SPECIFIC_FIRST + 1;
// Client side error code returned in case D-Bus returned an empty response.
inline constexpr uint32_t CKR_DBUS_EMPTY_RESPONSE_ERROR =
    CKR_CHAPS_SPECIFIC_FIRST + 2;
// Client side error code returned in case the D-Bus response couldn't be
// decoded.
inline constexpr uint32_t CKR_DBUS_DECODING_ERROR =
    CKR_CHAPS_SPECIFIC_FIRST + 3;
// Client side error code returned in case a new PKCS#11 session could not be
// opened. It is useful to differentiate from CKR_SESSION_HANDLE_INVALID and
// CKR_SESSION_CLOSED errors because for those the receiver is expected to retry
// the operation immediately and kFailedToOpenSessionError indicates a more
// persistent failure.
inline constexpr uint32_t CKR_FAILED_TO_OPEN_SESSION =
    CKR_CHAPS_SPECIFIC_FIRST + 4;

// D-Bus service constants.
inline constexpr char kChapsInterface[] = "org.chromium.Chaps";
inline constexpr char kChapsServiceName[] = "org.chromium.Chaps";
inline constexpr char kChapsServicePath[] = "/org/chromium/Chaps";

// Methods, should be kept in sync with the
// chaps/dbus_bindings/org.chromium.Chaps.xml file. "OpenIsolate",
// "CloseIsolate", "InitPIN", "SetPIN", "Login", "Logout" methods are excluded
// because they are unlikely to be used.
inline constexpr char kLoadTokenMethod[] = "LoadToken";
inline constexpr char kUnloadTokenMethod[] = "UnloadToken";
inline constexpr char kGetTokenPathMethod[] = "GetTokenPath";
inline constexpr char kSetLogLevelMethod[] = "SetLogLevel";
inline constexpr char kGetSlotListMethod[] = "GetSlotList";
inline constexpr char kGetSlotInfoMethod[] = "GetSlotInfo";
inline constexpr char kGetTokenInfoMethod[] = "GetTokenInfo";
inline constexpr char kGetMechanismListMethod[] = "GetMechanismList";
inline constexpr char kGetMechanismInfoMethod[] = "GetMechanismInfo";
inline constexpr char kInitTokenMethod[] = "InitToken";
inline constexpr char kOpenSessionMethod[] = "OpenSession";
inline constexpr char kCloseSessionMethod[] = "CloseSession";
inline constexpr char kGetSessionInfoMethod[] = "GetSessionInfo";
inline constexpr char kGetOperationStateMethod[] = "GetOperationState";
inline constexpr char kSetOperationStateMethod[] = "SetOperationState";
inline constexpr char kCreateObjectMethod[] = "CreateObject";
inline constexpr char kCopyObjectMethod[] = "CopyObject";
inline constexpr char kDestroyObjectMethod[] = "DestroyObject";
inline constexpr char kGetObjectSizeMethod[] = "GetObjectSize";
inline constexpr char kGetAttributeValueMethod[] = "GetAttributeValue";
inline constexpr char kSetAttributeValueMethod[] = "SetAttributeValue";
inline constexpr char kFindObjectsInitMethod[] = "FindObjectsInit";
inline constexpr char kFindObjectsMethod[] = "FindObjects";
inline constexpr char kFindObjectsFinalMethod[] = "FindObjectsFinal";
inline constexpr char kEncryptInitMethod[] = "EncryptInit";
inline constexpr char kEncryptMethod[] = "Encrypt";
inline constexpr char kEncryptUpdateMethod[] = "EncryptUpdate";
inline constexpr char kEncryptFinalMethod[] = "EncryptFinal";
inline constexpr char kEncryptCancelMethod[] = "EncryptCancel";
inline constexpr char kDecryptInitMethod[] = "DecryptInit";
inline constexpr char kDecryptMethod[] = "Decrypt";
inline constexpr char kDecryptUpdateMethod[] = "DecryptUpdate";
inline constexpr char kDecryptFinalMethod[] = "DecryptFinal";
inline constexpr char kDecryptCancelMethod[] = "DecryptCancel";
inline constexpr char kDigestInitMethod[] = "DigestInit";
inline constexpr char kDigestMethod[] = "Digest";
inline constexpr char kDigestUpdateMethod[] = "DigestUpdate";
inline constexpr char kDigestKeyMethod[] = "DigestKey";
inline constexpr char kDigestFinalMethod[] = "DigestFinal";
inline constexpr char kDigestCancelMethod[] = "DigestCancel";
inline constexpr char kSignInitMethod[] = "SignInit";
inline constexpr char kSignMethod[] = "Sign";
inline constexpr char kSignUpdateMethod[] = "SignUpdate";
inline constexpr char kSignFinalMethod[] = "SignFinal";
inline constexpr char kSignCancelMethod[] = "SignCancel";
inline constexpr char kSignRecoverInitMethod[] = "SignRecoverInit";
inline constexpr char kSignRecoverMethod[] = "SignRecover";
inline constexpr char kVerifyInitMethod[] = "VerifyInit";
inline constexpr char kVerifyMethod[] = "Verify";
inline constexpr char kVerifyUpdateMethod[] = "VerifyUpdate";
inline constexpr char kVerifyFinalMethod[] = "VerifyFinal";
inline constexpr char kVerifyCancelMethod[] = "VerifyCancel";
inline constexpr char kVerifyRecoverInitMethod[] = "VerifyRecoverInit";
inline constexpr char kVerifyRecoverMethod[] = "VerifyRecover";
inline constexpr char kDigestEncryptUpdateMethod[] = "DigestEncryptUpdate";
inline constexpr char kDecryptDigestUpdateMethod[] = "DecryptDigestUpdate";
inline constexpr char kSignEncryptUpdateMethod[] = "SignEncryptUpdate";
inline constexpr char kDecryptVerifyUpdateMethod[] = "DecryptVerifyUpdate";
inline constexpr char kGenerateKeyMethod[] = "GenerateKey";
inline constexpr char kGenerateKeyPairMethod[] = "GenerateKeyPair";
inline constexpr char kWrapKeyMethod[] = "WrapKey";
inline constexpr char kUnwrapKeyMethod[] = "UnwrapKey";
inline constexpr char kDeriveKeyMethod[] = "DeriveKey";
inline constexpr char kSeedRandomMethod[] = "SeedRandom";
inline constexpr char kGenerateRandomMethod[] = "GenerateRandom";

}  // namespace chaps

#endif  // SYSTEM_API_DBUS_CHAPS_DBUS_CONSTANTS_H_