From 7698a065526b2ce68cf626177b28cbedb276b60d Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Sat, 28 Nov 2009 18:06:47 +0000
Subject: Use the OpenSession function for algorithm Negotiation.

This has several benefits:

 * Removes gray area of whether a single session could renegotiate a different key exchange.
 * Removes strange state that a session is in before negotiation of an algorithm.
 * Less API.
 * OpenSession() could be called multiple times for algorithms that require more than one back and forth negotiation. We have none of these presently.

---
 secret-service/org.freedesktop.Secrets.xml | 31 +++++----------
 secret-service/specification.xml | 60 +++++++++++++++++-------------
 2 files changed, 45 insertions(+), 46 deletions(-)

diff --git a/secret-service/org.freedesktop.Secrets.xml b/secret-service/org.freedesktop.Secrets.xml index c514438..430a81e 100644 --- a/secret-service/org.freedesktop.Secrets.xml +++ b/secret-service/org.freedesktop.Secrets.xml @@ -102,8 +102,17 @@ Open a unique session for the caller application. + + The algorithm the caller wishes to use. + + + Input arguments for the algorithm. + + + Output of the session algorithm negotiation. + - The object path of the session. + The object path of the session, if session was created. @@ -370,26 +379,6 @@ Close this session. - - Negotiate key agreement and encryption. - - - The algorithm the caller wishes to use. - - - - Input arguments for the algorithm. - - - - Output of the negotiation. - - - - Whether the negotiation is complete or requires further calls. - - - diff --git a/secret-service/specification.xml b/secret-service/specification.xml index 92f5f68..e69d116 100644 --- a/secret-service/specification.xml +++ b/secret-service/specification.xml 
@@ -254,12 +254,13 @@ application must agree on an algorithm, and some algorithm specific parameters (eg: a key). - The client application opens a session - with the service, and then calls the - - Negotiate() method on that session. The algorithms argument to the - Negotiate() method specifies a set of algorithms to be used together for - key agreement and encryption. The other arguments are algorithm specific. + When the client application opens a session + with the service, it calls the + + OpenSession() method on the service. The algorithms argument to the + OpenSession() method specifies a set of algorithms to be used + together for key agreement and encryption. The other arguments are algorithm + specific. If a service does not support a specific set of algorithms, a 
@@ -267,13 +268,20 @@ error is returned, and the client is free to try another set of algorithms. The plain algorithm is almost always supported. - An algorithm may require that the Negotiate() method is called multiple - times in succession to be complete. Each iteration transfers algorithm specific - data back forth between the service and the client. + An algorithm may require that the OpenSession() method is + called multiple times in succession to be complete. Each iteration transfers + algorithm specific data back forth between the service and the client. The object path + '/' is returned from OpenSession() when session negotiation is + incomplete. - Once an algorithm has been negotiated, it is used for all transfer of secrets - between the service and the client application in both directions. Algorithm - specific parameters may be transfered with each + None of the algorithms documented in this initial version of the specification + require multiple calls to OpenSession(). + + When OpenSession() completes, it returns the session object + path along with a valid session object path. + + Once an session algorithm has been negotiated, it is used for all transfer a + secrets whenever that session is specified along with the secret. @@ -282,11 +290,11 @@ - Algorithm string - - Negotiate input - - Negotiate output + Session algorithm + + Session input + + Session output Secret parameter 
@@ -309,23 +317,25 @@ - Algorithm string - - Negotiate input - - Negotiate output + Session algorithm + + Session input + + Session output Secret parameter dh-ietf1024-aes128-cbc-pkcs7 - client dh pub key as an array of bytes - service dh pub key as an array of bytes + Client DH pub key as an array of bytes + Service DH pub key as an array of bytes 16 byte AES initialization vector - TODO: Document + The public keys are transferred as an array of bytes representing an + unsigned integer of arbitrary size, most-significant byte first (e.g., the + integer 32768 is represented as the 2-byte string 0x80 0x00) -- cgit v1.2.3-70-g09d2
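Review bot: In the OpenSession() hunk of org.freedesktop.Secrets.xml (@@ -102,8 +102,17), the result is documented only as "The object path of the session, if session was created", which leaves the not-created case undefined at the interface level. specification.xml in this same patch says the object path '/' is returned while negotiation is incomplete; repeat that here. The later hunk (@@ -370,26 +379,6) removes the explicit "Whether the negotiation is complete or requires further calls" output, so the '/' path is now the only completion signal a client has, and it should be documented next to the method that returns it.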
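Review bot: In the specification.xml hunk at @@ -254,12 +254,13, the new paragraph speaks of "The algorithms argument" that "specifies a set of algorithms", while the interface documentation added in org.freedesktop.Secrets.xml describes the same input as "The algorithm the caller wishes to use". Use one wording in both files, and make clear that a single string such as dh-ietf1024-aes128-cbc-pkcs7 names the whole key agreement and encryption combination, so a reader does not expect to pass a list.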
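Review bot: In the specification.xml hunk at @@ -267,13 +268,20, the added sentence "When OpenSession() completes, it returns the session object path along with a valid session object path" names the same value twice; going by the interface hunk, the first item should be the output of the session algorithm negotiation. The same hunk also has "Once an session algorithm", "all transfer a secrets" and "back forth", which want fixing before merge. Separately, the text allows OpenSession() to be called several times with '/' returned in between, but says nothing about how the service ties a later call to an earlier incomplete one from the same caller, or when it may discard that pending state; since no algorithm needs this yet, either specify it or note that it is left undefined.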
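Review bot: In the dh-ietf1024-aes128-cbc-pkcs7 row (specification.xml, @@ -309,23 +317,25), the text that replaces "TODO: Document" covers only the wire encoding of the public keys. It does not say how the AES key is obtained from the DH exchange or which group parameters "ietf1024" refers to, so the row alone is not enough to implement the algorithm interoperably. The encoding itself is also underspecified: "an unsigned integer of arbitrary size, most-significant byte first" does not say whether leading zero bytes are permitted or whether a fixed length is expected. Please add those details, and consider stating that a receiver validates the peer's public value before using it.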