Secrets API Specification |
---|
Secrets 0.1
Copyright © 2008-2009 The Secrets API Authors
Table of Contents
The Secrets API allows client applications to store secrets securily in a service running in the user's login session.
The secrets are usually stored in an encrypted manner by the service. The service may need to be unlocked and/or authenticated by the user before the secrets become available for retrieval by client applications.
The Secrets service stores a secret along with a set of lookup attributes. The attributes can be used to lookup and retrieve a secret at a later date. The lookup attributes are not treated as secret material, and the service may choose to not encrypt attributes when storing them to disk.
A secret is something an application wishes to store securely. A good example is a password that an application needs to save and use at a later date.
Within this API a secret value is treated as an array of bytes. It is recommended that a secret consist of user readable text, although this API has no such requirement.
Applications wishing to store multiple values as part of a single secret, may choose to use a textual format to combine these values into one. For example, the 'desktop' key file format, or XML or another form of markup.
Secrets may be
The Secret structure encapsulates a secret value along with it's transfer encryption parameters.
Each secret is stored together with
A group of items together form a collection. A collection is similar in concept to the terms 'keyring' or 'wallet'.
Collections and items are represented as DBus objects, and each have their own object paths. However these may change from time to time.
It is strongly recommended that client applications use
An item or a collection may be initially in a locked state. When in a locked state the item or collection may not be modified in any way, and the secret may not be read. Client applications that require access to the secret of a locked item, or desire to modify a locked item, should unlock it before use.
The service must prevent locked collections or items from modification. On such an invalid access the IsLocked error should be raised.
Client applications without special requirements should store in the default collection. Use the DefaultCollection property on the Service interface to determine the default collection. In addition the default collection is always accessible through a specific object path.
Client applications with special needs can create a new collection by calling the
A collection may be marked as private on creation. A private collection and the items within it may only be unlocked by the application that created the collection. Service implementors may choose not to implement this feature and should ignore the private argument when creating a collection. Client applications that demand this feature, should check the the Private property after creating a collection to see if the request for a private collection was ignored.
A collection can be deleted by calling the
Attributes can and should be stored with a secret to facilitate lookup of the secret at a later date.
An attribute constists of a name, and a value. Both parts are simple strings.
The service may have additional requirements as to what can be present in an attribute name. It is recommended that attribute names are human readable, and kept simple for the sake of simplicity.
During a lookup, attribute names and values are matched via case-sensitive string equality.
It's important to remember that attributes are not part of the secret. Services implementing this API will probably store attributes in an unencrypted manner in order to support simple and effecient lookups.
A session is established between a client application and a service. A session is used to unlock items and collections when necessary. It is also used to negotiate encryption of transferred secrets between the client application and the service.
A session is established by calling the service's OpenSession() method. Once established, a session is bound to calling application's connection to the DBus session bus. Generally only one session can be established per client application. Calling OpenSession() a second time results in an AlreadyExists error.
A session is closed when the client application disconnects from the DBus session bus. Alternatively the client application can call the Close() method on the session interface. Once a session is closed all session specific negotiations and authentication should be dropped by the service.
Since this is a D-Bus API, the data in all method calls and other accesses in this API will go through multiple processes, and may be cached arbitrarily by the OS or elsewhere.
The Secrets API has provision to encrypt secrets while in transit between the service and the client application.
The encryption is not envisioned to withstand man in the middle attacks, or other active attacks. It is envisioned to minimize storage of plain text secrets in memory and prevent storage plain text storage of secrets in a swap file or other caching mechanism.
Many client applications may choose not to make use of the provisions to encrypt secrets in transit. In fact for applications unable to prevent their own memory from being paged to disk (eg: Java, C# or Python apps), transfering encrypted secrets would be an excersize of questionable value.
This API was desigened by GNOME and KDE developers with the goal of having a common way to store secrets. It's predecessors are the desktop specific APIs used by GNOME Keyring and KWallet.
In order to encrypt secrets in transit, the service and the client application must agree on an algorithm, and some algorithm specific parameters (eg: a key).
The client application opens a session with the service, and then calls the Negotiate() method on that session. The algorithms argument to the Negotiate() method specifies a set of algorithms to be used together for key agreement and encryption. The other arguments are algorithm specific.
If a service does not support a specific set of algorithms, a NotSupported error is returned, and the client is free to try another set of algorithms. The PLAIN algorithm is almost always supported.
An algorithm may require that the Negotiate() method is called multiple times in succession to be complete. Each iteration transfers algorithm specific data back forth between the service and the client.
Once an algorithm has been negotiated, it is used for all transfer of secrets between the service and the client application in both directions. Algorithm specific parameters may be transfered with each secret.
Algorithm string: PLAIN |
Negotiate input: empty string |
Negotiate output: empty string |
Secret parameter: empty string |
The plain algorithm does no encryption whatsoever.
It is strongly recommended that a service implementing this API support the PLAIN algorithm.
Algorithm string: DH-GROUP-???+AES-128 |
Negotiate input: ???TODO??? |
Negotiate output: ???TODO??? |
Secret parameter: 16 byte AES Initialization Vector. |
TODO: Document
Some items and/or collections may be marked as locked by the service. The secrets of locked items cannot be accessed. Locked items or collections cannot be modified by the client application.
In order to unlock an item or collection a session is established by the client application, and the BeginAuthenticate() method is called with one or more DBus object paths of items or collections. The BeginAuthenticate() method is asynchronous and may return before the item is actually unlocked.
The service will then unlock the item or collection, perhaps by prompting the user for a password, or it could require use a hardware token of some sort.
After the service tries to unlock an item or collection, whether successfully or unsuccessfully, the Authenticated signal on the session interface is emitted.
The client application may, but is not required to, call the CompleteAuthenticate() method. One or more DBus object paths of items or collections that BeginAuthenticate() was previously called with, can be passed in. The CompleteAuthenticate() returns the items that were successfully authenticated. In addition if the unlock process is not yet complete for some items or collections, the service should stop trying to ask the user to unlock or authenticate them.
It's up to the service whether to unlock items individually, or collections as a whole. The client application should act as if it must unlock each item individually.
A service may upon unlocking a collection, unlock all items in that collection. If a service is not able to unlock an item individually, it should treat a request to unlock an item as a request to unlock the connection that the item is in. The Authenticated signal should however still be emitted for the individual items that were requested to be unlocked.
A service may choose to authenticate items or collections just for a single client application. Alternatively the service may choose to allow any client application to access items or collections authenticated by a single client application. A client application should always be ready to call BeginAuthenticate() the secrets it needs, or objects it must modify. It must not assume that an item is already unlocked for whatever reason.
A service may implement additional DBus interfaces for further capabilities not included in this specification. Password management applications or other narrowly focused tools should make use of these when necessary.
This specification does not mandate the use of master passwords to lock a collection of secrets. The service may choose to implement any method for authenticating secrets.
This specification does not mandate any form of access control. The service may choose to allow certain applications to access a keyring, and others.
[TODO: complete]
Table of Contents
The various DBus object paths used with the Secrets API are designed to be human readable but not displayed to the user.
/org/freedesktop/Secrets/collection/xxxx
The object path for a collection, where xxxx represents a possibly encoded or truncated version of the initial label of the collection.
/org/freedesktop/Secrets/collection/xxxx/iiii
The object path for an item, where xxxx is the collection (above) and iiii is an auto-generated item specific identifier.
org.freedesktop.Secrets.Collection Interfaceorg.freedesktop.Secrets.Collection Interface — Collection of items |
Delete () SearchItems (IN Dict<String,String> fields, OUT Array<ObjectPath> results) CreateItem (IN Dict<String,String> fields, IN Secret secret, IN String label, IN Boolean replace, OUT ObjectPath item)
Items readable Array<ObjectPath> Private readable String Label readwrite String Locked readable String Created readable UInt64 Modified readable UInt64
SearchItems (IN Dict<String,String> fields, OUT Array<ObjectPath> results)
Search for items in this collection matching the lookup fields.
| Fields to match. |
| Items that matched the fields. |
CreateItem (IN Dict<String,String> fields, IN Secret secret, IN String label, IN Boolean replace, OUT ObjectPath item)
Create an item with the given fields, secret and label. If replace is set, then it replaces an item already present with the same values for the fields.
| The lookup fields for the new item. |
| The secret to store in the new item. |
| The label for the new item. |
| Whether to replace an item with the same fields or not. |
| The new item, or previous item if replaced. |
CreatedItem (ObjectPath item)
A new item in this collection was created.
| The item that was created. |
org.freedesktop.Secrets.Item Interfaceorg.freedesktop.Secrets.Item Interface — Item wraps a secret |
Delete ()
Locked readable Boolean Attributes readwrite Dict<String,String> Label readwrite String Secret readwrite Secret Created readable UInt64 Modified readable UInt64
org.freedesktop.Secrets.Service Interfaceorg.freedesktop.Secrets.Service Interface — Manages collections and sessions |
OpenSession (OUT ObjectPath result) CreateCollection (IN String label, IN Boolean private) LockService () SearchCollections (IN Dict<String,String> fields, OUT Array<ObjectPath> results, OUT Array<ObjectPath> locked) RetrieveSecrets (IN Array<ObjectPath> items, OUT Array<Secret> secrets)
OpenSession (OUT ObjectPath result)
Open a unique session for the caller application.
| The object path of the session. |
CreateCollection (IN String label, IN Boolean private)
Create a new collection with the specified access attributes
| The display name of the new collection |
| Whether this is a private collection or not. |
LockService ()
Lock down the entire service. Remove secrets from memory, lock all collections etc...
SearchCollections (IN Dict<String,String> fields, OUT Array<ObjectPath> results, OUT Array<ObjectPath> locked)
Find items in any collection.
| Find secrets in any collection. |
| Items found. |
| Items found that require authentication. |
org.freedesktop.Secrets.Session Interfaceorg.freedesktop.Secrets.Session Interface — Client application session |
Close () Negotiate (IN String algorithm, IN Variant input, OUT Variant output) BeginAuthenticate (IN Array<ObjectPath> objects, IN String window-id) CompleteAuthenticate (IN Array<ObjectPath> objects, IN Array<ObjectPath> authenticated)
Negotiate (IN String algorithm, IN Variant input, OUT Variant output)
Negotiate key agreement and encryption.
| The algorithm the caller wishes to use. |
| Input arguments for the algorithm. |
| Output of the negotiation. |
BeginAuthenticate (IN Array<ObjectPath> objects, IN String window-id)
Start asynchronous authentication of objects for the caller.
| Objects to authenticate or unlock. |
| Platform specific window handle to use for showing any prompts. |
CompleteAuthenticate (IN Array<ObjectPath> objects, IN Array<ObjectPath> authenticated)
Complete asynchronous authentication of objects for the caller.
| Objects to authenticate or unlock. |
| Objects that were successfully authenticated. |
Secret StructureSecret Structure — A secret |
{ String algorithm, Array<Byte> parameters, Array<Byte> value }
The Secret type holds a (possibly encoded) secret.
| Algorithm used to encode the secret value. |
| Algorithm dependent parameters for secret value encoding. |
| Possibly encoded secret value. |
org.freedesktop.Secrets.Error.* Error Domainorg.freedesktop.Secrets.Error.* Error Domain — Errors |
{ org.freedesktop.Secrets.Error.AlreadyExists, org.freedesktop.Secrets.Error.IsLocked, org.freedesktop.Secrets.Error.NotSupported }
Errors returned by the Secrets API.
An object (session, collection) already exists with the same name. | |
The object must be unlocked before this action can be carried out. | |
The algorithm is not supported. |