Server side support for D-Bus Secret Service API #46
Comments
|
Few notes:
|
Do you know what the differences between the keyring formats are? oo7 uses the same format as libsecret inside Flatpaks. I always assumed those formats were the same. |
|
The legacy keyring format is internally used by gnome-keyring, marked as "version 0" in the header (while libsecret one is the version 1). They are particularly different in that the legacy one encrypts everything as a whole, while the new one encrypts individual items. |
|
Good to know. Might make sense to somewhat document those things somewhere. I'm not that versed in crypto but while re-implementing keyring v1 I noticed that libsecret claims to use AES256 but doesn't pass a key long enough to do so, which causes libgcrypt to silently downgrade the encryption to AES128. Maybe it would make sense to deprecate v1 and replace it with a v2 with stronger encryption before using it in even more places? |
|
Oh, I wasn't aware of that; I agree that we should bump it then. |
|
If not anyone working on this, can you please assign this for me? @bilelmoussaoui |
The original code tries to encrypt the file format using AES-256-CBC, though actually AES-128-CBC was used because the key size is shorter and libgcrypt automatically degrades to AES-128-CBC based on the key size. Reported by Sophie Herold in: bilelmoussaoui/oo7#46 (comment) Signed-off-by: Daiki Ueno <[email protected]>
Although the D-Bus Secret Service API has several limitations and there is already a migration support from it to file storage, it would be nice if there is a server side implementation of the D-Bus API to make transition from gnome-keyring easier.
I would suggest having the server implementation backed by the oo7::portal::Keyring, while also providing automatic migration from the legacy keyring format.
The text was updated successfully, but these errors were encountered: