Initial skeletal implementation of the PrincipalService. Also, use the Login()/GetUserBlessing()

mojo/services/vanadium/security/public/interfaces/principal.mojom

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module mojo;
+
+// Represents the name of an application. |url| is the url of the
+// application. |qualifier| is a string that allows to tie a specific
+// instance of an application to another. 
+struct AppName {

[ataly, 2015/07/31 19:04:04]

Should this be called "AppInstanceName"?
(In the comments inside the PrincipalService interface we use AppName to refer
to an application instance.)

[gauthamt, 2015/07/31 20:24:16]

Done.

+  string url;
+  string? qualifier;
+};
+
+// Signature represents a digital signature of a message.
+struct Signature {
+   // Purpose of the signature. Can be used to prevent type attacks.
+   // The actual signature (R, S values for ECDSA keys) is produced by signing
+   // Hash(Hash(message), Hash(Purpose)).
+   array<uint8> purpose;
+   // Cryptographic hash function applied to the message before computing
+   // the signature.
+   enum Hash {
+    SHA1Hash = 1,
+    SHA256Hash,
+    SHA384Hash,
+    SHA512Hash,
+   };
+   Hash hash;
+   // Pair of integers that make up an ECDSA signature
+   array<uint8> r;
+   array<uint8> s;
+};
+
+// Certificate represents a human-readable name/public-key pair. The private-key

[ataly, 2015/07/31 19:04:04]

Nit: we should say human-readable name and public-key pair.

[gauthamt, 2015/07/31 20:24:16]

Done.

+// for a certificate is only available for signing operations within the principal
+// service application.
+struct Certificate {
+   string extension;
+   array<uint8>? publickey;
+};
+
+// Blessing represents a user identity.

[ataly, 2015/07/31 19:04:04]

How about changing the comment to:

// Blessing is a credential binding a (human-readable) user identity to a public
key. The corresponding private key is only available for signing operations
within the PrincipalService application.

(This last sentence currently appears in the comment for Certificate but I think
we can remove it from there)

[gauthamt, 2015/07/31 20:24:16]

Done.

I'd left out binding before as we don't really sign it. 

+struct Blessing {
+   array<Certificate> chain;
+};
+
+// A service that binds that user identities to an application instance running

[ataly, 2015/07/31 19:04:04]

extra "that"

[gauthamt, 2015/07/31 20:24:16]

Done.

+// in Mojo. 
+interface PrincipalService {
+  // Login is called by an application instance (requestor_url/qualifier) that

[ataly, 2015/07/31 19:04:04]

Nit: We use "this" application instance in the comments below, should we change
it to "the calling" application instance? (I am not sure what the Mojo
convention is.)

[gauthamt, 2015/07/31 20:24:16]

Changed it to "Removes the user blessing for the application instance that
invokes the Logout method"

+  // wants to get a user blessing. The service may obtain the user blessing
+  // through a third-party authentication flow (eg:oauth2). The user blessing
+  // is bound to a public/private key-pair that this service generates and
+  // persists for this application instance.
+  Login() => (Blessing? user_blessing);
+
+  // Logout removes the user blessing for this application instance.
+  Logout();
+
+  // Sign returns a signature on the message using the private key that is
+  // persisted for this application instance.
+  Sign(array<uint8> message) => (Signature? signature);
+
+  // GetUserBlessing returns the user blessing for a given application instance.
+  // It returns an error if the application instance has not invoked Login().
+  GetUserBlessing(AppName app_name) => (Blessing? user_blessing);
+};
+