Initial skeletal implementation of the PrincipalService. Also, use the Login()/GetUserBlessing()

mojo/services/vanadium/security/public/interfaces/principal.mojom

Index: mojo/services/vanadium/security/public/interfaces/principal.mojom
diff --git a/mojo/services/vanadium/security/public/interfaces/principal.mojom b/mojo/services/vanadium/security/public/interfaces/principal.mojom
new file mode 100644
index 0000000000000000000000000000000000000000..46381d290d567d3f833776e72b0eb4884e70e9bf
--- /dev/null
+++ b/mojo/services/vanadium/security/public/interfaces/principal.mojom
@@ -0,0 +1,70 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+module mojo;
+
+// Represents the name of an application. |url| is the url of the
+// application. |qualifier| is a string that allows to tie a specific
+// instance of an application to another. 
+struct AppInstanceName {
+  string url;
+  string? qualifier;
+};
+
+// Signature represents a digital signature of a message.
+struct Signature {
+   // Purpose of the signature. Can be used to prevent type attacks.
+   // The actual signature (R, S values for ECDSA keys) is produced by signing
+   // Hash(Hash(message), Hash(Purpose)).
+   array<uint8> purpose;
+   // Cryptographic hash function applied to the message before computing
+   // the signature.
+   enum Hash {
+    SHA1Hash = 1,
+    SHA256Hash,
+    SHA384Hash,
+    SHA512Hash,
+   };
+   Hash hash;
+   // Pair of integers that make up an ECDSA signature
+   array<uint8> r;
+   array<uint8> s;

[jamesr, 2015/08/03 18:26:39]

are |r| and |s| of a predictable size? how are they encoded?

[gautham, 2015/08/03 21:45:04]

we'll probably end up using the openssl libraries for this. The size of the
signature depends on the curve params we choose. 

https://www.openssl.org/docs/crypto/ECDSA_sign_ex.html

+};
+
+// Certificate represents a human-readable name and public-key pair. The private-key
+// for a certificate is only available for signing operations within the principal
+// service application.
+struct Certificate {
+   string extension;
+   array<uint8>? publickey;
+};
+
+// Blessing is a credential binding a user identity to a public key. The corresponding
+// private key is only available for signing within the PrincipalService application.
+struct Blessing {
+   array<Certificate> chain;
+};
+
+// A service that binds user identities to an application instance running in Mojo
+interface PrincipalService {
+  // Login is called by an application instance (requestor_url/qualifier) that
+  // wants to get a user blessing. The service may obtain the user blessing
+  // through a third-party authentication flow (eg:oauth2). The user blessing
+  // is bound to a public/private key-pair that this service generates and
+  // persists for this application instance.
+  Login() => (Blessing? user_blessing);

[jamesr, 2015/08/03 18:26:39]

if the login fails for whatever reason, what happens? does this call result in a
null Blessing or a Blessing with an empty list of certificates?

[gautham, 2015/08/03 21:45:04]

// Returns null if login fails.

+
+  // Removes the user blessing for the application instance that invokes the
+  // Logout method.
+  Logout();
+
+  // Sign returns a signature on the message using the private key that is
+  // persisted for this application instance.
+  Sign(array<uint8> message) => (Signature? signature);
+
+  // GetUserBlessing returns the user blessing for a given application instance.
+  // It returns an error if the application instance has not invoked Login().
+  GetUserBlessing(AppInstanceName app) => (Blessing? user_blessing);
+};
+