-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server side support for D-Bus Secret Service API #46
Comments
Few notes:
|
Do you know what the differences between the keyring formats are? oo7 uses the same format as libsecret inside Flatpaks. I always assumed those formats were the same. |
The legacy keyring format is internally used by gnome-keyring, marked as "version 0" in the header (while libsecret one is the version 1). They are particularly different in that the legacy one encrypts everything as a whole, while the new one encrypts individual items. |
Good to know. Might make sense to somewhat document those things somewhere. I'm not that versed in crypto but while re-implementing keyring v1 I noticed that libsecret claims to use AES256 but doesn't pass a key long enough to do so, which causes libgcrypt to silently downgrade the encryption to AES128. Maybe it would make sense to deprecate v1 and replace it with a v2 with stronger encryption before using it in even more places? |
Oh, I wasn't aware of that; I agree that we should bump it then. |
If not anyone working on this, can you please assign this for me? @bilelmoussaoui |
The original code tries to encrypt the file format using AES-256-CBC, though actually AES-128-CBC was used because the key size is shorter and libgcrypt automatically degrades to AES-128-CBC based on the key size. Reported by Sophie Herold in: bilelmoussaoui/oo7#46 (comment) Signed-off-by: Daiki Ueno <[email protected]>
Although the D-Bus Secret Service API has several limitations and there is already a migration support from it to file storage, it would be nice if there is a server side implementation of the D-Bus API to make transition from gnome-keyring easier.
I would suggest having the server implementation backed by the oo7::portal::Keyring, while also providing automatic migration from the legacy keyring format.
The text was updated successfully, but these errors were encountered: