secret-service: add methods to transfer secrets via file descriptor

Daiki Ueno requested to merge dueno/xdg-specs:wip/dueno/kill-crypto into master

Currently, the protocol suggests two mechanisms ("algorithms") to transfer secrets: "plain" and "dh-ietf1024-sha256-aes128-cbc-pkcs7".

The former sends secret data in plaintext, while the latter encrypts the secret beforehand, though the wire encryption protocol is homebrew and the crypto algorithm used, namely the 1024-bit 'Second Oakley Group', is being deprecated.

On the other hand, there is a more secure mechanism to transfer sensitive data over D-Bus: sending it through an out-of-band channel, using file descriptor passing. This patch adds a new mechanism "external", in addition to a couple of D-Bus methods (GetSecretFromFd and SetSecretFromFd) to support the use of file descriptor passing.
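The out-of-band channel the description refers to is SCM_RIGHTS descriptor passing, which D-Bus exposes as the `h` (UNIX_FD) argument type. The following is an added Python example, not code from this merge request or from the secret-service project, showing the primitive on a plain Unix socket pair: the secret is written into a pipe and only the pipe's read end crosses the socket, so the socket byte stream itself never carries secret material. The `b"external"` tag and the function names are constructed for illustration.

```python
import os
import socket

MAX_SECRET = 64 * 1024  # constructed upper bound; reject oversized payloads


def send_secret_via_fd(sock: socket.socket, secret: bytes) -> None:
    """Sender: put the secret in a pipe, pass the pipe's read end via SCM_RIGHTS.
    The in-band message is only a mechanism tag; it contains no secret bytes."""
    r, w = os.pipe()
    try:
        os.write(w, secret)
    finally:
        os.close(w)  # close write end so the receiver sees EOF after the data
    try:
        socket.send_fds(sock, [b"external"], [r])
    finally:
        os.close(r)  # the kernel keeps the in-flight descriptor alive for the peer


def recv_secret_via_fd(sock: socket.socket) -> tuple[bytes, bytes]:
    """Receiver: take the descriptor out of the control message and read the
    secret from it. Returns (in-band tag, secret)."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 1024, 1)
    if len(fds) != 1:
        raise ValueError("expected exactly one file descriptor")
    fd = fds[0]
    chunks, total = [], 0
    try:
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            total += len(chunk)
            if total > MAX_SECRET:
                raise ValueError("secret exceeds MAX_SECRET")
            chunks.append(chunk)
    finally:
        os.close(fd)  # never leave the secret-bearing descriptor open
    return msg, b"".join(chunks)


def demo(secret: bytes = b"correct horse battery staple") -> tuple[bytes, bytes]:
    """Round-trip a constructed secret over a local AF_UNIX socket pair."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        send_secret_via_fd(a, secret)
        return recv_secret_via_fd(b)
```

Requires Python 3.9+ on a Unix system for `socket.send_fds`/`socket.recv_fds`.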