veyron2/security: Introduce a "purpose" in Signatures.

This commit changes the Signer interface so that Sign operations
can be provided a "purpose". While this field is currently not used,
the intent is for it to be used to prevent "type flaws" wherein a
signature obtained for one purpose is used for another.

Specifically, in the newer security API (work in progress),
this will allow signing operations for blessings (where the
contents of a certificate are signed) to be distinct from
signing operations for arbitrary bytes. Code verifying
signatures for blessings will ensure that the signature
was obtained for the purpose of blessing.

By calling out the intention behind a signature, we
should be able to audit all "bless" operations in the
"agent" process that will host the private key without
having to worry about bugs or exploits in the application
that attempt to circumvent the auditing by using the "Sign"
method to sign certificates for blessings.

(In the newer API, all private key operations will be
behind a "Principal" type which will have the following interface:

type Principal interface {
  Bless(/* arguments */) (Blessings, error)
  Sign(message []byte) (Signature, error)
  /* other methods */
}

The intent is that the implementation of Bless and Sign will use
a different "purpose" when invoking Signer.Sign)

Change-Id: Iada2d7d402631ae6e06ef174d373391f0697e58f
5 files changed
tree: 4ed01bff4528d33d4a3c058a24bf80e9fa580c30
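The purpose binding the commit describes, as an added example that is not code from this commit or the veyron project: a Signer whose Sign folds the purpose into the signed digest, a Principal whose Bless and Sign use distinct purposes on the same key, and a Verify that checks under the purpose the verifier requires, so a certificate signed through the general Sign method is rejected as a blessing. The Purpose, Signer, Principal and Verify shapes and the "bless"/"sign" tags are assumptions for illustration, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Purpose is an assumed tag naming what a signature is for.
type Purpose string
const (
	PurposeBless Purpose = "bless" // signing the contents of a certificate
	PurposeSign  Purpose = "sign"  // signing arbitrary application bytes
)

// purposeDigest folds the purpose into the digest, so a signature for one purpose cannot verify under another.
func purposeDigest(purpose Purpose, msg []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(purpose))}) // length prefix keeps purpose and msg unambiguous
	h.Write([]byte(purpose))
	h.Write(msg)
	return h.Sum(nil)
}

// Signer is an assumed stand-in for the interface this commit changes.
type Signer struct{ key *ecdsa.PrivateKey }
func (s Signer) Sign(purpose Purpose, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, s.key, purposeDigest(purpose, msg))
}

// Verify checks under the purpose the verifier requires, never one the caller claims.
func Verify(pub *ecdsa.PublicKey, purpose Purpose, msg, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, purposeDigest(purpose, msg), sig)
}

// Principal (assumed shape) routes Bless and Sign to distinct purposes on one key.
type Principal struct{ Signer Signer }
func (p Principal) Bless(cert []byte) ([]byte, error) { return p.Signer.Sign(PurposeBless, cert) }
func (p Principal) Sign(msg []byte) ([]byte, error)   { return p.Signer.Sign(PurposeSign, msg) }

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p, cert := Principal{Signer{key}}, []byte("constructed certificate bytes")
	viaSign, _ := p.Sign(cert) // certificate signed through the general Sign method
	viaBless, _ := p.Bless(cert)
	fmt.Println(Verify(&key.PublicKey, PurposeBless, cert, viaSign), Verify(&key.PublicKey, PurposeBless, cert, viaBless)) // false true
}
```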