Context
Chromium on Linux has a third cipher tier we don't yet support: v12, used by SecretPortalKeyProvider for Flatpak / sandboxed installs that retrieve secrets via org.freedesktop.portal.Desktop.
Profiles from Flatpak-installed Chromium can carry v12-prefixed ciphertexts we cannot decrypt.
Current behavior
After #579, decryptValue emits a known-gap error rather than a generic one:
unsupported cipher version v12 (Chromium SecretPortal / Flatpak; not yet implemented)
The corresponding cookie.value / password.password fields end up empty.
What's needed
v12 uses a different algorithm from v10/v11/v20:
- Secret source: org.freedesktop.portal.Desktop.RetrieveSecret (not libsecret)
- KDF: HKDF-SHA256 with salt "fdo_portal_secret_salt" (not PBKDF2-HMAC-SHA1)
- Cipher: AES-256-GCM (not AES-128-CBC)
Implementation would add:
- New SecretPortalRetriever populating keyretriever.Retrievers.V12
- HKDF + AES-256-GCM primitive in crypto/
- MasterKeys.V12 slot + decryptValue dispatch case
- RFC-006 §5 update
References
- secret_portal_key_provider.h
- secret_portal_key_provider.cc