author | gauravsh@chromium.org <gauravsh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-29 00:25:40 +0000 |
---|---|---|
committer | gauravsh@chromium.org <gauravsh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-29 00:25:40 +0000 |
commit | 6a18d073a9794648bb14299f8adcf46b3fff9b56 (patch) | |
tree | 813968a4a218a60bc2522fc864da598b6424f6c7 /chrome/browser/certificate_manager_model.h | |
parent | 390214725736286d9d814e91804306b7e4a83f25 (diff) | |
For PKCS12 private keys imported into a hardware backed token, mark them as unextractable
The certificate manager in Chrome OS has an "import and bind to
device" option that allows imported private keys and associated
certificates to be imported into a hardware token (typically a TPM).
This change makes all private keys that are imported into a hardware
token unextractable by setting the CKA_EXTRACTABLE flag to false.
Export behavior is also changed to always perform the CKA_EXTRACTABLE flag
check irrespective of whether it's an internal (soft) or hardware backed
token and refusing export if set to false. Most hardware tokens will enforce
this. Internal soft tokens tend to ignore this flag. The flag is made to
take precedence irrespective of whether the underlying token will still
allow key export.
BUG=chromium-os:15838
TEST=unit tests
Review URL: http://codereview.chromium.org/7190027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@90890 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/certificate_manager_model.h')
-rw-r--r-- | chrome/browser/certificate_manager_model.h | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/chrome/browser/certificate_manager_model.h b/chrome/browser/certificate_manager_model.h index eda1f53..0852290 100644 --- a/chrome/browser/certificate_manager_model.h +++ b/chrome/browser/certificate_manager_model.h @@ -56,10 +56,12 @@ class CertificateManagerModel { // Get the data to be displayed in |column| for the given |cert|. string16 GetColumnText(const net::X509Certificate& cert, Column column) const; - // Import certificates from PKCS #12 encoded |data|, using the given - // |password|. Returns a net error code on failure. + // Import private keys and certificates from PKCS #12 encoded + // |data|, using the given |password|. If |is_extractable| is false, + // mark the private key as unextractable from the module. + // Returns a net error code on failure. int ImportFromPKCS12(net::CryptoModule* module, const std::string& data, - const string16& password); + const string16& password, bool is_extractable); // Import CA certificates. // Tries to import all the certificates given. The root will be trusted |
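Review bot: The new trailing `bool is_extractable` on `ImportFromPKCS12` is a bare boolean whose permissive value is `true`, so a call site will read `ImportFromPKCS12(module, data, password, true)` with nothing to show that the imported key stays exportable. Consider a two-value enum for this argument, or at minimum require call sites to annotate it, so the weaker choice is visible in review and cannot be passed by accident. The updated comment also says the key is marked "unextractable from the module", while the commit message notes that internal soft tokens tend to ignore CKA_EXTRACTABLE and that the export path is what makes the flag take precedence. One more sentence in the comment stating that enforcement for soft tokens happens at export time, not in the module, would keep callers from assuming the module itself protects the key.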