author | gauravsh@chromium.org <gauravsh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-29 00:25:40 +0000 |
---|---|---|
committer | gauravsh@chromium.org <gauravsh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-29 00:25:40 +0000 |
commit | 6a18d073a9794648bb14299f8adcf46b3fff9b56 (patch) | |
tree | 813968a4a218a60bc2522fc864da598b6424f6c7 /net/base/cert_database_nss.cc | |
parent | 390214725736286d9d814e91804306b7e4a83f25 (diff) | |
For PKCS12 private keys imported into a hardware backed token, mark them as unextractable
The certificate manager in Chrome OS has an "import and bind to
device" option that allows imported private keys and associated
certificates to be imported into a hardware token (typically a TPM).
This change makes all private keys that are imported into a hardware
token unextractable by setting the CKA_EXTRACTABLE flag to false.
Export behavior is also changed to always perform the CKA_EXTRACTABLE flag
check irrespective of whether it's an internal (soft) or hardware backed
token and refuse export if set to false. Most hardware tokens will enforce
this. Internal soft tokens tend to ignore this flag. The flag is made to
take precedence irrespective of whether the underlying token will still
allow key export.
BUG=chromium-os:15838
TEST=unit tests
Review URL: http://codereview.chromium.org/7190027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@90890 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/cert_database_nss.cc')
-rw-r--r-- | net/base/cert_database_nss.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/base/cert_database_nss.cc b/net/base/cert_database_nss.cc index 1e753de..179ee82 100644 --- a/net/base/cert_database_nss.cc +++ b/net/base/cert_database_nss.cc @@ -156,10 +156,12 @@ void CertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const { int CertDatabase::ImportFromPKCS12( CryptoModule* module, const std::string& data, - const string16& password) { + const string16& password, + bool is_extractable) { int result = psm::nsPKCS12Blob_Import(module->os_module_handle(), data.data(), data.size(), - password); + password, + is_extractable); if (result == net::OK) CertDatabase::NotifyObserversOfUserCertAdded(NULL); |
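Review bot: In CertDatabase::ImportFromPKCS12 the new `bool is_extractable` is forwarded to psm::nsPKCS12Blob_Import unchanged, so whether a key imported into a hardware token ends up unextractable depends on every caller passing false; nothing in this function ties the flag to the `module` argument it already receives. Since the commit message states that all keys imported into a hardware token become unextractable, consider either documenting on the parameter which value callers must pass for hardware-backed modules, or checking the module here and rejecting (or overriding) `is_extractable == true` for a hardware token. A bare trailing bool also reads poorly at call sites (`ImportFromPKCS12(module, data, password, true)`), so a short comment on the parameter or a two-value enum would make the intent visible where it is used.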