From 6a18d073a9794648bb14299f8adcf46b3fff9b56 Mon Sep 17 00:00:00 2001 From: "gauravsh@chromium.org" Date: Wed, 29 Jun 2011 00:25:40 +0000 Subject: For PKCS12 private keys imported into a hardware backed token, mark them as unextractable The certificate mangager in Chrome OS has an "import and bind to device" option that allows imported private keys and associated certificates to be imported into a hardware token (typically a TPM). This change makes all private keys that are imported into a hardware token unextractable by setting to CKA_EXTRACTABLE flag to false. Export behavior is also changed to always perform the CKA_EXTRACTABLE flag check irrespective of whether it's an internal (soft) or hardware backed token and refusing export if set to false. Most hardware tokens will enforce this. Internal soft tokens tend to ignore this flag. The flag is made to take precedence irrespective of whether the underlying token will still allow key export. BUG=chromium-os:15838 TEST=unit tests Review URL: http://codereview.chromium.org/7190027 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@90890 0039d316-1c4b-4281-b951-d872f2087c98 --- chrome/browser/certificate_manager_model.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'chrome/browser/certificate_manager_model.h') diff --git a/chrome/browser/certificate_manager_model.h b/chrome/browser/certificate_manager_model.h index eda1f53..0852290 100644 --- a/chrome/browser/certificate_manager_model.h +++ b/chrome/browser/certificate_manager_model.h @@ -56,10 +56,12 @@ class CertificateManagerModel { // Get the data to be displayed in |column| for the given |cert|. string16 GetColumnText(const net::X509Certificate& cert, Column column) const; - // Import certificates from PKCS #12 encoded |data|, using the given - // |password|. Returns a net error code on failure. + // Import private keys and certificates from PKCS #12 encoded + // |data|, using the given |password|. If |is_extractable| is false, + // mark the private key as unextractable from the module. + // Returns a net error code on failure. int ImportFromPKCS12(net::CryptoModule* module, const std::string& data, - const string16& password); + const string16& password, bool is_extractable); // Import CA certificates. // Tries to import all the certificates given. The root will be trusted -- cgit v1.1