1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Use the <code>chrome.platformKeys</code> API to access client certificates
// managed by the platform. If the user or policy grants the permission, an
// extension can use such a certficate in its custom authentication protocol.
// E.g. this allows usage of platform managed certificates in third party VPNs
// (see $(ref:vpnProvider chrome.vpnProvider)).
namespace platformKeys {
[noinline_doc] dictionary Match {
// The DER encoding of a X.509 certificate.
ArrayBuffer certificate;
// The
// <a href="http://www.w3.org/TR/WebCryptoAPI/#key-algorithm-dictionary">
// KeyAlgorithm</a> of the certified key. This contains algorithm
// parameters that are inherent to the key of the certificate (e.g. the key
// length). Other parameters like the hash function used by the sign
// function are not included.
object keyAlgorithm;
};
enum ClientCertificateType {
rsaSign,
ecdsaSign
};
// Analogous to TLS1.1's CertificateRequest.
// See http://tools.ietf.org/html/rfc4346#section-7.4.4 .
dictionary ClientCertificateRequest {
// This field is a list of the types of certificates requested, sorted in
// order of the server's preference. Only certificates of a type contained
// in this list will be retrieved. If <code>certificateTypes</code> is the
// empty list, however, certificates of any type will be returned.
ClientCertificateType[] certificateTypes;
// List of distinguished names of certificate authorities allowed by the
// server. Each entry must be a DER-encoded X.509 DistinguishedName.
ArrayBuffer[] certificateAuthorities;
};
dictionary SelectDetails {
// Only certificates that match this request will be returned.
ClientCertificateRequest request;
// If given, the <code>selectClientCertificates</code> operates on this
// list. Otherwise, obtains the list of all certificates from the platform's
// certificate stores that are available to this extensions.
// Entries that the extension doesn't have permission for or which doesn't
// match the request, are removed.
ArrayBuffer[]? clientCerts;
// If true, the filtered list is presented to the user to manually select a
// certificate and thereby granting the extension access to the
// certificate(s) and key(s). Only the selected certificate(s) will be
// returned. If is false, the list is reduced to all certificates that the
// extension has been granted access to (automatically or manually).
boolean interactive;
};
// |matches|: The list of certificates that match the request, that the
// extension has permission for and, if <code>interactive</code> is true, that
// were selected by the user.
callback SelectCallback = void (Match[] matches);
// The public and private
// <a href="http://www.w3.org/TR/WebCryptoAPI/#dfn-CryptoKey">CryptoKey</a>
// of a certificate which can only be used with
// $(ref:platformKeys.subtleCrypto).
// |privateKey|: Might be <code>null</code> if this extension does not have
// access to it.
callback GetKeyPairCallback = void (object publicKey,
optional object privateKey);
interface Functions {
// This function filters from a list of client certificates the ones that
// are known to the platform, match <code>request</code> and for which the
// extension has permission to access the certificate and its private key.
// If <code>interactive</code> is true, the user is presented a dialog where
// he can select from matching certificates and grant the extension access
// to the certificate.
// The selected/filtered client certificates will be passed to
// <code>callback</code>.
[nocompile] static void selectClientCertificates(
SelectDetails details,
SelectCallback callback);
// Passes the key pair of <code>certificate</code> for usage with
// $(ref:platformKeys.subtleCrypto) to <code>callback</code>.
// |certificate|: The certificate of a $(ref:Match) returned by
// $(ref:selectClientCertificates).
// |parameters|: Determines signature/hash algorithm parameters additionally
// to the parameters fixed by the key itself. The same parameters are
// accepted as by WebCrypto's <code>importKey</code> function, e.g.
// <code>RsaHashedImportParams</code> for a RSASSA-PKCS1-v1_5 key.
// For RSASSA-PKCS1-v1_5 keys, additionally the parameters
// <code>{ 'hash': { 'name': 'none' } }</code> are supported. The sign
// function will then apply PKCS#1 v1.5 padding and but not hash the
// given data.
[nocompile] static void getKeyPair(ArrayBuffer certificate,
object parameters,
GetKeyPairCallback callback);
// An implementation of WebCrypto's
// <a href="http://www.w3.org/TR/WebCryptoAPI/#subtlecrypto-interface">
// SubtleCrypto</a>
// that allows crypto operations on keys of client certificates that are
// available to this extension.
[nocompile] static object subtleCrypto();
};
};
|