summaryrefslogtreecommitdiffstats
path: root/chrome/common/extensions/api/platform_keys.idl
blob: 862755638d39de3c6302b19d300a757de4c793e7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Use the <code>chrome.platformKeys</code> API to access client certificates
// managed by the platform. If the user or policy grants the permission, an
// extension can use such a certficate in its custom authentication protocol.
// E.g. this allows usage of platform managed certificates in third party VPNs
// (see $(ref:vpnProvider chrome.vpnProvider)).
namespace platformKeys {
  [noinline_doc] dictionary Match {
     // The DER encoding of a X.509 certificate.
     ArrayBuffer certificate;

     // The
     // <a href="http://www.w3.org/TR/WebCryptoAPI/#key-algorithm-dictionary">
     // KeyAlgorithm</a> of the certified key. This contains algorithm
     // parameters that are inherent to the key of the certificate (e.g. the key
     // length). Other parameters like the hash function used by the sign
     // function are not included.
     object keyAlgorithm;
  };

  enum ClientCertificateType {
    rsaSign,
    ecdsaSign
  };

  // Analogous to TLS1.1's CertificateRequest.
  // See http://tools.ietf.org/html/rfc4346#section-7.4.4 .
  dictionary ClientCertificateRequest {
    // This field is a list of the types of certificates requested, sorted in
    // order of the server's preference. Only certificates of a type contained
    // in this list will be retrieved. If <code>certificateTypes</code> is the
    // empty list, however, certificates of any type will be returned.
    ClientCertificateType[] certificateTypes;

    // List of distinguished names of certificate authorities allowed by the
    // server. Each entry must be a DER-encoded X.509 DistinguishedName.
    ArrayBuffer[] certificateAuthorities;
  };

  dictionary SelectDetails {
    // Only certificates that match this request will be returned.
    ClientCertificateRequest request;

    // If given, the <code>selectClientCertificates</code> operates on this
    // list. Otherwise, obtains the list of all certificates from the platform's
    // certificate stores that are available to this extensions.
    // Entries that the extension doesn't have permission for or which doesn't
    // match the request, are removed.
    ArrayBuffer[]? clientCerts;

    // If true, the filtered list is presented to the user to manually select a
    // certificate and thereby granting the extension access to the
    // certificate(s) and key(s). Only the selected certificate(s) will be
    // returned. If is false, the list is reduced to all certificates that the
    // extension has been granted access to (automatically or manually).
    boolean interactive;
  };

  // |matches|: The list of certificates that match the request, that the
  // extension has permission for and, if <code>interactive</code> is true, that
  // were selected by the user.
  callback SelectCallback = void (Match[] matches);

  // The public and private
  // <a href="http://www.w3.org/TR/WebCryptoAPI/#dfn-CryptoKey">CryptoKey</a>
  // of a certificate which can only be used with
  // $(ref:platformKeys.subtleCrypto).
  // |privateKey|: Might be <code>null</code> if this extension does not have
  //   access to it.
  callback GetKeyPairCallback = void (object publicKey, 
                                      optional object privateKey);

  interface Functions {
    // This function filters from a list of client certificates the ones that
    // are known to the platform, match <code>request</code> and for which the
    // extension has permission to access the certificate and its private key.
    // If <code>interactive</code> is true, the user is presented a dialog where
    // he can select from matching certificates and grant the extension access
    // to the certificate.
    // The selected/filtered client certificates will be passed to
    // <code>callback</code>.
    [nocompile] static void selectClientCertificates(
        SelectDetails details,
        SelectCallback callback);

    // Passes the key pair of <code>certificate</code> for usage with
    // $(ref:platformKeys.subtleCrypto) to <code>callback</code>.
    // |certificate|: The certificate of a $(ref:Match) returned by
    // $(ref:selectClientCertificates).
    // |parameters|: Determines signature/hash algorithm parameters additionally
    //   to the parameters fixed by the key itself. The same parameters are
    //   accepted as by WebCrypto's <code>importKey</code> function, e.g.
    //   <code>RsaHashedImportParams</code> for a RSASSA-PKCS1-v1_5 key.
    //   For RSASSA-PKCS1-v1_5 keys, additionally the parameters
    //   <code>{ 'hash': { 'name': 'none' } }</code> are supported. The sign
    //   function will then apply PKCS#1 v1.5 padding and but not hash the
    //   given data.
    [nocompile] static void getKeyPair(ArrayBuffer certificate,
                                       object parameters,
                                       GetKeyPairCallback callback);

    // An implementation of WebCrypto's
    // <a href="http://www.w3.org/TR/WebCryptoAPI/#subtlecrypto-interface">
    // SubtleCrypto</a>
    // that allows crypto operations on keys of client certificates that are
    // available to this extension.
    [nocompile] static object subtleCrypto();
  };
};