platformKeys: Add policy and corporate key tagging.

chrome/browser/chromeos/platform_keys/platform_keys_service.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/values.h"
@@ skipping 186 matching lines @@
   void DoStep() {
     switch (next_step_) {
       case Step::GET_EXTENSION_PERMISSIONS:
         next_step_ = Step::SIGN_OR_ABORT;
         GetExtensionPermissions();
         return;
       case Step::SIGN_OR_ABORT: {
         next_step_ = Step::DONE;
         bool sign_granted =
             extension_permissions_->CanUseKeyForSigning(public_key_);
+LOG(ERROR) << "sign_granted " << sign_granted;
         if (sign_granted) {
           Sign();
         } else {
           callback_.Run(std::string() /* no signature */,
                         kErrorKeyNotAllowedForSigning);
           DoStep();
         }
         return;
       }
       case Step::DONE:
@@ skipping 160 matching lines @@
   // |error_message| contain an error message.
   void GotMatchingCerts(scoped_ptr<net::CertificateList> matches,
                         const std::string& error_message) {
     if (!error_message.empty()) {
       next_step_ = Step::DONE;
       callback_.Run(nullptr /* no certificates */, error_message);
       DoStep();
       return;
     }
 
-    // If the type field does not contain any entries, certificates of all types
-    // shall be returned.
-    if (request_.certificate_key_types.size() == 0) {
-      matches_.swap(*matches);
-      DoStep();
-      return;
-    }
+    for (scoped_refptr<net::X509Certificate>& certificate : *matches) {
+      const std::string public_key_spki_der(
+          platform_keys::GetSubjectPublicKeyInfo(certificate));
+      LOG(ERROR)
+          << "user can grant permissions: "
+          << key_permissions_->CanUserGrantPermissionFor(public_key_spki_der)
+          << "can use for signing "
+          << extension_permissions_->CanUseKeyForSigning(public_key_spki_der)
+          << " " << public_key_spki_der.size();
+      // Skip this key if the user cannot grant any permission for it, except if
+      // this extension can already use it for signing.
+      if (!key_permissions_->CanUserGrantPermissionFor(public_key_spki_der) &&
+          !extension_permissions_->CanUseKeyForSigning(public_key_spki_der)) {
+        continue;
+      }
 
-    // Filter the retrieved certificates returning only those whose type is
-    // equal to one of the entries in the type field of the certificate request.
-    for (scoped_refptr<net::X509Certificate>& certificate : *matches) {
-      net::X509Certificate::PublicKeyType actual_key_type =
-          net::X509Certificate::kPublicKeyTypeUnknown;
-      size_t unused_key_size = 0;
-      net::X509Certificate::GetPublicKeyInfo(
-          certificate->os_cert_handle(), &unused_key_size, &actual_key_type);
-      const std::vector<net::X509Certificate::PublicKeyType>& accepted_types =
-          request_.certificate_key_types;
-      if (std::find(accepted_types.begin(), accepted_types.end(),
-                    actual_key_type) != accepted_types.end()) {
-        matches_.push_back(certificate.Pass());
+      // Filter the retrieved certificates returning only those whose type is
+      // equal to one of the entries in the type field of the certificate
+      // request.
+      // If the type field does not contain any entries, certificates of all
+      // types shall be returned.
+      if (!request_.certificate_key_types.empty()) {
+        net::X509Certificate::PublicKeyType actual_key_type =
+            net::X509Certificate::kPublicKeyTypeUnknown;
+        size_t unused_key_size = 0;
+        net::X509Certificate::GetPublicKeyInfo(
+            certificate->os_cert_handle(), &unused_key_size, &actual_key_type);
+        const std::vector<net::X509Certificate::PublicKeyType>& accepted_types =
+            request_.certificate_key_types;
+        if (std::find(accepted_types.begin(), accepted_types.end(),
+                      actual_key_type) == accepted_types.end()) {
+          continue;
+        }
       }
+
+      matches_.push_back(certificate.Pass());
     }
     DoStep();
   }
 
   // Calls |service_->select_delegate_->Select()| to select a cert from
   // |matches_|, which will be stored in |selected_cert_|.
   // Will call back to |GotSelection()|.
   void SelectCerts() {
     CHECK(interactive_);
     if (matches_.empty()) {
@@ skipping 26 matching lines @@
         platform_keys::GetSubjectPublicKeyInfo(selected_cert_));
     extension_permissions_->SetUserGrantedPermission(public_key_spki_der);
     DoStep();
   }
 
   // Filters from all matches (if not interactive) or from the selection (if
   // interactive), the certificates that the extension has unlimited sign
   // permission for. Passes the filtered certs to |callback_|.
   void FilterSelectionByPermission() {
     scoped_ptr<net::CertificateList> selection(new net::CertificateList);
+LOG(ERROR) << "int " << interactive_ << " sel " << selected_cert_;
     if (interactive_) {
       if (selected_cert_)
         selection->push_back(selected_cert_);
     } else {
       selection->assign(matches_.begin(), matches_.end());
     }
 
     scoped_ptr<net::CertificateList> filtered_certs(new net::CertificateList);
     for (scoped_refptr<net::X509Certificate> selected_cert : *selection) {
       const std::string public_key_spki_der(
           platform_keys::GetSubjectPublicKeyInfo(selected_cert));
 
+      LOG(ERROR) << "can use for signing "
+                 << extension_permissions_->CanUseKeyForSigning(
+                        public_key_spki_der)
+                 << " "
+                 << public_key_spki_der.size();
+
       if (!extension_permissions_->CanUseKeyForSigning(public_key_spki_der))
         continue;
 
       filtered_certs->push_back(selected_cert);
     }
     // Note: In the interactive case this should have filtered exactly the
     // one selected cert. Checking the permissions again is not striclty
     // necessary but this ensures that the permissions were updated correctly.
+LOG(ERROR) << "size " << filtered_certs->size();
+ if (filtered_certs->size() > 0)
+LOG(ERROR) << "first " << filtered_certs->front();
     CHECK(!selected_cert_ || (filtered_certs->size() == 1 &&
                               filtered_certs->front() == selected_cert_));
     callback_.Run(filtered_certs.Pass(), std::string() /* no error */);
     DoStep();
   }
 
   Step next_step_ = Step::GET_EXTENSION_PERMISSIONS;
 
   net::CertificateList matches_;
   scoped_refptr<net::X509Certificate> selected_cert_;
@@ skipping 10 matching lines @@
   DISALLOW_COPY_AND_ASSIGN(SelectTask);
 };
 
 PlatformKeysService::SelectDelegate::SelectDelegate() {
 }
 
 PlatformKeysService::SelectDelegate::~SelectDelegate() {
 }
 
 PlatformKeysService::PlatformKeysService(
+    PrefService* profile_prefs,
+    bool profile_is_managed,
+    policy::PolicyService* profile_policies,
     content::BrowserContext* browser_context,
     extensions::StateStore* state_store)
     : browser_context_(browser_context),
-      key_permissions_(state_store),
+      key_permissions_(profile_prefs,
+                       profile_is_managed,
+                       profile_policies,
+                       state_store),
       weak_factory_(this) {
   DCHECK(state_store);
 }
 
 PlatformKeysService::~PlatformKeysService() {
 }
 
 void PlatformKeysService::SetSelectDelegate(
     scoped_ptr<SelectDelegate> delegate) {
   select_delegate_ = delegate.Pass();
@@ skipping 59 matching lines @@
   while (!tasks_.empty() && tasks_.front()->IsDone())
     tasks_.pop();
 
   // Now either the queue is empty or the next task is not finished yet and it
   // can be started.
   if (!tasks_.empty())
     tasks_.front()->Start();
 }
 
 }  // namespace chromeos