platformKeys: Add policy and corporate key tagging.

components/policy/resources/policy_templates.json

Index: components/policy/resources/policy_templates.json
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index cc26e75ca6777ad4a8cd073985c35a800855f6ec..9f713ae7167e89748a625f275e9fa8dba63b41b2 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -123,7 +123,7 @@
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 301
+#   For your editing convenience: highest ID currently used: 302
 #
 # Placeholders:
 #   The following placeholder strings are automatically substituted:
@@ -7365,7 +7365,42 @@
       'desc': '''If this policy is set to true or not set usage of QUIC protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is allowed.
       If this policy is set to false usage of QUIC protocol is disallowed.''',
     },
+    {
+      'name': 'KeyPermissions',
+      'type': 'dict',
+      'schema': {
+        'type': 'object',
+        'additionalProperties': {
+          'type': 'object',
+          'properties': {
+            'allowCorporateKeyUsage': {
+              'description': '''If set to true, this extension can use all keys, that are designated for corporate usage, to sign arbitrary data. If set to false, it cannot access any such keys and the user cannot grant such permission either.''',
+              'type': 'boolean',
+            },
+          },
+        },
+      },
+      'supported_on': ['chrome_os:45-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': {
+        'extension1': {
+          'allowCorporateKeyUsage': 'true'
+        },
+        'extension2': {
+          'allowCorporateKeyUsage': 'false'
+        }
+      },
+      'id': 302,
+      'caption': 'Key Permissions',
+      'desc': '''Grants usage of platform keys by extensions.

[bartfab (slow), 2015/06/17 09:57:40]

Nit 1: s/usage of/acces to/
Nit 2: s/platform/corportate platform/
Nit 3: s/by/to/

[pneubeck (no reviews), 2015/06/17 13:00:36]

Done.

 
+      By default an extension cannot use a private key managed by the platform for signing data, which is equivalent to setting allowCorporateKeyUsage to false for that extension. A user cannot circumvent that restriction.
+
+      Only if allowCorporateKeyUsage is set to true for an extension, it can use any platform key marked for corporate usage to sign arbitrary data. This permission should only be granted if the extension is trusted to secure access to the key against attackers.''',
+    },

[bartfab (slow), 2015/06/17 09:57:40]

If you do decide to add a bit of explanation, I think it would be easiest to
phrase this description the other way around:

1. Describe what "corporate key" means.
2. State the default (no access).
3. Indicate that this policy can grant access.

[pneubeck (no reviews), 2015/06/17 13:00:36]

Done.

   ],
   'messages': {
     # Messages that are not associated to any policies.