| Index: chrome/browser/chromeos/platform_keys/platform_keys_service.cc
|
| diff --git a/chrome/browser/chromeos/platform_keys/platform_keys_service.cc b/chrome/browser/chromeos/platform_keys/platform_keys_service.cc
|
| index 60d3331d5baea7b723a93904e09ad9ab1e920486..5fc749855afd1e24ee9f54883e31e2fdf2629ed8 100644
|
| --- a/chrome/browser/chromeos/platform_keys/platform_keys_service.cc
|
| +++ b/chrome/browser/chromeos/platform_keys/platform_keys_service.cc
|
| @@ -204,6 +204,7 @@ class PlatformKeysService::SignTask : public Task {
|
| next_step_ = Step::DONE;
|
| bool sign_granted =
|
| extension_permissions_->CanUseKeyForSigning(public_key_);
|
| +LOG(ERROR) << "sign_granted " << sign_granted;
|
| if (sign_granted) {
|
| Sign();
|
| } else {
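Review bot: The added `LOG(ERROR) << "sign_granted " << sign_granted;` looks like a debugging leftover: it is unindented and writes every signing permission decision to the log at ERROR severity. The same kind of statement appears in the SelectTask hunks, namely in the certificate loop, at the top of `FilterSelectionByPermission`, and just before the `CHECK`. I would drop these lines before landing, or, if a trace is wanted, keep it as `VLOG(1) << "sign_granted " << sign_granted;`. The enclosing SignTask step function starts and ends outside the hunk.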
|
| @@ -384,28 +385,42 @@ class PlatformKeysService::SelectTask : public Task {
|
| return;
|
| }
|
|
|
| - // If the type field does not contain any entries, certificates of all types
|
| - // shall be returned.
|
| - if (request_.certificate_key_types.size() == 0) {
|
| - matches_.swap(*matches);
|
| - DoStep();
|
| - return;
|
| - }
|
| -
|
| - // Filter the retrieved certificates returning only those whose type is
|
| - // equal to one of the entries in the type field of the certificate request.
|
| for (scoped_refptr<net::X509Certificate>& certificate : *matches) {
|
| - net::X509Certificate::PublicKeyType actual_key_type =
|
| - net::X509Certificate::kPublicKeyTypeUnknown;
|
| - size_t unused_key_size = 0;
|
| - net::X509Certificate::GetPublicKeyInfo(
|
| - certificate->os_cert_handle(), &unused_key_size, &actual_key_type);
|
| - const std::vector<net::X509Certificate::PublicKeyType>& accepted_types =
|
| - request_.certificate_key_types;
|
| - if (std::find(accepted_types.begin(), accepted_types.end(),
|
| - actual_key_type) != accepted_types.end()) {
|
| - matches_.push_back(certificate.Pass());
|
| + const std::string public_key_spki_der(
|
| + platform_keys::GetSubjectPublicKeyInfo(certificate));
|
| + LOG(ERROR)
|
| + << "user can grant permissions: "
|
| + << key_permissions_->CanUserGrantPermissionFor(public_key_spki_der)
|
| + << "can use for signing "
|
| + << extension_permissions_->CanUseKeyForSigning(public_key_spki_der)
|
| + << " " << public_key_spki_der.size();
|
| + // Skip this key if the user cannot grant any permission for it, except if
|
| + // this extension can already use it for signing.
|
| + if (!key_permissions_->CanUserGrantPermissionFor(public_key_spki_der) &&
|
| + !extension_permissions_->CanUseKeyForSigning(public_key_spki_der)) {
|
| + continue;
|
| }
|
| +
|
| + // Filter the retrieved certificates returning only those whose type is
|
| + // equal to one of the entries in the type field of the certificate
|
| + // request.
|
| + // If the type field does not contain any entries, certificates of all
|
| + // types shall be returned.
|
| + if (!request_.certificate_key_types.empty()) {
|
| + net::X509Certificate::PublicKeyType actual_key_type =
|
| + net::X509Certificate::kPublicKeyTypeUnknown;
|
| + size_t unused_key_size = 0;
|
| + net::X509Certificate::GetPublicKeyInfo(
|
| + certificate->os_cert_handle(), &unused_key_size, &actual_key_type);
|
| + const std::vector<net::X509Certificate::PublicKeyType>& accepted_types =
|
| + request_.certificate_key_types;
|
| + if (std::find(accepted_types.begin(), accepted_types.end(),
|
| + actual_key_type) == accepted_types.end()) {
|
| + continue;
|
| + }
|
| + }
|
| +
|
| + matches_.push_back(certificate.Pass());
|
| }
|
| DoStep();
|
| }
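Review bot: In the new loop body, `CanUserGrantPermissionFor` and `CanUseKeyForSigning` are each evaluated twice per certificate, once for the `LOG(ERROR)` statement and once for the skip condition. The log text also runs the first result straight into "can use for signing" with no separator. Compute each result once, e.g. `const bool can_grant = key_permissions_->CanUserGrantPermissionFor(public_key_spki_der);` (likewise `can_sign`), and test `if (!can_grant && !can_sign) continue;`. The later hunk in `FilterSelectionByPermission` repeats the `CanUseKeyForSigning` call in the same way. Whether these calls are cheap or free of side effects is not visible here, and the function starts outside the hunk.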
|
| @@ -452,6 +467,7 @@ class PlatformKeysService::SelectTask : public Task {
|
| // permission for. Passes the filtered certs to |callback_|.
|
| void FilterSelectionByPermission() {
|
| scoped_ptr<net::CertificateList> selection(new net::CertificateList);
|
| +LOG(ERROR) << "int " << interactive_ << " sel " << selected_cert_;
|
| if (interactive_) {
|
| if (selected_cert_)
|
| selection->push_back(selected_cert_);
|
| @@ -464,6 +480,12 @@ class PlatformKeysService::SelectTask : public Task {
|
| const std::string public_key_spki_der(
|
| platform_keys::GetSubjectPublicKeyInfo(selected_cert));
|
|
|
| + LOG(ERROR) << "can use for signing "
|
| + << extension_permissions_->CanUseKeyForSigning(
|
| + public_key_spki_der)
|
| + << " "
|
| + << public_key_spki_der.size();
|
| +
|
| if (!extension_permissions_->CanUseKeyForSigning(public_key_spki_der))
|
| continue;
|
|
|
| @@ -472,6 +494,9 @@ class PlatformKeysService::SelectTask : public Task {
|
| // Note: In the interactive case this should have filtered exactly the
|
| // one selected cert. Checking the permissions again is not striclty
|
| // necessary but this ensures that the permissions were updated correctly.
|
| +LOG(ERROR) << "size " << filtered_certs->size();
|
| + if (filtered_certs->size() > 0)
|
| +LOG(ERROR) << "first " << filtered_certs->front();
|
| CHECK(!selected_cert_ || (filtered_certs->size() == 1 &&
|
| filtered_certs->front() == selected_cert_));
|
| callback_.Run(filtered_certs.Pass(), std::string() /* no error */);
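Review bot: The braceless `if (filtered_certs->size() > 0)` exists only to guard the debug log on the next line. If that `LOG(ERROR)` is later deleted and the `if` is left behind, it would attach to the `CHECK` and skip it exactly when the filtered list is empty. That `CHECK` is what confirms the interactively selected certificate survived the permission filter, so it should stay unconditional. Remove all three added lines together; if the output is needed, brace it, as in `if (!filtered_certs->empty()) { VLOG(1) << "first " << filtered_certs->front(); }`. The surrounding callback starts outside the hunk.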
|
| @@ -502,10 +527,16 @@ PlatformKeysService::SelectDelegate::~SelectDelegate() {
|
| }
|
|
|
| PlatformKeysService::PlatformKeysService(
|
| + PrefService* profile_prefs,
|
| + bool profile_is_managed,
|
| + policy::PolicyService* profile_policies,
|
| content::BrowserContext* browser_context,
|
| extensions::StateStore* state_store)
|
| : browser_context_(browser_context),
|
| - key_permissions_(state_store),
|
| + key_permissions_(profile_prefs,
|
| + profile_is_managed,
|
| + profile_policies,
|
| + state_store),
|
| weak_factory_(this) {
|
| DCHECK(state_store);
|
| }
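Review bot: The constructor now forwards `profile_prefs` and `profile_policies` as raw pointers into `key_permissions_`, but only `state_store` is asserted and nothing states how long the new pointers must stay valid. If `key_permissions_` retains them (not visible in this hunk), a comment such as `// |profile_prefs| and |profile_policies| must outlive this service.` belongs on the declaration. Add `DCHECK(profile_prefs);` next to the existing `DCHECK(state_store);` if null is never valid. Whether `profile_policies` may legitimately be null for some profiles should be confirmed before asserting on it.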
|
|
|