Add new certificateProvider extension API.

chrome/common/extensions/api/certificate_provider.idl

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Use this API to make certificates, for example from a Smart Card, available
+// to the platform which can then use these certificates for TLS client
+// authentication.
+namespace certificateProvider {
+  enum Hash {
+    MD5_SHA1,
+    SHA1,
+    SHA256,
+    SHA384,
+    SHA512
+  };
+
+  dictionary CertificateInfo {
+    // Must be the DER encoding of a X.509 client certificate.
+    ArrayBuffer certificate;
+
+    // Must be set to all hashes supported for this certificate. This extension
+    // will only be asked for signatures of digests calculated with one of these
+    // hash algorithms.
+    Hash[] supportedHashes;
+  };
+
+  dictionary SignRequest {
+    // The digest that must be signed.
+    ArrayBuffer digest;
+
+    // Refers to the hash algorithm that was used to create |digest|.
+    Hash hash;
+  };
+
+  // Either |error| or |signature| and not both must be set.
+  dictionary SignatureDetails {
+    // If the signature of the digest could not be calculated, this field must
+    // be set.
+    DOMString? error;
+
+    // If no error occurred, this field must be set to the signature of the
+    // digest using the private the of the requested client certificate.
+    // For an RSA key, the signature must be a PKCS#1 signature. The extension
+    // is responsible for prepending the DigestInfo prefix and adding PKCS#1
+    // padding.
+    ArrayBuffer? signature;
+  };
+
+  callback DoneCallback = void ();
+
+  interface Functions {
+    // Notifies Chrome that this extension serves the certificates listed in
+    // |certificates|. This list must only contain client certificates for
+    // which the extension can sign data with the according private key.

[Ryan Sleevi, 2015/07/10 12:07:56]

// Notifies Chrome that this extension is capable of responding to signing
requests for the certificates
// listed in |certificates|. The list must only contain certificates for which
the extension can sign data
// using the associated private key.


I'm trying to eliminate the "client certificate" portion, since it's conceivable
in some future world (like WebRTC) that we may wish to use 'server
certificates', and the API would be the same. We don't support that, certainly,
but there's no *strict* reason that a card implementing this API is limited to
client vs server. Further, the filtering (e.g. for TLS Client Auth in the EKUs)
will be done by Chrome, so you wouldn't want smart cards reimplementing that and
botching it all.

[pneubeck (no reviews), 2015/07/10 12:23:52]

Done.

+    static void publishClientCertificates(CertificateInfo[] certificates,
+                                          DoneCallback callback);
+
+    // Responses to a previous |onSignDigestRequested| event. |requestId| must
+    // match the id of such an event. For each id, this function must be called
+    // exactly once.
+    static void replyToSignRequest(long requestId, SignatureDetails reply);
+  };
+
+  interface Events {
+    // This event fires every time the browser navigates to a server that
+    // requests a client certificate provided by this extension using
+    // |publicClientCertificates|. To use a client certificate to authenticate

[Ryan Sleevi, 2015/07/10 12:07:56]

Comment-wise, I think you want to reword this to indicate it's not at all
related to navigation

// This event fires every time the browser needs to sign a message using a
certificate provided by this
// extension using |publishClientCertificates|. The extension must sign the data
in |request| using
// the appropriate algorithm and return it using |replyToSignRequest|.

[pneubeck (no reviews), 2015/07/10 12:23:52]

only added to your proposal:
 s/algorithm/algorithm and private key/
Done.

+    // to that server, the extension has to sign the digest of some data as
+    // provided in |request| with the according private key. The signature must
+    // be handed to the browser using the function |replyToSignRequest|.
+    // After this event is fired until the signature is returned, the browser
+    // navigation is blocked. Long delays reduce the user's experience.

[Ryan Sleevi, 2015/07/10 12:07:56]

I'd delete these two sentences entirely - we don't want to promise this
behaviour forever (e.g. we may want to have a "30 second extension timeout" in
the future, for example)

[pneubeck (no reviews), 2015/07/10 12:23:52]

Done.

+    static void onSignDigestRequested(long requestId, SignRequest request);
+  };
+};