Chromium Code Reviews

Unified Diff: chrome/common/extensions/api/certificate_provider.idl

Issue 1232553003: Add new certificateProvider extension API. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebased. Created 5 years, 3 months ago
Index: chrome/common/extensions/api/certificate_provider.idl
diff --git a/chrome/common/extensions/api/certificate_provider.idl b/chrome/common/extensions/api/certificate_provider.idl
index 631026e2206c85c10c13ba1e8de7dc3874246f1a..f99f60c1abec6329fa4465094220f3e9329c57d7 100644
--- a/chrome/common/extensions/api/certificate_provider.idl
+++ b/chrome/common/extensions/api/certificate_provider.idl
@@ -14,7 +14,7 @@ namespace certificateProvider {
};
dictionary CertificateInfo {
- // Must be the DER encoding of a X.509 client certificate. Currently, only
+ // Must be the DER encoding of a X.509 certificate. Currently, only
// certificates of RSA keys are supported.
ArrayBuffer certificate;
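Review bot: In the CertificateInfo comment above `ArrayBuffer certificate;`, the sentence "Currently, only certificates of RSA keys are supported" does not say what happens when an extension supplies a certificate with another key type. Since this patch introduces `ResultCallback` with `rejectedCertificates`, state here whether such a certificate is treated as invalid and handed back through that callback. Nit: "a X.509" should read "an X.509", both here and in the sign request comment in the next hunk.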
@@ -31,44 +31,43 @@ namespace certificateProvider {
// Refers to the hash algorithm that was used to create |digest|.
Hash hash;
- // The DER encoding of a X.509 client certificate. The extension must sign
- // |digest| using the associated private key.
+ // The DER encoding of a X.509 certificate. The extension must sign |digest|
+ // using the associated private key.
ArrayBuffer certificate;
};
- // Either |error| or |signature| and not both must be set.
- dictionary SignatureDetails {
- // If the signature of the digest could not be calculated, this field must
- // be set.
- DOMString? error;
-
- // If no error occurred, this field must be set to the signature of the
- // digest using the private the of the requested client certificate.
- // For an RSA key, the signature must be a PKCS#1 signature. The extension
- // is responsible for prepending the DigestInfo prefix and adding PKCS#1
- // padding. If an MD5_SHA1 hash must be signed, the extension must not
- // prepend a DigestInfo prefix but only add PKCS#1 padding.
- ArrayBuffer? signature;
- };
-
callback DoneCallback = void ();
- callback SignCallback = void(SignatureDetails reply, DoneCallback callback);
+ callback ResultCallback = void (ArrayBuffer[] rejectedCertificates);
bartfab (slow) 2015/09/03 17:30:53 Nit: Document who will call these two callbacks an
pneubeck (no reviews) 2015/09/07 17:21:33 Done.
+
+ // If no error occurred, this function must be called with the signature of
+ // the digest using the private of the requested certificate.
bartfab (slow) 2015/09/03 17:30:53 Nit: s/private/private key/
pneubeck (no reviews) 2015/09/07 17:21:33 Done.
+ // For an RSA key, the signature must be a PKCS#1 signature. The extension
+ // is responsible for prepending the DigestInfo prefix and adding PKCS#1
+ // padding. If an MD5_SHA1 hash must be signed, the extension must not
+ // prepend a DigestInfo prefix but only add PKCS#1 padding.
+ // If an error occurred, this callback should be called without signature.
+ callback SignCallback =
+ void(optional ArrayBuffer signature, DoneCallback callback);
bartfab (slow) 2015/09/03 17:30:54 Nit 1: Document |callback|. When will it be called
pneubeck (no reviews) 2015/09/07 17:21:33 Nit 1: Removed. Nit 2: Done.
// Notifies Chrome that this extension is capable of responding to signing
// requests for the certificates listed in |certificates|. The list must
// only contain certificates for which the extension can sign data
// using the associated private key.
+ // If |certificates| contains invalid certificates, these will be ignored and
+ // be passed to |callback|. All valid certificates are still registered for
+ // the extension.
bartfab (slow) 2015/09/03 17:30:54 Will |callback| also be invoked if there are no in
pneubeck (no reviews) 2015/09/07 17:21:33 Done.
callback CertificatesCallback =
- void(CertificateInfo[] certificates, DoneCallback callback);
+ void(CertificateInfo[] certificates, ResultCallback callback);
interface Events {
// This event fires every time the browser requests the current list of
// certificates provided by this extension. The extension must call
// |callback| exactly once with the current list of certificates.
- static void onClientCertificatesRequested(CertificatesCallback callback);
+ static void onCertificatesRequested(CertificatesCallback callback);
// This event fires every time the browser needs to sign a message using a
- // certificate provided by this extension using |publishClientCertificates|.
+ // certificate provided by this extension in reply to an
+ // |onCertificatesRequested| event.
// The extension must sign the data in |request| using the appropriate
// algorithm and private key and return it by calling |callback|. |callback|
// must be called exactly once.
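Review bot: The new SignCallback comment says that on error "this callback should be called without signature", while the event documentation at the end of this hunk says |callback| "must be called exactly once"; use "must" in both places so the error path cannot be read as optional. With the `error` field of the removed SignatureDetails gone, the comment should also say whether a zero-length ArrayBuffer counts as "without signature" or is treated as a failed signature. In the CertificatesCallback comment, "invalid certificates" is not defined, and it is not stated how the entries of `rejectedCertificates` relate to the `CertificateInfo` items that were passed in (for example, that each entry is the same DER bytes as the rejected `certificate` field); please spell both out.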
