Add idl for new chrome.certificateProvider API.

chrome/common/extensions/api/certificate_provider.idl

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Use this API to expose certificates to the platform which can use these
+// certificates for TLS authentications.
+namespace certificateProvider {
+  enum Hash {

[davidben, 2015/08/17 15:42:52]

Oh, noticed this from the other CL, but MD5_SHA1 actually is needed. That's the
only "hash" that can be signed for TLS 1.0 and TLS 1.1. Only TLS 1.2 starts
signing other hashes.

(This is distinct from the hash on the signature in the certificate. This is
what the leaf's private key signs.)

[pneubeck (no reviews), 2015/08/18 06:45:33]

Done.

+    SHA1,
+    SHA256,
+    SHA384,
+    SHA512

[not at google - send to devlin, 2015/08/14 17:13:44]

it would be nice to have a standard set of certificate types shared across the
APIs that use them. not a big deal though.

[pneubeck (no reviews), 2015/08/17 12:13:49]

Acknowledged.

+  };
+
+  dictionary CertificateInfo {
+    // Must be the DER encoding of a X.509 client certificate.
+    // Currently, only certificates of RSA keys are supported.

[davidben, 2015/08/17 15:38:03]

Nit: Why is this comment wrapped differently from the others?

[pneubeck (no reviews), 2015/08/18 06:45:33]

Done.

+    ArrayBuffer certificate;
+
+    // Must be set to all hashes supported for this certificate. This extension
+    // will only be asked for signatures of digests calculated with one of these
+    // hash algorithms.
+    Hash[] supportedHashes;
+  };
+
+  dictionary SignRequest {
+    // The digest that must be signed.
+    ArrayBuffer digest;
+
+    // Refers to the hash algorithm that was used to create |digest|.
+    Hash hash;
+
+    // The DER encoding of a X.509 client certificate. The extension must sign
+    // |digest| using the associated private key.
+    ArrayBuffer certificate;
+  };
+
+  // Either |error| or |signature| and not both must be set.
+  dictionary SignatureDetails {
+    // If the signature of the digest could not be calculated, this field must
+    // be set.
+    DOMString? error;
+
+    // If no error occurred, this field must be set to the signature of the
+    // digest using the private the of the requested client certificate.
+    // For an RSA key, the signature must be a PKCS#1 signature. The extension
+    // is responsible for prepending the DigestInfo prefix and adding PKCS#1
+    // padding.
+    ArrayBuffer? signature;
+  };
+
+  callback DoneCallback = void ();
+  callback SignCallback = void(SignatureDetails reply, DoneCallback callback);
+
+  // Notifies Chrome that this extension is capable of responding to signing
+  // requests for the certificates listed in |certificates|. The list must
+  // only contain certificates for which the extension can sign data
+  // using the associated private key.
+  callback CertificatesCallback =
+      void(CertificateInfo[] certificates, DoneCallback callback);

[davidben, 2015/08/17 15:38:03]

I might not be understanding this idl syntax, but what's the DoneCallback for?

So, I'm guessing the extension implements something like:

  blah.onClientCertificatesRequested.addListener(function(cb) {
    queryCertificates().then(function(certs) {
      cb(certs, /* ??? */);
    })
  });

What's the extra parameter do?

[pneubeck2, 2015/08/17 15:42:56]

Errors that are only detected in c++ must be returned asynchronously, through a
callback.

[davidben, 2015/08/17 16:46:11]

But DoneCallback doesn't take any errors. I'm not sure I follow though. What
errors were you thinking?

+
+  interface Events {
+    // This event fires every time the browser requests the current list of
+    // certificates provided by this extension. The extension must call
+    // |callback| exactly once with the current list of certificates.
+    static void onClientCertificatesRequested(CertificatesCallback callback);
+
+    // This event fires every time the browser needs to sign a message using a
+    // certificate provided by this extension using |publishClientCertificates|.
+    // The extension must sign the data in |request| using the appropriate
+    // algorithm and private key and return it by calling |callback|. |callback|
+    // must be called exactly once.
+    static void onSignDigestRequested(SignRequest request,
+                                      SignCallback callback);
+  };
+};