Chromium Code Reviews

Issue 2485813002: Allow ECDSA certs to be used for VPN and wifi (Closed)

Created:
4 years, 1 month ago by Kevin Cernekee
Modified:
3 years, 3 months ago
CC:
chromium-reviews, oshima+watch_chromium.org, davemoore+watch_chromium.org
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Allow ECDSA certs to be used for VPN and wifi

These certs cannot be hardware-backed on legacy TPM hardware, so make an exception for them. RSA certs are still required to be hardware-backed.

BUG=619273
TEST=manually import an ECDSA cert and use it to connect to an IPsec VPN

Patch Set 1

Total comments: 4

Patch Set 2: update comments in *_config_view.cc

Total comments: 2

Patch Set 3: rebase on ToT

Stats (+23 lines, -10 lines)
M chrome/browser/chromeos/options/cert_library.h: 1 chunk, +1 line, -1 line, 0 comments
M chrome/browser/chromeos/options/cert_library.cc: 3 chunks, +18 lines, -3 lines, 0 comments
M chrome/browser/chromeos/options/vpn_config_view.cc: 1 chunk, +2 lines, -3 lines, 0 comments
M chrome/browser/chromeos/options/wifi_config_view.cc: 1 chunk, +2 lines, -3 lines, 0 comments

Messages

Total messages: 17 (9 generated)
stevenjb
This looks reasonable to me, but please also find someone familiar with certificate security to ...
4 years, 1 month ago (2016-11-08 20:09:37 UTC) #2
Kevin Cernekee
4 years, 1 month ago (2016-11-08 21:00:14 UTC) #3
Kevin Cernekee
https://codereview.chromium.org/2485813002/diff/1/chrome/browser/chromeos/options/vpn_config_view.cc File chrome/browser/chromeos/options/vpn_config_view.cc (right): https://codereview.chromium.org/2485813002/diff/1/chrome/browser/chromeos/options/vpn_config_view.cc#newcode1032 chrome/browser/chromeos/options/vpn_config_view.cc:1032: // Currently only hardware-backed user certificates are valid. On ...
4 years, 1 month ago (2016-11-08 21:00:41 UTC) #4
stevenjb
+mnissler@ I have OWNER status for this code, but I would like an additional lg ...
4 years, 1 month ago (2016-11-10 18:58:58 UTC) #6
Mattias Nissler (ping if slow)
OK, LGTM then :)
4 years, 1 month ago (2016-11-10 21:39:34 UTC) #7
August Huber
I think you need to revisit the assumptions that were made when we decided to ...
4 years ago (2016-11-28 18:29:40 UTC) #9
Kevin Cernekee
This CL will not work as-is because strongSwan cannot currently access certs/keys in UserNSSDB, but: ...
4 years ago (2016-11-28 20:09:06 UTC) #10
Kevin Cernekee
4 years ago (2016-11-28 20:41:57 UTC) #12
Per offline discussions with August:

Will - do you have any strong opinions on whether to drop the "cert must be HW
backed" check in the GUI for ECDSA only, RSA+ECDSA, or for neither?

Also, how should ONC handle it?
