Chromium Code Reviews| Index: chrome/browser/chromeos/options/cert_library.cc |
| diff --git a/chrome/browser/chromeos/options/cert_library.cc b/chrome/browser/chromeos/options/cert_library.cc |
| index 00084f64e07166fe44c48033642dcd9084df14c0..e39cf3ffdf2806c9a045e98a95920ad605baad2d 100644 |
| --- a/chrome/browser/chromeos/options/cert_library.cc |
| +++ b/chrome/browser/chromeos/options/cert_library.cc |
| @@ -5,6 +5,7 @@ |
| #include "chrome/browser/chromeos/options/cert_library.h" |
| #include <algorithm> |
| +#include <memory> |
| #include "base/command_line.h" |
| #include "base/i18n/string_compare.h" |
| @@ -153,7 +154,7 @@ int CertLibrary::NumCertificates(CertType type) const { |
| base::string16 CertLibrary::GetCertDisplayStringAt(CertType type, |
| int index) const { |
| net::X509Certificate* cert = GetCertificateAt(type, index); |
| - bool hardware_backed = IsCertHardwareBackedAt(type, index); |
| + bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert); |
| return GetDisplayString(cert, hardware_backed); |
| } |
| @@ -166,9 +167,23 @@ std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const { |
| return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id); |
| } |
| -bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const { |
| +bool CertLibrary::IsCertSecureAt(CertType type, int index) const { |
|
August Huber
2016/11/28 18:29:39
What is the point of the name change?
Why are you
Kevin Cernekee
2016/11/28 20:09:06
They are as secure as possible, given the hardware
|
| net::X509Certificate* cert = GetCertificateAt(type, index); |
| - return CertLoader::IsCertificateHardwareBacked(cert); |
| + bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert); |
| + if (hardware_backed) |
| + return true; |
| + |
| + // An RSA private key is considered secure only if it is bound to the TPM, |
| + // because all Chromebooks support this. |
| + // Other key types such as ECSDA are not supported by all TPM hardware, so |
| + // it doesn't make sense to force users to bind them to the device in |
| + // order to use them for WiFi or VPN. |
| + net::X509Certificate::PublicKeyType actual_key_type = |
| + net::X509Certificate::kPublicKeyTypeUnknown; |
| + size_t unused_key_size = 0; |
| + net::X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(), |
| + &unused_key_size, &actual_key_type); |
| + return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA; |
| } |
| int CertLibrary::GetServerCACertIndexByPEM( |