| Index: chrome/browser/chromeos/options/cert_library.cc
|
| diff --git a/chrome/browser/chromeos/options/cert_library.cc b/chrome/browser/chromeos/options/cert_library.cc
|
| index 00084f64e07166fe44c48033642dcd9084df14c0..e39cf3ffdf2806c9a045e98a95920ad605baad2d 100644
|
| --- a/chrome/browser/chromeos/options/cert_library.cc
|
| +++ b/chrome/browser/chromeos/options/cert_library.cc
|
| @@ -5,6 +5,7 @@
|
| #include "chrome/browser/chromeos/options/cert_library.h"
|
|
|
| #include <algorithm>
|
| +#include <memory>
|
|
|
| #include "base/command_line.h"
|
| #include "base/i18n/string_compare.h"
|
| @@ -153,7 +154,7 @@ int CertLibrary::NumCertificates(CertType type) const {
|
| base::string16 CertLibrary::GetCertDisplayStringAt(CertType type,
|
| int index) const {
|
| net::X509Certificate* cert = GetCertificateAt(type, index);
|
| - bool hardware_backed = IsCertHardwareBackedAt(type, index);
|
| + bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert);
|
| return GetDisplayString(cert, hardware_backed);
|
| }
|
|
|
| @@ -166,9 +167,23 @@ std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const {
|
| return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id);
|
| }
|
|
|
| -bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const {
|
| +bool CertLibrary::IsCertSecureAt(CertType type, int index) const {
|
| net::X509Certificate* cert = GetCertificateAt(type, index);
|
| - return CertLoader::IsCertificateHardwareBacked(cert);
|
| + bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert);
|
| + if (hardware_backed)
|
| + return true;
|
| +
|
| + // An RSA private key is considered secure only if it is bound to the TPM,
|
| + // because all Chromebooks support this.
|
| + // Other key types such as ECSDA are not supported by all TPM hardware, so
|
| + // it doesn't make sense to force users to bind them to the device in
|
| + // order to use them for WiFi or VPN.
|
| + net::X509Certificate::PublicKeyType actual_key_type =
|
| + net::X509Certificate::kPublicKeyTypeUnknown;
|
| + size_t unused_key_size = 0;
|
| + net::X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(),
|
| + &unused_key_size, &actual_key_type);
|
| + return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA;
|
| }
|
|
|
| int CertLibrary::GetServerCACertIndexByPEM(
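Review bot: The new `IsCertSecureAt` fails open when the key type cannot be determined: `actual_key_type` starts as `kPublicKeyTypeUnknown`, and if `GetPublicKeyInfo` leaves it unchanged the final comparison returns true, so a certificate whose public key could not be parsed is reported as secure. The comment only justifies exempting non-RSA key types that some TPMs cannot hold, so the unknown case should be excluded explicitly: `return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA && actual_key_type != net::X509Certificate::kPublicKeyTypeUnknown;`. The body also dereferences `cert` via `cert->os_cert_handle()` without checking the result of `GetCertificateAt`; if that accessor cannot return null for a valid index, a `DCHECK(cert);` after the lookup would document the assumption, otherwise a null check is needed. Minor: the comment's "ECSDA" should read "ECDSA".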
|
|
|