Unified Diff: chrome/browser/chromeos/options/cert_library.cc

Issue 2485813002: Allow ECDSA certs to be used for VPN and wifi (Closed)
Patch Set: rebase on ToT Created 4 years ago
Index: chrome/browser/chromeos/options/cert_library.cc
diff --git a/chrome/browser/chromeos/options/cert_library.cc b/chrome/browser/chromeos/options/cert_library.cc
index 00084f64e07166fe44c48033642dcd9084df14c0..e39cf3ffdf2806c9a045e98a95920ad605baad2d 100644
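--- a/chrome/browser/chromeos/options/cert_library.cc
+++ b/chrome/browser/chromeos/options/cert_library.cc
@@ -5,6 +5,7 @@
 #include "chrome/browser/chromeos/options/cert_library.h"
 #include <algorithm>
+#include <memory>
 #include "base/command_line.h"
 #include "base/i18n/string_compare.h"
@@ -153,7 +154,7 @@ int CertLibrary::NumCertificates(CertType type) const {
 base::string16 CertLibrary::GetCertDisplayStringAt(CertType type,
 int index) const {
 net::X509Certificate* cert = GetCertificateAt(type, index);
- bool hardware_backed = IsCertHardwareBackedAt(type, index);
+ bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert);
 return GetDisplayString(cert, hardware_backed);
 }
@@ -166,9 +167,23 @@ std::string CertLibrary::GetUserCertPkcs11IdAt(int index, int* slot_id) const {
 return CertLoader::GetPkcs11IdAndSlotForCert(*cert, slot_id);
 }
-bool CertLibrary::IsCertHardwareBackedAt(CertType type, int index) const {
+bool CertLibrary::IsCertSecureAt(CertType type, int index) const {
 net::X509Certificate* cert = GetCertificateAt(type, index);
- return CertLoader::IsCertificateHardwareBacked(cert);
+ bool hardware_backed = CertLoader::IsCertificateHardwareBacked(cert);
+ if (hardware_backed)
+ return true;
+
+ // An RSA private key is considered secure only if it is bound to the TPM,
+ // because all Chromebooks support this.
+ // Other key types such as ECSDA are not supported by all TPM hardware, so
+ // it doesn't make sense to force users to bind them to the device in
+ // order to use them for WiFi or VPN.
+ net::X509Certificate::PublicKeyType actual_key_type =
+ net::X509Certificate::kPublicKeyTypeUnknown;
+ size_t unused_key_size = 0;
+ net::X509Certificate::GetPublicKeyInfo(cert->os_cert_handle(),
+ &unused_key_size, &actual_key_type);
+ return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA;
 }
 int CertLibrary::GetServerCACertIndexByPEM(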
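Review bot: The new IsCertSecureAt fails open when the key type cannot be determined: actual_key_type starts as kPublicKeyTypeUnknown, the result of GetPublicKeyInfo is not checked, and the closing `!= kPublicKeyTypeRSA` comparison then yields true, so a certificate whose key could not be parsed is reported as secure. Because this value decides whether a key that is not TPM-bound may be used for WiFi or VPN, the unknown case should be rejected explicitly, e.g. `return actual_key_type != net::X509Certificate::kPublicKeyTypeRSA && actual_key_type != net::X509Certificate::kPublicKeyTypeUnknown;`. The call `cert->os_cert_handle()` also dereferences cert with no null check, while the hardware-backed helper just above only receives the pointer; if GetCertificateAt can return null for an out-of-range index (not visible here), a `if (!cert) return false;` guard belongs before that line. The comment in the added block spells the key type "ECSDA"; it should read "ECDSA".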
