OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Use the <code>chrome.enterprise.platformKeys</code> API to generate | 5 // Use the <code>chrome.enterprise.platformKeys</code> API to generate |
6 // hardware-backed keys and to install certificates for these keys. The | 6 // hardware-backed keys and to install certificates for these keys. The |
7 // certificates will be available to the platform and can, for example, be used | 7 // certificates will be available to the platform and can, for example, be used |
8 // for TLS authentication and network access. | 8 // for TLS authentication and network access. |
9 [platforms = ("chromeos")] | 9 [platforms = ("chromeos")] |
10 namespace enterprise.platformKeys { | 10 namespace enterprise.platformKeys { |
11 [nocompile] dictionary Token { | 11 [nocompile] dictionary Token { |
not at google - send to devlin
2014/06/02 17:05:16
noinline_doc here should work, like [nocompile noi
pneubeck (no reviews)
2014/06/03 09:22:21
Awesome! Thanks.
| |
12 // Uniquely identifies this Token. Static IDs are 'user' and 'device', | 12 // Uniquely identifies this Token. Static IDs are 'user' and 'device', |
13 // referring to the platform's user-specific and the device-wide hardware | 13 // referring to the platform's user-specific and the device-wide hardware |
14 // token, respectively. Any other tokens (with other identifiers) might be | 14 // token, respectively. Any other tokens (with other identifiers) might be |
15 // returned by getTokens. | 15 // returned by getTokens. |
16 DOMString id; | 16 DOMString id; |
17 | 17 |
18 // Implements the WebCrypto's <code>SubtleCrypto</code> interface. The | 18 // Implements the WebCrypto's <a |
19 // crypto operations are hardware-backed. | 19 // href="http://www.w3.org/TR/WebCryptoAPI/#subtlecrypto-interface">SubtleCr ypto</a> |
20 // interface. The crypto operations are hardware-backed. | |
not at google - send to devlin
2014/06/02 17:05:16
why is being hardware backed important?
is it alw
Ryan Sleevi
2014/06/03 00:02:42
The cryptographic operations, including key genera
| |
21 // Only non-extractable RSASSA-PKCS1-V1_5 keys with moduloLength upto 2048 | |
not at google - send to devlin
2014/06/02 17:05:16
s/upto/up to
Ryan Sleevi
2014/06/03 00:02:42
modulo/modulus/
pneubeck (no reviews)
2014/06/03 09:22:21
Done.
pneubeck (no reviews)
2014/06/03 09:22:21
Done.
| |
22 // can be generated. Each key can be used for signing data at most once. | |
23 // Keys generated by a certain Token cannot be used with any other Token or | |
24 // with <code>window.crypto.subtle</code>. The opposite doesn't work either. | |
not at google - send to devlin
2014/06/02 17:05:16
I don't quite understand what these last 2 sentenc
Ryan Sleevi
2014/06/03 00:02:42
Keys generated on a specific token cannot be used
pneubeck (no reviews)
2014/06/03 09:22:21
Done.
pneubeck (no reviews)
2014/06/03 09:22:21
Done.
| |
20 [instanceOf = SubtleCrypto] object subtleCrypto; | 25 [instanceOf = SubtleCrypto] object subtleCrypto; |
21 }; | 26 }; |
22 | 27 |
23 // Invoked by <code>getTokens</code> with the list of available Tokens. | 28 // Invoked by <code>getTokens</code> with the list of available Tokens. |
24 callback GetTokensCallback = void(Token[] tokens); | 29 callback GetTokensCallback = void(Token[] tokens); |
25 | 30 |
26 // Callback to which the certificates are passed. | 31 // Callback to which the certificates are passed. |
27 // |certificates| The list of certificates, each in DER encoding of a X.509 | 32 // |certificates| The list of certificates, each in DER encoding of a X.509 |
28 // certificate. | 33 // certificate. |
29 callback GetCertificatesCallback = void(ArrayBuffer[] certificates); | 34 callback GetCertificatesCallback = void(ArrayBuffer[] certificates); |
30 | 35 |
31 // Invoked by importCertificate or removeCertificate when the respective | 36 // Invoked by importCertificate or removeCertificate when the respective |
32 // operation is finished. | 37 // operation is finished. |
33 callback DoneCallback = void(); | 38 callback DoneCallback = void(); |
34 | 39 |
35 interface Functions { | 40 interface Functions { |
36 // Returns the available Tokens. In a regular user's session the list will | 41 // Returns the available Tokens. In a regular user's session the list will |
37 // always contain the user's token with id 'user'. If a device-wide TPM | 42 // always contain the user's token with id 'user'. If a device-wide TPM |
38 // token is available it will also contain the device-wide token with id | 43 // token is available it will also contain the device-wide token with id |
39 // 'device'. The device-wide token will be the same for all sessions on this | 44 // 'device'. The device-wide token will be the same for all sessions on this |
40 // device (device in the sense of e.g. a Chromebook). | 45 // device (device in the sense of e.g. a Chromebook). |
46 // Note that the returned Tokens apply additional restrictions to the | |
47 // SubtleCrypto interface. | |
not at google - send to devlin
2014/06/02 17:05:16
what restrictions? can you link to them?
pneubeck (no reviews)
2014/06/03 09:22:21
Removed. That was rather redundant and misleading
| |
41 [nocompile] static void getTokens(GetTokensCallback callback); | 48 [nocompile] static void getTokens(GetTokensCallback callback); |
42 | 49 |
43 // Returns the list of all client certificates available from the given | 50 // Returns the list of all client certificates available from the given |
44 // token. Can be used to check for the existence and expiration of client | 51 // token. Can be used to check for the existence and expiration of client |
45 // certificates that are usable for a certain authentication. | 52 // certificates that are usable for a certain authentication. |
46 // |tokenId| The id of a Token returned by <code>getTokens</code>. | 53 // |tokenId| The id of a Token returned by <code>getTokens</code>. |
47 // |callback| Called back with the list of the available certificates. | 54 // |callback| Called back with the list of the available certificates. |
48 static void getCertificates(DOMString tokenId, | 55 static void getCertificates(DOMString tokenId, |
49 GetCertificatesCallback callback); | 56 GetCertificatesCallback callback); |
50 | 57 |
51 // Imports |certificate| to the given token if the certified key is already | 58 // Imports <code>certificate</code> to the given token if the certified key |
52 // stored in this token. | 59 // is already stored in this token. |
53 // After a successful certification request, this function should be used to | 60 // After a successful certification request, this function should be used to |
54 // store the obtained certificate and to make it available to the operating | 61 // store the obtained certificate and to make it available to the operating |
55 // system and browser for authentication. | 62 // system and browser for authentication. |
56 // TODO: Instead of ArrayBuffer should be (ArrayBuffer or ArrayBufferView), | |
57 // or at least (ArrayBuffer or Uint8Array). | |
58 // |tokenId| The id of a Token returned by <code>getTokens</code>. | 63 // |tokenId| The id of a Token returned by <code>getTokens</code>. |
59 // |certificate| The DER encoding of a X.509 certificate. | 64 // |certificate| The DER encoding of a X.509 certificate. |
60 // |callback| Called back when this operation is finished. | 65 // |callback| Called back when this operation is finished. |
61 static void importCertificate(DOMString tokenId, | 66 static void importCertificate(DOMString tokenId, |
62 ArrayBuffer certificate, | 67 ArrayBuffer certificate, |
63 optional DoneCallback callback); | 68 optional DoneCallback callback); |
64 | 69 |
65 // Removes |certificate| from the given token if present. | 70 // Removes <code>certificate</code> from the given token if present. |
66 // Should be used to remove obsolete certificates so that they are not | 71 // Should be used to remove obsolete certificates so that they are not |
67 // considered during authentication and do not clutter the certificate | 72 // considered during authentication and do not clutter the certificate |
68 // choice. Should be used to free storage in the certificate store. | 73 // choice. Should be used to free storage in the certificate store. |
69 // TODO: Instead of ArrayBuffer should be (ArrayBuffer or ArrayBufferView), | |
70 // or at least (ArrayBuffer or Uint8Array). | |
71 // |tokenId| The id of a Token returned by <code>getTokens</code>. | 74 // |tokenId| The id of a Token returned by <code>getTokens</code>. |
72 // |certificate| The DER encoding of a X.509 certificate. | 75 // |certificate| The DER encoding of a X.509 certificate. |
73 // |callback| Called back when this operation is finished. | 76 // |callback| Called back when this operation is finished. |
74 static void removeCertificate(DOMString tokenId, | 77 static void removeCertificate(DOMString tokenId, |
75 ArrayBuffer certificate, | 78 ArrayBuffer certificate, |
76 optional DoneCallback callback); | 79 optional DoneCallback callback); |
77 }; | 80 }; |
78 }; | 81 }; |
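Review bot: The new `subtleCrypto` comment (new lines 21-24) lists the restrictions (only non-extractable RSASSA-PKCS1-V1_5 keys, one signature per key, no use across tokens) but does not say how a caller sees a violation, so an extension author cannot tell a rejected operation from a token failure. I would add a sentence such as `// Operations that violate these restrictions fail with an error; a key that has already signed cannot be reused.`, adjusted to what the implementation actually does, which is not visible in this file. Separately, the `TODO` about accepting `ArrayBufferView` is dropped from `importCertificate` and `removeCertificate` (old lines 56-57 and 69-70) while both still take `ArrayBuffer`; if the limitation remains, keeping the note or pointing to a tracking bug would preserve it. The W3C link on new line 19 uses `http://`, and `https://` would be preferable in the generated docs.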