Add the IDL for chrome.platformKeys.

chrome/common/extensions/api/platform_keys.idl

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Use the <code>chrome.platformKeys</code> API to use client certificates 
+// managed by the platform.
+[platforms = ("chromeos")]

[not at google - send to devlin, 2015/01/14 21:42:35]

annotation not necessary

[pneubeck (no reviews), 2015/01/15 14:32:06]

Done.

+namespace platformKeys {
+  dictionary Match {
+     // The DER encoding of a X.509 certificate.
+     ArrayBuffer certificate;
+
+     // The public
+     // <a href="http://www.w3.org/TR/WebCryptoAPI/#dfn-CryptoKey">CryptoKey</a>
+     // for $(ref:certificate) which can only be used with
+     // <code>chrome.certs.subtleCrypto</code>.
+     object publicKey;
+
+     // The private
+     // <a href="http://www.w3.org/TR/WebCryptoAPI/#dfn-CryptoKey">CryptoKey</a>
+     // for $(ref:certificate) which can only
+     // be used with <code>chrome.certs.subtleCrypto</code>. Might be null if
+     // this extension does not have access to it.
+     object privateKey;

[not at google - send to devlin, 2015/01/14 21:42:35]

make it an object? then

[pneubeck (no reviews), 2015/01/15 14:32:06]

Done.

+  };
+
+  enum ClientCertificateType {
+    rsaSign,
+    dssSign,
+    ecdsaSign
+  };
+
+  // Analogous to TLS1.1's CertificateRequest.
+  // See http://tools.ietf.org/html/rfc4346#section-7.4.4 .
+  dictionary ClientCertificateRequest {
+    // This field is a list of the types of certificates requested, sorted in
+    // order of the server's preference.
+    ClientCertificateType[] certificateTypes;
+
+    // List of distinguished names of certificate authorities allowed by the
+    // server. Each entry must be a DER-encoded X.509 DistinguishedName .
+    ArrayBuffer[] certificateAuthorities;
+  };
+
+  callback SelectCallback = void (Match[] certs);
+
+  interface Functions {
+    // This function filters from a list of client certificates the ones that
+    // are known to the platform, match <code>request</code> and for which the
+    // extension has permission to access the certificate and its private key.
+    // If <code>interactive</code> is true, the user is presented a dialog where
+    // he can select from matching certificates and grant the extension access
+    // to the certificate.
+    // The selected/filtered client certificates will be passed to
+    // <code>callback</code>.
+    //
+    // |request|: Only certificates that match this request will be returned.
+    // |clientCerts|: If given, the function operates on that list. Otherwise,
+    //   obtains the list of all certificates from the platform's certificate
+    //   stores that are available to this extensions.
+    // |interactive|> If true, the filtered list is presented to the user to
+    //   manually select a certificate and thereby granting the extension access
+    //   to the certificate(s) and key(s). Only the selected certificate(s) will
+    //   be returned.
+    //   If is false, the list is reduced to all certificates that the extension
+    //   has been granted access to (automatically or manually).
+    // |callback|: Will be called with the matching and, if
+    //   <code>interactive</code> is true, selected certificates that this
+    //   extension has access to.
+    [nocompile] static void selectClientCertificates(
+        boolean interactive,
+        ClientCertificateRequest request,
+        optional ArrayBuffer[] clientCerts,

[not at google - send to devlin, 2015/01/14 21:42:35]

Better if these 3 arguments are reduced to a single object, even if it involves
nesting, so extension would call like:

chrome.platformKeys.selectClientCertificates({
  interactive: true,
  request: {
    certificateTypes: ...,
    ...
  },
  clientCerts: ...
}, function(matches) {
  ...
});

[pneubeck (no reviews), 2015/01/15 14:32:06]

Done.

+        SelectCallback callback);
+
+    // An implementation of WebCrypto's
+    // <a href="http://www.w3.org/TR/WebCryptoAPI/#subtlecrypto-interface">SubtleCrypto</a>
+    // that allows crypto operations on keys of client certificates that are
+    // available to this extension.
+    [nocompile] static object subtleCrypto();

[not at google - send to devlin, 2015/01/14 21:42:35]

What would it look like to use this method?

[pneubeck (no reviews), 2015/01/15 09:23:52]

actually, this should be a static member, but I think that isn't supported by
our idl to json-schema converter?

usage would look like:

selectClientCertificates(..., function(certs) {
  subtleCrypto().
     sign(signAlgorithm, certs[0].privateKey, data).
     then(onSignSuccess, onSignFailure);
})

[pneubeck (no reviews), 2015/01/15 14:32:06]

Is there an easy way to make it a member and not a function?

[not at google - send to devlin, 2015/01/15 21:48:56]

It looks to me like you're wanting a global subtleCrypto() function there? like
window.subtleCrypto()?

To answer what might be your question, for doing anything more complex than just
generating chrome.namespace.myFunction you need to wire it up through a custom
binding.

[pneubeck (no reviews), 2015/01/19 08:54:00]

Yes, I shouldn't have shortcut in my example though:

chrome.platformKeys.selectClientCertificates(..., function(certs) {
  chrome.platformKeys.subtleCrypto().
     sign(signAlgorithm, certs[0].privateKey, data).
     then(onSignSuccess, onSignFailure);
})

subtleCrypto would not have to be a function, i.e.

  ... chrome.platformKeys.subtleCrypto.sign(...)

would be a tiny bit easier to use, but IMO not worth overhead in the codebase.
the registerHooks in custom bindings seem also to expect functions and not
object members.

The current definition of subtleCrypto seems to be alright then?

+  };
+};
+