1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // Use the <code>chrome.enterprise.platformKeys</code> API to generate | 5 // Use the <code>chrome.enterprise.platformKeys</code> API to generate |
6 // hardware-backed keys and to install certificates for these keys. The | 6 // hardware-backed keys and to install certificates for these keys. The |
7 // certificates will be managed by the platform and can be used for TLS | 7 // certificates will be managed by the platform and can be used for TLS |
8 // authentication, network access or by other extension through | 8 // authentication, network access or by other extension through |
9 // $(ref:platformKeys chrome.platformKeys). | 9 // $(ref:platformKeys chrome.platformKeys). |
10 [platforms = ("chromeos")] | 10 [platforms = ("chromeos")] |
38 | 38 |
39 // Callback to which the certificates are passed. | 39 // Callback to which the certificates are passed. |
40 // |certificates|: The list of certificates, each in DER encoding of a X.509 | 40 // |certificates|: The list of certificates, each in DER encoding of a X.509 |
41 // certificate. | 41 // certificate. |
42 callback GetCertificatesCallback = void(ArrayBuffer[] certificates); | 42 callback GetCertificatesCallback = void(ArrayBuffer[] certificates); |
43 | 43 |
44 // Invoked by importCertificate or removeCertificate when the respective | 44 // Invoked by importCertificate or removeCertificate when the respective |
45 // operation is finished. | 45 // operation is finished. |
46 callback DoneCallback = void(); | 46 callback DoneCallback = void(); |
47 | 47 |
48 // Invoked by <code>challengeMachineKey</code> or | |
49 // <code>challengeUserKey</code> with the challenge response. | |
50 // |response|: The challenge response, encoded using Base64. | |
51 callback ChallengeCallback = void(DOMString response); | |
52 | |
48 interface Functions { | 53 interface Functions { |
49 // Returns the available Tokens. In a regular user's session the list will | 54 // Returns the available Tokens. In a regular user's session the list will |
50 // always contain the user's token with <code>id</code> <code>"user"</code>. | 55 // always contain the user's token with <code>id</code> <code>"user"</code>. |
51 // If a system-wide TPM token is available, the returned list will also | 56 // If a system-wide TPM token is available, the returned list will also |
52 // contain the system-wide token with <code>id</code> <code>"system"</code>. | 57 // contain the system-wide token with <code>id</code> <code>"system"</code>. |
53 // The system-wide token will be the same for all sessions on this device | 58 // The system-wide token will be the same for all sessions on this device |
54 // (device in the sense of e.g. a Chromebook). | 59 // (device in the sense of e.g. a Chromebook). |
55 [nocompile] static void getTokens(GetTokensCallback callback); | 60 [nocompile] static void getTokens(GetTokensCallback callback); |
56 | 61 |
57 // Returns the list of all client certificates available from the given | 62 // Returns the list of all client certificates available from the given |
77 // Removes <code>certificate</code> from the given token if present. | 82 // Removes <code>certificate</code> from the given token if present. |
78 // Should be used to remove obsolete certificates so that they are not | 83 // Should be used to remove obsolete certificates so that they are not |
79 // considered during authentication and do not clutter the certificate | 84 // considered during authentication and do not clutter the certificate |
80 // choice. Should be used to free storage in the certificate store. | 85 // choice. Should be used to free storage in the certificate store. |
81 // |tokenId|: The id of a Token returned by <code>getTokens</code>. | 86 // |tokenId|: The id of a Token returned by <code>getTokens</code>. |
82 // |certificate|: The DER encoding of a X.509 certificate. | 87 // |certificate|: The DER encoding of a X.509 certificate. |
83 // |callback|: Called back when this operation is finished. | 88 // |callback|: Called back when this operation is finished. |
84 static void removeCertificate(DOMString tokenId, | 89 static void removeCertificate(DOMString tokenId, |
85 ArrayBuffer certificate, | 90 ArrayBuffer certificate, |
86 optional DoneCallback callback); | 91 optional DoneCallback callback); |
92 | |
93 // Challenges a hardware-backed Enterprise Machine Key and emits the | |
94 // response as part of a remote attestation protocol. Only useful on Chrome | |
95 // OS and in conjunction with the Verified Access Web API which both issues | |
96 // challenges and verifies responses. A successful verification by the | |
97 // Verified Access Web API is a strong signal of all of the following: | |
98 // * The current device is a legitimate Chrome OS device. | |
99 // * The current device is managed by the domain specified during | |
100 // verification. | |
101 // * The current signed-in user is managed by the domain specified during | |
102 // verification. | |
103 // * The current device state complies with enterprise device policy. For | |
104 // example, a policy may specify that the device must not be in developer | |
105 // mode. | |
106 // * Any device identity emitted by the verification is tightly bound to the | |
107 // hardware of the current device. | |
108 // This function is highly restricted and will fail if the current device | |
109 // is not managed, the current user is not managed, or if this operation | |
110 // has not explicitly been enabled for the caller by enterprise device | |
111 // policy. The Enterprise Machine Key does not reside in the | |
112 // <code>"system"</code> token and is not accessible by any other API. | |
113 // |challenge|: A challenge as emitted by the Verified Access Web API, | |
114 // encoded using Base64. | |
emaxx
2016/02/19 17:20:58
Isn't it better to use ArrayBuffer's instead of th
Devlin
2016/02/19 18:05:02
I don't know that one is inherently better than th
Darren Krahn
2016/02/23 23:39:46
Done.
| |
115 // |callback|: Called back with the challenge response. | |
116 static void challengeMachineKey(DOMString challenge, | |
117 ChallengeCallback callback); | |
118 | |
119 // Challenges a hardware-backed Enterprise User Key and emits the response | |
120 // as part of a remote attestation protocol. Only useful on Chrome OS and in | |
121 // conjunction with the Verified Access Web API which both issues challenges | |
122 // and verifies responses. A successful verification by the Verified Access | |
123 // Web API is a strong signal of all of the following: | |
124 // * The current device is a legitimate Chrome OS device. | |
125 // * The current device is managed by the domain specified during | |
126 // verification. | |
127 // * The current signed-in user is managed by the domain specified during | |
128 // verification. | |
129 // * The current device state complies with enterprise user policy. For | |
130 // example, a policy may specify that the device must not be in developer | |
131 // mode. | |
132 // * The public key emitted by the verification is tightly bound to the | |
133 // hardware of the current device and to the current signed-in user. | |
134 // This function is highly restricted and will fail if the current device is | |
135 // not managed, the current user is not managed, or if this operation has | |
136 // not explicitly been enabled for the caller by enterprise user policy. | |
137 // The Enterprise User Key does not reside in the <code>"user"</code> token | |
138 // and is not accessible by any other API. | |
139 // |challenge|: A challenge as emitted by the Verified Access Web API, | |
140 // encoded using Base64. | |
141 // |registerKey|: If set, the current Enterprise User Key is registered with | |
142 // the <code>"user"</code> token and relinquishes the | |
143 // Enterprise User Key role. The key can then be associated | |
144 // with a certificate and used like any other signing key. | |
145 // This key is 2048-bit RSA. Subsequent calls to this | |
146 // function will then generate a new Enterprise User Key. | |
147 // |callback|: Called back with the challenge response. | |
148 static void challengeUserKey(DOMString challenge, | |
149 boolean registerKey, | |
150 ChallengeCallback callback); | |
87 }; | 151 }; |
88 }; | 152 }; |
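Review bot: The |registerKey| description on challengeUserKey (new lines 141-146) says the key "relinquishes the Enterprise User Key role" but not whether that registration still happens when the challenge itself fails, nor whether it takes effect before or after the response is emitted; since the text presents the role change as one-way and the key as hardware-bound, callers need that ordering to avoid consuming their attestation key on a rejected challenge. I would add one sentence to that parameter's doc such as `// Registration only takes effect if a challenge response is produced successfully.` (or the opposite, whichever the implementation does; I cannot tell from the IDL alone). Both challengeMachineKey (new lines 108-112) and challengeUserKey (new lines 134-136) also state that they "will fail" under several policy and enrollment conditions without saying how the failure reaches the caller, presumably via chrome.runtime.lastError as with other extension APIs; a sentence on each, e.g. `// On failure, |callback| is invoked and chrome.runtime.lastError is set.`, would let an extension distinguish a rejected challenge from a missing policy enablement. The new Functions members end at new line 150 and the interface closes at new line 151, so this covers the whole added surface.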