Commit e0ad0896 authored by satorux@chromium.org's avatar satorux@chromium.org

certificate manager: Disable export option for TPM-backed certs.

Add a separate boolean property to indicate that a client certificate
is hardware (TPM) backed. Certificate manager should disable the export
button for such certificates because there is no way to extract the
private key from the TPM.

BUG=126886
TEST=lumpy

Review URL: https://chromiumcodereview.appspot.com/10407072
Patch from Haixia Shi <hshi@chromium.org>.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138314 0039d316-1c4b-4281-b951-d872f2087c98
parent ae77f320
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
......@@ -81,9 +81,7 @@ string16 CertificateManagerModel::GetColumnText(
#if defined(OS_CHROMEOS)
// TODO(xiyuan): Put this into a column when we have js tree-table.
if (crypto::IsTPMTokenReady() &&
cert.os_cert_handle()->slot ==
cert_db().GetPrivateModule()->os_module_handle()) {
if (IsHardwareBacked(&cert)) {
rv = l10n_util::GetStringFUTF16(
IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
rv,
......@@ -153,3 +151,14 @@ bool CertificateManagerModel::Delete(net::X509Certificate* cert) {
Refresh();
return result;
}
bool CertificateManagerModel::IsHardwareBacked(
const net::X509Certificate* cert) const {
#if defined(OS_CHROMEOS)
return crypto::IsTPMTokenReady() &&
cert->os_cert_handle()->slot ==
cert_db().GetPrivateModule()->os_module_handle();
#else
return false;
#endif
}
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
......@@ -100,6 +100,9 @@ class CertificateManagerModel {
// function returns.
bool Delete(net::X509Certificate* cert);
// IsHardwareBacked returns true if |cert| is hardware backed.
bool IsHardwareBacked(const net::X509Certificate* cert) const;
private:
// Callback used by Refresh() for when the cert slots have been unlocked.
// This method does the actual refreshing.
......
......@@ -116,12 +116,13 @@ cr.define('options', function() {
updateButtonState: function(data) {
var isCert = !!data && data.id.substr(0, 5) == 'cert-';
var readOnly = !!data && data.readonly;
var extractable = !!data && data.extractable;
var hasChildren = this.tree.items.length > 0;
this.viewButton.disabled = !isCert;
if (this.editButton !== null)
this.editButton.disabled = !isCert;
if (this.backupButton !== null)
this.backupButton.disabled = !isCert;
this.backupButton.disabled = !isCert || !extractable;
if (this.backupAllButton !== null)
this.backupAllButton.disabled = !hasChildren;
if (this.exportButton !== null)
......
......@@ -39,6 +39,7 @@ static const char kSubNodesId[] = "subnodes";
static const char kNameId[] = "name";
static const char kReadOnlyId[] = "readonly";
static const char kUntrustedId[] = "untrusted";
static const char kExtractableId[] = "extractable";
static const char kSecurityDeviceId[] = "device";
static const char kErrorId[] = "error";
......@@ -975,6 +976,9 @@ void CertificateManagerHandler::PopulateTree(const std::string& tab_name,
cert_dict->SetBoolean(
kUntrustedId,
certificate_manager_model_->cert_db().IsUntrusted(cert));
cert_dict->SetBoolean(
kExtractableId,
!certificate_manager_model_->IsHardwareBacked(cert));
// TODO(mattm): Other columns.
subnodes->Append(cert_dict);
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment