certificate manager: Disable export option for TPM-backed certs.

Add a separate boolean property to indicate that a client certificate
is hardware (TPM) backed. Certificate manager should disable the export
button for such certificates because there is no way to extract the
private key from the TPM.

BUG=126886
TEST=lumpy

Review URL: https://chromiumcodereview.appspot.com/10407072
Patch from Haixia Shi <hshi@chromium.org>.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138314 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/certificate_manager_model.cc

-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -81,9 +81,7 @@ string16 CertificateManagerModel::GetColumnText(
 
 #if defined(OS_CHROMEOS)
       // TODO(xiyuan): Put this into a column when we have js tree-table.
-      if (crypto::IsTPMTokenReady() &&
-          cert.os_cert_handle()->slot ==
-            cert_db().GetPrivateModule()->os_module_handle()) {
+      if (IsHardwareBacked(&cert)) {
         rv = l10n_util::GetStringFUTF16(
             IDS_CERT_MANAGER_HARDWARE_BACKED_KEY_FORMAT,
             rv,
@@ -153,3 +151,14 @@ bool CertificateManagerModel::Delete(net::X509Certificate* cert) {
     Refresh();
   return result;
 }
+
+bool CertificateManagerModel::IsHardwareBacked(
+    const net::X509Certificate* cert) const {
+#if defined(OS_CHROMEOS)
+  return crypto::IsTPMTokenReady() &&
+         cert->os_cert_handle()->slot ==
+             cert_db().GetPrivateModule()->os_module_handle();
+#else
+  return false;
+#endif
+}

chrome/browser/certificate_manager_model.h

-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -100,6 +100,9 @@ class CertificateManagerModel {
   // function returns.
   bool Delete(net::X509Certificate* cert);
 
+  // IsHardwareBacked returns true if |cert| is hardware backed.
+  bool IsHardwareBacked(const net::X509Certificate* cert) const;
+
  private:
   // Callback used by Refresh() for when the cert slots have been unlocked.
   // This method does the actual refreshing.

chrome/browser/resources/options2/certificate_manager.js

@@ -116,12 +116,13 @@ cr.define('options', function() {
     updateButtonState: function(data) {
       var isCert = !!data && data.id.substr(0, 5) == 'cert-';
       var readOnly = !!data && data.readonly;
+      var extractable = !!data && data.extractable;
       var hasChildren = this.tree.items.length > 0;
       this.viewButton.disabled = !isCert;
       if (this.editButton !== null)
         this.editButton.disabled = !isCert;
       if (this.backupButton !== null)
-        this.backupButton.disabled = !isCert;
+        this.backupButton.disabled = !isCert || !extractable;
       if (this.backupAllButton !== null)
         this.backupAllButton.disabled = !hasChildren;
       if (this.exportButton !== null)

chrome/browser/ui/webui/options2/certificate_manager_handler2.cc

@@ -39,6 +39,7 @@ static const char kSubNodesId[] = "subnodes";
 static const char kNameId[] = "name";
 static const char kReadOnlyId[] = "readonly";
 static const char kUntrustedId[] = "untrusted";
+static const char kExtractableId[] = "extractable";
 static const char kSecurityDeviceId[] = "device";
 static const char kErrorId[] = "error";
 
@@ -975,6 +976,9 @@ void CertificateManagerHandler::PopulateTree(const std::string& tab_name,
         cert_dict->SetBoolean(
             kUntrustedId,
             certificate_manager_model_->cert_db().IsUntrusted(cert));
+        cert_dict->SetBoolean(
+            kExtractableId,
+            !certificate_manager_model_->IsHardwareBacked(cert));
         // TODO(mattm): Other columns.
         subnodes->Append(cert_dict);
       }