Google Git
Sign in
chromium / chromium / src.git / HEAD / . / chrome / browser / ash / platform_keys / key_permissions
tree: 5fcaddf428ac5572a9de47dd04d54eac60730a68 [path history] [tgz]
  1. arc_key_permissions_manager_delegate.cc
  2. arc_key_permissions_manager_delegate.h
  3. arc_key_permissions_manager_delegate_unittest.cc
  4. BUILD.gn
  5. DEPS
  6. fake_user_private_token_kpm_service.cc
  7. fake_user_private_token_kpm_service.h
  8. key_permissions_manager.h
  9. key_permissions_manager_browsertest.cc
  10. key_permissions_manager_impl.cc
  11. key_permissions_manager_impl.h
  12. key_permissions_manager_unittest.cc
  13. key_permissions_policy_handler.cc
  14. key_permissions_policy_handler.h
  15. key_permissions_service.cc
  16. key_permissions_service.h
  17. key_permissions_service_factory.cc
  18. key_permissions_service_factory.h
  19. key_permissions_service_impl.cc
  20. key_permissions_service_impl.h
  21. key_permissions_service_impl_unittest.cc
  22. key_permissions_util.cc
  23. key_permissions_util.h
  24. mock_key_permissions_manager.cc
  25. mock_key_permissions_manager.h
  26. mock_key_permissions_service.cc
  27. mock_key_permissions_service.h
  28. README.md
  29. user_private_token_kpm_service_factory.cc
  30. user_private_token_kpm_service_factory.h
chrome/browser/ash/platform_keys/key_permissions/README.md

Key Permissions

This directory contains code managing platform key permissions.

Key Usages

This can only be “corporate” or undefined. If a key is marked for “corporate” usage, only extensions listed in KeyPermissions policy will be allowed to access this key via chrome.platformKeys and chrome.enterprise.platformKeys APIs. Key Usages are considered to be properties / metadata attached to keys themselves. This metadata was historically persisted in a chromium Preference, but is now being migrated to the backing key store (which is implemented by the chaps daemon on Chrome OS).

Usage of keys/certificates for network authentication and TLS client authentication is currently not restricted by key usages, but this may change in the future.

Signing Permissions for Extensions

A (key, extension id) pair can have one of the following signing permissions:

  • The key can be used once for signing. This permission is granted if an extension generated the key using the enterprise.platformKeys API, so that it can build a certification request.

  • The key can not be used for signing. That will happen after an extension generates a key using the enterprise.platformKeys API, and signs using it for the first time to build a certification request.

  • The key can be used for signing unlimited number of times. This permission is granted by the user (only when the key is non-corporate and the profile is non-managed) or the KeyPermissions policy to allow the extension to use the key for signing through the enterprise.platformKeys or platformKeys API.