chrome.platformKeys impossible to use from managed device
Reported by evan@stripe.com, Dec 15 2016
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
Platform: 8743.85.0 (Official Build) stable-channel samus
Steps to reproduce the problem:
1. On a managed Chrome OS device, use chrome.enterprise.platformKeys.importCertificate to install a certificate into the user token
2. Install an extension with the platformKeys permission
3. Call `chrome.platformKeys.selectClientCertificates({request: {certificateTypes: [], certificateAuthorities: []}, interactive: false}, function (certs) {console.log(certs)})`
What is the expected behavior?
What went wrong?
chromeos::PlatformKeysService::SelectTask::GotMatchingCerts in src/chrome/browser/chromeos/platform_keys/platform_keys_service.cc removes keys that the current user doesn't have access to, so that they can't be used by extensions calling chrome.platformKeys.selectClientCertificate.
`key_permissions_->CanUserGrantPermissionFor` always returns false on a managed device, so that's not relevant.
`extension_permissions_->CanUseKeyForSigning` returns true IFF the key in question is a "corporate" key (installed via chrome.enterprise.platformKeys) AND there is a KeyPermissions policy set which has the allowCorporateKeyUsage flag set for the extension making the API call.
However, there doesn't seem to be any way to set the KeyPermissions policy. It seems like this makes it impossible for anything to use chrome.platformKeys on a managed device, without putting it into developer mode and disabling rootfs protection (and installing the policy manually).
Did this work before? N/A
Does this work in other browsers? N/A
Chrome version: 54.0.2840.101 Channel: stable
OS Version: 54.0.2840.101
Flash Version: 23.0.0.207
Dec 16 2016
Oct 6 2017
Krishna: Can you take a look at this?
Jun 18 2018
Closing as there's no further confirmation of this issue, and also because the key point is probably this:
> However, there doesn't seem to be any way to set the KeyPermissions policy.
I believe this policy is configurable. Speaking about the Admin Console, this policy is controlled by the "Allow access to client certificates and keys" checkbox which is accessible on the extension's page under "App Management". If the policy is configured manually, then one just needs to put a valid JSON with the policy value into it.
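As an added illustration (not Chromium source and not code from either commenter), the following models the filtering rule the report describes for a managed device, together with the kind of KeyPermissions JSON the closing comment says an admin pastes in when configuring the policy manually. The policy shape (a dictionary keyed by extension ID whose entries carry a boolean `allowCorporateKeyUsage`), the 32-character extension IDs, and the sample certificates are assumptions constructed for the example.

```javascript
// Constructed sample KeyPermissions value; both extension IDs are placeholders.
const KEY_PERMISSIONS_JSON = JSON.stringify({
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": { allowCorporateKeyUsage: true },
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": { allowCorporateKeyUsage: false },
});

// Parse a manually configured KeyPermissions string. Malformed JSON or a value
// that is not an object of {allowCorporateKeyUsage: boolean} entries yields
// null, which grants nothing: a bad policy fails closed rather than open.
function parseKeyPermissions(json) {
  let policy;
  try { policy = JSON.parse(json); } catch (e) { return null; }
  if (policy === null || typeof policy !== "object" || Array.isArray(policy)) return null;
  for (const [extId, entry] of Object.entries(policy)) {
    if (!/^[a-p]{32}$/.test(extId)) return null;   // Chrome extension IDs: 32 chars, a-p
    if (entry === null || typeof entry !== "object") return null;
    if (typeof entry.allowCorporateKeyUsage !== "boolean") return null;
  }
  return policy;
}

// Models extension_permissions_->CanUseKeyForSigning as the report states it:
// true only for a corporate key AND a policy entry granting this extension.
function canUseKeyForSigning(policy, extId, key) {
  return key.corporate === true &&
         policy !== null &&
         Object.prototype.hasOwnProperty.call(policy, extId) &&
         policy[extId].allowCorporateKeyUsage === true;
}

// Models SelectTask::GotMatchingCerts on a managed device: the user-grant path
// (CanUserGrantPermissionFor) is always false there, so only the policy path
// can keep a certificate in the result handed to the extension.
function filterMatchingCerts(policyJson, extId, certs) {
  const policy = parseKeyPermissions(policyJson);
  return certs.filter((cert) => canUseKeyForSigning(policy, extId, cert));
}

// Constructed sample certificates: one corporate (installed via
// chrome.enterprise.platformKeys), one imported by the user.
const SAMPLE_CERTS = [
  { subject: "CN=corp-device", corporate: true },
  { subject: "CN=user-key", corporate: false },
];
```

With no policy (or an unparseable one) every certificate is dropped, which is exactly the empty result the reporter observed.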
Comment 1 by evan@stripe.com, Dec 15 2016