Client certificates: Move certificate filtering logic to CertLoader |
|||
Issue descriptionThere are two classes which operate on client certificates with hardware-backed keys only (ClientCertResolver, NetworkCertMigrator). They use CertLoader as the source of all available certificates. Currently, it returns all available client certificates and all available CA certificates in one list. ClientCertResolver currently has its own logic to filter client certificates with hardware-backed keys from the input list[1]. NetworkCertMigrator does not filter. It should be in the responsibility of CertLoader to provide a list of client certificates with hardware-backed keys only. CertLoader also knows when the source certificate list changes, so it could cache the result. [1] https://cs.chromium.org/chromium/src/chromeos/network/client_cert_resolver.cc?rcl=aeb61e4fd2532764338ac9038f8d2e474ea66004&l=181
,
Nov 6 2017
,
Nov 9 2017
Note that while I originally thought we could perform the filtering when the certificate store changes (instead of when certificates are requested), I'm not 100% sure. If there is a way to add/remove private keys without CertLoader getting a notification, the result of the HasPrivateKey condition in the standard client cert filtering could change. We need to find out if that's something we need to consider.
,
Feb 6 2018
|
|||
►
Sign in to add a comment |
|||
Comment 1 Deleted