On Mon, Apr 25, 2016 at 1:02 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Mon, Apr 25, 2016 at 7:50 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> Chrome OS supports the notion of hardware-bound system keys, but it
>> doesn't provide APIs that can be called directly by GnuTLS or p11kit.
>> Instead, the application's NaCl module needs to pass certificate
>> queries and signing requests back to JavaScript code that invokes the
>> chrome.platformKeys APIs. This is implemented by registering a handler
>> for URLs starting with the (somewhat arbitrarily chosen) "app:" prefix:
>
> Would it make sense to include that support in gnutls directly?

The JS<->NaCl message passing interface is used for all RPCs between the two modules, so I suspect that some of the implementation details will vary from one app to the next. It would be easy for gnutls to send messages from NaCl->JS through PPAPI if everyone agreed on the format to use, but the app would still have to have code to "demux" the gnutls and app-specific messages, similar to this:

https://chromium.googlesource.com/apps/nacl-openconnect/+/22dc518480bdf366f04f00c2ea5850cd680ad986/vpn_instance.cc#162

One thing that would have helped (slightly) is if the library user was allowed to override the "system:" or "pkcs11:" prefix.
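The demultiplexing discussed in the message above, sketched for the JavaScript side as an added example; it is not part of the original message and is not code from nacl-openconnect or GnuTLS. The message layout, the names `makeDemux`, `keyBackend`, `appHandler` and `fakeBackend`, and the synchronous stand-in for the chrome.platformKeys calls are all assumptions made for illustration.

```javascript
// Constructed message layout (an assumption, not nacl-openconnect's format):
//   { channel: "gnutls" | "app", id: <int>, op: "getCert" | "sign", url, digestHex }
const GNUTLS_OPS = new Set(["getCert", "sign"]);

// makeDemux, keyBackend and appHandler are hypothetical names for this example.
function makeDemux(keyBackend, appHandler) {
  // URLs whose certificate was already returned to the module; a sign
  // request may only name one of these (a design choice of this example).
  const issued = new Set();

  function handleGnutls(msg) {
    if (!GNUTLS_OPS.has(msg.op)) return { id: msg.id, error: "unknown op" };
    // Only URLs with the "app:" prefix are routed to the JS key backend.
    if (typeof msg.url !== "string" || !msg.url.startsWith("app:"))
      return { id: msg.id, error: "bad url" };
    if (msg.op === "getCert") {
      const cert = keyBackend.getCert(msg.url);
      if (!cert) return { id: msg.id, error: "not found" };
      issued.add(msg.url);
      return { id: msg.id, cert };
    }
    // op === "sign": accept only a hex digest of plausible length.
    if (!issued.has(msg.url)) return { id: msg.id, error: "cert not queried" };
    if (typeof msg.digestHex !== "string" || !/^[0-9a-f]{40,128}$/.test(msg.digestHex))
      return { id: msg.id, error: "bad digest" };
    return { id: msg.id, signature: keyBackend.sign(msg.url, msg.digestHex) };
  }

  // Entry point for every message posted by the NaCl module.
  return function onMessage(msg) {
    if (msg === null || typeof msg !== "object" || !Number.isInteger(msg.id))
      return { error: "malformed" };
    switch (msg.channel) {
      case "gnutls": return handleGnutls(msg);
      case "app":    return appHandler(msg);
      default:       return { id: msg.id, error: "unknown channel" };
    }
  };
}

// Constructed stand-in for the key backend: the real chrome.platformKeys
// calls are asynchronous and exist only inside a Chrome app.
const fakeBackend = {
  getCert: (url) => (url === "app:vpn-client" ? "CONSTRUCTED-CERT" : null),
  sign: (url, digestHex) => "sig(" + digestHex.slice(0, 8) + ")",
};
const onMessage = makeDemux(fakeBackend, (m) => ({ id: m.id, handledBy: "app" }));
```

Every reply carries the request `id`, so the NaCl side can match it to the pending GnuTLS call.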