[PATCH] Load "app:" keys by URL

Kevin Cernekee cernekee at gmail.com
Mon Apr 25 08:19:00 PDT 2016

On Mon, Apr 25, 2016 at 1:02 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Mon, Apr 25, 2016 at 7:50 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> Chrome OS supports the notion of hardware-bound system keys, but it
>> doesn't provide APIs that can be called directly by GnuTLS or p11kit.
>> Instead, the application's NaCl module needs to pass certificate
>> queries and signing requests back to JavaScript code that invokes the
>> chrome.platformKeys APIs.  This is implemented by registering a handler
>> for URLs starting with the (somewhat arbitrarily chosen) "app:" prefix:
> Would it make sense to include that support in gnutls directly?

The JS<->NaCl message passing interface is used for all RPCs between
the two modules, so I suspect that some of the implementation details
will vary from one app to the next.

It would be easy for gnutls to send messages from NaCl->JS through
PPAPI if everyone agreed on the format to use, but the app would still
have to have code to "demux" the gnutls and app-specific messages,
similar to this:


One thing that would have helped (slightly) is if the library user was
allowed to override the "system:" or "pkcs11:" prefix.

More information about the openconnect-devel mailing list