[Sync] Persist keystore key across restarts

sync/util/cryptographer.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SYNC_UTIL_CRYPTOGRAPHER_H_
 #define SYNC_UTIL_CRYPTOGRAPHER_H_
 
 #include <map>
 #include <string>
 
@@ skipping 80 matching lines @@
   // Cryptographer instance into the ready state (is_ready will be true).
   // It must be a string that was previously built by the
   // GetSerializedBootstrapToken function.  It is possible that the token is no
   // longer valid (due to server key change), in which case the normal
   // decryption code paths will fail and the user will need to provide a new
   // passphrase.
   // It is an error to call this if is_ready() == true, though it is fair to
   // never call Bootstrap at all.
   void Bootstrap(const std::string& restored_bootstrap_token);
 
+  // Bootstrap the keystore key.
+  void BootstrapKeystoreKey(
+      const std::string& restored_keystore_bootstrap_token);
+
   // Returns whether we can decrypt |encrypted| using the keys we currently know
   // about.
   bool CanDecrypt(const sync_pb::EncryptedData& encrypted) const;
 
   // Returns whether |encrypted| can be decrypted using the default encryption
   // key.
   bool CanDecryptUsingDefaultKey(const sync_pb::EncryptedData& encrypted) const;
 
   // Encrypts |message| into |encrypted|. Does not overwrite |encrypted| if
   // |message| already matches the decrypted data within |encrypted| and
@@ skipping 51 matching lines @@
                           has_pending_keys() == false; }
 
   // Returns whether there is a pending set of keys that needs to be decrypted.
   bool has_pending_keys() const { return NULL != pending_keys_.get(); }
 
   // Obtain a token that can be provided on construction to a future
   // Cryptographer instance to bootstrap itself.  Returns false if such a token
   // can't be created (i.e. if this Cryptograhper doesn't have valid keys).
   bool GetBootstrapToken(std::string* token) const;
 
+  // Obtain the bootstrap token based on the keystore encryption key.
+  bool GetKeystoreKeyBootstrapToken(std::string* token) const;
+
   // Update the cryptographer based on the contents of the nigori specifics.
   // This updates both the encryption keys and the set of encrypted types.
   // Returns NEEDS_PASSPHRASE if was unable to decrypt the pending keys,
   // SUCCESS otherwise.
   // Note: will not change the default key. If the nigori's keybag
   // is decryptable, all keys are added to the local keybag and the current
   // default is preserved. If the nigori's keybag is not decryptable, it is
   // stored in the |pending_keys_|.
   UpdateResult Update(const sync_pb::NigoriSpecifics& nigori);
 
   // Set the keystore-derived nigori from the provided key.
   // Returns true if we succesfully create the keystore derived nigori from the
   // provided key, false otherwise.
   bool SetKeystoreKey(const std::string& keystore_key);
 
   // Returns true if we currently have a keystore-derived nigori, false
   // otherwise.
-  bool HasKeystoreKey();
+  bool HasKeystoreKey() const;
 
   // The set of types that are always encrypted.
   static ModelTypeSet SensitiveTypes();
 
   // Reset our set of encrypted types based on the contents of the nigori
   // specifics.
   void UpdateEncryptedTypesFromNigori(const sync_pb::NigoriSpecifics& nigori);
 
   // Update the nigori to reflect the current set of encrypted types.
   void UpdateNigoriFromEncryptedTypes(sync_pb::NigoriSpecifics* nigori) const;
@@ skipping 25 matching lines @@
   // Returns true unless decryption of |encrypted| fails. The caller is
   // responsible for checking that CanDecrypt(encrypted) == true.
   // Does not update the default nigori.
   void InstallKeys(const sync_pb::EncryptedData& encrypted);
 
   // Helper method to instantiate Nigori instances for each set of key
   // parameters in |bag|.
   // Does not update the default nigori.
   void InstallKeyBag(const sync_pb::NigoriKeyBag& bag);
 
-  // Helper method to add a nigori as the new default nigori.
-  bool AddKeyImpl(Nigori* nigori);
+  // Helper method to add a nigori as either the new default nigori or the new
+  // keystore nigori.
+  bool AddKeyImpl(Nigori* nigori, bool is_keystore_key);
 
   // Functions to serialize + encrypt a Nigori object in an opaque format for
   // persistence by sync infrastructure.
   bool PackBootstrapToken(const Nigori* nigori, std::string* pack_into) const;
   Nigori* UnpackBootstrapToken(const std::string& token) const;
 
   Encryptor* const encryptor_;
 
   ObserverList<Observer> observers_;
 
   NigoriMap nigoris_;  // The Nigoris we know about, mapped by key name.
   NigoriMap::value_type* default_nigori_;  // The Nigori used for encryption.
   NigoriMap::value_type* keystore_nigori_; // Nigori generated from keystore.
 
   scoped_ptr<sync_pb::EncryptedData> pending_keys_;
 
   ModelTypeSet encrypted_types_;
   bool encrypt_everything_;
 
   DISALLOW_COPY_AND_ASSIGN(Cryptographer);
 };
 
 }  // namespace syncer
 
 #endif  // SYNC_UTIL_CRYPTOGRAPHER_H_