Update protobuf definitions for ChromeOS device policy support

chrome/browser/policy/proto/device_management_backend.proto

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
@@ skipping 125 matching lines @@
   // watermark last read from server if available.
   optional string watermark = 2;
 }
 
 message PolicyFetchRequest {
   // This is the policy type, which maps to D3 policy type internally.
   // By convention, we use "/" as separator to create policy namespace.
   // The policy type names are case insensitive.
   //
   // Possible values for Chrome OS are:
-  //   google/chromeos/device => ChromeSettingsProto
+  //   google/chromeos/device => ChromeDeviceSettingsProto
   //   google/chromeos/user => ChromeSettingsProto
   //   google/chromeos/unregistered_user => ChromeInitialSettingsProto
   optional string policy_type = 1;
 
   // This is the last policy timestamp that client received from server.
   optional int64 timestamp = 2;
 
   // Tell server what kind of security signature is required.
   enum SignatureType {
     NONE = 0;
-    X509 = 1;
+    SHA1_RSA = 1;
   }
   optional SignatureType signature_type = 3 [default = NONE];
+  
+  // The version number of the public key that is currently stored
+  // on the client. This should be the last number the server had
+  // supplied as new_public_key_version in PolicyData.
+  // This field is unspecified if the client does not yet have a
+  // public key.
+  optional int32 public_key_version = 4;
 }
 
 // This message is included in serialized form in PolicyFetchResponse
 // below.  It may also be signed, with the signature being created for
 // the serialized form.
 message PolicyData {
   // See PolicyFetchRequest.policy_type.
   optional string policy_type = 1;
 
   // [timestamp] is milli seconds since Epoch in UTC timezone. It is
@@ skipping 15 matching lines @@
   optional bytes policy_value = 4;
 
   // The device display name assigned by the server.  It is only
   // filled if the display name is available.
   //
   // The display name of the machine as generated by the server or set
   // by the Administrator in the CPanel GUI. This is the same thing as
   // |machine_name| in DeviceRegisterResponse but it might have
   // changed since then.
   optional string machine_name = 5;
+  
+  // Version number of the server's current public key. (The key that
+  // was used to sign this response. Numbering should start at 1 and be
+  // increased by 1 at each key rotation.)
+  optional int32 public_key_version = 6;
 }
 
 message PolicyFetchResponse {
   // Since a single policy request may ask for multiple policies, we
   // provide separate error code for each individual policy fetch.
 
   // We will use standard HTTP Status Code as error code.
   optional int32  error_code = 1;
 
   // Human readable error message for customer support purpose.
   optional string error_message = 2;
 
-  // This is a serialized bytes of PolicyData protobuf above.
+  // This is a serialized |PolicyData| protobuf (defined above).
   optional bytes policy_data = 3;
 
   // Signature of the policy data above.
   optional bytes policy_data_signature = 4;
 
-  // The chain of DER-encoded X.509 certificates of the server's
-  // signing key.  The first element should be the certificate whose
-  // private key was used for signing the response, and each of the
-  // following certificates signs the previous one.
-  //
-  // If this field does not exist, it means the policy_data is not
-  // signed.
-  repeated bytes certificate_chain = 5;
+  // If the public key has been rotated on the server, the new public
+  // key is sent here. It is already used for |policy_data_signature|
+  // above, whereas |new_public_key_signature| is created using the
+  // old key (so the client can trust the new key). If this is the
+  // first time when the client requests policies (so it doesn't have
+  // on old public key), then |new_public_key_signature| is empty.
+  optional bytes new_public_key = 5;
+  optional bytes new_public_key_signature = 6;
 }
 
 // Request from device to server for reading policies.
 message DevicePolicyRequest {
   // identify request scope: CrOS settings or other type of settings.
   // TODO(gfeher): remove this after Chrome OS TT is over.
   optional string policy_scope = 1;
   // identify key to the settings: proxy etc.
   // TODO(gfeher): remove this after Chrome OS TT is over.
   repeated DevicePolicySettingRequest setting_request = 2;
@@ skipping 72 matching lines @@
 
   // Register response
   optional DeviceRegisterResponse register_response = 3;
 
   // Unregister response
   optional DeviceUnregisterResponse unregister_response = 4;
 
   // Policy response.
   optional DevicePolicyResponse policy_response = 5;
 }