Index: chrome/browser/policy/proto/device_management_backend.proto |
diff --git a/chrome/browser/policy/proto/device_management_backend.proto b/chrome/browser/policy/proto/device_management_backend.proto |
index a192a254940156e35a73ff28b9592d2d2adf5c85..cf6b76b0dc1ced73f582bee30610feebb15f90f8 100644 |
--- a/chrome/browser/policy/proto/device_management_backend.proto |
+++ b/chrome/browser/policy/proto/device_management_backend.proto |
@@ -143,7 +143,7 @@ message PolicyFetchRequest { |
// The policy type names are case insensitive. |
// |
// Possible values for Chrome OS are: |
- // google/chromeos/device => ChromeSettingsProto |
+ // google/chromeos/device => ChromeDeviceSettingsProto |
// google/chromeos/user => ChromeSettingsProto |
// google/chromeos/unregistered_user => ChromeInitialSettingsProto |
optional string policy_type = 1; |
@@ -154,9 +154,16 @@ message PolicyFetchRequest { |
// Tell server what kind of security signature is required. |
enum SignatureType { |
NONE = 0; |
- X509 = 1; |
+ SHA1_RSA = 1; |
} |
optional SignatureType signature_type = 3 [default = NONE]; |
+ |
+ // The version number of the public key that is currently stored |
+ // on the client. This should be the last number the server had |
+ // supplied as new_public_key_version in PolicyData. |
+ // This field is unspecified if the client does not yet have a |
+ // public key. |
+ optional int32 public_key_version = 4; |
} |
// This message is included in serialized form in PolicyFetchResponse |
@@ -192,6 +199,11 @@ message PolicyData { |
// |machine_name| in DeviceRegisterResponse but it might have |
// changed since then. |
optional string machine_name = 5; |
+ |
+ // Version number of the server's current public key. (The key that |
+ // was used to sign this response. Numbering should start at 1 and be |
+ // increased by 1 at each key rotation.) |
+ optional int32 public_key_version = 6; |
} |
message PolicyFetchResponse { |
@@ -204,20 +216,20 @@ message PolicyFetchResponse { |
// Human readable error message for customer support purpose. |
optional string error_message = 2; |
- // This is a serialized bytes of PolicyData protobuf above. |
+ // This is a serialized |PolicyData| protobuf (defined above). |
optional bytes policy_data = 3; |
// Signature of the policy data above. |
optional bytes policy_data_signature = 4; |
- // The chain of DER-encoded X.509 certificates of the server's |
- // signing key. The first element should be the certificate whose |
- // private key was used for signing the response, and each of the |
- // following certificates signs the previous one. |
- // |
- // If this field does not exist, it means the policy_data is not |
- // signed. |
- repeated bytes certificate_chain = 5; |
+ // If the public key has been rotated on the server, the new public |
+ // key is sent here. It is already used for |policy_data_signature| |
+ // above, whereas |new_public_key_signature| is created using the |
+ // old key (so the client can trust the new key). If this is the |
+ // first time when the client requests policies (so it doesn't have |
+ // on old public key), then |new_public_key_signature| is empty. |
+ optional bytes new_public_key = 5; |
+ optional bytes new_public_key_signature = 6; |
} |
// Request from device to server for reading policies. |