Added support for signed policy blobs on desktop.

components/policy/core/common/cloud/cloud_policy_client.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/policy/core/common/cloud/cloud_policy_client.h"
 
 #include "base/bind.h"
 #include "base/guid.h"
 #include "base/logging.h"
 #include "base/stl_util.h"
@@ skipping 32 matching lines @@
 CloudPolicyClient::Observer::~Observer() {}
 
 void CloudPolicyClient::Observer::OnRobotAuthCodesFetched(
     CloudPolicyClient* client) {}
 
 CloudPolicyClient::StatusProvider::~StatusProvider() {}
 
 CloudPolicyClient::CloudPolicyClient(
     const std::string& machine_id,
     const std::string& machine_model,
+    const std::string& verification_key_hash,
     UserAffiliation user_affiliation,
     StatusProvider* status_provider,
     DeviceManagementService* service,
     scoped_refptr<net::URLRequestContextGetter> request_context)
     : machine_id_(machine_id),
       machine_model_(machine_model),
+      verification_key_hash_(verification_key_hash),
       user_affiliation_(user_affiliation),
       device_mode_(DEVICE_MODE_NOT_SET),
       submit_machine_id_(false),
       public_key_version_(-1),
       public_key_version_valid_(false),
       invalidation_version_(0),
       fetched_invalidation_version_(0),
       service_(service),                  // Can be NULL for unit tests.
       status_provider_(status_provider),  // Can be NULL for unit tests.
       status_(DM_STATUS_SUCCESS),
@@ skipping 85 matching lines @@
 
   // Build policy fetch requests.
   em::DevicePolicyRequest* policy_request = request->mutable_policy_request();
   for (NamespaceSet::iterator it = namespaces_to_fetch_.begin();
        it != namespaces_to_fetch_.end(); ++it) {
     em::PolicyFetchRequest* fetch_request = policy_request->add_request();
     fetch_request->set_policy_type(it->first);
     if (!it->second.empty())
       fetch_request->set_settings_entity_id(it->second);
 
-#if defined(OS_CHROMEOS)
-    // All policy types on ChromeOS ask for a signed policy blob.
+    // Request signed policy blobs to help prevent tampering on the client.
     fetch_request->set_signature_type(em::PolicyFetchRequest::SHA1_RSA);
-#else
-    // Don't request signed blobs for desktop policy.
-    fetch_request->set_signature_type(em::PolicyFetchRequest::NONE);
-#endif
     if (public_key_version_valid_)
       fetch_request->set_public_key_version(public_key_version_);
 
+    if (!verification_key_hash_.empty())
+      fetch_request->set_verification_key_hash(verification_key_hash_);
+
     // These fields are included only in requests for chrome policy.
     if (IsChromePolicy(it->first)) {
       if (submit_machine_id_ && !machine_id_.empty())
         fetch_request->set_machine_id(machine_id_);
       if (!last_policy_timestamp_.is_null()) {
         base::TimeDelta timestamp(
             last_policy_timestamp_ - base::Time::UnixEpoch());
         fetch_request->set_timestamp(timestamp.InMilliseconds());
       }
       if (!invalidation_payload_.empty()) {
@@ skipping 265 matching lines @@
 
 void CloudPolicyClient::NotifyRobotAuthCodesFetched() {
   FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this));
 }
 
 void CloudPolicyClient::NotifyClientError() {
   FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this));
 }
 
 }  // namespace policy