Add device-level token entryption to CertLibrary.

chrome/browser/chromeos/cros/cert_library.h

Index: chrome/browser/chromeos/cros/cert_library.h
diff --git a/chrome/browser/chromeos/cros/cert_library.h b/chrome/browser/chromeos/cros/cert_library.h
index da360e7398c29885d49c6f5f4e8c7a0dd0a5fdff..fda3a799d6e1fc3aa4b01e8dc16d84c57c596ba1 100644
--- a/chrome/browser/chromeos/cros/cert_library.h
+++ b/chrome/browser/chromeos/cros/cert_library.h
@@ -101,11 +101,21 @@ class CertLibrary {
   // Returns the current list of server CA certificates.
   virtual const CertList& GetCACertificates() const = 0;
 
-  // Encrypts |token| with supplemental user key.
+  // Encrypts |token| with the system salt key (stable for the lifetime
+  // of the device).  Useful to avoid storing plain text in place like
+  // Local State.
+  virtual std::string EncryptDeviceToken(const std::string& token) = 0;

[zel, 2013/03/14 20:22:12]

EncryptWithSystemSalt might be a better name here.

[David Roche, 2013/03/14 23:03:29]

Done.

+
+  // Decrypts |token| with the system salt key (stable for the lifetime
+  // of the device).
+  virtual std::string DecryptDeviceToken(
+      const std::string& encrypted_token_hex) = 0;
+
+  // Encrypts |token| with supplemental user key (unique for each user).
   virtual std::string EncryptToken(const std::string& token) = 0;

[zel, 2013/03/14 20:22:12]

can we rename these to (Encrypt|Decrypt)WithUserKey

[David Roche, 2013/03/14 23:03:29]

Done.

 
-  // Decrypts |token| with supplemental user key.
-  virtual std::string DecryptToken(const std::string& encrypted_token) = 0;
+  // Decrypts |token| with supplemental user key (unique for each user).
+  virtual std::string DecryptToken(const std::string& encrypted_token_hex) = 0;
 };
 
 }  // namespace chromeos