Update policy signature verification to include policy domain.

components/policy/proto/device_management_backend.proto

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 syntax = "proto2";
 
 option optimize_for = LITE_RUNTIME;
 
 package enterprise_management;
 
@@ skipping 279 matching lines @@
   // If the public key has been rotated on the server, the new public
   // key is sent here. It is already used for |policy_data_signature|
   // above, whereas |new_public_key_signature| is created using the
   // old key (so the client can trust the new key). If this is the
   // first time when the client requests policies (so it doesn't have
   // on old public key), then |new_public_key_signature| is empty.
   optional bytes new_public_key = 5;
   optional bytes new_public_key_signature = 6;
 
   // If new_public_key is specified, this field contains a signature
-  // of that key, signed using a key only available to DMServer.  
-  // The public key portion of this well-known key is embedded into the
-  // Chrome binary. The hash of that embedded key is passed to DMServer
-  // as verification_key_hash field in PolicyFetchRequest. DMServer will
-  // pick a private key on the server which matches the hash (matches public
-  // key on the client). If DMServer is unable to find matching key, it will
-  // return an error instead of policy data.
+  // of a PolicyPublicKeyAndDomain protobuf, signed using a key only
+  // available to DMServer. The public key portion of this well-known key is
+  // embedded into the Chrome binary. The hash of that embedded key is passed
+  // to DMServer as verification_key_hash field in PolicyFetchRequest. DMServer
+  // will pick a private key on the server which matches the hash (matches
+  // public key on the client). If DMServer is unable to find matching key, it
+  // will return an error instead of policy data.
   // In case hash was not specified, DMServer will leave verification signature
   // field empty (legacy behavior).  
   // In addition to the checks between new_public_key
   // and new_public_key_signature described above, Chrome also verifies
   // new_public_key with the embedded public key and 
   // new_public_key_verification_signature.
   optional bytes new_public_key_verification_signature = 7;
 }
 
+// Protobuf used to generate the new_public_key_verification_signature field.
+message PolicyPublicKeyAndDomain {
+  // The public key to sign (taken from the |new_public_key| field in
+  // PolicyFetchResponse).
+  optional bytes new_public_key = 1;
+
+  // The domain associated with this key (should match the domain portion of
+  // the username field of the policy).
+  optional string domain = 2;
+}
+
 // Request from device to server for reading policies.
 message DevicePolicyRequest {
   // The policy fetch request.  If this field exists, the request must
   // comes from a non-TT client.  The repeated field allows client to
   // request multiple policies for better performance.
   repeated PolicyFetchRequest request = 3;
 }
 
 // Response from server to device for reading policies.
 message DevicePolicyResponse {
@@ skipping 323 matching lines @@
 
   // Auto-enrollment detection response.
   optional DeviceAutoEnrollmentResponse auto_enrollment_response = 8;
 
   // EMCert upload response.
   optional DeviceCertUploadResponse cert_upload_response = 9;
 
   // Response to OAuth2 authorization code request.
   optional DeviceServiceApiAccessResponse service_api_access_response = 10;
 }