Add public key and signature verification to browser-side API keys

content/browser/experiments/api_key.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_EXPERIMENTS_API_KEY_H_
 #define CONTENT_BROWSER_EXPERIMENTS_API_KEY_H_
 
 #include <string>
 
 #include "base/time/time.h"
@@ skipping 21 matching lines @@
 
   // Returns true if this API key has a valid signature, and has not expired.
   bool IsValidNow(const base::Time& now) const;
 
   std::string signature() { return signature_; }
   std::string data() { return data_; }
   GURL origin() { return origin_; }
   std::string api_name() { return api_name_; }
   uint64_t expiry_timestamp() { return expiry_timestamp_; }
 
+ protected:
+  friend class ApiKeyTest;
+
+  bool ValidateDate(const base::Time& now) const;
+  bool ValidateSignature(const char* publicKeyPEM) const;
+
+  static bool ValidateSignature(const std::string& signatureText,
+                                const std::string& data,
+                                const char* publicKeyPEM);
+
  private:
   ApiKey();
   ApiKey(const std::string& signature,
          const std::string& data,
          const GURL& origin,
          const std::string& api_name,
          uint64_t expiry_timestamp);
 
   // The base64-encoded-signature portion of the key. For the key to be valid,
   // this must be a valid signature for the data portion of the key, as verified
@@ skipping 10 matching lines @@
   // The name of the API experiment which this key enables
   std::string api_name_;
 
   // The time until which this key should be considered valid, in UTC, as
   // seconds since the Unix epoch.
   uint64_t expiry_timestamp_;
 };
 
 }  // namespace
 #endif  // CONTENT_BROWSER_EXPERIMENTS_API_KEY_H_