
Unified Diff: chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

Issue 1693383003: ChromeOS cryptohome should be able to use gaia id as user identifier. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add missing files. Created 4 years, 10 months ago
Index: chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
index 04e1f324cbbd4c9b2e664bfcb36adca2f1a58fc3..3b6708c04ab860b511447e5bdd25343768181e04 100644
--- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
+++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
@@ -24,6 +24,7 @@
#include "chromeos/attestation/attestation_constants.h"
#include "chromeos/attestation/attestation_flow.h"
#include "chromeos/cryptohome/async_method_caller.h"
+#include "chromeos/cryptohome/cryptohome_parameters.h"
#include "chromeos/dbus/cryptohome_client.h"
#include "chromeos/dbus/dbus_method_call_status.h"
#include "chromeos/dbus/dbus_thread_manager.h"
@@ -32,6 +33,7 @@
#include "components/prefs/pref_service.h"
#include "components/signin/core/account_id/account_id.h"
#include "components/signin/core/browser/signin_manager.h"
+#include "components/user_manager/known_user.h"
#include "components/user_manager/user.h"
#include "components/user_manager/user_manager.h"
#include "google_apis/gaia/gaia_auth_util.h"
@@ -58,18 +60,17 @@ const char EPKPChallengeKeyBase::kUserNotManaged[] =
EPKPChallengeKeyBase::PrepareKeyContext::PrepareKeyContext(
chromeos::attestation::AttestationKeyType key_type,
- const std::string& user_id,
+ const AccountId& account_id,
const std::string& key_name,
chromeos::attestation::AttestationCertificateProfile certificate_profile,
bool require_user_consent,
const base::Callback<void(PrepareKeyResult)>& callback)
: key_type(key_type),
- user_id(user_id),
+ account_id(account_id),
key_name(key_name),
certificate_profile(certificate_profile),
require_user_consent(require_user_consent),
- callback(callback) {
-}
+ callback(callback) {}
EPKPChallengeKeyBase::PrepareKeyContext::~PrepareKeyContext() {
}
@@ -140,16 +141,21 @@ bool EPKPChallengeKeyBase::IsExtensionWhitelisted() const {
return list->Find(value) != list->end();
}
-bool EPKPChallengeKeyBase::IsUserManaged() const {
- std::string email = GetUserEmail();
+AccountId EPKPChallengeKeyBase::GetAccountId() const {
+ SigninManagerBase* signin_manager =
+ SigninManagerFactory::GetForProfile(GetProfile());
+ if (!signin_manager)
+ return EmptyAccountId();
- if (email.empty()) {
- return false;
- }
+ const AccountInfo& account_info =
+ signin_manager->GetAuthenticatedAccountInfo();
xiyuan 2016/02/17 23:14:25 Not introduced by this CL but one edge case is tha
Alexander Alekseev 2016/02/18 13:45:14 Done.
+ return user_manager::known_user::GetAccountId(
+ gaia::CanonicalizeEmail(account_info.email), account_info.gaia);
+}
+bool EPKPChallengeKeyBase::IsUserManaged() const {
const user_manager::User* const user =
- user_manager::UserManager::Get()->FindUser(
- AccountId::FromUserEmail(email));
+ user_manager::UserManager::Get()->FindUser(GetAccountId());
if (user) {
return user->is_affiliated();
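Review bot: IsUserManaged() no longer returns early when nobody is signed in: the removed `if (email.empty()) return false;` guard has no replacement, so `FindUser(GetAccountId())` now runs with whatever GetAccountId() yields, which is EmptyAccountId() when there is no SigninManager. Whether FindUser() is guaranteed to miss on an empty or invalid id is not visible in this hunk, and the result presumably decides whether a user-key challenge may proceed. I would keep the guard explicit with `const AccountId account_id = GetAccountId();` followed by `if (!account_id.is_valid()) return false;` before the lookup. The rest of IsUserManaged() lies outside the hunk.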
@@ -163,13 +169,7 @@ std::string EPKPChallengeKeyBase::GetEnterpriseDomain() const {
}
std::string EPKPChallengeKeyBase::GetUserEmail() const {
- SigninManagerBase* signin_manager =
- SigninManagerFactory::GetForProfile(GetProfile());
- if (!signin_manager)
- return std::string();
-
- return gaia::CanonicalizeEmail(
- signin_manager->GetAuthenticatedAccountInfo().email);
+ return GetAccountId().GetUserEmail();
}
std::string EPKPChallengeKeyBase::GetDeviceId() const {
@@ -178,17 +178,14 @@ std::string EPKPChallengeKeyBase::GetDeviceId() const {
void EPKPChallengeKeyBase::PrepareKey(
chromeos::attestation::AttestationKeyType key_type,
- const std::string& user_id,
+ const AccountId& account_id,
const std::string& key_name,
chromeos::attestation::AttestationCertificateProfile certificate_profile,
bool require_user_consent,
const base::Callback<void(PrepareKeyResult)>& callback) {
- const PrepareKeyContext context = PrepareKeyContext(key_type,
- user_id,
- key_name,
- certificate_profile,
- require_user_consent,
- callback);
+ const PrepareKeyContext context =
+ PrepareKeyContext(key_type, account_id, key_name, certificate_profile,
+ require_user_consent, callback);
cryptohome_client_->TpmAttestationIsPrepared(base::Bind(
&EPKPChallengeKeyBase::IsAttestationPreparedCallback, this, context));
}
@@ -207,8 +204,9 @@ void EPKPChallengeKeyBase::IsAttestationPreparedCallback(
}
// Attestation is available, see if the key we need already exists.
cryptohome_client_->TpmAttestationDoesKeyExist(
- context.key_type, context.user_id, context.key_name, base::Bind(
- &EPKPChallengeKeyBase::DoesKeyExistCallback, this, context));
+ context.key_type, cryptohome::Identification(context.account_id).id(),
+ context.key_name,
+ base::Bind(&EPKPChallengeKeyBase::DoesKeyExistCallback, this, context));
}
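Review bot: The device-key path now feeds EmptyAccountId() into `cryptohome::Identification(context.account_id).id()` here, where the old code passed `std::string()` straight through; the same construction appears as `cryptohome::Identification(EmptyAccountId())` in EPKPChallengeMachineKey::PrepareKeyCallback. The constructor is not shown on this page, so confirm that it accepts an empty AccountId without asserting and that `.id()` still yields the empty string cryptohome received before. The `// Not used.` comments on those arguments are worth rewording, since the value is now converted rather than ignored, e.g. `// KEY_DEVICE has no user; Identification must map this to an empty id.` IsAttestationPreparedCallback starts above the hunk.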
void EPKPChallengeKeyBase::DoesKeyExistCallback(
@@ -256,10 +254,9 @@ void EPKPChallengeKeyBase::AskForUserConsentCallback(
// Generate a new key and have it signed by PCA.
attestation_flow_->GetCertificate(
- context.certificate_profile,
- context.user_id,
+ context.certificate_profile, context.account_id,
std::string(), // Not used.
- true, // Force a new key to be generated.
+ true, // Force a new key to be generated.
base::Bind(&EPKPChallengeKeyBase::GetCertificateCallback, this,
context.callback));
}
@@ -348,7 +345,7 @@ void EPKPChallengeMachineKey::GetDeviceAttestationEnabledCallback(
}
PrepareKey(chromeos::attestation::KEY_DEVICE,
- std::string(), // Not used.
+ EmptyAccountId(), // Not used.
kKeyName,
chromeos::attestation::PROFILE_ENTERPRISE_MACHINE_CERTIFICATE,
false, // user consent is not required.
@@ -367,12 +364,9 @@ void EPKPChallengeMachineKey::PrepareKeyCallback(
// Everything is checked. Sign the challenge.
async_caller_->TpmAttestationSignEnterpriseChallenge(
chromeos::attestation::KEY_DEVICE,
- std::string(), // Not used.
- kKeyName,
- GetEnterpriseDomain(),
- GetDeviceId(),
- chromeos::attestation::CHALLENGE_OPTION_NONE,
- challenge,
+ cryptohome::Identification(EmptyAccountId()), // Not used.
+ kKeyName, GetEnterpriseDomain(), GetDeviceId(),
+ chromeos::attestation::CHALLENGE_OPTION_NONE, challenge,
base::Bind(&EPKPChallengeMachineKey::SignChallengeCallback, this));
}
@@ -486,9 +480,7 @@ void EPKPChallengeUserKey::GetDeviceAttestationEnabledCallback(
return;
}
- PrepareKey(chromeos::attestation::KEY_USER,
- GetUserEmail(),
- kKeyName,
+ PrepareKey(chromeos::attestation::KEY_USER, GetAccountId(), kKeyName,
chromeos::attestation::PROFILE_ENTERPRISE_USER_CERTIFICATE,
require_user_consent,
base::Bind(&EPKPChallengeUserKey::PrepareKeyCallback, this,
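Review bot: The identifier under which the user key is looked up changes here from the canonicalized e-mail to whatever `cryptohome::Identification` derives from `GetAccountId()`, and nothing in the change covers keys that were created under the old identifier. If the derived id differs for an existing user (not determinable from this page), TpmAttestationDoesKeyExist would likely miss the existing key and the flow would go on to request a new certificate, leaving the previously registered key behind. A comment at this call stating that the id is expected to be unchanged for existing users, or a test pinning that, would make the assumption checkable. The PrepareKey call continues past the end of the hunk.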
@@ -507,16 +499,12 @@ void EPKPChallengeUserKey::PrepareKeyCallback(const std::string& challenge,
// Everything is checked. Sign the challenge.
async_caller_->TpmAttestationSignEnterpriseChallenge(
chromeos::attestation::KEY_USER,
- GetUserEmail(),
- kKeyName,
- GetUserEmail(),
+ cryptohome::Identification(GetAccountId()), kKeyName, GetUserEmail(),
GetDeviceId(),
- register_key ?
- chromeos::attestation::CHALLENGE_INCLUDE_SIGNED_PUBLIC_KEY :
- chromeos::attestation::CHALLENGE_OPTION_NONE,
- challenge,
- base::Bind(&EPKPChallengeUserKey::SignChallengeCallback, this,
- register_key));
+ register_key ? chromeos::attestation::CHALLENGE_INCLUDE_SIGNED_PUBLIC_KEY
+ : chromeos::attestation::CHALLENGE_OPTION_NONE,
+ challenge, base::Bind(&EPKPChallengeUserKey::SignChallengeCallback, this,
+ register_key));
}
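Review bot: This call resolves the signed-in account twice, once through `GetAccountId()` for the key owner and once through `GetUserEmail()` for the argument after kKeyName, and SignChallengeCallback resolves it again for TpmAttestationRegisterKey. Each resolution goes back to the SigninManager and known_user, so across these asynchronous steps the values are not guaranteed to describe the same account. Resolving once keeps them tied together: `const AccountId account_id = GetAccountId();` and then pass `cryptohome::Identification(account_id)` and `account_id.GetUserEmail()`. Binding that AccountId into the callback would cover the register step as well.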
void EPKPChallengeUserKey::SignChallengeCallback(bool register_key,
@@ -531,8 +519,7 @@ void EPKPChallengeUserKey::SignChallengeCallback(bool register_key,
if (register_key) {
async_caller_->TpmAttestationRegisterKey(
chromeos::attestation::KEY_USER,
- GetUserEmail(),
- kKeyName,
+ cryptohome::Identification(GetAccountId()), kKeyName,
base::Bind(&EPKPChallengeUserKey::RegisterKeyCallback, this, response));
} else {
RegisterKeyCallback(response, true, cryptohome::MOUNT_ERROR_NONE);
