
Unified Diff: chrome/browser/chromeos/policy/device_cloud_policy_initializer.h

Issue 2276593004: Device registration using an enrollment certificate from the PCA. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Merge branch 'master' into register-with-certificate Created 4 years, 4 months ago
Index: chrome/browser/chromeos/policy/device_cloud_policy_initializer.h
diff --git a/chrome/browser/chromeos/policy/device_cloud_policy_initializer.h b/chrome/browser/chromeos/policy/device_cloud_policy_initializer.h
index ea018ba46c1b23e95c42fc01f10ba63267ad6a20..6c6ee03ea4850e07edc53d03eb0eeee928337277 100644
--- a/chrome/browser/chromeos/policy/device_cloud_policy_initializer.h
+++ b/chrome/browser/chromeos/policy/device_cloud_policy_initializer.h
@@ -17,6 +17,7 @@
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
#include "components/policy/core/common/cloud/cloud_policy_store.h"
+#include "components/policy/core/common/cloud/signing_service.h"
class PrefService;
@@ -25,7 +26,9 @@ class SequencedTaskRunner;
}
namespace chromeos {
-class CryptohomeClient;
+namespace attestation {
+class AttestationFlow;
+}
}
namespace cryptohome {
@@ -59,8 +62,8 @@ class DeviceCloudPolicyInitializer : public CloudPolicyStore::Observer {
ServerBackedStateKeysBroker* state_keys_broker,
DeviceCloudPolicyStoreChromeOS* device_store,
DeviceCloudPolicyManagerChromeOS* manager,
- cryptohome::AsyncMethodCaller* async_caller,
- chromeos::CryptohomeClient* cryptohome_client);
+ cryptohome::AsyncMethodCaller* async_method_caller,
+ std::unique_ptr<chromeos::attestation::AttestationFlow> attestation_flow);
~DeviceCloudPolicyInitializer() override;
@@ -95,6 +98,29 @@ class DeviceCloudPolicyInitializer : public CloudPolicyStore::Observer {
void OnStoreError(CloudPolicyStore* store) override;
private:
+ // Signing class using the enrollment certificate's TPM-bound key to
+ // sign data.
+ class TpmEnrollmentKeySigningService : public policy::SigningService {
+ public:
+ TpmEnrollmentKeySigningService(
+ cryptohome::AsyncMethodCaller* async_method_caller);
+ ~TpmEnrollmentKeySigningService();
+
+ void SignData(const std::string& data,
pastarmovj 2016/08/29 11:51:35 Please add a comment : policy::SigningService impl
The one and only Dr. Crash 2016/08/29 19:55:32 That is what the override keyword is for IMO. I im
+ const SigningCallback& callback) override;
+
+ private:
+ void OnDataSigned(const std::string& data,
+ const SigningCallback& callback,
+ bool success,
+ const std::string& signed_data);
+
+ cryptohome::AsyncMethodCaller* async_method_caller_;
+
+ // Used to create tasks which run delayed on the UI thread.
+ base::WeakPtrFactory<TpmEnrollmentKeySigningService> weak_ptr_factory_;
+ };
+
// Handles completion signaled by |enrollment_handler_|.
void EnrollmentCompleted(const EnrollmentCallback& enrollment_callback,
EnrollmentStatus status);
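Review bot: The single-argument constructor of `TpmEnrollmentKeySigningService` is not marked `explicit`, so a `cryptohome::AsyncMethodCaller*` converts implicitly to a signing service; declare it as `explicit TpmEnrollmentKeySigningService(cryptohome::AsyncMethodCaller* async_method_caller);`. The `async_method_caller_` member is a raw, non-owning pointer, and the weak pointer factory only guards callbacks into this object, not the caller it points to, so a comment such as `// Not owned; must outlive this object.` on that member would record the lifetime requirement. If `policy::SigningService` declares a virtual destructor (not visible in this hunk), `~TpmEnrollmentKeySigningService()` should also carry `override`. The enclosing class `DeviceCloudPolicyInitializer` starts and ends outside this hunk.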
@@ -113,15 +139,20 @@ class DeviceCloudPolicyInitializer : public CloudPolicyStore::Observer {
ServerBackedStateKeysBroker* state_keys_broker_;
DeviceCloudPolicyStoreChromeOS* device_store_;
DeviceCloudPolicyManagerChromeOS* manager_;
- cryptohome::AsyncMethodCaller* async_method_caller_;
- chromeos::CryptohomeClient* cryptohome_client_;
- bool is_initialized_;
+ std::unique_ptr<chromeos::attestation::AttestationFlow> attestation_flow_;
+ bool is_initialized_ = false;
// Non-NULL if there is an enrollment operation pending.
std::unique_ptr<EnrollmentHandlerChromeOS> enrollment_handler_;
ServerBackedStateKeysBroker::Subscription state_keys_update_subscription_;
+ // Our signing service.
+ TpmEnrollmentKeySigningService signing_service_;
+
+ // Used to create tasks which run delayed on the UI thread.
+ base::WeakPtrFactory<DeviceCloudPolicyInitializer> weak_ptr_factory_;
pastarmovj 2016/08/29 11:51:35 Do you need this weak pointer? I think you only ne
The one and only Dr. Crash 2016/08/29 19:55:32 You are right, I do not need it anymore. Removed.
+
DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyInitializer);
};
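Review bot: `signing_service_` is declared after `enrollment_handler_`, so it is destroyed first. If the enrollment handler, or a client it owns, keeps a raw pointer to the signing service (this header does not show that), the pointer dangles while the handler is being torn down. Declaring `TpmEnrollmentKeySigningService signing_service_;` above `std::unique_ptr<EnrollmentHandlerChromeOS> enrollment_handler_;` would make the service outlive its users. The comment `// Our signing service.` could say what the member does, for example `// Signs data with the enrollment certificate's TPM-bound key.`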
