Expose signing key from cloud policy stores

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
 
 #include <stddef.h>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 177 matching lines @@
       cryptohome_client_(cryptohome_client),
       session_manager_client_(session_manager_client),
       account_id_(account_id),
       user_policy_key_dir_(user_policy_key_dir),
       legacy_cache_dir_(legacy_token_cache_file.DirName()),
       legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
                                                  legacy_policy_cache_file,
                                                  background_task_runner)),
       legacy_caches_loaded_(false),
       policy_key_loaded_(false),
-      weak_factory_(this) {}
+      weak_factory_(this) {
+  owning_domain_ = ExtractDomain(account_id_.GetUserEmail());
+}
 
 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
 
 void UserCloudPolicyStoreChromeOS::Store(
     const em::PolicyFetchResponse& policy) {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
   std::unique_ptr<em::PolicyFetchResponse> response(
       new em::PolicyFetchResponse(policy));
   EnsurePolicyKeyLoaded(
@@ skipping 43 matching lines @@
       cryptohome_client_->BlockingGetSanitizedUsername(
           cryptohome::Identification(account_id_));
   if (sanitized_username.empty()) {
     status_ = STATUS_LOAD_ERROR;
     NotifyStoreError();
     return;
   }
 
   policy_key_path_ = user_policy_key_dir_.Append(
       base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
-  LoadPolicyKey(policy_key_path_, &policy_key_);
+  LoadPolicyKey(policy_key_path_, &public_key_);
   policy_key_loaded_ = true;
 
   std::unique_ptr<UserCloudPolicyValidator> validator =
       CreateValidatorForLoad(std::move(policy));
   validator->RunValidation();
   OnRetrievedPolicyValidated(validator.get());
 }
 
 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator.
   std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED);
   validator->ValidateUsername(account_id_.GetUserEmail(), true);
-  if (policy_key_.empty()) {
-    validator->ValidateInitialKey(GetPolicyVerificationKey(),
-                                  ExtractDomain(account_id_.GetUserEmail()));
+  if (public_key_.empty()) {
+    validator->ValidateInitialKey(GetPolicyVerificationKey(), owning_domain_);
   } else {
     const bool allow_rotation = true;
-    validator->ValidateSignature(policy_key_, GetPolicyVerificationKey(),
-                                 ExtractDomain(account_id_.GetUserEmail()),
-                                 allow_rotation);
+    validator->ValidateSignature(public_key_, GetPolicyVerificationKey(),
+                                 owning_domain_, allow_rotation);
   }
 
   // Start validation. The Validator will delete itself once validation is
   // complete.
   validator.release()->StartValidation(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
@@ skipping 59 matching lines @@
   legacy_loader_.reset();
 
   std::unique_ptr<em::PolicyFetchResponse> policy(
       new em::PolicyFetchResponse());
   if (!policy->ParseFromString(policy_blob)) {
     status_ = STATUS_PARSE_ERROR;
     NotifyStoreError();
     return;
   }
 
-  // Load |policy_key_| to verify the loaded policy.
+  // Load |public_key_| to verify the loaded policy.
   EnsurePolicyKeyLoaded(
       base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
                  weak_factory_.GetWeakPtr(),
                  base::Passed(&policy)));
 }
 
 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator for the loaded policy.
   std::unique_ptr<UserCloudPolicyValidator> validator =
@@ skipping 142 matching lines @@
     LOG(ERROR) << "Failed to read key at " << path.value();
   }
 
   if (key->empty())
     SampleValidationFailure(VALIDATION_FAILURE_LOAD_KEY);
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
     std::string* key,
     const base::Closure& callback) {
-  policy_key_ = *key;
+  public_key_ = *key;
   policy_key_loaded_ = true;
   callback.Run();
 }
 
 void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
     const base::Closure& callback) {
   if (policy_key_loaded_) {
     callback.Run();
   } else {
     // Get the hashed username that's part of the key's path, to determine
@@ skipping 25 matching lines @@
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE);
   validator->ValidateUsername(account_id_.GetUserEmail(), true);
   const bool allow_rotation = false;
   const std::string empty_key = std::string();
   // The policy loaded from session manager need not be validated using the
   // verification key since it is secure, and since there may be legacy policy
   // data that was stored without a verification key. Hence passing an empty
   // value for the verification key.
-  validator->ValidateSignature(policy_key_, empty_key,
-                               ExtractDomain(account_id_.GetUserEmail()),
+  validator->ValidateSignature(public_key_, empty_key, owning_domain_,
                                allow_rotation);
   return validator;
 }
 }  // namespace policy