| Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| index 1f98da2ba9a6f1990ba8cc5be4fcaf014ef7b900..1739a7c83e3a8e0e2e89c07a85017526b895cfec 100644
|
| --- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| +++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| @@ -194,6 +194,7 @@ UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
|
| legacy_policy_cache_file,
|
| background_task_runner)),
|
| legacy_caches_loaded_(false),
|
| + owning_domain_(ExtractDomain(account_id_.GetUserEmail())),
|
| policy_key_loaded_(false),
|
| weak_factory_(this) {}
|
|
|
| @@ -259,7 +260,7 @@ void UserCloudPolicyStoreChromeOS::LoadImmediately() {
|
|
|
| policy_key_path_ = user_policy_key_dir_.Append(
|
| base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
|
| - LoadPolicyKey(policy_key_path_, &policy_key_);
|
| + LoadPolicyKey(policy_key_path_, &public_key_);
|
| policy_key_loaded_ = true;
|
|
|
| std::unique_ptr<UserCloudPolicyValidator> validator =
|
| @@ -274,12 +275,11 @@ void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
|
| std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
|
| std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED);
|
| validator->ValidateUsername(account_id_.GetUserEmail(), true);
|
| - if (policy_key_.empty()) {
|
| - validator->ValidateInitialKey(GetPolicyVerificationKey(),
|
| - ExtractDomain(account_id_.GetUserEmail()));
|
| + if (public_key_.empty()) {
|
| + validator->ValidateInitialKey(GetPolicyVerificationKey(), owning_domain_);
|
| } else {
|
| validator->ValidateSignatureAllowingRotation(
|
| - policy_key_, GetPolicyVerificationKey(),
|
| + public_key_, GetPolicyVerificationKey(),
|
| ExtractDomain(account_id_.GetUserEmail()));
|
| }
|
|
|
| @@ -360,7 +360,7 @@ void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
|
| return;
|
| }
|
|
|
| - // Load |policy_key_| to verify the loaded policy.
|
| + // Load |public_key_| to verify the loaded policy.
|
| EnsurePolicyKeyLoaded(
|
| base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
|
| weak_factory_.GetWeakPtr(),
|
| @@ -523,7 +523,7 @@ void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
|
| void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
|
| std::string* key,
|
| const base::Closure& callback) {
|
| - policy_key_ = *key;
|
| + public_key_ = *key;
|
| policy_key_loaded_ = true;
|
| callback.Run();
|
| }
|
| @@ -566,7 +566,8 @@ UserCloudPolicyStoreChromeOS::CreateValidatorForLoad(
|
| // The policy loaded from session manager need not be validated using the
|
| // verification key since it is secure, and since there may be legacy policy
|
| // data that was stored without a verification key.
|
| - validator->ValidateSignature(policy_key_);
|
| + validator->ValidateSignature(public_key_);
|
| return validator;
|
| }
|
| +
|
| } // namespace policy
|
|
|
Chromium Code Reviews
Issue 2488573003:
Expose signing key from cloud policy stores (Closed)
