[Sync] Persist keystore key across restarts

sync/util/cryptographer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sync/util/cryptographer.h"
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/logging.h"
@@ skipping 31 matching lines @@
 }
 
 void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) {
   if (is_initialized()) {
     NOTREACHED();
     return;
   }
 
   scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
   if (nigori.get())
-    AddKeyImpl(nigori.release());
+    AddKeyImpl(nigori.release(), false);
+}
+
+void Cryptographer::BootstrapKeystoreKey(
+    const std::string& restored_bootstrap_token) {
+  if (keystore_nigori_) {
+    NOTREACHED();
+    return;
+  }
+
+  scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
+  if (nigori.get())
+    AddKeyImpl(nigori.release(), true);
 }
 
 bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const {
   return nigoris_.end() != nigoris_.find(data.key_name());
 }
 
 bool Cryptographer::CanDecryptUsingDefaultKey(
     const sync_pb::EncryptedData& data) const {
   return default_nigori_ && (data.key_name() == default_nigori_->first);
 }
@@ skipping 75 matching lines @@
 
 bool Cryptographer::AddKey(const KeyParams& params) {
   // Create the new Nigori and make it the default encryptor.
   scoped_ptr<Nigori> nigori(new Nigori);
   if (!nigori->InitByDerivation(params.hostname,
                                 params.username,
                                 params.password)) {
     NOTREACHED();  // Invalid username or password.
     return false;
   }
-  return AddKeyImpl(nigori.release());
+  return AddKeyImpl(nigori.release(), false);
 }
 
 bool Cryptographer::AddKeyFromBootstrapToken(
     const std::string restored_bootstrap_token) {
   // Create the new Nigori and make it the default encryptor.
   scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
   if (!nigori.get())
     return false;
-  return AddKeyImpl(nigori.release());
+  return AddKeyImpl(nigori.release(), false);
 }
 
-bool Cryptographer::AddKeyImpl(Nigori* initialized_nigori) {
+bool Cryptographer::AddKeyImpl(Nigori* initialized_nigori,
+                               bool is_keystore_key) {
   scoped_ptr<Nigori> nigori(initialized_nigori);
   std::string name;
   if (!nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) {
     NOTREACHED();
     return false;
   }
   nigoris_[name] = make_linked_ptr(nigori.release());
-  default_nigori_ = &*nigoris_.find(name);
+  if (is_keystore_key)
+    keystore_nigori_ = &*nigoris_.find(name);
+  else
+    default_nigori_ = &*nigoris_.find(name);
   return true;
 }
 
 void Cryptographer::InstallKeys(const sync_pb::EncryptedData& encrypted) {
   DCHECK(CanDecrypt(encrypted));
 
   sync_pb::NigoriKeyBag bag;
   if (!Decrypt(encrypted, &bag))
     return;
   InstallKeyBag(bag);
@@ skipping 36 matching lines @@
 }
 
 bool Cryptographer::GetBootstrapToken(std::string* token) const {
   DCHECK(token);
   if (!is_initialized())
     return false;
 
   return PackBootstrapToken(default_nigori_->second.get(), token);
 }
 
+bool Cryptographer::GetKeystoreKeyBootstrapToken(
+    std::string* token) const {
+  DCHECK(token);
+  if (!HasKeystoreKey())
+    return false;
+
+  return PackBootstrapToken(keystore_nigori_->second.get(), token);
+}
+
 bool Cryptographer::PackBootstrapToken(const Nigori* nigori,
                                        std::string* pack_into) const {
   DCHECK(pack_into);
   DCHECK(nigori);
 
   sync_pb::NigoriKey key;
   if (!nigori->ExportKeys(key.mutable_user_key(),
                           key.mutable_encryption_key(),
                           key.mutable_mac_key())) {
     NOTREACHED();
@@ skipping 72 matching lines @@
     }
   }
   return Cryptographer::SUCCESS;
 }
 
 bool Cryptographer::SetKeystoreKey(const std::string& keystore_key) {
   if (keystore_key.empty())
     return false;
   KeyParams params = {"localhost", "dummy", keystore_key};
 
-  // AddKey updates the default nigori, so we save the current default and
-  // make sure the keystore_nigori_ gets updated instead.
-  NigoriMap::value_type* old_default = default_nigori_;
-  if (AddKey(params)) {
-    keystore_nigori_ = default_nigori_;
-    default_nigori_ = old_default;
-    return true;
+  // Create the new Nigori and make it the default keystore encryptor.
+  scoped_ptr<Nigori> nigori(new Nigori);
+  if (!nigori->InitByDerivation(params.hostname,
+                                params.username,
+                                params.password)) {
+    NOTREACHED();  // Invalid username or password.
+    return false;
   }
-  return false;
+
+  return AddKeyImpl(nigori.release(), true);
 }
 
-bool Cryptographer::HasKeystoreKey() {
+bool Cryptographer::HasKeystoreKey() const {
   return keystore_nigori_ != NULL;
 }
 
 // Static
 ModelTypeSet Cryptographer::SensitiveTypes() {
   // Both of these have their own encryption schemes, but we include them
   // anyways.
   ModelTypeSet types;
   types.Put(PASSWORDS);
   types.Put(NIGORI);
@@ skipping 124 matching lines @@
                                     key.mac_key())) {
         NOTREACHED();
         continue;
       }
       nigoris_[key.name()] = make_linked_ptr(new_nigori.release());
     }
   }
 }
 
 }  // namespace syncer