[Sync:USS] Add test for backward-compatible keystore Nigori

New integration test injects backward-compatible keystore Nigori and
tests that client can decrypt password encrypted with the default key.

Backward-compatible keystore Nigori uses some old key (derived from
GAIA passphrase) as the default encryption key. This key is used for
encryption of passwords data and |encryption_keybag| in
NigoriSpecifics. This key also stored in |keystore_decryptor_token|,
which is encrypted with a keystore key, so client should be able to
decrypt everything once it has the keystore keys.

Bug: 922900
Change-Id: Ic76d76a60c89ff4e639ca6f0fda2becc81e939c8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1847271
Commit-Queue: Maksim Moskvitin <mmoskvitin@google.com>
Reviewed-by: Mikel Astiz <mastiz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#704571}

chrome/browser/sync/test/integration/single_client_nigori_sync_test.cc

@@ -152,7 +152,7 @@ IN_PROC_BROWSER_TEST_P(SingleClientNigoriSyncTestWithUssTests,
                        ShouldDecryptWithKeystoreNigori) {
   const std::vector<std::string>& keystore_keys =
       GetFakeServer()->GetKeystoreKeys();
-  ASSERT_TRUE(keystore_keys.size() == 1);
+  ASSERT_EQ(keystore_keys.size(), size_t{1});
   const KeyParams kKeystoreKeyParams = KeystoreKeyParams(keystore_keys.back());
   SetNigoriInFakeServer(GetFakeServer(),
                         BuildKeystoreNigoriSpecifics(
@@ -169,6 +169,33 @@ IN_PROC_BROWSER_TEST_P(SingleClientNigoriSyncTestWithUssTests,
   EXPECT_TRUE(WaitForPasswordForms({password_form}));
 }
 
+// Tests that client can decrypt passwords, encrypted with default key, while
+// Nigori node is in backward-compatible keystore mode (i.e. default key isn't
+// a keystore key, but keystore decryptor token contains this key and encrypted
+// with a keystore key).
+IN_PROC_BROWSER_TEST_P(SingleClientNigoriSyncTestWithUssTests,
+                       ShouldDecryptWithBackwardCompatibleKeystoreNigori) {
+  const std::vector<std::string>& keystore_keys =
+      GetFakeServer()->GetKeystoreKeys();
+  ASSERT_EQ(keystore_keys.size(), size_t{1});
+  const KeyParams kKeystoreKeyParams = KeystoreKeyParams(keystore_keys.back());
+  const KeyParams kDefaultKeyParams = {
+      syncer::KeyDerivationParams::CreateForPbkdf2(), "password"};
+  SetNigoriInFakeServer(
+      GetFakeServer(),
+      BuildKeystoreNigoriSpecifics(
+          /*keybag_keys_params=*/{kDefaultKeyParams, kKeystoreKeyParams},
+          /*keystore_decryptor_params*/ {kDefaultKeyParams},
+          /*keystore_key_params=*/kKeystoreKeyParams));
+  const autofill::PasswordForm password_form =
+      passwords_helper::CreateTestPasswordForm(0);
+  passwords_helper::InjectEncryptedServerPassword(
+      password_form, kDefaultKeyParams.password,
+      kDefaultKeyParams.derivation_params, GetFakeServer());
+  ASSERT_TRUE(SetupSync());
+  EXPECT_TRUE(WaitForPasswordForms({password_form}));
+}
+
 INSTANTIATE_TEST_SUITE_P(USS,
                          SingleClientNigoriSyncTestWithUssTests,
                          ::testing::Values(false, true));