Refactor platform keys service token ID

This CL changes how platform keys service expects token IDs from the
service consumers and makes it clear what to expect in special cases
like empty/unprovided token IDs.

Before this CL, platform keys service was accepting token IDs as strings
which is not as clear as enums especially for the cases of empty
strings.

Bug: 1073512
Change-Id: I4cbdfdc8f22b23ce0297314915e52804b2e495f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2270069
Commit-Queue: Omar Morsi <omorsi@google.com>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Michael Ershov <miersh@google.com>
Cr-Commit-Position: refs/heads/master@{#784448}

chrome/browser/chromeos/cert_provisioning/cert_provisioning_common.cc

@@ -149,12 +149,12 @@ std::string GetVaKeyNameForSpkac(CertScope scope, CertProfileId profile_id) {
   }
 }
 
-const char* GetPlatformKeysTokenId(CertScope scope) {
+platform_keys::TokenId GetPlatformKeysTokenId(CertScope scope) {
   switch (scope) {
     case CertScope::kUser:
-      return platform_keys::kTokenIdUser;
+      return platform_keys::TokenId::kUser;
     case CertScope::kDevice:
-      return platform_keys::kTokenIdSystem;
+      return platform_keys::TokenId::kSystem;
   }
 }
 

chrome/browser/chromeos/cert_provisioning/cert_provisioning_common.h

@@ -11,6 +11,7 @@
 #include "base/callback_forward.h"
 #include "base/optional.h"
 #include "base/values.h"
+#include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "chromeos/dbus/constants/attestation_constants.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 #include "net/cert/x509_certificate.h"
@@ -95,7 +96,7 @@ const char* GetPrefNameForSerialization(CertScope scope);
 std::string GetKeyName(CertProfileId profile_id);
 // Returns the key type for VA API calls for |scope|.
 attestation::AttestationKeyType GetVaKeyType(CertScope scope);
-const char* GetPlatformKeysTokenId(CertScope scope);
+platform_keys::TokenId GetPlatformKeysTokenId(CertScope scope);
 
 // The Verified Access APIs are used to generate key pairs. For user-specific
 // key pairs, it is possible to reuse the key pair that is used for Verified

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler_unittest.cc

@@ -73,7 +73,7 @@ struct CertificateTestHelper {
     DCHECK(cert);
   }
 
-  void GetCertificates(const std::string& token_id,
+  void GetCertificates(chromeos::platform_keys::TokenId token_id,
                        const platform_keys::GetCertificatesCallback& callback) {
     auto result = std::make_unique<net::CertificateList>();
     *result = cert_list;

chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker_unittest.cc

@@ -436,13 +436,13 @@ TEST_F(CertProvisioningWorkerTest, Success) {
     EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
-        platform_keys::kTokenIdUser, GetPublicKey(),
+        platform_keys::TokenId::kUser, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
-    EXPECT_SIGN_RSAPKC1_DIGEST_OK(
-        SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
-                           GetPublicKey(), kPkHashAlgo, /*callback=*/_));
+    EXPECT_SIGN_RSAPKC1_DIGEST_OK(SignRSAPKCS1Digest(
+        ::testing::Optional(platform_keys::TokenId::kUser), kDataToSign,
+        GetPublicKey(), kPkHashAlgo, /*callback=*/_));
 
     EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
         kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
@@ -453,7 +453,7 @@ TEST_F(CertProvisioningWorkerTest, Success) {
         /*callback=*/_));
 
     EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
-        platform_keys::kTokenIdUser, /*certificate=*/_, /*callback=*/_));
+        platform_keys::TokenId::kUser, /*certificate=*/_, /*callback=*/_));
 
     EXPECT_CALL(*mock_invalidator, Unregister()).Times(1);
 
@@ -490,9 +490,9 @@ TEST_F(CertProvisioningWorkerTest, NoVaSuccess) {
   {
     testing::InSequence seq;
 
-    EXPECT_CALL(
-        *platform_keys_service_,
-        GenerateRSAKey("user", kNonVaKeyModulusLengthBits, /*callback=*/_))
+    EXPECT_CALL(*platform_keys_service_,
+                GenerateRSAKey(platform_keys::TokenId::kUser,
+                               kNonVaKeyModulusLengthBits, /*callback=*/_))
         .Times(1)
         .WillOnce(RunOnceCallback<2>(GetPublicKey(), ""));
 
@@ -501,13 +501,13 @@ TEST_F(CertProvisioningWorkerTest, NoVaSuccess) {
         /*callback=*/_));
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
-        platform_keys::kTokenIdUser, GetPublicKey(),
+        platform_keys::TokenId::kUser, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
-    EXPECT_SIGN_RSAPKC1_DIGEST_OK(
-        SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
-                           GetPublicKey(), kPkHashAlgo, /*callback=*/_));
+    EXPECT_SIGN_RSAPKC1_DIGEST_OK(SignRSAPKCS1Digest(
+        ::testing::Optional(platform_keys::TokenId::kUser), kDataToSign,
+        GetPublicKey(), kPkHashAlgo, /*callback=*/_));
 
     EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
         kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
@@ -518,7 +518,7 @@ TEST_F(CertProvisioningWorkerTest, NoVaSuccess) {
         /*callback=*/_));
 
     EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
-        platform_keys::kTokenIdUser, /*certificate=*/_, /*callback=*/_));
+        platform_keys::TokenId::kUser, /*certificate=*/_, /*callback=*/_));
 
     EXPECT_CALL(callback_observer_,
                 Callback(cert_profile, CertProvisioningWorkerState::kSucceeded))
@@ -576,7 +576,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
     EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
-        platform_keys::kTokenIdSystem, GetPublicKey(),
+        platform_keys::TokenId::kSystem, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
@@ -619,7 +619,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterManualRetry) {
                                            /*callback=*/_));
 
     EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
-        platform_keys::kTokenIdSystem, /*certificate=*/_, /*callback=*/_));
+        platform_keys::TokenId::kSystem, /*certificate=*/_, /*callback=*/_));
 
     EXPECT_CALL(callback_observer_,
                 Callback(cert_profile, CertProvisioningWorkerState::kSucceeded))
@@ -682,13 +682,13 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
     EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
-        platform_keys::kTokenIdUser, GetPublicKey(),
+        platform_keys::TokenId::kUser, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
-    EXPECT_SIGN_RSAPKC1_DIGEST_OK(
-        SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
-                           GetPublicKey(), kPkHashAlgo, /*callback=*/_));
+    EXPECT_SIGN_RSAPKC1_DIGEST_OK(SignRSAPKCS1Digest(
+        ::testing::Optional(platform_keys::TokenId::kUser), kDataToSign,
+        GetPublicKey(), kPkHashAlgo, /*callback=*/_));
 
     EXPECT_FINISH_CSR_TRY_LATER(
         ClientCertProvisioningFinishCsr(
@@ -724,7 +724,7 @@ TEST_F(CertProvisioningWorkerTest, TryLaterWait) {
     EXPECT_DOWNLOAD_CERT_OK(ClientCertProvisioningDownloadCert);
 
     EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
-        platform_keys::kTokenIdUser, /*certificate=*/_, /*callback=*/_));
+        platform_keys::TokenId::kUser, /*certificate=*/_, /*callback=*/_));
 
     FastForwardBy(small_delay);
     // Check that minimum wait time is not too small even if the server
@@ -957,7 +957,7 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) {
     EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_FAIL(SetAttributeForKey(
-        platform_keys::kTokenIdUser, GetPublicKey(),
+        platform_keys::TokenId::kUser, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
@@ -965,7 +965,7 @@ TEST_F(CertProvisioningWorkerTest, RemoveRegisteredKey) {
 
     EXPECT_CALL(
         *platform_keys_service_,
-        RemoveKey(platform_keys::kTokenIdUser,
+        RemoveKey(platform_keys::TokenId::kUser,
                   /*public_key_spki_der=*/GetPublicKey(), /*callback=*/_))
         .Times(1)
         .WillOnce(RunOnceCallback<2>(/*error_message=*/""));
@@ -1104,13 +1104,13 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
     EXPECT_REGISTER_KEY_OK(*mock_tpm_challenge_key, StartRegisterKeyStep);
 
     EXPECT_SET_ATTRIBUTE_FOR_KEY_OK(SetAttributeForKey(
-        platform_keys::kTokenIdUser, GetPublicKey(),
+        platform_keys::TokenId::kUser, GetPublicKey(),
         platform_keys::KeyAttributeType::CertificateProvisioningId,
         kCertProfileId, _));
 
-    EXPECT_SIGN_RSAPKC1_DIGEST_OK(
-        SignRSAPKCS1Digest(platform_keys::kTokenIdUser, kDataToSign,
-                           GetPublicKey(), kPkHashAlgo, /*callback=*/_));
+    EXPECT_SIGN_RSAPKC1_DIGEST_OK(SignRSAPKCS1Digest(
+        ::testing::Optional(platform_keys::TokenId::kUser), kDataToSign,
+        GetPublicKey(), kPkHashAlgo, /*callback=*/_));
 
     EXPECT_FINISH_CSR_OK(ClientCertProvisioningFinishCsr(
         kCertScopeStrUser, kCertProfileId, kCertProfileVersion, GetPublicKey(),
@@ -1169,7 +1169,7 @@ TEST_F(CertProvisioningWorkerTest, SerializationSuccess) {
         /*callback=*/_));
 
     EXPECT_IMPORT_CERTIFICATE_OK(ImportCertificate(
-        platform_keys::kTokenIdUser, /*certificate=*/_, /*callback=*/_));
+        platform_keys::TokenId::kUser, /*certificate=*/_, /*callback=*/_));
 
     pref_val = ParseJson("{}");
     EXPECT_CALL(pref_observer, OnPrefValueUpdated(IsJson(pref_val))).Times(1);

chrome/browser/chromeos/platform_keys/extension_platform_keys_service.cc

@@ -58,18 +58,19 @@ bool IsExtensionAllowlisted(const extensions::Extension* extension) {
 #endif  // defined(OS_CHROMEOS)
 
 // Converts |token_ids| (string-based token identifiers used in the
-// platformKeys API) to a vector of KeyPermissions::KeyLocation. Currently only
-// accepts |kTokenIdUser| and |kTokenIdSystem| as |token_ids| elements.
+// platformKeys API) to a vector of KeyPermissions::KeyLocation.
 std::vector<KeyPermissions::KeyLocation> TokenIdsToKeyLocations(
-    const std::vector<std::string>& token_ids) {
+    const std::vector<platform_keys::TokenId>& token_ids) {
   std::vector<KeyPermissions::KeyLocation> key_locations;
   for (const auto& token_id : token_ids) {
-    if (token_id == platform_keys::kTokenIdUser)
-      key_locations.push_back(KeyPermissions::KeyLocation::kUserSlot);
-    else if (token_id == platform_keys::kTokenIdSystem)
-      key_locations.push_back(KeyPermissions::KeyLocation::kSystemSlot);
-    else
-      NOTREACHED() << "Unknown platformKeys API token id " << token_id;
+    switch (token_id) {
+      case platform_keys::TokenId::kUser:
+        key_locations.push_back(KeyPermissions::KeyLocation::kUserSlot);
+        break;
+      case platform_keys::TokenId::kSystem:
+        key_locations.push_back(KeyPermissions::KeyLocation::kSystemSlot);
+        break;
+    }
   }
   return key_locations;
 }
@@ -96,7 +97,7 @@ class ExtensionPlatformKeysService::GenerateKeyTask : public Task {
     DONE,
   };
 
-  GenerateKeyTask(const std::string& token_id,
+  GenerateKeyTask(platform_keys::TokenId token_id,
                   const std::string& extension_id,
                   const GenerateKeyCallback& callback,
                   KeyPermissions* key_permissions,
@@ -119,7 +120,7 @@ class ExtensionPlatformKeysService::GenerateKeyTask : public Task {
  protected:
   virtual void GenerateKey(GenerateKeyCallback callback) = 0;
 
-  const std::string token_id_;
+  platform_keys::TokenId token_id_;
   std::string public_key_spki_der_;
   const std::string extension_id_;
   GenerateKeyCallback callback_;
@@ -201,7 +202,7 @@ class ExtensionPlatformKeysService::GenerateRSAKeyTask
   // This key task generates an RSA key with the parameters |token_id| and
   // |modulus_length| and registers it for the extension with id |extension_id|.
   // The generated key will be passed to |callback|.
-  GenerateRSAKeyTask(const std::string& token_id,
+  GenerateRSAKeyTask(platform_keys::TokenId token_id,
                      unsigned int modulus_length,
                      const std::string& extension_id,
                      const GenerateKeyCallback& callback,
@@ -231,7 +232,7 @@ class ExtensionPlatformKeysService::GenerateECKeyTask : public GenerateKeyTask {
   // This Task generates an EC key with the parameters |token_id| and
   // |named_curve| and registers it for the extension with id |extension_id|.
   // The generated key will be passed to |callback|.
-  GenerateECKeyTask(const std::string& token_id,
+  GenerateECKeyTask(platform_keys::TokenId token_id,
                     const std::string& named_curve,
                     const std::string& extension_id,
                     const GenerateKeyCallback& callback,
@@ -272,7 +273,7 @@ class ExtensionPlatformKeysService::SignTask : public Task {
   // multiple times, also updates the permission to prevent any future signing
   // operation of that extension using that same key. If an error occurs, an
   // error message is passed to |callback| instead.
-  SignTask(const std::string& token_id,
+  SignTask(base::Optional<platform_keys::TokenId> token_id,
            const std::string& data,
            const std::string& public_key_spki_der,
            bool raw_pkcs1,
@@ -358,7 +359,7 @@ class ExtensionPlatformKeysService::SignTask : public Task {
         base::BindRepeating(&SignTask::GotKeyLocation, base::Unretained(this)));
   }
 
-  void GotKeyLocation(const std::vector<std::string>& token_ids,
+  void GotKeyLocation(const std::vector<platform_keys::TokenId>& token_ids,
                       const std::string& error_message) {
     if (!error_message.empty()) {
       next_step_ = Step::DONE;
@@ -408,7 +409,7 @@ class ExtensionPlatformKeysService::SignTask : public Task {
 
   Step next_step_ = Step::GET_EXTENSION_PERMISSIONS;
 
-  const std::string token_id_;
+  base::Optional<platform_keys::TokenId> token_id_;
   const std::string data_;
   const std::string public_key_spki_der_;
 
@@ -602,7 +603,7 @@ class ExtensionPlatformKeysService::SelectTask : public Task {
   }
 
   void GotKeyLocations(const scoped_refptr<net::X509Certificate>& certificate,
-                       const std::vector<std::string>& token_ids,
+                       const std::vector<platform_keys::TokenId>& token_ids,
                        const std::string& error_message) {
     if (!error_message.empty()) {
       next_step_ = Step::DONE;
@@ -779,7 +780,7 @@ void ExtensionPlatformKeysService::SetSelectDelegate(
 }
 
 void ExtensionPlatformKeysService::GenerateRSAKey(
-    const std::string& token_id,
+    platform_keys::TokenId token_id,
     unsigned int modulus_length,
     const std::string& extension_id,
     const GenerateKeyCallback& callback) {
@@ -790,7 +791,7 @@ void ExtensionPlatformKeysService::GenerateRSAKey(
 }
 
 void ExtensionPlatformKeysService::GenerateECKey(
-    const std::string& token_id,
+    platform_keys::TokenId token_id,
     const std::string& named_curve,
     const std::string& extension_id,
     const GenerateKeyCallback& callback) {
@@ -805,7 +806,7 @@ bool ExtensionPlatformKeysService::IsUsingSigninProfile() {
 }
 
 void ExtensionPlatformKeysService::SignDigest(
-    const std::string& token_id,
+    base::Optional<platform_keys::TokenId> token_id,
     const std::string& data,
     const std::string& public_key_spki_der,
     platform_keys::KeyType key_type,
@@ -820,7 +821,7 @@ void ExtensionPlatformKeysService::SignDigest(
 }
 
 void ExtensionPlatformKeysService::SignRSAPKCS1Raw(
-    const std::string& token_id,
+    base::Optional<platform_keys::TokenId> token_id,
     const std::string& data,
     const std::string& public_key_spki_der,
     const std::string& extension_id,

chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h

@@ -102,7 +102,7 @@ class ExtensionPlatformKeysService : public KeyedService {
   // specifies the token to store the key pair on. |callback| will be invoked
   // with the resulting public key or an error. Will only call back during the
   // lifetime of this object.
-  void GenerateRSAKey(const std::string& token_id,
+  void GenerateRSAKey(platform_keys::TokenId token_id,
                       unsigned int modulus_length_bits,
                       const std::string& extension_id,
                       const GenerateKeyCallback& callback);
@@ -112,7 +112,7 @@ class ExtensionPlatformKeysService : public KeyedService {
   // token to store the key pair on. |callback| will be invoked with the
   // resulting public key or an error. Will only call back during the lifetime
   // of this object.
-  void GenerateECKey(const std::string& token_id,
+  void GenerateECKey(platform_keys::TokenId token_id,
                      const std::string& named_curve,
                      const std::string& extension_id,
                      const GenerateKeyCallback& callback);
@@ -130,14 +130,16 @@ class ExtensionPlatformKeysService : public KeyedService {
 
   // Digests |data|, applies PKCS1 padding if specified by |hash_algorithm| and
   // chooses the signature algorithm according to |key_type| and signs the data
-  // with the private key matching |public_key_spki_der|. If a non empty token
-  // id is provided and the key is not found in that token, the operation
-  // aborts. If the extension does not have permissions for signing with this
-  // key, the operation aborts. In case of a one time permission (granted after
+  // with the private key matching |public_key_spki_der|. If a |token_id|
+  // is provided and the key is not found in that token, the operation aborts.
+  // If |token_id| is not provided (nullopt), all tokens available to the caller
+  // will be considered while searching for the key.
+  // If the extension does not have permissions for signing with this key, the
+  // operation aborts. In case of a one time permission (granted after
   // generating the key), this function also removes the permission to prevent
   // future signing attempts. |callback| will be invoked with the signature or
   // an error message. Will only call back during the lifetime of this object.
-  void SignDigest(const std::string& token_id,
+  void SignDigest(base::Optional<platform_keys::TokenId> token_id,
                   const std::string& data,
                   const std::string& public_key_spki_der,
                   platform_keys::KeyType key_type,
@@ -146,18 +148,17 @@ class ExtensionPlatformKeysService : public KeyedService {
                   const SignCallback& callback);
 
   // Applies PKCS1 padding and afterwards signs the data with the private key
-  // matching |public_key_spki_der|. |data| is not digested. If a non empty
-  // token id is provided and the key is not found in that token, the operation
-  // aborts.
-  // The size of |data| (number of octets) must be smaller than k - 11, where k
-  // is the key size in octets.
+  // matching |public_key_spki_der|. |data| is not digested. If a |token_id|
+  // is provided and the key is not found in that token, the operation aborts.
+  // If |token_id| is not provided (nullopt), all available tokens to the caller
+  // will be considered while searching for the key. The size of |data| (number
+  // of octets) must be smaller than k - 11, where k is the key size in octets.
   // If the extension does not have permissions for signing with this key, the
   // operation aborts. In case of a one time permission (granted after
   // generating the key), this function also removes the permission to prevent
-  // future signing attempts.
-  // |callback| will be invoked with the signature or an error message.
-  // Will only call back during the lifetime of this object.
-  void SignRSAPKCS1Raw(const std::string& token_id,
+  // future signing attempts. |callback| will be invoked with the signature or
+  // an error message. Will only call back during the lifetime of this object.
+  void SignRSAPKCS1Raw(base::Optional<platform_keys::TokenId> token_id,
                        const std::string& data,
                        const std::string& public_key_spki_der,
                        const std::string& extension_id,

chrome/browser/chromeos/platform_keys/mock_platform_keys_service.h

@@ -23,21 +23,21 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               GenerateRSAKey,
-              (const std::string& token_id,
+              (TokenId token_id,
                unsigned int modulus_length_bits,
                const GenerateKeyCallback& callback),
               (override));
 
   MOCK_METHOD(void,
               GenerateECKey,
-              (const std::string& token_id,
+              (TokenId token_id,
                const std::string& named_curve,
                const GenerateKeyCallback& callback),
               (override));
 
   MOCK_METHOD(void,
               SignRSAPKCS1Digest,
-              (const std::string& token_id,
+              (base::Optional<TokenId> token_id,
                const std::string& data,
                const std::string& public_key_spki_der,
                HashAlgorithm hash_algorithm,
@@ -46,7 +46,7 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               SignRSAPKCS1Raw,
-              (const std::string& token_id,
+              (base::Optional<TokenId> token_id,
                const std::string& data,
                const std::string& public_key_spki_der,
                const SignCallback& callback),
@@ -54,7 +54,7 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               SignECDSADigest,
-              (const std::string& token_id,
+              (base::Optional<TokenId> token_id,
                const std::string& data,
                const std::string& public_key_spki_der,
                HashAlgorithm hash_algorithm,
@@ -69,32 +69,31 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               GetCertificates,
-              (const std::string& token_id,
-               const GetCertificatesCallback& callback),
+              (TokenId token_id, const GetCertificatesCallback& callback),
               (override));
 
   MOCK_METHOD(void,
               GetAllKeys,
-              (const std::string& token_id, GetAllKeysCallback callback),
+              (TokenId token_id, GetAllKeysCallback callback),
               (override));
 
   MOCK_METHOD(void,
               ImportCertificate,
-              (const std::string& token_id,
+              (TokenId token_id,
                const scoped_refptr<net::X509Certificate>& certificate,
                const ImportCertificateCallback& callback),
               (override));
 
   MOCK_METHOD(void,
               RemoveCertificate,
-              (const std::string& token_id,
+              (TokenId token_id,
                const scoped_refptr<net::X509Certificate>& certificate,
                const RemoveCertificateCallback& callback),
               (override));
 
   MOCK_METHOD(void,
               RemoveKey,
-              (const std::string& token_id,
+              (TokenId token_id,
                const std::string& public_key_spki_der,
                RemoveKeyCallback callback),
               (override));
@@ -109,7 +108,7 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               SetAttributeForKey,
-              (const std::string& token_id,
+              (TokenId token_id,
                const std::string& public_key_spki_der,
                KeyAttributeType attribute_type,
                const std::string& attribute_value,
@@ -118,7 +117,7 @@ class MockPlatformKeysService : public PlatformKeysService {
 
   MOCK_METHOD(void,
               GetAttributeForKey,
-              (const std::string& token_id,
+              (TokenId token_id,
                const std::string& public_key_spki_der,
                KeyAttributeType attribute_type,
                GetAttributeForKeyCallback callback),

chrome/browser/chromeos/platform_keys/platform_keys_service.cc

@@ -17,9 +17,6 @@
 namespace chromeos {
 namespace platform_keys {
 
-const char kTokenIdUser[] = "user";
-const char kTokenIdSystem[] = "system";
-
 namespace {
 
 void IntersectOnWorkerThread(const net::CertificateList& certs1,

chrome/browser/chromeos/platform_keys/platform_keys_service_browsertest.cc

@@ -15,6 +15,8 @@
 #include "base/location.h"
 #include "base/memory/weak_ptr.h"
 #include "base/run_loop.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/stringprintf.h"
 #include "base/task/post_task.h"
 #include "base/threading/thread_restrictions.h"
 #include "chrome/browser/chromeos/login/test/device_state_mixin.h"
@@ -58,8 +60,6 @@ namespace {
 
 constexpr char kTestUserEmail[] = "test@example.com";
 constexpr char kTestAffiliationId[] = "test_affiliation_id";
-constexpr char kSystemToken[] = "system";
-constexpr char kUserToken[] = "user";
 
 enum class ProfileToUse {
   // A Profile that belongs to a user that is not affiliated with the device (no
@@ -80,7 +80,7 @@ struct TestConfig {
   // The token IDs that are expected to be available. This will be checked by
   // the GetTokens test, and operation for these tokens will be performed by the
   // other tests.
-  std::vector<std::string> token_ids;
+  std::vector<TokenId> token_ids;
 };
 
 // Softoken NSS PKCS11 module (used for testing) allows only predefined key
@@ -177,12 +177,12 @@ class ExecutionWaiter {
 
 // Supports waiting for the result of PlatformKeysService::GetTokens.
 class GetTokensExecutionWaiter
-    : public ExecutionWaiter<std::unique_ptr<std::vector<std::string>>> {
+    : public ExecutionWaiter<std::unique_ptr<std::vector<TokenId>>> {
  public:
   GetTokensExecutionWaiter() = default;
   ~GetTokensExecutionWaiter() = default;
 
-  const std::unique_ptr<std::vector<std::string>>& token_ids() const {
+  const std::unique_ptr<std::vector<TokenId>>& token_ids() const {
     return std::get<0>(result_callback_args());
   }
 };
@@ -330,17 +330,18 @@ class PlatformKeysServiceBrowserTest
   }
 
   // Returns the slot to be used depending on |token_id|.
-  PK11SlotInfo* GetSlot(const std::string& token_id) {
-    if (token_id == kSystemToken) {
-      return system_nss_key_slot_mixin_.slot();
+  PK11SlotInfo* GetSlot(TokenId token_id) {
+    switch (token_id) {
+      case TokenId::kSystem:
+        return system_nss_key_slot_mixin_.slot();
+      case TokenId::kUser:
+        return user_slot_.get();
     }
-    DCHECK_EQ(token_id, kUserToken);
-    return user_slot_.get();
   }
 
   // Generates a key pair in the given |token_id| using platform keys service
   // and returns the SubjectPublicKeyInfo string encoded in DER format.
-  std::string GenerateKeyPair(const std::string& token_id) {
+  std::string GenerateKeyPair(TokenId token_id) {
     const unsigned int kKeySize = 2048;
 
     GenerateKeyExecutionWaiter generate_key_waiter;
@@ -404,7 +405,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, GenerateRsaAndSign) {
   const crypto::SignatureVerifier::SignatureAlgorithm signature_algorithm =
       crypto::SignatureVerifier::RSA_PKCS1_SHA256;
 
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     GenerateKeyExecutionWaiter generate_key_waiter;
     platform_keys_service()->GenerateRSAKey(token_id, kKeySize,
                                             generate_key_waiter.GetCallback());
@@ -438,8 +439,10 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, SetAndGetKeyAttribute) {
   const KeyAttributeType kAttributeType =
       KeyAttributeType::CertificateProvisioningId;
 
-  for (const std::string& token_id : GetParam().token_ids) {
-    const std::string kAttributeValue = "test" + token_id;
+  for (TokenId token_id : GetParam().token_ids) {
+    const int token_id_as_int = static_cast<int>(token_id);
+    const std::string attribute_value =
+        base::StringPrintf("test%d", token_id_as_int);
 
     // Generate key pair.
     const std::string public_key_spki_der = GenerateKeyPair(token_id);
@@ -448,7 +451,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, SetAndGetKeyAttribute) {
     // Set key attribute.
     SetAttributeForKeyExecutionWaiter set_attribute_for_key_execution_waiter;
     platform_keys_service()->SetAttributeForKey(
-        token_id, public_key_spki_der, kAttributeType, kAttributeValue,
+        token_id, public_key_spki_der, kAttributeType, attribute_value,
         set_attribute_for_key_execution_waiter.GetCallback());
     set_attribute_for_key_execution_waiter.Wait();
 
@@ -461,7 +464,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, SetAndGetKeyAttribute) {
 
     EXPECT_TRUE(get_attribute_for_key_execution_waiter.error_message().empty());
     EXPECT_EQ(get_attribute_for_key_execution_waiter.attribute_value(),
-              kAttributeValue);
+              attribute_value);
   }
 }
 
@@ -469,7 +472,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, GetUnsetKeyAttribute) {
   const KeyAttributeType kAttributeType =
       KeyAttributeType::CertificateProvisioningId;
 
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     // Generate key pair.
     const std::string public_key_spki_der = GenerateKeyPair(token_id);
     ASSERT_FALSE(public_key_spki_der.empty());
@@ -493,7 +496,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
       KeyAttributeType::CertificateProvisioningId;
   const std::string kPublicKey = "Non Existing public key";
 
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     // Get key attribute.
     GetAttributeForKeyExecutionWaiter get_attribute_for_key_execution_waiter;
     platform_keys_service()->GetAttributeForKey(
@@ -513,7 +516,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
   const std::string kAttributeValue = "test";
   const std::string kPublicKey = "Non Existing public key";
 
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     // Set key attribute.
     SetAttributeForKeyExecutionWaiter set_attribute_for_key_execution_waiter;
     platform_keys_service()->SetAttributeForKey(
@@ -528,7 +531,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
 
 IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
                        RemoveKeyWithNoMatchingCertificates) {
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     // Generate first key pair.
     const std::string public_key_1 = GenerateKeyPair(token_id);
     ASSERT_FALSE(public_key_1.empty());
@@ -555,7 +558,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
 
 IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
                        RemoveKeyWithMatchingCertificate) {
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     PK11SlotInfo* const slot = GetSlot(token_id);
 
     // Assert that there are no certificates before importing.
@@ -616,15 +619,15 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
 // retrieves them.
 IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, GetAllKeys) {
   // Generate key pair in every token.
-  std::map<std::string, std::string> token_key_map;
-  for (const std::string& token_id : GetParam().token_ids) {
+  std::map<TokenId, std::string> token_key_map;
+  for (TokenId token_id : GetParam().token_ids) {
     const std::string public_key_spki_der = GenerateKeyPair(token_id);
     ASSERT_FALSE(public_key_spki_der.empty());
     token_key_map[token_id] = public_key_spki_der;
   }
 
   // Only keys in the requested token should be retrieved.
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     GetAllKeysExecutionWaiter get_all_keys_waiter;
     platform_keys_service()->GetAllKeys(token_id,
                                         get_all_keys_waiter.GetCallback());
@@ -639,7 +642,7 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest, GetAllKeys) {
 
 IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
                        GetAllKeysWhenNoKeysGenerated) {
-  for (const std::string& token_id : GetParam().token_ids) {
+  for (TokenId token_id : GetParam().token_ids) {
     GetAllKeysExecutionWaiter get_all_keys_waiter;
     platform_keys_service()->GetAllKeys(token_id,
                                         get_all_keys_waiter.GetCallback());
@@ -654,11 +657,11 @@ IN_PROC_BROWSER_TEST_P(PlatformKeysServiceBrowserTest,
 INSTANTIATE_TEST_SUITE_P(
     AllSupportedProfileTypes,
     PlatformKeysServiceBrowserTest,
-    ::testing::Values(TestConfig{ProfileToUse::kSigninProfile, {kSystemToken}},
-                      TestConfig{ProfileToUse::kUnaffiliatedUserProfile,
-                                 {kUserToken}},
-                      TestConfig{ProfileToUse::kAffiliatedUserProfile,
-                                 {kSystemToken, kUserToken}}));
+    ::testing::Values(
+        TestConfig{ProfileToUse::kSigninProfile, {TokenId::kSystem}},
+        TestConfig{ProfileToUse::kUnaffiliatedUserProfile, {TokenId::kUser}},
+        TestConfig{ProfileToUse::kAffiliatedUserProfile,
+                   {TokenId::kSystem, TokenId::kUser}}));
 
 }  // namespace platform_keys
 }  // namespace chromeos

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.cc

@@ -7,6 +7,7 @@
 #include <utility>
 
 #include "base/bind.h"
+#include "base/optional.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h"
 #include "chrome/browser/chromeos/platform_keys/extension_platform_keys_service_factory.h"
@@ -53,8 +54,9 @@ EnterprisePlatformKeysInternalGenerateKeyFunction::Run() {
       api_epki::GenerateKey::Params::Create(*args_));
 
   EXTENSION_FUNCTION_VALIDATE(params);
-  std::string platform_keys_token_id;
-  if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id))
+  base::Optional<chromeos::platform_keys::TokenId> platform_keys_token_id =
+      platform_keys::ApiIdToPlatformKeysTokenId(params->token_id);
+  if (!platform_keys_token_id)
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   chromeos::ExtensionPlatformKeysService* service =
@@ -67,7 +69,7 @@ EnterprisePlatformKeysInternalGenerateKeyFunction::Run() {
     EXTENSION_FUNCTION_VALIDATE(params->algorithm.modulus_length &&
                                 *(params->algorithm.modulus_length) >= 0);
     service->GenerateRSAKey(
-        platform_keys_token_id, *(params->algorithm.modulus_length),
+        platform_keys_token_id.value(), *(params->algorithm.modulus_length),
         extension_id(),
         base::Bind(
             &EnterprisePlatformKeysInternalGenerateKeyFunction::OnGeneratedKey,
@@ -75,7 +77,7 @@ EnterprisePlatformKeysInternalGenerateKeyFunction::Run() {
   } else if (params->algorithm.name == "ECDSA") {
     EXTENSION_FUNCTION_VALIDATE(params->algorithm.named_curve);
     service->GenerateECKey(
-        platform_keys_token_id, *(params->algorithm.named_curve),
+        platform_keys_token_id.value(), *(params->algorithm.named_curve),
         extension_id(),
         base::Bind(
             &EnterprisePlatformKeysInternalGenerateKeyFunction::OnGeneratedKey,
@@ -107,15 +109,16 @@ EnterprisePlatformKeysGetCertificatesFunction::Run() {
   std::unique_ptr<api_epk::GetCertificates::Params> params(
       api_epk::GetCertificates::Params::Create(*args_));
   EXTENSION_FUNCTION_VALIDATE(params);
-  std::string platform_keys_token_id;
-  if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id))
+  base::Optional<chromeos::platform_keys::TokenId> platform_keys_token_id =
+      platform_keys::ApiIdToPlatformKeysTokenId(params->token_id);
+  if (!platform_keys_token_id)
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   chromeos::platform_keys::PlatformKeysService* platform_keys_service =
       chromeos::platform_keys::PlatformKeysServiceFactory::GetForBrowserContext(
           browser_context());
   platform_keys_service->GetCertificates(
-      platform_keys_token_id,
+      platform_keys_token_id.value(),
       base::Bind(
           &EnterprisePlatformKeysGetCertificatesFunction::OnGotCertificates,
           this));
@@ -153,8 +156,9 @@ EnterprisePlatformKeysImportCertificateFunction::Run() {
   std::unique_ptr<api_epk::ImportCertificate::Params> params(
       api_epk::ImportCertificate::Params::Create(*args_));
   EXTENSION_FUNCTION_VALIDATE(params);
-  std::string platform_keys_token_id;
-  if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id))
+  base::Optional<chromeos::platform_keys::TokenId> platform_keys_token_id =
+      platform_keys::ApiIdToPlatformKeysTokenId(params->token_id);
+  if (!platform_keys_token_id)
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   const std::vector<uint8_t>& cert_der = params->certificate;
@@ -175,7 +179,7 @@ EnterprisePlatformKeysImportCertificateFunction::Run() {
   CHECK(platform_keys_service);
 
   platform_keys_service->ImportCertificate(
-      platform_keys_token_id, cert_x509,
+      platform_keys_token_id.value(), cert_x509,
       base::Bind(&EnterprisePlatformKeysImportCertificateFunction::
                      OnImportedCertificate,
                  this));
@@ -199,8 +203,9 @@ EnterprisePlatformKeysRemoveCertificateFunction::Run() {
   std::unique_ptr<api_epk::RemoveCertificate::Params> params(
       api_epk::RemoveCertificate::Params::Create(*args_));
   EXTENSION_FUNCTION_VALIDATE(params);
-  std::string platform_keys_token_id;
-  if (!platform_keys::ValidateToken(params->token_id, &platform_keys_token_id))
+  base::Optional<chromeos::platform_keys::TokenId> platform_keys_token_id =
+      platform_keys::ApiIdToPlatformKeysTokenId(params->token_id);
+  if (!platform_keys_token_id)
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   const std::vector<uint8_t>& cert_der = params->certificate;
@@ -221,7 +226,7 @@ EnterprisePlatformKeysRemoveCertificateFunction::Run() {
   CHECK(platform_keys_service);
 
   platform_keys_service->RemoveCertificate(
-      platform_keys_token_id, cert_x509,
+      platform_keys_token_id.value(), cert_x509,
       base::Bind(&EnterprisePlatformKeysRemoveCertificateFunction::
                      OnRemovedCertificate,
                  this));
@@ -255,7 +260,8 @@ EnterprisePlatformKeysInternalGetTokensFunction::Run() {
 }
 
 void EnterprisePlatformKeysInternalGetTokensFunction::OnGotTokens(
-    std::unique_ptr<std::vector<std::string>> platform_keys_token_ids,
+    std::unique_ptr<std::vector<chromeos::platform_keys::TokenId>>
+        platform_keys_token_ids,
     const std::string& error_message) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
   if (!error_message.empty()) {
@@ -264,15 +270,14 @@ void EnterprisePlatformKeysInternalGetTokensFunction::OnGotTokens(
   }
 
   std::vector<std::string> token_ids;
-  for (std::vector<std::string>::const_iterator it =
-           platform_keys_token_ids->begin();
-       it != platform_keys_token_ids->end(); ++it) {
-    std::string token_id = platform_keys::PlatformKeysTokenIdToApiId(*it);
-    if (token_id.empty()) {
+  for (auto token_id : *platform_keys_token_ids) {
+    std::string api_token_id =
+        platform_keys::PlatformKeysTokenIdToApiId(token_id);
+    if (api_token_id.empty()) {
       Respond(Error(kEnterprisePlatformErrorInternal));
       return;
     }
-    token_ids.push_back(token_id);
+    token_ids.push_back(api_token_id);
   }
 
   Respond(ArgumentList(api_epki::GetTokens::Results::Create(token_ids)));

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.h

@@ -10,6 +10,7 @@
 #include <vector>
 
 #include "base/memory/ref_counted.h"
+#include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.h"
 #include "extensions/browser/extension_function.h"
 
@@ -85,8 +86,9 @@ class EnterprisePlatformKeysInternalGetTokensFunction
 
   // Called when the list of tokens was determined. If an error occurred,
   // |token_ids| will be NULL and instead |error_message| be set.
-  void OnGotTokens(std::unique_ptr<std::vector<std::string>> token_ids,
-                   const std::string& error_message);
+  void OnGotTokens(
+      std::unique_ptr<std::vector<chromeos::platform_keys::TokenId>> token_ids,
+      const std::string& error_message);
 
   DECLARE_EXTENSION_FUNCTION("enterprise.platformKeysInternal.getTokens",
                              ENTERPRISE_PLATFORMKEYSINTERNAL_GETTOKENS)

chrome/browser/extensions/api/platform_keys/platform_keys_api.cc

@@ -10,6 +10,7 @@
 
 #include "base/bind.h"
 #include "base/logging.h"
+#include "base/optional.h"
 #include "base/stl_util.h"
 #include "base/strings/string_piece.h"
 #include "base/values.h"
@@ -103,29 +104,25 @@ const char kErrorInvalidX509Cert[] =
 const char kTokenIdUser[] = "user";
 const char kTokenIdSystem[] = "system";
 
-// Returns whether |token_id| references a known Token.
-bool ValidateToken(const std::string& token_id,
-                   std::string* platform_keys_token_id) {
-  platform_keys_token_id->clear();
-  if (token_id == kTokenIdUser) {
-    *platform_keys_token_id = chromeos::platform_keys::kTokenIdUser;
-    return true;
-  }
-  if (token_id == kTokenIdSystem) {
-    *platform_keys_token_id = chromeos::platform_keys::kTokenIdSystem;
-    return true;
-  }
-  return false;
+base::Optional<chromeos::platform_keys::TokenId> ApiIdToPlatformKeysTokenId(
+    const std::string& token_id) {
+  if (token_id == kTokenIdUser)
+    return chromeos::platform_keys::TokenId::kUser;
+
+  if (token_id == kTokenIdSystem)
+    return chromeos::platform_keys::TokenId::kSystem;
+
+  return base::nullopt;
 }
 
 std::string PlatformKeysTokenIdToApiId(
-    const std::string& platform_keys_token_id) {
-  if (platform_keys_token_id == chromeos::platform_keys::kTokenIdUser)
-    return kTokenIdUser;
-  if (platform_keys_token_id == chromeos::platform_keys::kTokenIdSystem)
-    return kTokenIdSystem;
-
-  return std::string();
+    chromeos::platform_keys::TokenId platform_keys_token_id) {
+  switch (platform_keys_token_id) {
+    case chromeos::platform_keys::TokenId::kUser:
+      return kTokenIdUser;
+    case chromeos::platform_keys::TokenId::kSystem:
+      return kTokenIdSystem;
+  }
 }
 
 }  // namespace platform_keys
@@ -364,11 +361,16 @@ ExtensionFunction::ResponseAction PlatformKeysInternalSignFunction::Run() {
   std::unique_ptr<api_pki::Sign::Params> params(
       api_pki::Sign::Params::Create(*args_));
   EXTENSION_FUNCTION_VALIDATE(params);
-  std::string platform_keys_token_id;
-  if (!params->token_id.empty() &&
-      !platform_keys::ValidateToken(params->token_id,
-                                    &platform_keys_token_id)) {
-    return RespondNow(Error(platform_keys::kErrorInvalidToken));
+
+  base::Optional<chromeos::platform_keys::TokenId> platform_keys_token_id;
+  // If |params->token_id| is not specified (empty string), the key will be
+  // searched for in all available tokens.
+  if (!params->token_id.empty()) {
+    platform_keys_token_id =
+        platform_keys::ApiIdToPlatformKeysTokenId(params->token_id);
+    if (!platform_keys_token_id) {
+      return RespondNow(Error(platform_keys::kErrorInvalidToken));
+    }
   }
 
   chromeos::ExtensionPlatformKeysService* service =

chrome/browser/extensions/api/platform_keys/platform_keys_api.h

@@ -8,12 +8,14 @@
 #include <string>
 #include <vector>
 
+#include "base/optional.h"
+#include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "extensions/browser/extension_function.h"
 
 namespace net {
 class X509Certificate;
 typedef std::vector<scoped_refptr<X509Certificate>> CertificateList;
-}  // net
+}  // namespace net
 
 namespace extensions {
 namespace platform_keys {
@@ -21,14 +23,15 @@ namespace platform_keys {
 extern const char kErrorInvalidToken[];
 extern const char kErrorInvalidX509Cert[];
 
-// Returns whether |token_id| references a known Token.
-bool ValidateToken(const std::string& token_id,
-                   std::string* platform_keys_token_id);
+// Returns a known token if |token_id| is valid and returns nullopt for both
+// empty or unknown |token_id|.
+base::Optional<chromeos::platform_keys::TokenId> ApiIdToPlatformKeysTokenId(
+    const std::string& token_id);
 
 // Converts a token id from ::chromeos::platform_keys to the platformKeys API
 // token id.
 std::string PlatformKeysTokenIdToApiId(
-    const std::string& platform_keys_token_id);
+    chromeos::platform_keys::TokenId platform_keys_token_id);
 
 }  // namespace platform_keys