[TrustedVault] Implement device registration logic

This CL adds high-level device registration logic for trusted vault
together with required interfaces/skeletons.

Device has to be registered in order to silently follow further key
rotations in the future. Device registration means generation of device
key pair and sending public key to the server. Most recent vault key
must be locally available in order to register the device. Currently,
device registration is supported only for active sync account.

Bug: 1102340
Change-Id: If7f6034db56752622bd108598a80c3e19681ba17
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339484Reviewed-by: Eric Orth <ericorth@chromium.org>
Reviewed-by: Marc Treib <treib@chromium.org>
Commit-Queue: Maksim Moskvitin <mmoskvitin@google.com>
Cr-Commit-Position: refs/heads/master@{#798583}

components/sync/BUILD.gn

@@ -521,6 +521,7 @@ source_set("unit_tests") {
     "protocol/proto_enum_conversions_unittest.cc",
     "protocol/proto_value_conversions_unittest.cc",
     "trusted_vault/securebox_unittest.cc",
+    "trusted_vault/standalone_trusted_vault_backend_unittest.cc",
     "trusted_vault/standalone_trusted_vault_client_unittest.cc",
   ]
 

components/sync/driver/sync_driver_switches.cc

@@ -61,4 +61,9 @@ const base::Feature kSyncDeviceInfoInTransportMode{
 const base::Feature kDecoupleSyncFromAndroidMasterSync{
     "DecoupleSyncFromAndroidMasterSync", base::FEATURE_DISABLED_BY_DEFAULT};
 
+// Allows trusted vault implementation to follow key rotation (including device
+// registration).
+const base::Feature kFollowTrustedVaultKeyRotation{
+    "FollowTrustedVaultKeyRotation", base::FEATURE_DISABLED_BY_DEFAULT};
+
 }  // namespace switches

components/sync/driver/sync_driver_switches.h

@@ -31,6 +31,7 @@ extern const base::Feature
 extern const base::Feature kSyncWifiConfigurations;
 extern const base::Feature kSyncDeviceInfoInTransportMode;
 extern const base::Feature kDecoupleSyncFromAndroidMasterSync;
+extern const base::Feature kFollowTrustedVaultKeyRotation;
 
 }  // namespace switches
 

components/sync/protocol/local_trusted_vault.proto

@@ -13,15 +13,32 @@ message LocalTrustedVaultKey {
   optional bytes key_material = 1;
 }
 
+message LocalDeviceRegistrationInfo {
+  // Private SecureBox key.
+  optional bytes private_key_material = 1;
+
+  // Indicates whether device is registered, i.e. whether its public key is
+  // successfully submitted to the server.
+  optional bool device_registered = 2;
+}
+
 message LocalTrustedVaultPerUser {
   // User identifier.
   optional bytes gaia_id = 1;
 
   // All keys known for a user.
-  repeated LocalTrustedVaultKey key = 2;
+  repeated LocalTrustedVaultKey vault_key = 2;
+
+  // The version corresponding to the last element in |vault_key|.
+  optional int32 last_vault_key_version = 3;
+
+  // Indicates whether |vault_key| is stale, i.e. that the latest locally
+  // available key isn't the latest key in the vault. New keys need to be
+  // fetched through key retrieval procedure or by following key rotation.
+  optional bool keys_are_stale = 4;
 
-  // The version corresponding to the last element in |key|.
-  optional int32 last_key_version = 3;
+  // Device key and corresponding registration metadata.
+  optional LocalDeviceRegistrationInfo local_device_registration_info = 5;
 }
 
 message LocalTrustedVault {

components/sync/trusted_vault/BUILD.gn

@@ -10,6 +10,10 @@ static_library("trusted_vault") {
     "standalone_trusted_vault_backend.h",
     "standalone_trusted_vault_client.cc",
     "standalone_trusted_vault_client.h",
+    "trusted_vault_access_token_fetcher.h",
+    "trusted_vault_connection.h",
+    "trusted_vault_connection_impl.cc",
+    "trusted_vault_connection_impl.h",
   ]
   public_deps = [
     "//base",
@@ -20,6 +24,7 @@ static_library("trusted_vault") {
     "//components/signin/public/identity_manager",
     "//components/sync/protocol",
     "//crypto",
+    "//services/network/public/cpp:cpp",
     "//third_party/boringssl",
   ]
 }

components/sync/trusted_vault/DEPS

@@ -4,5 +4,6 @@ include_rules = [
   "+components/sync/driver",
   "+components/sync/protocol",
   "+crypto",
+  "+services/network/public",
   "+third_party/boringssl",
 ]
\ No newline at end of file

components/sync/trusted_vault/standalone_trusted_vault_backend.cc

@@ -4,12 +4,17 @@
 
 #include "components/sync/trusted_vault/standalone_trusted_vault_backend.h"
 
+#include <memory>
+#include <utility>
+
+#include "base/containers/span.h"
 #include "base/files/file_util.h"
 #include "base/files/important_file_writer.h"
 #include "base/logging.h"
 #include "base/sequence_checker.h"
 #include "components/os_crypt/os_crypt.h"
-#include "components/signin/public/identity_manager/account_info.h"
+#include "components/sync/driver/sync_driver_switches.h"
+#include "components/sync/trusted_vault/securebox.h"
 
 namespace syncer {
 
@@ -44,8 +49,11 @@ void WriteToDisk(const sync_pb::LocalTrustedVault& data,
 }  // namespace
 
 StandaloneTrustedVaultBackend::StandaloneTrustedVaultBackend(
-    const base::FilePath& file_path)
-    : file_path_(file_path) {}
+    const base::FilePath& file_path,
+    std::unique_ptr<TrustedVaultConnection> connection)
+    : file_path_(file_path), connection_(std::move(connection)) {}
+
+StandaloneTrustedVaultBackend::~StandaloneTrustedVaultBackend() = default;
 
 void StandaloneTrustedVaultBackend::ReadDataFromDisk() {
   data_ = ReadEncryptedFile(file_path_);
@@ -58,7 +66,8 @@ std::vector<std::vector<uint8_t>> StandaloneTrustedVaultBackend::FetchKeys(
 
   std::vector<std::vector<uint8_t>> keys;
   if (per_user_vault) {
-    for (const sync_pb::LocalTrustedVaultKey& key : per_user_vault->key()) {
+    for (const sync_pb::LocalTrustedVaultKey& key :
+         per_user_vault->vault_key()) {
       const std::string& key_material = key.key_material();
       keys.emplace_back(key_material.begin(), key_material.end());
     }
@@ -79,18 +88,133 @@ void StandaloneTrustedVaultBackend::StoreKeys(
   }
 
   // Replace all keys.
-  per_user_vault->set_last_key_version(last_key_version);
-  per_user_vault->clear_key();
+  per_user_vault->set_last_vault_key_version(last_key_version);
+  per_user_vault->set_keys_are_stale(false);
+  per_user_vault->clear_vault_key();
   for (const std::vector<uint8_t>& key : keys) {
-    per_user_vault->add_key()->set_key_material(key.data(), key.size());
+    per_user_vault->add_vault_key()->set_key_material(key.data(), key.size());
   }
 
   WriteToDisk(data_, file_path_);
+  MaybeRegisterDevice(gaia_id);
 }
 
 void StandaloneTrustedVaultBackend::RemoveAllStoredKeys() {
   base::DeleteFile(file_path_);
   data_.Clear();
+  weak_factory_for_connection_.InvalidateWeakPtrs();
+}
+
+void StandaloneTrustedVaultBackend::SetSyncingAccount(
+    const base::Optional<CoreAccountInfo>& syncing_account) {
+  if (syncing_account == syncing_account_) {
+    return;
+  }
+  syncing_account_ = syncing_account;
+  weak_factory_for_connection_.InvalidateWeakPtrs();
+  if (syncing_account_.has_value()) {
+    MaybeRegisterDevice(syncing_account_->gaia);
+  }
+}
+
+sync_pb::LocalDeviceRegistrationInfo
+StandaloneTrustedVaultBackend::GetDeviceRegistrationInfoForTesting(
+    const std::string& gaia_id) {
+  sync_pb::LocalTrustedVaultPerUser* per_user_vault = FindUserVault(gaia_id);
+  if (!per_user_vault) {
+    return sync_pb::LocalDeviceRegistrationInfo();
+  }
+  return per_user_vault->local_device_registration_info();
+}
+
+void StandaloneTrustedVaultBackend::MaybeRegisterDevice(
+    const std::string& gaia_id) {
+  if (!base::FeatureList::IsEnabled(switches::kFollowTrustedVaultKeyRotation)) {
+    return;
+  }
+  if (!syncing_account_.has_value() || syncing_account_->gaia != gaia_id) {
+    // Device registration is supported only for |syncing_account_|.
+    return;
+  }
+  sync_pb::LocalTrustedVaultPerUser* per_user_vault = FindUserVault(gaia_id);
+  if (!per_user_vault || per_user_vault->vault_key_size() == 0 ||
+      per_user_vault->keys_are_stale()) {
+    // Fresh vault key is required to register the device.
+    return;
+  }
+  if (per_user_vault->local_device_registration_info().device_registered()) {
+    // Device is already registered.
+    return;
+  }
+  // TODO(crbug.com/1102340): add throttling mechanism.
+
+  std::unique_ptr<SecureBoxKeyPair> key_pair;
+  if (per_user_vault->has_local_device_registration_info()) {
+    key_pair = SecureBoxKeyPair::CreateByPrivateKeyImport(base::as_bytes(
+        base::make_span(per_user_vault->local_device_registration_info()
+                            .private_key_material())));
+    if (!key_pair) {
+      // Device key is corrupted.
+      // TODO(crbug.com/1102340): consider generation of new key in this case.
+      return;
+    }
+  } else {
+    key_pair = SecureBoxKeyPair::GenerateRandom();
+    // It's possible that device will be successfully registered, but the client
+    // won't persist this state (for example response doesn't reach the client
+    // or registration callback is cancelled). To avoid duplicated registrations
+    // device key is stored before sending the registration request, so the same
+    // key will be used for future registration attempts.
+    std::vector<uint8_t> serialized_private_key =
+        key_pair->private_key().ExportToBytes();
+    per_user_vault->mutable_local_device_registration_info()
+        ->set_private_key_material(serialized_private_key.data(),
+                                   serialized_private_key.size());
+    WriteToDisk(data_, file_path_);
+  }
+
+  std::string last_key = per_user_vault->vault_key()
+                             .at(per_user_vault->vault_key_size() - 1)
+                             .key_material();
+  std::vector<uint8_t> last_key_bytes(last_key.begin(), last_key.end());
+
+  // Cancel existing callbacks passed to |connection_| to ensure there is only
+  // one ongoing request.
+  weak_factory_for_connection_.InvalidateWeakPtrs();
+  connection_->RegisterDevice(
+      *syncing_account_, last_key_bytes,
+      per_user_vault->last_vault_key_version(), key_pair->public_key(),
+      base::BindOnce(&StandaloneTrustedVaultBackend::OnDeviceRegistered,
+                     weak_factory_for_connection_.GetWeakPtr(), gaia_id));
+}
+
+void StandaloneTrustedVaultBackend::OnDeviceRegistered(
+    const std::string& gaia_id,
+    TrustedVaultRequestStatus status) {
+  // If |syncing_account_| was changed meanwhile, this callback must be
+  // cancelled.
+  DCHECK(syncing_account_ && syncing_account_->gaia == gaia_id);
+
+  sync_pb::LocalTrustedVaultPerUser* per_user_vault = FindUserVault(gaia_id);
+  DCHECK(per_user_vault);
+
+  switch (status) {
+    case TrustedVaultRequestStatus::kSuccess:
+      // TODO(crbug.com/1102340): we may want to immediately fetch fresh keys
+      // (in case they were marked as stale while the request was in flight).
+      per_user_vault->mutable_local_device_registration_info()
+          ->set_device_registered(true);
+      WriteToDisk(data_, file_path_);
+      return;
+    case TrustedVaultRequestStatus::kLocalDataObsolete:
+      per_user_vault->set_keys_are_stale(true);
+      return;
+    case TrustedVaultRequestStatus::kOtherError:
+      // TODO(crbug.com/1102340): prevent future queries until browser restart?
+      // TODO(crbug.com/1102340): introduce throttling mechanism across browser
+      // restarts?
+      return;
+  }
 }
 
 sync_pb::LocalTrustedVaultPerUser* StandaloneTrustedVaultBackend::FindUserVault(

components/sync/trusted_vault/standalone_trusted_vault_backend.h

@@ -6,14 +6,17 @@
 #define COMPONENTS_SYNC_TRUSTED_VAULT_STANDALONE_TRUSTED_VAULT_BACKEND_H_
 
 #include <cstdint>
+#include <map>
+#include <memory>
 #include <string>
 #include <vector>
 
 #include "base/files/file_path.h"
 #include "base/memory/ref_counted.h"
+#include "base/memory/weak_ptr.h"
+#include "components/signin/public/identity_manager/account_info.h"
 #include "components/sync/protocol/local_trusted_vault.pb.h"
-
-struct CoreAccountInfo;
+#include "components/sync/trusted_vault/trusted_vault_connection.h"
 
 namespace syncer {
 
@@ -24,7 +27,9 @@ namespace syncer {
 class StandaloneTrustedVaultBackend
     : public base::RefCountedThreadSafe<StandaloneTrustedVaultBackend> {
  public:
-  explicit StandaloneTrustedVaultBackend(const base::FilePath& file_path);
+  StandaloneTrustedVaultBackend(
+      const base::FilePath& file_path,
+      std::unique_ptr<TrustedVaultConnection> connection);
   StandaloneTrustedVaultBackend(const StandaloneTrustedVaultBackend& other) =
       delete;
   StandaloneTrustedVaultBackend& operator=(
@@ -46,18 +51,45 @@ class StandaloneTrustedVaultBackend
   // Removes all keys for all accounts from both memory and |file_path_|.
   void RemoveAllStoredKeys();
 
+  // Sets/resets |syncing_account_|.
+  void SetSyncingAccount(
+      const base::Optional<CoreAccountInfo>& syncing_account);
+
+  sync_pb::LocalDeviceRegistrationInfo GetDeviceRegistrationInfoForTesting(
+      const std::string& gaia_id);
+
  private:
   friend class base::RefCountedThreadSafe<StandaloneTrustedVaultBackend>;
 
-  ~StandaloneTrustedVaultBackend() = default;
+  ~StandaloneTrustedVaultBackend();
 
   // Finds the per-user vault in |data_| for |gaia_id|. Returns null if not
   // found.
   sync_pb::LocalTrustedVaultPerUser* FindUserVault(const std::string& gaia_id);
 
+  // Attempts to register device in case it's not yet registered and currently
+  // available local data is sufficient to do it.
+  void MaybeRegisterDevice(const std::string& gaia_id);
+
+  // Called when device registration for |gaia_id| is completed (either
+  // successfully or not).
+  void OnDeviceRegistered(const std::string& gaia_id,
+                          TrustedVaultRequestStatus status);
+
   const base::FilePath file_path_;
 
   sync_pb::LocalTrustedVault data_;
+
+  // Only current |syncing_account_| can be used for communication with trusted
+  // vault server.
+  base::Optional<CoreAccountInfo> syncing_account_;
+
+  // Used for communication with trusted vault server.
+  std::unique_ptr<TrustedVaultConnection> connection_;
+
+  // Used for cancellation of callbacks passed to |connection_|.
+  base::WeakPtrFactory<StandaloneTrustedVaultBackend>
+      weak_factory_for_connection_{this};
 };
 
 }  // namespace syncer

components/sync/trusted_vault/standalone_trusted_vault_backend_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/sync/trusted_vault/standalone_trusted_vault_backend.h"
+
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/test/scoped_feature_list.h"
+#include "components/os_crypt/os_crypt_mocker.h"
+#include "components/sync/driver/sync_driver_switches.h"
+#include "components/sync/trusted_vault/securebox.h"
+#include "components/sync/trusted_vault/trusted_vault_connection.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace syncer {
+
+namespace {
+
+using testing::_;
+using testing::Eq;
+
+base::FilePath CreateUniqueTempDir(base::ScopedTempDir* temp_dir) {
+  EXPECT_TRUE(temp_dir->CreateUniqueTempDir());
+  return temp_dir->GetPath();
+}
+
+class MockTrustedVaultConnection : public TrustedVaultConnection {
+ public:
+  MockTrustedVaultConnection() = default;
+  ~MockTrustedVaultConnection() override = default;
+
+  MOCK_METHOD5(RegisterDevice,
+               void(const CoreAccountInfo&,
+                    const std::vector<uint8_t>&,
+                    int,
+                    const SecureBoxPublicKey&,
+                    RegisterDeviceCallback));
+  MOCK_METHOD5(DownloadKeys,
+               void(const CoreAccountInfo&,
+                    const std::vector<uint8_t>&,
+                    int,
+                    std::unique_ptr<SecureBoxKeyPair>,
+                    DownloadKeysCallback));
+};
+
+class StandaloneTrustedVaultBackendTest : public testing::Test {
+ public:
+  StandaloneTrustedVaultBackendTest()
+      : file_path_(
+            CreateUniqueTempDir(&temp_dir_)
+                .Append(base::FilePath(FILE_PATH_LITERAL("some_file")))) {
+    override_features.InitAndEnableFeature(
+        switches::kFollowTrustedVaultKeyRotation);
+    auto connection =
+        std::make_unique<testing::NiceMock<MockTrustedVaultConnection>>();
+    connection_ = connection.get();
+    backend_ = base::MakeRefCounted<StandaloneTrustedVaultBackend>(
+        file_path_, std::move(connection));
+  }
+
+  ~StandaloneTrustedVaultBackendTest() override = default;
+
+  void SetUp() override { OSCryptMocker::SetUp(); }
+
+  void TearDown() override { OSCryptMocker::TearDown(); }
+
+  MockTrustedVaultConnection* connection() { return connection_; }
+
+  StandaloneTrustedVaultBackend* backend() { return backend_.get(); }
+
+ private:
+  base::test::ScopedFeatureList override_features;
+
+  base::ScopedTempDir temp_dir_;
+  const base::FilePath file_path_;
+  testing::NiceMock<MockTrustedVaultConnection>* connection_;
+  scoped_refptr<StandaloneTrustedVaultBackend> backend_;
+};
+
+TEST_F(StandaloneTrustedVaultBackendTest, ShouldRegisterDevice) {
+  CoreAccountInfo account_info;
+  account_info.gaia = "user";
+
+  const std::vector<uint8_t> kVaultKey = {{1, 2, 3}};
+  const int kLastKeyVersion = 0;
+
+  backend()->StoreKeys(account_info.gaia, {kVaultKey}, kLastKeyVersion);
+
+  TrustedVaultConnection::RegisterDeviceCallback device_registration_callback;
+  std::vector<uint8_t> serialized_public_device_key;
+  EXPECT_CALL(*connection(), RegisterDevice(Eq(account_info), Eq(kVaultKey),
+                                            Eq(kLastKeyVersion), _, _))
+      .WillOnce([&](const CoreAccountInfo&, const std::vector<uint8_t>&, int,
+                    const SecureBoxPublicKey& device_public_key,
+                    TrustedVaultConnection::RegisterDeviceCallback callback) {
+        serialized_public_device_key = device_public_key.ExportToBytes();
+        device_registration_callback = std::move(callback);
+      });
+
+  // Setting the syncing account will trigger device registration.
+  backend()->SetSyncingAccount(account_info);
+  ASSERT_FALSE(device_registration_callback.is_null());
+
+  // Pretend that the registration completed successfully.
+  std::move(device_registration_callback)
+      .Run(TrustedVaultRequestStatus::kSuccess);
+
+  // Now the device should be registered.
+  sync_pb::LocalDeviceRegistrationInfo registration_info =
+      backend()->GetDeviceRegistrationInfoForTesting(account_info.gaia);
+  EXPECT_TRUE(registration_info.device_registered());
+  EXPECT_TRUE(registration_info.has_private_key_material());
+
+  std::unique_ptr<SecureBoxKeyPair> key_pair =
+      SecureBoxKeyPair::CreateByPrivateKeyImport(base::as_bytes(
+          base::make_span(registration_info.private_key_material())));
+  EXPECT_THAT(key_pair->public_key().ExportToBytes(),
+              Eq(serialized_public_device_key));
+}
+
+}  // namespace
+
+}  // namespace syncer

components/sync/trusted_vault/standalone_trusted_vault_client.cc

@@ -14,6 +14,9 @@
 #include "base/task_runner_util.h"
 #include "components/signin/public/identity_manager/account_info.h"
 #include "components/sync/trusted_vault/standalone_trusted_vault_backend.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+#include "components/sync/trusted_vault/trusted_vault_connection_impl.h"
+#include "services/network/public/cpp/shared_url_loader_factory.h"
 
 namespace syncer {
 
@@ -96,11 +99,22 @@ void StandaloneTrustedVaultClient::TriggerLazyInitializationIfNeeded() {
     return;
   }
 
-  backend_ = base::MakeRefCounted<StandaloneTrustedVaultBackend>(file_path_);
+  // TODO(crbug.com/1113597): populate TrustedVaultAccessTokenFetcher into
+  // TrustedVaultConnectionImpl ctor.
+  // TODO(crbug.com/1113598): populate URLLoaderFactory into
+  // TrustedVaultConnectionImpl ctor.
+  // TODO(crbug.com/1102340): allow setting custom TrustedVaultConnection for
+  // testing.
+  backend_ = base::MakeRefCounted<StandaloneTrustedVaultBackend>(
+      file_path_,
+      std::make_unique<TrustedVaultConnectionImpl>(
+          /*url_loader_factory=*/nullptr, /*access_token_fetcher=*/nullptr));
   backend_task_runner_->PostTask(
       FROM_HERE,
       base::BindOnce(&StandaloneTrustedVaultBackend::ReadDataFromDisk,
                      backend_));
+  // TODO(crbug.com/1113597): populate current syncing account to |backend_|
+  // here and upon syncing account change.
 }
 
 bool StandaloneTrustedVaultClient::IsInitializationTriggeredForTesting() const {

components/sync/trusted_vault/standalone_trusted_vault_client.h

@@ -28,6 +28,7 @@ class StandaloneTrustedVaultBackend;
 // Reading of the file is done lazily.
 class StandaloneTrustedVaultClient : public TrustedVaultClient {
  public:
+  // TODO(crbug.com/1113597): plumb IdentityManager into ctor.
   explicit StandaloneTrustedVaultClient(const base::FilePath& file_path);
   StandaloneTrustedVaultClient(const StandaloneTrustedVaultClient& other) =
       delete;

components/sync/trusted_vault/standalone_trusted_vault_client_unittest.cc

@@ -114,9 +114,9 @@ TEST_F(StandaloneTrustedVaultClientTest, ShouldFetchNonEmptyKeys) {
   sync_pb::LocalTrustedVaultPerUser* user_data2 = initial_data.add_user();
   user_data1->set_gaia_id(kGaiaId1);
   user_data2->set_gaia_id(kGaiaId2);
-  user_data1->add_key()->set_key_material(kKey1.data(), kKey1.size());
-  user_data2->add_key()->set_key_material(kKey2.data(), kKey2.size());
-  user_data2->add_key()->set_key_material(kKey3.data(), kKey3.size());
+  user_data1->add_vault_key()->set_key_material(kKey1.data(), kKey1.size());
+  user_data2->add_vault_key()->set_key_material(kKey2.data(), kKey2.size());
+  user_data2->add_vault_key()->set_key_material(kKey3.data(), kKey3.size());
 
   std::string encrypted_data;
   ASSERT_TRUE(OSCrypt::EncryptString(initial_data.SerializeAsString(),
@@ -154,11 +154,11 @@ TEST_F(StandaloneTrustedVaultClientTest, ShouldStoreKeys) {
   EXPECT_TRUE(OSCrypt::DecryptString(ciphertext, &decrypted_content));
   EXPECT_TRUE(proto.ParseFromString(decrypted_content));
   ASSERT_THAT(proto.user_size(), Eq(2));
-  EXPECT_THAT(proto.user(0).key(), ElementsAre(KeyMaterialEq(kKey1)));
-  EXPECT_THAT(proto.user(0).last_key_version(), Eq(7));
-  EXPECT_THAT(proto.user(1).key(),
+  EXPECT_THAT(proto.user(0).vault_key(), ElementsAre(KeyMaterialEq(kKey1)));
+  EXPECT_THAT(proto.user(0).last_vault_key_version(), Eq(7));
+  EXPECT_THAT(proto.user(1).vault_key(),
               ElementsAre(KeyMaterialEq(kKey3), KeyMaterialEq(kKey4)));
-  EXPECT_THAT(proto.user(1).last_key_version(), Eq(9));
+  EXPECT_THAT(proto.user(1).last_vault_key_version(), Eq(9));
 }
 
 TEST_F(StandaloneTrustedVaultClientTest, ShouldFetchPreviouslyStoredKeys) {

components/sync/trusted_vault/trusted_vault_access_token_fetcher.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_H_
+#define COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_H_
+
+#include <string>
+
+#include "base/callback.h"
+
+struct CoreAccountId;
+class GoogleServiceAuthError;
+
+namespace signin {
+struct AccessTokenInfo;
+}  // namespace signin
+
+namespace syncer {
+
+// Allows asynchronous OAuth2 access token fetching from sequences other than
+// the UI thread.
+class TrustedVaultAccessTokenFetcher {
+ public:
+  using TokenCallback =
+      base::OnceCallback<void(GoogleServiceAuthError error,
+                              signin::AccessTokenInfo access_token_info)>;
+
+  TrustedVaultAccessTokenFetcher() = default;
+  TrustedVaultAccessTokenFetcher(const TrustedVaultAccessTokenFetcher& other) =
+      delete;
+  TrustedVaultAccessTokenFetcher& operator=(
+      const TrustedVaultAccessTokenFetcher& other) = delete;
+  virtual ~TrustedVaultAccessTokenFetcher() = default;
+
+  // Asynchronously fetches vault service access token for |account_id|. May be
+  // called from arbitrary sequence that owns |this|. |callback| will be called
+  // on the caller sequence.
+  virtual void FetchAccessToken(const CoreAccountId& account_id,
+                                TokenCallback callback) = 0;
+};
+
+}  // namespace syncer
+
+#endif  // COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_ACCESS_TOKEN_FETCHER_H_

components/sync/trusted_vault/trusted_vault_connection.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_H_
+#define COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/callback.h"
+
+struct CoreAccountInfo;
+
+namespace syncer {
+
+class SecureBoxKeyPair;
+class SecureBoxPublicKey;
+
+enum class TrustedVaultRequestStatus {
+  kSuccess,
+  // Used when trusted vault request can't be completed successfully due to
+  // vault key being outdated or device key being not registered.
+  kLocalDataObsolete,
+  // Used for all network, http and protocol errors.
+  kOtherError
+};
+
+// Supports interaction with vault service, all methods must called on trusted
+// vault backend sequence.
+class TrustedVaultConnection {
+ public:
+  using RegisterDeviceCallback =
+      base::OnceCallback<void(TrustedVaultRequestStatus)>;
+  using DownloadKeysCallback =
+      base::OnceCallback<void(TrustedVaultRequestStatus,
+                              const std::vector<std::vector<uint8_t>>& /*keys*/,
+                              int /*last_key_version*/)>;
+
+  TrustedVaultConnection() = default;
+  TrustedVaultConnection(const TrustedVaultConnection& other) = delete;
+  TrustedVaultConnection& operator=(const TrustedVaultConnection& other) =
+      delete;
+  virtual ~TrustedVaultConnection() = default;
+
+  // Asynchronously attempts to register the device on the trusted vault server
+  // to allow further DownloadKeys(). Calls |callback| upon completion.
+  virtual void RegisterDevice(
+      const CoreAccountInfo& account_info,
+      const std::vector<uint8_t>& last_trusted_vault_key,
+      int last_trusted_vault_key_version,
+      const SecureBoxPublicKey& device_public_key,
+      RegisterDeviceCallback callback) = 0;
+
+  // Asynchronously attempts to download new vault keys from the trusted vault
+  // server.
+  virtual void DownloadKeys(const CoreAccountInfo& account_info,
+                            const std::vector<uint8_t>& last_trusted_vault_key,
+                            int last_trusted_vault_key_version,
+                            std::unique_ptr<SecureBoxKeyPair> device_key_pair,
+                            DownloadKeysCallback callback) = 0;
+};
+
+}  // namespace syncer
+
+#endif  // COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_H_

components/sync/trusted_vault/trusted_vault_connection_impl.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/sync/trusted_vault/trusted_vault_connection_impl.h"
+
+#include "components/sync/trusted_vault/securebox.h"
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+#include "services/network/public/cpp/shared_url_loader_factory.h"
+
+namespace syncer {
+
+TrustedVaultConnectionImpl::TrustedVaultConnectionImpl(
+    std::unique_ptr<network::PendingSharedURLLoaderFactory> url_loader_factory,
+    std::unique_ptr<TrustedVaultAccessTokenFetcher> access_token_fetcher) {
+  NOTIMPLEMENTED();
+}
+
+void TrustedVaultConnectionImpl::RegisterDevice(
+    const CoreAccountInfo& account_info,
+    const std::vector<uint8_t>& last_trusted_vault_key,
+    int last_trusted_vault_key_version,
+    const SecureBoxPublicKey& device_key_pair,
+    RegisterDeviceCallback callback) {
+  NOTIMPLEMENTED();
+}
+
+void TrustedVaultConnectionImpl::DownloadKeys(
+    const CoreAccountInfo& account_info,
+    const std::vector<uint8_t>& last_trusted_vault_key,
+    int last_trusted_vault_key_version,
+    std::unique_ptr<SecureBoxKeyPair> device_key_pair,
+    DownloadKeysCallback callback) {
+  NOTIMPLEMENTED();
+}
+
+}  // namespace syncer

components/sync/trusted_vault/trusted_vault_connection_impl.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_IMPL_H_
+#define COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_IMPL_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "components/sync/trusted_vault/trusted_vault_access_token_fetcher.h"
+#include "components/sync/trusted_vault/trusted_vault_connection.h"
+
+namespace network {
+class PendingSharedURLLoaderFactory;
+}  // namespace network
+
+namespace syncer {
+
+// This class is created on UI thread and used/destroyed on trusted vault
+// backend thread.
+class TrustedVaultConnectionImpl : public TrustedVaultConnection {
+ public:
+  TrustedVaultConnectionImpl(
+      std::unique_ptr<network::PendingSharedURLLoaderFactory>
+          url_loader_factory,
+      std::unique_ptr<TrustedVaultAccessTokenFetcher> access_token_fetcher);
+
+  TrustedVaultConnectionImpl(const TrustedVaultConnectionImpl& other) = delete;
+  TrustedVaultConnectionImpl& operator=(
+      const TrustedVaultConnectionImpl& other) = delete;
+  ~TrustedVaultConnectionImpl() override = default;
+
+  void RegisterDevice(const CoreAccountInfo& account_info,
+                      const std::vector<uint8_t>& last_trusted_vault_key,
+                      int last_trusted_vault_key_version,
+                      const SecureBoxPublicKey& device_key_pair,
+                      RegisterDeviceCallback callback) override;
+
+  void DownloadKeys(const CoreAccountInfo& account_info,
+                    const std::vector<uint8_t>& last_trusted_vault_key,
+                    int last_trusted_vault_key_version,
+                    std::unique_ptr<SecureBoxKeyPair> device_key_pair,
+                    DownloadKeysCallback callback) override;
+};
+
+}  // namespace syncer
+
+#endif  // COMPONENTS_SYNC_TRUSTED_VAULT_TRUSTED_VAULT_CONNECTION_IMPL_H_