Cert Provisioning: Check public key of certificate

Compare public key inside the certificate and public key from
key pair to make sure that they are the same and certificate
was issued for the expected key pair.

Bug: 1045895
Test: CertProvisioning*
Change-Id: I37a72a8b1c39e424782826f6ba278365af4c4b8a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2246687Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Michael Ershov <miersh@google.com>
Cr-Commit-Position: refs/heads/master@{#779746}

chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.cc

@@ -20,6 +20,8 @@
 #include "components/policy/core/common/cloud/cloud_policy_client.h"
 #include "components/policy/core/common/cloud/device_management_service.h"
 #include "content/public/browser/browser_context.h"
+#include "net/cert/asn1_util.h"
+#include "net/cert/x509_util.h"
 
 namespace em = enterprise_management;
 
@@ -105,6 +107,19 @@ int GetStateOrderedIndex(CertProvisioningWorkerState state) {
   return res;
 }
 
+bool CheckPublicKeyInCertificate(
+    const scoped_refptr<net::X509Certificate>& cert,
+    const std::string& public_key) {
+  base::StringPiece spki_from_cert;
+  if (!net::asn1::ExtractSPKIFromDERCert(
+          net::x509_util::CryptoBufferAsStringPiece(cert->cert_buffer()),
+          &spki_from_cert)) {
+    return false;
+  }
+
+  return (public_key == spki_from_cert);
+}
+
 }  // namespace
 
 // ============= CertProvisioningWorkerFactory =================================
@@ -568,6 +583,12 @@ void CertProvisioningWorkerImpl::ImportCert(
     return;
   }
 
+  if (!CheckPublicKeyInCertificate(cert, public_key_)) {
+    LOG(ERROR) << "Downloaded certificate does not match the expected key pair";
+    UpdateState(CertProvisioningWorkerState::kFailed);
+    return;
+  }
+
   platform_keys_service_->ImportCertificate(
       GetPlatformKeysTokenId(cert_scope_), cert,
       base::BindRepeating(&CertProvisioningWorkerImpl::OnImportCertDone,