Merge cryptohome::RetrievedKeyData with cryptohome::KeyDefinition

cryptohome::RetrievedKeyData and cryptohome::KeyDefinition both represent
subsets of the Key protobuf. This CL merges the two classes and makes the
resulting cryptohome::KeyDefinition contain all of Key's fields.

TBR=pamg (manager_password_service.cc)

BUG=367847
TEST=Updated unit tests

Review URL: https://codereview.chromium.org/526353002

Cr-Commit-Position: refs/heads/master@{#294823}

chrome/browser/chromeos/login/auth/cryptohome_authenticator_unittest.cc

@@ -5,13 +5,13 @@
 #include "chrome/browser/chromeos/login/auth/chrome_cryptohome_authenticator.h"
 
 #include <string>
+#include <vector>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/memory/scoped_ptr.h"
-#include "base/memory/scoped_vector.h"
 #include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
 #include "base/strings/string_util.h"
@@ -258,25 +258,22 @@ class CryptohomeAuthenticatorTest : public testing::Test {
 
   void ExpectGetKeyDataExCall(scoped_ptr<int64> key_type,
                               scoped_ptr<std::string> salt) {
-    key_data_.clear();
-    key_data_.push_back(new cryptohome::RetrievedKeyData(
-       cryptohome::RetrievedKeyData::TYPE_PASSWORD,
-       kCryptohomeGAIAKeyLabel,
-       1));
-    key_data_.front()->privileges = cryptohome::PRIV_DEFAULT;
-    key_data_.front()->authorization_types.push_back(
-        cryptohome::RetrievedKeyData::AUTHORIZATION_TYPE_HMACSHA256);
+    key_definitions_.clear();
+    key_definitions_.push_back(cryptohome::KeyDefinition(
+        std::string() /* secret */,
+        kCryptohomeGAIAKeyLabel,
+        cryptohome::PRIV_DEFAULT));
+    cryptohome::KeyDefinition& key_definition = key_definitions_.back();
+    key_definition.revision = 1;
     if (key_type) {
-      scoped_ptr<cryptohome::RetrievedKeyData::ProviderData> provider_data(
-          new cryptohome::RetrievedKeyData::ProviderData("type"));
-      provider_data->number = key_type.Pass();
-      key_data_.front()->provider_data.push_back(provider_data.release());
+      key_definition.provider_data.push_back(
+          cryptohome::KeyDefinition::ProviderData("type"));
+      key_definition.provider_data.back().number = key_type.Pass();
     }
     if (salt) {
-      scoped_ptr<cryptohome::RetrievedKeyData::ProviderData> provider_data(
-          new cryptohome::RetrievedKeyData::ProviderData("salt"));
-      provider_data->bytes = salt.Pass();
-      key_data_.front()->provider_data.push_back(provider_data.release());
+      key_definition.provider_data.push_back(
+          cryptohome::KeyDefinition::ProviderData("salt"));
+      key_definition.provider_data.back().bytes = salt.Pass();
     }
     EXPECT_CALL(*mock_homedir_methods_, GetKeyDataEx(
         cryptohome::Identification(user_context_.GetUserID()),
@@ -333,7 +330,7 @@ class CryptohomeAuthenticatorTest : public testing::Test {
   UserContext user_context_with_transformed_key_;
   Key transformed_key_;
 
-  ScopedVector<cryptohome::RetrievedKeyData> key_data_;
+  std::vector<cryptohome::KeyDefinition> key_definitions_;
 
   ScopedDeviceSettingsTestHelper device_settings_test_helper_;
   ScopedTestCrosSettings test_cros_settings_;
@@ -359,7 +356,7 @@ class CryptohomeAuthenticatorTest : public testing::Test {
       const cryptohome::HomedirMethods::GetKeyDataCallback& callback) {
     callback.Run(true /* success */,
                  cryptohome::MOUNT_ERROR_NONE,
-                 key_data_.Pass());
+                 key_definitions_);
   }
 };
 

chrome/browser/chromeos/login/supervised/supervised_user_creation_controller_new.cc

@@ -270,10 +270,18 @@ void SupervisedUserCreationControllerNew::OnMountSuccess(
       creation_context_->salted_password,
       kCryptohomeSupervisedUserKeyLabel,
       kCryptohomeSupervisedUserKeyPrivileges);
-  base::Base64Decode(creation_context_->encryption_key,
-                     &password_key.encryption_key);
-  base::Base64Decode(creation_context_->signature_key,
-                     &password_key.signature_key);
+  std::string encryption_key;
+  base::Base64Decode(creation_context_->encryption_key, &encryption_key);
+  password_key.authorization_data.push_back(
+      cryptohome::KeyDefinition::AuthorizationData(true /* encrypt */,
+                                                   false /* sign */,
+                                                   encryption_key));
+  std::string signature_key;
+  base::Base64Decode(creation_context_->signature_key, &signature_key);
+  password_key.authorization_data.push_back(
+      cryptohome::KeyDefinition::AuthorizationData(false /* encrypt */,
+                                                   true /* sign */,
+                                                   signature_key));
 
   Key key(Key::KEY_TYPE_SALTED_PBKDF2_AES256_1234,
           std::string(),  // The salt is stored elsewhere.

chrome/browser/supervised_user/chromeos/manager_password_service.cc

@@ -164,9 +164,14 @@ void ManagerPasswordService::GetSupervisedUsersCallback(
       kCryptohomeSupervisedUserKeyLabel,
       cryptohome::PRIV_AUTHORIZED_UPDATE || cryptohome::PRIV_MOUNT);
   new_key_definition.revision = revision;
-
-  new_key_definition.encryption_key = encryption_key;
-  new_key_definition.signature_key = signature_key;
+  new_key_definition.authorization_data.push_back(
+      cryptohome::KeyDefinition::AuthorizationData(true /* encrypt */,
+                                                   false /* sign */,
+                                                   encryption_key));
+  new_key_definition.authorization_data.push_back(
+      cryptohome::KeyDefinition::AuthorizationData(false /* encrypt */,
+                                                   true /* sign */,
+                                                   signature_key));
 
   authenticator_->AddKey(manager_key,
                          new_key_definition,

chromeos/cryptohome/cryptohome_parameters.cc

@@ -15,25 +15,135 @@ bool Identification::operator==(const Identification& other) const {
   return user_id == other.user_id;
 }
 
-KeyDefinition::KeyDefinition(const std::string& key,
+KeyDefinition::AuthorizationData::Secret::Secret() : encrypt(false),
+                                                     sign(false),
+                                                     wrapped(false) {
+}
+
+KeyDefinition::AuthorizationData::Secret::Secret(
+    bool encrypt,
+    bool sign,
+    const std::string& symmetric_key,
+    const std::string& public_key,
+    bool wrapped)
+    : encrypt(encrypt),
+      sign(sign),
+      symmetric_key(symmetric_key),
+      public_key(public_key),
+      wrapped(wrapped) {
+}
+
+bool KeyDefinition::AuthorizationData::Secret::operator==(
+    const Secret& other) const {
+  return encrypt == other.encrypt &&
+         sign == other.sign &&
+         symmetric_key == other.symmetric_key &&
+         public_key == other.public_key &&
+         wrapped == other.wrapped;
+}
+
+KeyDefinition::AuthorizationData::AuthorizationData() : type(TYPE_HMACSHA256) {
+}
+
+KeyDefinition::AuthorizationData::AuthorizationData(
+    bool encrypt,
+    bool sign,
+    const std::string& symmetric_key) : type(TYPE_HMACSHA256) {
+    secrets.push_back(Secret(encrypt,
+                             sign,
+                             symmetric_key,
+                             std::string() /* public_key */,
+                             false /* wrapped */));
+}
+
+
+KeyDefinition::AuthorizationData::~AuthorizationData() {
+}
+
+bool KeyDefinition::AuthorizationData::operator==(
+    const AuthorizationData& other) const {
+  if (type != other.type || secrets.size() != other.secrets.size())
+    return false;
+  for (size_t i = 0; i < secrets.size(); ++i) {
+    if (!(secrets[i] == other.secrets[i]))
+      return false;
+  }
+  return true;
+}
+
+KeyDefinition::ProviderData::ProviderData() {
+}
+
+KeyDefinition::ProviderData::ProviderData(const std::string& name)
+    : name(name) {
+}
+
+KeyDefinition::ProviderData::ProviderData(const ProviderData& other)
+    : name(other.name) {
+  if (other.number)
+    number.reset(new int64(*other.number));
+  if (other.bytes)
+    bytes.reset(new std::string(*other.bytes));
+}
+
+void KeyDefinition::ProviderData::operator=(const ProviderData& other) {
+  name = other.name;
+  number.reset(other.number ? new int64(*other.number) : NULL);
+  bytes.reset(other.bytes ? new std::string(*other.bytes) : NULL);
+}
+
+KeyDefinition::ProviderData::~ProviderData() {
+}
+
+bool KeyDefinition::ProviderData::operator==(const ProviderData& other) const {
+  const bool has_number = number;
+  const bool other_has_number = other.number;
+  const bool has_bytes = bytes;
+  const bool other_has_bytes = other.bytes;
+  return name == other.name &&
+         has_number == other_has_number &&
+         has_bytes == other_has_bytes &&
+         (!has_number || (*number == *other.number)) &&
+         (!has_bytes || (*bytes == *other.bytes));
+}
+
+KeyDefinition::KeyDefinition() : type(TYPE_PASSWORD),
+                                 privileges(0),
+                                 revision(0) {
+}
+
+KeyDefinition::KeyDefinition(const std::string& secret,
                              const std::string& label,
                              int /*AuthKeyPrivileges*/ privileges)
-    : label(label),
-      revision(1),
-      key(key),
-      privileges(privileges) {
+    : type(TYPE_PASSWORD),
+      label(label),
+      privileges(privileges),
+      revision(0),
+      secret(secret) {
 }
 
 KeyDefinition::~KeyDefinition() {
 }
 
 bool KeyDefinition::operator==(const KeyDefinition& other) const {
-  return label == other.label &&
-         revision == other.revision &&
-         key == other.key &&
-         encryption_key == other.encryption_key &&
-         signature_key == other.signature_key &&
-         privileges == other.privileges;
+  if (type != other.type ||
+      label != other.label ||
+      privileges != other.privileges ||
+      revision != other.revision ||
+      authorization_data.size() != other.authorization_data.size() ||
+      provider_data.size() != other.provider_data.size()) {
+    return false;
+  }
+
+  for (size_t i = 0; i < authorization_data.size(); ++i) {
+    if (!(authorization_data[i] == other.authorization_data[i]))
+      return false;
+  }
+  for (size_t i = 0; i < provider_data.size(); ++i) {
+    if (!(provider_data[i] == other.provider_data[i]))
+      return false;
+  }
+  return true;
 }
 
 Authorization::Authorization(const std::string& key, const std::string& label)
@@ -42,7 +152,7 @@ Authorization::Authorization(const std::string& key, const std::string& label)
 }
 
 Authorization::Authorization(const KeyDefinition& key_def)
-    : key(key_def.key),
+    : key(key_def.secret),
       label(key_def.label) {
 }
 
@@ -50,24 +160,6 @@ bool Authorization::operator==(const Authorization& other) const {
   return key == other.key && label == other.label;
 }
 
-RetrievedKeyData::ProviderData::ProviderData(const std::string& name)
-    : name(name) {
-}
-
-RetrievedKeyData::ProviderData::~ProviderData() {
-}
-
-RetrievedKeyData::RetrievedKeyData(Type type,
-                                   const std::string& label,
-                                   int64 revision) : type(type),
-                                                     label(label),
-                                                     privileges(0),
-                                                     revision(revision) {
-}
-
-RetrievedKeyData::~RetrievedKeyData() {
-}
-
 MountParameters::MountParameters(bool ephemeral) : ephemeral(ephemeral) {
 }
 

chromeos/cryptohome/cryptohome_parameters.h

@@ -10,7 +10,6 @@
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
-#include "base/memory/scoped_vector.h"
 #include "chromeos/chromeos_export.h"
 
 namespace cryptohome {
@@ -34,68 +33,96 @@ struct CHROMEOS_EXPORT Identification {
 };
 
 // Definition of the key (e.g. password) for the cryptohome.
-// It contains authorization data along with extra parameters like perimissions
+// It contains authorization data along with extra parameters like permissions
 // associated with this key.
 struct CHROMEOS_EXPORT KeyDefinition {
-  KeyDefinition(const std::string& key,
-                const std::string& label,
-                int /*AuthKeyPrivileges*/ privileges);
-  ~KeyDefinition();
-
-  bool operator==(const KeyDefinition& other) const;
-
-  std::string label;
-
-  int revision;
-  std::string key;
-
-  std::string encryption_key;
-  std::string signature_key;
-  // Privileges associated with key. Combination of |AuthKeyPrivileges| values.
-  int privileges;
-};
-
-// Authorization attempt data for user.
-struct CHROMEOS_EXPORT Authorization {
-  Authorization(const std::string& key, const std::string& label);
-  explicit Authorization(const KeyDefinition& key);
-
-  bool operator==(const Authorization& other) const;
-
-  std::string key;
-  std::string label;
-};
-
-// Information about keys returned by GetKeyDataEx().
-struct CHROMEOS_EXPORT RetrievedKeyData {
   enum Type {
     TYPE_PASSWORD = 0
   };
 
-  enum AuthorizationType {
-    AUTHORIZATION_TYPE_HMACSHA256 = 0,
-    AUTHORIZATION_TYPE_AES256CBC_HMACSHA256
+  struct AuthorizationData {
+    enum Type {
+      TYPE_HMACSHA256 = 0,
+      TYPE_AES256CBC_HMACSHA256
+    };
+
+    struct Secret {
+      Secret();
+      Secret(bool encrypt,
+             bool sign,
+             const std::string& symmetric_key,
+             const std::string& public_key,
+             bool wrapped);
+
+      bool operator==(const Secret& other) const;
+
+      bool encrypt;
+      bool sign;
+      std::string symmetric_key;
+      std::string public_key;
+      bool wrapped;
+    };
+
+    AuthorizationData();
+    AuthorizationData(bool encrypt,
+                      bool sign,
+                      const std::string& symmetric_key);
+    ~AuthorizationData();
+
+    bool operator==(const AuthorizationData& other) const;
+
+    Type type;
+    std::vector<Secret> secrets;
   };
 
+  // This struct holds metadata that will be stored alongside the key. Each
+  // |ProviderData| entry must have a |name| and may hold either a |number| or a
+  // sequence of |bytes|. The metadata is entirely opaque to cryptohome. It is
+  // stored with the key and returned when requested but is never interpreted by
+  // cryptohome in any way. The metadata can be used to store information such
+  // as the hashing algorithm and the salt used to create the key.
   struct ProviderData {
+    ProviderData();
     explicit ProviderData(const std::string& name);
+    explicit ProviderData(const ProviderData& other);
+    void operator=(const ProviderData& other);
     ~ProviderData();
 
+    bool operator==(const ProviderData& other) const;
+
     std::string name;
     scoped_ptr<int64> number;
     scoped_ptr<std::string> bytes;
   };
 
-  RetrievedKeyData(Type type, const std::string& label, int64 revision);
-  ~RetrievedKeyData();
+  KeyDefinition();
+  KeyDefinition(const std::string& secret,
+                const std::string& label,
+                int privileges);
+  ~KeyDefinition();
+
+  bool operator==(const KeyDefinition& other) const;
 
   Type type;
   std::string label;
   // Privileges associated with key. Combination of |AuthKeyPrivileges| values.
   int privileges;
-  int64 revision;
-  std::vector<AuthorizationType> authorization_types;
-  ScopedVector<ProviderData> provider_data;
+  int revision;
+  std::string secret;
+
+  std::vector<AuthorizationData> authorization_data;
+  std::vector<ProviderData> provider_data;
+};
+
+// Authorization attempt data for user.
+struct CHROMEOS_EXPORT Authorization {
+  Authorization(const std::string& key, const std::string& label);
+  explicit Authorization(const KeyDefinition& key);
+
+  bool operator==(const Authorization& other) const;
+
+  std::string key;
+  std::string label;
 };
 
 // Parameters for Mount call.

chromeos/cryptohome/homedir_methods.cc

@@ -27,8 +27,10 @@ namespace {
 HomedirMethods* g_homedir_methods = NULL;
 
 void FillKeyProtobuf(const KeyDefinition& key_def, Key* key) {
-  key->set_secret(key_def.key);
+  key->set_secret(key_def.secret);
   KeyData* data = key->mutable_data();
+  DCHECK_EQ(KeyDefinition::TYPE_PASSWORD, key_def.type);
+  data->set_type(KeyData::KEY_TYPE_PASSWORD);
   data->set_label(key_def.label);
 
   if (key_def.revision > 0)
@@ -44,20 +46,48 @@ void FillKeyProtobuf(const KeyDefinition& key_def, Key* key) {
                                       PRIV_AUTHORIZED_UPDATE);
   }
 
-  if (key_def.encryption_key.empty() && key_def.signature_key.empty())
-    return;
+  for (std::vector<KeyDefinition::AuthorizationData>::const_iterator auth_it =
+          key_def.authorization_data.begin();
+       auth_it != key_def.authorization_data.end(); ++auth_it) {
+    KeyAuthorizationData* auth_data = data->add_authorization_data();
+    switch (auth_it->type) {
+      case KeyDefinition::AuthorizationData::TYPE_HMACSHA256:
+        auth_data->set_type(
+            KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_HMACSHA256);
+        break;
+      case KeyDefinition::AuthorizationData::TYPE_AES256CBC_HMACSHA256:
+        auth_data->set_type(
+            KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_AES256CBC_HMACSHA256);
+        break;
+      default:
+        NOTREACHED();
+        break;
+    }
 
-  KeyAuthorizationData* auth_data = data->add_authorization_data();
-  auth_data->set_type(KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_HMACSHA256);
-  if (!key_def.encryption_key.empty()) {
-    KeyAuthorizationSecret* secret = auth_data->add_secrets();
-    secret->mutable_usage()->set_encrypt(true);
-    secret->set_symmetric_key(key_def.encryption_key);
+    for (std::vector<KeyDefinition::AuthorizationData::Secret>::const_iterator
+             secret_it = auth_it->secrets.begin();
+         secret_it != auth_it->secrets.end(); ++secret_it) {
+      KeyAuthorizationSecret* secret = auth_data->add_secrets();
+      secret->mutable_usage()->set_encrypt(secret_it->encrypt);
+      secret->mutable_usage()->set_sign(secret_it->sign);
+      if (!secret_it->symmetric_key.empty())
+        secret->set_symmetric_key(secret_it->symmetric_key);
+      if (!secret_it->public_key.empty())
+        secret->set_public_key(secret_it->public_key);
+      secret->set_wrapped(secret_it->wrapped);
+    }
   }
-  if (!key_def.signature_key.empty()) {
-    KeyAuthorizationSecret* secret = auth_data->add_secrets();
-    secret->mutable_usage()->set_sign(true);
-    secret->set_symmetric_key(key_def.signature_key);
+
+  for (std::vector<KeyDefinition::ProviderData>::const_iterator it =
+           key_def.provider_data.begin(); it != key_def.provider_data.end();
+       ++it) {
+    KeyProviderData::Entry* entry =
+        data->mutable_provider_data()->add_entry();
+    entry->set_name(it->name);
+    if (it->number)
+      entry->set_number(*it->number);
+    if (it->bytes)
+      entry->set_bytes(*it->bytes);
   }
 }
 
@@ -77,6 +107,35 @@ void FillAuthorizationProtobuf(const Authorization& auth,
   key->set_secret(auth.key);
 }
 
+void ParseAuthorizationDataProtobuf(
+    const KeyAuthorizationData& authorization_data_proto,
+    KeyDefinition::AuthorizationData* authorization_data) {
+  switch (authorization_data_proto.type()) {
+    case KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_HMACSHA256:
+      authorization_data->type =
+          KeyDefinition::AuthorizationData::TYPE_HMACSHA256;
+      break;
+    case KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_AES256CBC_HMACSHA256:
+      authorization_data->type =
+          KeyDefinition::AuthorizationData::TYPE_AES256CBC_HMACSHA256;
+      break;
+    default:
+      NOTREACHED();
+      return;
+  }
+
+  for (RepeatedPtrField<KeyAuthorizationSecret>::const_iterator it =
+          authorization_data_proto.secrets().begin();
+       it != authorization_data_proto.secrets().end(); ++it) {
+    authorization_data->secrets.push_back(
+        KeyDefinition::AuthorizationData::Secret(it->usage().encrypt(),
+                                                 it->usage().sign(),
+                                                 it->symmetric_key(),
+                                                 it->public_key(),
+                                                 it->wrapped()));
+  }
+}
+
 MountError MapError(CryptohomeErrorCode code) {
   switch (code) {
     case CRYPTOHOME_ERROR_NOT_SET:
@@ -257,69 +316,60 @@ class HomedirMethodsImpl : public HomedirMethods {
                               bool result,
                               const BaseReply& reply) {
     if (call_status != chromeos::DBUS_METHOD_CALL_SUCCESS) {
-      callback.Run(false, MOUNT_ERROR_FATAL, ScopedVector<RetrievedKeyData>());
+      callback.Run(false, MOUNT_ERROR_FATAL, std::vector<KeyDefinition>());
       return;
     }
     if (reply.has_error()) {
       if (reply.error() != CRYPTOHOME_ERROR_NOT_SET) {
         callback.Run(false,
                      MapError(reply.error()),
-                     ScopedVector<RetrievedKeyData>());
+                     std::vector<KeyDefinition>());
         return;
       }
     }
 
     if (!reply.HasExtension(GetKeyDataReply::reply)) {
-      callback.Run(false, MOUNT_ERROR_FATAL, ScopedVector<RetrievedKeyData>());
+      callback.Run(false, MOUNT_ERROR_FATAL, std::vector<KeyDefinition>());
       return;
     }
 
     // Extract the contents of the |KeyData| protos returned.
-    const RepeatedPtrField<KeyData>& key_data_proto =
+    const RepeatedPtrField<KeyData>& key_data =
         reply.GetExtension(GetKeyDataReply::reply).key_data();
-    ScopedVector<RetrievedKeyData> key_data_list;
-    for (RepeatedPtrField<KeyData>::const_iterator it = key_data_proto.begin();
-         it != key_data_proto.end(); ++it) {
+    std::vector<KeyDefinition> key_definitions;
+    for (RepeatedPtrField<KeyData>::const_iterator it = key_data.begin();
+         it != key_data.end(); ++it) {
 
       // Extract |type|, |label| and |revision|.
       DCHECK_EQ(KeyData::KEY_TYPE_PASSWORD, it->type());
-      key_data_list.push_back(new RetrievedKeyData(
-          RetrievedKeyData::TYPE_PASSWORD,
-          it->label(),
-          it->revision()));
-      RetrievedKeyData* key_data = key_data_list.back();
+      key_definitions.push_back(KeyDefinition(std::string() /* secret */,
+                                              it->label(),
+                                              0 /* privileges */));
+      KeyDefinition& key_definition = key_definitions.back();
+      key_definition.revision = it->revision();
 
       // Extract |privileges|.
       const KeyPrivileges& privileges = it->privileges();
       if (privileges.mount())
-        key_data->privileges |= PRIV_MOUNT;
+        key_definition.privileges |= PRIV_MOUNT;
       if (privileges.add())
-        key_data->privileges |= PRIV_ADD;
+        key_definition.privileges |= PRIV_ADD;
       if (privileges.remove())
-        key_data->privileges |= PRIV_REMOVE;
+        key_definition.privileges |= PRIV_REMOVE;
       if (privileges.update())
-        key_data->privileges |= PRIV_MIGRATE;
+        key_definition.privileges |= PRIV_MIGRATE;
       if (privileges.authorized_update())
-        key_data->privileges |= PRIV_AUTHORIZED_UPDATE;
+        key_definition.privileges |= PRIV_AUTHORIZED_UPDATE;
 
       // Extract |authorization_data|.
       for (RepeatedPtrField<KeyAuthorizationData>::const_iterator auth_it =
                it->authorization_data().begin();
            auth_it != it->authorization_data().end(); ++auth_it) {
-        switch (auth_it->type()) {
-          case KeyAuthorizationData::KEY_AUTHORIZATION_TYPE_HMACSHA256:
-            key_data->authorization_types.push_back(
-                RetrievedKeyData::AUTHORIZATION_TYPE_HMACSHA256);
-            break;
-          case KeyAuthorizationData::
-                   KEY_AUTHORIZATION_TYPE_AES256CBC_HMACSHA256:
-            key_data->authorization_types.push_back(
-                RetrievedKeyData::AUTHORIZATION_TYPE_AES256CBC_HMACSHA256);
-            break;
-          default:
-            NOTREACHED();
-            break;
-        }
+        key_definition.authorization_data.push_back(
+            KeyDefinition::AuthorizationData());
+        ParseAuthorizationDataProtobuf(
+            *auth_it,
+            &key_definition.authorization_data.back());
       }
 
       // Extract |provider_data|.
@@ -328,22 +378,22 @@ class HomedirMethodsImpl : public HomedirMethods {
            provider_data_it != it->provider_data().entry().end();
            ++provider_data_it) {
         // Extract |name|.
-        key_data->provider_data.push_back(
-            new RetrievedKeyData::ProviderData(provider_data_it->name()));
-        RetrievedKeyData::ProviderData* provider_data =
-            key_data->provider_data.back();
+        key_definition.provider_data.push_back(
+            KeyDefinition::ProviderData(provider_data_it->name()));
+        KeyDefinition::ProviderData& provider_data =
+            key_definition.provider_data.back();
 
         int data_items = 0;
 
         // Extract |number|.
         if (provider_data_it->has_number()) {
-          provider_data->number.reset(new int64(provider_data_it->number()));
+          provider_data.number.reset(new int64(provider_data_it->number()));
           ++data_items;
         }
 
         // Extract |bytes|.
         if (provider_data_it->has_bytes()) {
-          provider_data->bytes.reset(
+          provider_data.bytes.reset(
               new std::string(provider_data_it->bytes()));
           ++data_items;
         }
@@ -352,7 +402,7 @@ class HomedirMethodsImpl : public HomedirMethods {
       }
     }
 
-    callback.Run(true, MOUNT_ERROR_NONE, key_data_list.Pass());
+    callback.Run(true, MOUNT_ERROR_NONE, key_definitions);
   }
 
   void OnMountExCallback(const MountCallback& callback,

chromeos/cryptohome/homedir_methods.h

@@ -6,10 +6,10 @@
 #define CHROMEOS_CRYPTOHOME_HOMEDIR_METHODS_H_
 
 #include <string>
+#include <vector>
 
 #include "base/basictypes.h"
 #include "base/callback_forward.h"
-#include "base/memory/scoped_vector.h"
 #include "chromeos/chromeos_export.h"
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/dbus/cryptohome_client.h"
@@ -27,7 +27,7 @@ class CHROMEOS_EXPORT HomedirMethods {
   typedef base::Callback<void(
       bool success,
       MountError return_code,
-      ScopedVector<RetrievedKeyData> key_data)> GetKeyDataCallback;
+      const std::vector<KeyDefinition>& key_definitions)> GetKeyDataCallback;
   typedef base::Callback<
       void(bool success, MountError return_code, const std::string& mount_hash)>
       MountCallback;

chromeos/cryptohome/homedir_methods_unittest.cc

@@ -55,9 +55,10 @@ class HomedirMethodsTest : public testing::Test {
   void RunProtobufMethodCallback(
       const chromeos::CryptohomeClient::ProtobufMethodCallback& callback);
 
-  void StoreGetKeyDataExResult(bool success,
-                               MountError return_code,
-                               ScopedVector<RetrievedKeyData> key_data);
+  void StoreGetKeyDataExResult(
+      bool success,
+      MountError return_code,
+      const std::vector<KeyDefinition>& key_definitions);
 
  protected:
   chromeos::MockCryptohomeClient* cryptohome_client_;
@@ -68,7 +69,7 @@ class HomedirMethodsTest : public testing::Test {
   // The results of the most recent |HomedirMethods| method call.
   bool success_;
   MountError return_code_;
-  ScopedVector<RetrievedKeyData> key_data_;
+  std::vector<KeyDefinition> key_definitions_;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HomedirMethodsTest);
@@ -106,10 +107,10 @@ void HomedirMethodsTest::RunProtobufMethodCallback(
 void HomedirMethodsTest::StoreGetKeyDataExResult(
     bool success,
     MountError return_code,
-    ScopedVector<RetrievedKeyData> key_data) {
+    const std::vector<KeyDefinition>& key_definitions) {
   success_ = success;
   return_code_ = return_code;
-  key_data_.swap(key_data);
+  key_definitions_ = key_definitions;
 }
 
 // Verifies that the result of a GetKeyDataEx() call is correctly parsed.
@@ -158,23 +159,23 @@ TEST_F(HomedirMethodsTest, GetKeyDataEx) {
   // Verify that the call was successful and the result was correctly parsed.
   EXPECT_TRUE(success_);
   EXPECT_EQ(MOUNT_ERROR_NONE, return_code_);
-  ASSERT_EQ(1u, key_data_.size());
-  const RetrievedKeyData* retrieved_key_data = key_data_.front();
-  EXPECT_EQ(RetrievedKeyData::TYPE_PASSWORD, retrieved_key_data->type);
+  ASSERT_EQ(1u, key_definitions_.size());
+  const KeyDefinition& key_definition = key_definitions_.front();
+  EXPECT_EQ(KeyDefinition::TYPE_PASSWORD, key_definition.type);
   EXPECT_EQ(PRIV_MOUNT | PRIV_ADD | PRIV_REMOVE,
-            retrieved_key_data->privileges);
-  EXPECT_EQ(kKeyRevision, retrieved_key_data->revision);
-  ASSERT_EQ(1u, retrieved_key_data->authorization_types.size());
-  EXPECT_EQ(RetrievedKeyData::AUTHORIZATION_TYPE_HMACSHA256,
-            retrieved_key_data->authorization_types.front());
-  ASSERT_EQ(2u, retrieved_key_data->provider_data.size());
-  const RetrievedKeyData::ProviderData* provider_data =
-      retrieved_key_data->provider_data[0];
+            key_definition.privileges);
+  EXPECT_EQ(kKeyRevision, key_definition.revision);
+  ASSERT_EQ(1u, key_definition.authorization_data.size());
+  EXPECT_EQ(KeyDefinition::AuthorizationData::TYPE_HMACSHA256,
+            key_definition.authorization_data.front().type);
+  ASSERT_EQ(2u, key_definition.provider_data.size());
+  const KeyDefinition::ProviderData* provider_data =
+      &key_definition.provider_data[0];
   EXPECT_EQ(kProviderData1Name, provider_data->name);
   ASSERT_TRUE(provider_data->number);
   EXPECT_EQ(kProviderData1Number, *provider_data->number.get());
   EXPECT_FALSE(provider_data->bytes);
-  provider_data = retrieved_key_data->provider_data[1];
+  provider_data = &key_definition.provider_data[1];
   EXPECT_EQ(kProviderData2Name, provider_data->name);
   EXPECT_FALSE(provider_data->number);
   ASSERT_TRUE(provider_data->bytes);

chromeos/cryptohome/mock_homedir_methods.cc

@@ -4,7 +4,8 @@
 
 #include "chromeos/cryptohome/mock_homedir_methods.h"
 
-#include "base/memory/scoped_vector.h"
+#include <vector>
+
 #include "chromeos/cryptohome/cryptohome_parameters.h"
 #include "chromeos/cryptohome/mock_async_method_caller.h"
 
@@ -41,7 +42,7 @@ void MockHomedirMethods::DoCallback(const Callback& callback) {
 }
 
 void MockHomedirMethods::DoGetDataCallback(const GetKeyDataCallback& callback) {
-  callback.Run(success_, return_code_, ScopedVector<RetrievedKeyData>());
+  callback.Run(success_, return_code_, std::vector<KeyDefinition>());
 }
 
 void MockHomedirMethods::DoMountCallback(const MountCallback& callback) {

chromeos/login/auth/cryptohome_authenticator.cc

@@ -4,6 +4,8 @@
 
 #include "chromeos/login/auth/cryptohome_authenticator.h"
 
+#include <vector>
+
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/files/file_path.h"
@@ -175,32 +177,33 @@ void OnGetSystemSalt(AuthAttemptState* attempt,
 //   |attempt->user_context| can be transformed with Chrome's default hashing
 //   algorithm and the system salt.
 // The resulting key is then passed to cryptohome's MountEx().
-void OnGetKeyDataEx(AuthAttemptState* attempt,
-                    scoped_refptr<CryptohomeAuthenticator> resolver,
-                    bool ephemeral,
-                    bool create_if_nonexistent,
-                    bool success,
-                    cryptohome::MountError return_code,
-                    ScopedVector<cryptohome::RetrievedKeyData> key_data) {
+void OnGetKeyDataEx(
+    AuthAttemptState* attempt,
+    scoped_refptr<CryptohomeAuthenticator> resolver,
+    bool ephemeral,
+    bool create_if_nonexistent,
+    bool success,
+    cryptohome::MountError return_code,
+    const std::vector<cryptohome::KeyDefinition>& key_definitions) {
   if (success) {
-    if (key_data.size() == 1) {
-      cryptohome::RetrievedKeyData* key_data_entry = key_data.front();
-      DCHECK_EQ(kCryptohomeGAIAKeyLabel, key_data_entry->label);
+    if (key_definitions.size() == 1) {
+      const cryptohome::KeyDefinition& key_definition = key_definitions.front();
+      DCHECK_EQ(kCryptohomeGAIAKeyLabel, key_definition.label);
 
-      // Extract the key type and salt from |key_data|, if present.
+      // Extract the key type and salt from |key_definition|, if present.
       scoped_ptr<int64> type;
       scoped_ptr<std::string> salt;
-      for (ScopedVector<cryptohome::RetrievedKeyData::ProviderData>::
-               const_iterator it = key_data_entry->provider_data.begin();
-           it != key_data_entry->provider_data.end(); ++it) {
-        if ((*it)->name == kKeyProviderDataTypeName) {
-          if ((*it)->number)
-            type.reset(new int64(*(*it)->number));
+      for (std::vector<cryptohome::KeyDefinition::ProviderData>::
+               const_iterator it = key_definition.provider_data.begin();
+           it != key_definition.provider_data.end(); ++it) {
+        if (it->name == kKeyProviderDataTypeName) {
+          if (it->number)
+            type.reset(new int64(*it->number));
           else
             NOTREACHED();
-        } else if ((*it)->name == kKeyProviderDataSaltName) {
-          if ((*it)->bytes)
-            salt.reset(new std::string(*(*it)->bytes));
+        } else if (it->name == kKeyProviderDataSaltName) {
+          if (it->bytes)
+            salt.reset(new std::string(*it->bytes));
           else
             NOTREACHED();
         }
@@ -226,7 +229,7 @@ void OnGetKeyDataEx(AuthAttemptState* attempt,
         return;
       }
     } else {
-      LOG(ERROR) << "GetKeyDataEx() returned " << key_data.size()
+      LOG(ERROR) << "GetKeyDataEx() returned " << key_definitions.size()
                  << " entries.";
     }
   }

chromeos/login/auth/extended_authenticator.cc

@@ -89,7 +89,7 @@ void ExtendedAuthenticator::CreateMount(
     mount.create_keys.push_back(keys[i]);
   }
   UserContext context(user_id);
-  Key key(keys.front().key);
+  Key key(keys.front().secret);
   key.SetLabel(keys.front().label);
   context.SetKey(key);