Diffstat (limited to 'sync/util')
-rw-r--r-- | sync/util/cryptographer.cc | 91 | ||||
-rw-r--r-- | sync/util/cryptographer.h | 38 | ||||
-rw-r--r-- | sync/util/cryptographer_unittest.cc | 31 |
3 files changed, 39 insertions, 121 deletions
diff --git a/sync/util/cryptographer.cc b/sync/util/cryptographer.cc
index 92f9795..202480d 100644
--- a/sync/util/cryptographer.cc
+++ b/sync/util/cryptographer.cc
@@ -22,9 +22,7 @@ const char kNigoriTag[] = "google_chrome_nigori";
 const char kNigoriKeyName[] = "nigori-key";
 Cryptographer::Cryptographer(Encryptor* encryptor)
- : encryptor_(encryptor),
- default_nigori_(NULL),
- keystore_nigori_(NULL) {
+ : encryptor_(encryptor) {
 DCHECK(encryptor);
 }
@@ -39,19 +37,7 @@ void Cryptographer::Bootstrap(const std::string& restored_bootstrap_token) {
 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
 if (nigori.get())
- AddKeyImpl(nigori.release(), false);
-}
-
-void Cryptographer::BootstrapKeystoreKey(
- const std::string& restored_bootstrap_token) {
- if (keystore_nigori_) {
- NOTREACHED();
- return;
- }
-
- scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
- if (nigori.get())
- AddKeyImpl(nigori.release(), true);
+ AddKeyImpl(nigori.Pass());
 }
 bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const {
@@ -60,17 +46,24 @@ bool Cryptographer::CanDecrypt(const sync_pb::EncryptedData& data) const {
 bool Cryptographer::CanDecryptUsingDefaultKey(
 const sync_pb::EncryptedData& data) const {
- return default_nigori_ && (data.key_name() == default_nigori_->first);
+ return !default_nigori_name_.empty() &&
+ data.key_name() == default_nigori_name_;
 }
 bool Cryptographer::Encrypt(
 const ::google::protobuf::MessageLite& message,
 sync_pb::EncryptedData* encrypted) const {
 DCHECK(encrypted);
- if (!default_nigori_) {
+ if (default_nigori_name_.empty()) {
 LOG(ERROR) << "Cryptographer not ready, failed to encrypt.";
 return false;
 }
+ NigoriMap::const_iterator default_nigori =
+ nigoris_.find(default_nigori_name_);
+ if (default_nigori == nigoris_.end()) {
+ LOG(ERROR) << "Corrupt default key.";
+ return false;
+ }
 std::string serialized;
 if (!message.SerializeToString(&serialized)) {
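Review bot: CanDecryptUsingDefaultKey() in the third hunk (@@ -60,17 +46,24 @@) now decides from the key name alone, while Encrypt() just below it treats a default name with no entry in nigoris_ as a reachable state and logs "Corrupt default key.". With the old pointer member a non-null default implied a live map entry; with a string the two can disagree, so a caller can be told the default key decrypts a blob for which no Nigori is held. I would add `nigoris_.find(default_nigori_name_) != nigoris_.end() &&` to the returned condition so the predicate agrees with Encrypt(). is_initialized() in cryptographer.h has the same name-only test, and Encrypt()'s body continues outside this hunk.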
@@ -86,9 +79,9 @@ bool Cryptographer::Encrypt(
 }
 }
- encrypted->set_key_name(default_nigori_->first);
- if (!default_nigori_->second->Encrypt(serialized,
- encrypted->mutable_blob())) {
+ encrypted->set_key_name(default_nigori_name_);
+ if (!default_nigori->second->Encrypt(serialized,
+ encrypted->mutable_blob())) {
 LOG(ERROR) << "Failed to encrypt data.";
 return false;
 }
@@ -147,7 +140,7 @@ bool Cryptographer::AddKey(const KeyParams& params) {
 NOTREACHED(); // Invalid username or password.
 return false;
 }
- return AddKeyImpl(nigori.release(), false);
+ return AddKeyImpl(nigori.Pass());
 }
 bool Cryptographer::AddKeyFromBootstrapToken(
@@ -156,22 +149,17 @@ bool Cryptographer::AddKeyFromBootstrapToken(
 scoped_ptr<Nigori> nigori(UnpackBootstrapToken(restored_bootstrap_token));
 if (!nigori.get())
 return false;
- return AddKeyImpl(nigori.release(), false);
+ return AddKeyImpl(nigori.Pass());
 }
-bool Cryptographer::AddKeyImpl(Nigori* initialized_nigori,
- bool is_keystore_key) {
- scoped_ptr<Nigori> nigori(initialized_nigori);
+bool Cryptographer::AddKeyImpl(scoped_ptr<Nigori> initialized_nigori) {
 std::string name;
- if (!nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) {
+ if (!initialized_nigori->Permute(Nigori::Password, kNigoriKeyName, &name)) {
 NOTREACHED();
 return false;
 }
- nigoris_[name] = make_linked_ptr(nigori.release());
- if (is_keystore_key)
- keystore_nigori_ = &*nigoris_.find(name);
- else
- default_nigori_ = &*nigoris_.find(name);
+ nigoris_[name] = make_linked_ptr(initialized_nigori.release());
+ default_nigori_name_ = name;
 return true;
 }
@@ -186,7 +174,7 @@ void Cryptographer::InstallKeys(const sync_pb::EncryptedData& encrypted) {
 void Cryptographer::SetDefaultKey(const std::string& key_name) {
 DCHECK(nigoris_.end() != nigoris_.find(key_name));
- default_nigori_ = &*nigoris_.find(key_name);
+ default_nigori_name_ = key_name;
 }
 void Cryptographer::SetPendingKeys(const sync_pb::EncryptedData& encrypted) {
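Review bot: SetDefaultKey() in the last hunk on this line (@@ -186,7 +174,7 @@) validates key_name only with DCHECK, so a release build will store a default name that has no Nigori behind it. The DecryptPendingKeys() hunk (@@ -220,8 +208,7 @@) now routes pending_keys_->key_name() through this setter and still returns true; that name is taken from the received EncryptedData rather than from the key bag that was just installed, and presumably the two can differ for a malformed or stale payload. A runtime guard before the assignment would keep the invariant that the header documents on default_nigori_name_: `if (nigoris_.find(key_name) == nigoris_.end()) { NOTREACHED(); return; }`.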
@@ -220,8 +208,7 @@ bool Cryptographer::DecryptPendingKeys(const KeyParams& params) {
 }
 InstallKeyBag(bag);
 const std::string& new_default_key_name = pending_keys_->key_name();
- DCHECK(nigoris_.end() != nigoris_.find(new_default_key_name));
- default_nigori_ = &*nigoris_.find(new_default_key_name);
+ SetDefaultKey(new_default_key_name);
 pending_keys_.reset();
 return true;
 }
@@ -231,16 +218,11 @@ bool Cryptographer::GetBootstrapToken(std::string* token) const {
 if (!is_initialized())
 return false;
- return PackBootstrapToken(default_nigori_->second.get(), token);
-}
-
-bool Cryptographer::GetKeystoreKeyBootstrapToken(
- std::string* token) const {
- DCHECK(token);
- if (!HasKeystoreKey())
+ NigoriMap::const_iterator default_nigori =
+ nigoris_.find(default_nigori_name_);
+ if (default_nigori == nigoris_.end())
 return false;
-
- return PackBootstrapToken(keystore_nigori_->second.get(), token);
+ return PackBootstrapToken(default_nigori->second.get(), token);
 }
 bool Cryptographer::PackBootstrapToken(const Nigori* nigori,
@@ -307,27 +289,6 @@ Nigori* Cryptographer::UnpackBootstrapToken(const std::string& token) const {
 return nigori.release();
 }
-bool Cryptographer::SetKeystoreKey(const std::string& keystore_key) {
- if (keystore_key.empty())
- return false;
- KeyParams params = {"localhost", "dummy", keystore_key};
-
- // Create the new Nigori and make it the default keystore encryptor.
- scoped_ptr<Nigori> nigori(new Nigori);
- if (!nigori->InitByDerivation(params.hostname,
- params.username,
- params.password)) {
- NOTREACHED(); // Invalid username or password.
- return false;
- }
-
- return AddKeyImpl(nigori.release(), true);
-}
-
-bool Cryptographer::HasKeystoreKey() const {
- return keystore_nigori_ != NULL;
-}
-
 void Cryptographer::InstallKeyBag(const sync_pb::NigoriKeyBag& bag) {
 int key_size = bag.key_size();
 for (int i = 0; i < key_size; ++i) {
diff --git a/sync/util/cryptographer.h b/sync/util/cryptographer.h
index 77a164f..99ae7d2 100644
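Review bot: GetBootstrapToken() in the second hunk (@@ -231,16 +218,11 @@) returns false with no diagnostic when default_nigori_name_ is missing from nigoris_, whereas Encrypt() logs "Corrupt default key." for the same condition. is_initialized() has already passed at that point, so this branch means the key map and the default name are out of sync, and a silent false is indistinguishable to the caller from "not initialized". I would add `LOG(ERROR) << "Corrupt default key.";` before that `return false;`, matching Encrypt().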
--- a/sync/util/cryptographer.h
+++ b/sync/util/cryptographer.h
@@ -63,10 +63,6 @@ class Cryptographer {
 // never call Bootstrap at all.
 void Bootstrap(const std::string& restored_bootstrap_token);
- // Bootstrap the keystore key.
- void BootstrapKeystoreKey(
- const std::string& restored_keystore_bootstrap_token);
-
 // Returns whether we can decrypt |encrypted| using the keys we currently know
 // about.
 bool CanDecrypt(const sync_pb::EncryptedData& encrypted) const;
@@ -135,11 +131,14 @@ class Cryptographer {
 // correspond to a nigori that has already been installed into the keybag.
 void SetDefaultKey(const std::string& key_name);
- bool is_initialized() const { return !nigoris_.empty() && default_nigori_; }
+ bool is_initialized() const {
+ return !nigoris_.empty() && !default_nigori_name_.empty();
+ }
 // Returns whether this Cryptographer is ready to encrypt and decrypt data.
- bool is_ready() const { return is_initialized() &&
- has_pending_keys() == false; }
+ bool is_ready() const {
+ return is_initialized() && !has_pending_keys();
+ }
 // Returns whether there is a pending set of keys that needs to be decrypted.
 bool has_pending_keys() const { return NULL != pending_keys_.get(); }
@@ -149,18 +148,6 @@ class Cryptographer {
 // can't be created (i.e. if this Cryptograhper doesn't have valid keys).
 bool GetBootstrapToken(std::string* token) const;
- // Obtain the bootstrap token based on the keystore encryption key.
- bool GetKeystoreKeyBootstrapToken(std::string* token) const;
-
- // Set the keystore-derived nigori from the provided key.
- // Returns true if we succesfully create the keystore derived nigori from the
- // provided key, false otherwise.
- bool SetKeystoreKey(const std::string& keystore_key);
-
- // Returns true if we currently have a keystore-derived nigori, false
- // otherwise.
- bool HasKeystoreKey() const;
-
 Encryptor* encryptor() const { return encryptor_; }
 private:
@@ -173,9 +160,8 @@ class Cryptographer {
 // Does not update the default nigori.
 void InstallKeyBag(const sync_pb::NigoriKeyBag& bag);
- // Helper method to add a nigori as either the new default nigori or the new
- // keystore nigori.
- bool AddKeyImpl(Nigori* nigori, bool is_keystore_key);
+ // Helper method to add a nigori as the default key.
+ bool AddKeyImpl(scoped_ptr<Nigori> nigori);
 // Functions to serialize + encrypt a Nigori object in an opaque format for
 // persistence by sync infrastructure.
@@ -184,9 +170,11 @@ class Cryptographer {
 Encryptor* const encryptor_;
- NigoriMap nigoris_; // The Nigoris we know about, mapped by key name.
- NigoriMap::value_type* default_nigori_; // The Nigori used for encryption.
- NigoriMap::value_type* keystore_nigori_; // Nigori generated from keystore.
+ // The Nigoris we know about, mapped by key name.
+ NigoriMap nigoris_;
+ // The key name associated with the default nigori. If non-empty, must
+ // correspond to a nigori within |nigoris_|.
+ std::string default_nigori_name_;
 scoped_ptr<sync_pb::EncryptedData> pending_keys_;
diff --git a/sync/util/cryptographer_unittest.cc b/sync/util/cryptographer_unittest.cc
index 09fb63f..1e06b86 100644
--- a/sync/util/cryptographer_unittest.cc
+++ b/sync/util/cryptographer_unittest.cc
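Review bot: The new comment on AddKeyImpl() in the first hunk (@@ -173,9 +160,8 @@) does not say that the function takes ownership of the nigori or what a false return means. Going by the cryptographer.cc change, it stores the nigori under the name produced by Permute(), overwriting whatever nigoris_ already holds under that name, makes that name the default, and returns false when Permute() fails. Suggested wording: `// Takes ownership of |nigori|, installs it in |nigoris_| under its derived key name (replacing any existing entry) and makes it the default key. Returns false if the key name cannot be derived.`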
@@ -138,19 +138,6 @@ TEST_F(SyncCryptographerTest, AddKeySetsDefault) {
 EXPECT_EQ(encrypted3.key_name(), encrypted4.key_name());
 }
-// Ensure setting the keystore key works and doesn't modify the default nigori.
-TEST_F(SyncCryptographerTest, SetKeystore) {
- EXPECT_FALSE(cryptographer_.is_initialized());
- EXPECT_FALSE(cryptographer_.HasKeystoreKey());
-
- EXPECT_FALSE(cryptographer_.SetKeystoreKey(""));
- EXPECT_FALSE(cryptographer_.HasKeystoreKey());
-
- EXPECT_TRUE(cryptographer_.SetKeystoreKey("keystore_key"));
- EXPECT_TRUE(cryptographer_.HasKeystoreKey());
- EXPECT_FALSE(cryptographer_.is_initialized());
-}
-
 // Crashes, Bug 55178.
 #if defined(OS_WIN)
 #define MAYBE_EncryptExportDecrypt DISABLED_EncryptExportDecrypt
@@ -224,22 +211,4 @@ TEST_F(SyncCryptographerTest, MAYBE_PackUnpack) {
 EXPECT_EQ(expected_mac, mac_key);
 }
-// Test that bootstrapping the keystore key works and doesn't affect the default
-// nigori.
-TEST_F(SyncCryptographerTest, BootstrapKeystore) {
- std::string token;
- cryptographer_.GetKeystoreKeyBootstrapToken(&token);
- EXPECT_TRUE(token.empty());
-
- cryptographer_.SetKeystoreKey("keystore_key");
- cryptographer_.GetKeystoreKeyBootstrapToken(&token);
- EXPECT_FALSE(token.empty());
-
- Cryptographer cryptographer2(&encryptor_);
- EXPECT_FALSE(cryptographer2.HasKeystoreKey());
- cryptographer2.BootstrapKeystoreKey(token);
- EXPECT_TRUE(cryptographer2.HasKeystoreKey());
- EXPECT_FALSE(cryptographer2.is_initialized());
-}
-
 } // namespace syncer |