[login_manager] Allow new owner keys to be pushed with StorePolicy

To handle initial enrollment and emergency key rotation (the current key has been compromised), we will allow any policy stored before the user has begun her session to clobber the existing key/policy.

To perform normal key rotation, we'll validate the signature on the key blob in the policy with the currently registered key and, iff it checks out, replace the stored key.

TEST=Unit tests, and login_RemoteOwnership (to be landed soon), and login_OwnershipApi

Change-Id: Id4c6e8f3d37224a03ac631ff19bb6daa04ff20eb

Review URL: http://codereview.chromium.org/6793055
10 files changed