[login_manager] Allow new owner keys to be pushed with StorePolicy
To handle initial enrollment and emergency key rotation (the current key has been compromised), we will allow any policy stored before the user has begun her session to clobber the existing key/policy.
To perform normal key rotation, we'll validate the signature on the key blob in the policy with the currently registered key and, iff it checks out, replace the stored key.
TEST=Unit tests, and login_RemoteOwnership (to be landed soon), and login_OwnershipApi
Review URL: http://codereview.chromium.org/6793055
10 files changed