// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_
#define COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_

#include <string>

#include "base/memory/ref_counted.h"
#include "base/time/time.h"
#include "third_party/openscreen/src/cast/common/channel/proto/cast_channel.pb.h"

namespace cast_certificate {
enum class CRLPolicy;
}

namespace net {
class X509Certificate;
class TrustStore;
}  // namespace net

namespace cast_channel {

using ::cast::channel::AuthResponse;
using ::cast::channel::CastMessage;

// Outcome of one step of Cast channel device authentication. An AuthResult
// either represents success (error_type == ERROR_NONE) or records the
// specific check that failed. Callers should branch on success(), never on
// the free-form |error_message| text.
struct AuthResult {
 public:
  // Reasons an authentication check can fail. Each value names one distinct
  // check in the verification path: payload shape, certificate parsing and
  // chain trust, TLS certificate validity window, CRL / revocation state,
  // sender nonce, and signature / digest handling.
  enum ErrorType {
    ERROR_NONE,
    ERROR_PEER_CERT_EMPTY,
    ERROR_WRONG_PAYLOAD_TYPE,
    ERROR_NO_PAYLOAD,
    ERROR_PAYLOAD_PARSING_FAILED,
    ERROR_MESSAGE_ERROR,
    ERROR_NO_RESPONSE,
    ERROR_FINGERPRINT_NOT_FOUND,
    ERROR_CERT_PARSING_FAILED,
    ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA,
    ERROR_CANNOT_EXTRACT_PUBLIC_KEY,
    ERROR_SIGNED_BLOBS_MISMATCH,
    ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG,
    ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE,
    ERROR_TLS_CERT_EXPIRED,
    ERROR_CRL_INVALID,
    ERROR_CERT_REVOKED,
    ERROR_SENDER_NONCE_MISMATCH,
    ERROR_DIGEST_UNSUPPORTED,
    ERROR_SIGNATURE_EMPTY,
  };

  // Bit flags describing policies attached to the authenticated channel;
  // the values are powers of two so they can be combined in
  // |channel_policies|.
  enum PolicyType { POLICY_NONE = 0, POLICY_AUDIO_ONLY = 1 << 0 };

  // Constructs a AuthResult that corresponds to success.
  AuthResult();

  // Constructs a failing AuthResult carrying |error_type| and a
  // human-readable |error_message| for logging.
  AuthResult(const std::string& error_message, ErrorType error_type);

  ~AuthResult();

  // Factory for a failing AuthResult; by its name it is intended for errors
  // detected while parsing the auth payload (defined in the .cc file).
  static AuthResult CreateWithParseError(const std::string& error_message,
                                         ErrorType error_type);

  // True iff no error was recorded. This is the only field callers should
  // use to decide whether authentication passed.
  bool success() const { return error_type == ERROR_NONE; }

  std::string error_message;
  ErrorType error_type;
  // Presumably a bitwise OR of PolicyType values — confirm in the .cc.
  unsigned int channel_policies;
};

// Per-handshake state for the nonce-based challenge/response. The context
// that produced the nonce sent in the challenge is the one that must verify
// the reply; verifying against any other context makes the nonce check
// meaningless.
// NOTE(review): Create() is assumed to generate a fresh, unpredictable nonce
// per handshake — confirm in the .cc.
class AuthContext {
 public:
  ~AuthContext();

  // Get an auth challenge context.
  // The same context must be used in the challenge and reply.
  static AuthContext Create();

  // Verifies the nonce received in the response is equivalent to the one sent.
  // Returns success if |nonce_response| matches nonce_; otherwise a failing
  // AuthResult (presumably ERROR_SENDER_NONCE_MISMATCH).
  AuthResult VerifySenderNonce(const std::string& nonce_response) const;

  // The nonce challenge.
  const std::string& nonce() const { return nonce_; }

 private:
  explicit AuthContext(const std::string& nonce);

  // Immutable for the lifetime of the context so the value sent in the
  // challenge and the value compared against the reply cannot diverge.
  const std::string nonce_;
};

// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. Certificate used to sign is rooted to a trusted CA.
// |peer_cert| is the TLS certificate presented by the peer and |auth_context|
// supplies the nonce that was sent in the challenge. A returned AuthResult
// with success() == false must be treated as an authentication failure, not
// as a recoverable condition.
AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
                                      const net::X509Certificate& peer_cert,
                                      const AuthContext& auth_context);

// Performs a quick check of the TLS certificate for time validity requirements.
// |verification_time| is the reference point for the validity window rather
// than the wall clock, so the check is deterministic for a given input.
// |peer_cert_der| is a non-const out-pointer — presumably receives the DER
// encoding of |peer_cert|; confirm in the .cc. The ERROR_TLS_CERT_* values
// of AuthResult::ErrorType are presumably the failure modes of this check.
AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,
                                std::string* peer_cert_der,
                                const base::Time& verification_time);

// Auth-library specific implementation of cryptographic signature
// verification routines. Verifies that |response| contains a
// valid signature of |signature_input|.
// This is the production entry point: the CRL policy, trust stores and
// verification time are chosen by the implementation, not by the caller.
AuthResult VerifyCredentials(const AuthResponse& response,
                             const std::string& signature_input);

// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying
// the crl policy, trust stores, and verification times.
// Because the caller supplies |crl_policy|, |cast_trust_store|,
// |crl_trust_store| and |verification_time|, this overload must not be
// reachable from production code paths; use VerifyCredentials there.
AuthResult VerifyCredentialsForTest(
    const AuthResponse& response,
    const std::string& signature_input,
    const cast_certificate::CRLPolicy& crl_policy,
    net::TrustStore* cast_trust_store,
    net::TrustStore* crl_trust_store,
    const base::Time& verification_time);

}  // namespace cast_channel

#endif  // COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_