1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_
#define COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_
#include <string>
#include "base/memory/ref_counted.h"
#include "base/time/time.h"
#include "components/cast_channel/proto/cast_channel.pb.h"
namespace cast_certificate {
enum class CRLPolicy;
}
namespace net {
class X509Certificate;
class TrustStore;
} // namespace net
namespace cast_channel {
class AuthResponse;
class CastMessage;
struct AuthResult {
public:
enum ErrorType {
ERROR_NONE,
ERROR_PEER_CERT_EMPTY,
ERROR_WRONG_PAYLOAD_TYPE,
ERROR_NO_PAYLOAD,
ERROR_PAYLOAD_PARSING_FAILED,
ERROR_MESSAGE_ERROR,
ERROR_NO_RESPONSE,
ERROR_FINGERPRINT_NOT_FOUND,
ERROR_CERT_PARSING_FAILED,
ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA,
ERROR_CANNOT_EXTRACT_PUBLIC_KEY,
ERROR_SIGNED_BLOBS_MISMATCH,
ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG,
ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE,
ERROR_TLS_CERT_EXPIRED,
ERROR_CRL_INVALID,
ERROR_CERT_REVOKED,
ERROR_SENDER_NONCE_MISMATCH,
};
enum PolicyType { POLICY_NONE = 0, POLICY_AUDIO_ONLY = 1 << 0 };
// Constructs a AuthResult that corresponds to success.
AuthResult();
AuthResult(const std::string& error_message, ErrorType error_type);
~AuthResult();
static AuthResult CreateWithParseError(const std::string& error_message,
ErrorType error_type);
bool success() const { return error_type == ERROR_NONE; }
std::string error_message;
ErrorType error_type;
unsigned int channel_policies;
};
class AuthContext {
public:
~AuthContext();
// Get an auth challenge context.
// The same context must be used in the challenge and reply.
static AuthContext Create();
// Verifies the nonce received in the response is equivalent to the one sent.
// Returns success if |nonce_response| matches nonce_
AuthResult VerifySenderNonce(const std::string& nonce_response) const;
// The nonce challenge.
const std::string& nonce() const { return nonce_; }
private:
explicit AuthContext(const std::string& nonce);
const std::string nonce_;
};
// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. Certficate used to sign is rooted to a trusted CA.
AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
const net::X509Certificate& peer_cert,
const AuthContext& auth_context);
// Performs a quick check of the TLS certificate for time validity requirements.
AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,
std::string* peer_cert_der,
const base::Time& verification_time);
// Auth-library specific implementation of cryptographic signature
// verification routines. Verifies that |response| contains a
// valid signature of |signature_input|.
AuthResult VerifyCredentials(const AuthResponse& response,
const std::string& signature_input);
// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying
// the crl policy, trust stores, and verification times.
AuthResult VerifyCredentialsForTest(
const AuthResponse& response,
const std::string& signature_input,
const cast_certificate::CRLPolicy& crl_policy,
net::TrustStore* cast_trust_store,
net::TrustStore* crl_trust_store,
const base::Time& verification_time);
} // namespace cast_channel
#endif // COMPONENTS_CAST_CHANNEL_CAST_AUTH_UTIL_H_
|
