1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#include <openssl/x509.h>
#include <chrono>
#include <string>
#include <vector>
#include "cast/common/certificate/cast_cert_validator.h"
#include "platform/base/error.h"
namespace cast {
namespace channel {
class AuthResponse;
class CastMessage;
} // namespace channel
} // namespace cast
namespace openscreen {
namespace cast {
enum class CRLPolicy;
struct DateTime;
struct TrustStore;
class AuthContext {
public:
~AuthContext();
// Get an auth challenge context.
// The same context must be used in the challenge and reply.
static AuthContext Create();
// Verifies the nonce received in the response is equivalent to the one sent.
// Returns success if |nonce_response| matches nonce_
Error VerifySenderNonce(const std::string& nonce_response,
bool enforce_nonce_checking = false) const;
// The nonce challenge.
const std::string& nonce() const { return nonce_; }
private:
explicit AuthContext(const std::string& nonce);
const std::string nonce_;
};
// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. certificate used to sign is rooted to a trusted CA.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
const ::cast::channel::CastMessage& challenge_reply,
X509* peer_cert,
const AuthContext& auth_context);
// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy, trust stores, and verification times.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
const ::cast::channel::CastMessage& challenge_reply,
X509* peer_cert,
const AuthContext& auth_context,
CRLPolicy crl_policy,
TrustStore* cast_trust_store,
TrustStore* crl_trust_store,
const DateTime& verification_time);
// Performs a quick check of the TLS certificate for time validity requirements.
Error VerifyTLSCertificateValidity(X509* peer_cert,
std::chrono::seconds verification_time);
// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
const ::cast::channel::AuthResponse& response,
const std::vector<uint8_t>& signature_input,
bool enforce_revocation_checking = false,
bool enforce_sha256_checking = false);
// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy,
// trust stores, and verification times.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
const ::cast::channel::AuthResponse& response,
const std::vector<uint8_t>& signature_input,
CRLPolicy crl_policy,
TrustStore* cast_trust_store,
TrustStore* crl_trust_store,
const DateTime& verification_time,
bool enforce_sha256_checking = false);
} // namespace cast
} // namespace openscreen
#endif // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
|
