// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_

#include <openssl/x509.h>

#include <chrono>
#include <string>
#include <vector>

#include "cast/common/certificate/cast_cert_validator.h"
#include "platform/base/error.h"

namespace cast {
namespace channel {
class AuthResponse;
class CastMessage;
}  // namespace channel
}  // namespace cast

namespace openscreen {
namespace cast {

// Forward declarations; the full definitions live elsewhere in
// openscreen::cast.
enum class CRLPolicy;
struct DateTime;
struct TrustStore;

// Carries the nonce that ties one auth challenge to its reply. The nonce is
// fixed at construction (|nonce_| is const), so a context cannot be re-keyed;
// obtain a fresh context from Create() for each challenge.
class AuthContext {
 public:
  ~AuthContext();

  // Get an auth challenge context.
  // The same context must be used in the challenge and reply, since the reply
  // is checked against the nonce this context holds.
  static AuthContext Create();

  // Verifies the nonce received in the response is equivalent to the one sent.
  // Returns success if |nonce_response| matches nonce_.
  //
  // |enforce_nonce_checking| defaults to false. NOTE(review): confirm what a
  // mismatch yields when enforcement is off before relying on this call for
  // replay protection; callers that need a mismatch to be a hard failure
  // should pass true explicitly.
  Error VerifySenderNonce(const std::string& nonce_response,
                          bool enforce_nonce_checking = false) const;

  // The nonce challenge.
  const std::string& nonce() const { return nonce_; }

 private:
  // The constructor is private: contexts are obtained through Create(), so
  // the nonce value is never caller-supplied.
  explicit AuthContext(const std::string& nonce);

  const std::string nonce_;
};

// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. certificate used to sign is rooted to a trusted CA.
//
// |peer_cert| is passed as a raw X509*; presumably non-owning (the caller keeps
// ownership) — confirm against the implementation. |auth_context| must be the
// same context that issued the challenge. The result is either the
// CastDeviceCertPolicy the verifier determined or an Error.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context);

// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy, trust stores, and verification times. Substituting
// |cast_trust_store|, |crl_trust_store| or |verification_time| changes what the
// verifier accepts, which is why this overload is reserved for tests;
// production code should call AuthenticateChallengeReply.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time);

// Performs a quick check of the TLS certificate for time validity requirements.
// |verification_time| is the instant the certificate's validity window is
// evaluated against, as std::chrono::seconds; presumably seconds since the
// Unix epoch — confirm against the caller. By its description this checks only
// the time window; chain validation is done by AuthenticateChallengeReply.
Error VerifyTLSCertificateValidity(X509* peer_cert,
                                   std::chrono::seconds verification_time);

// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
//
// Both flags default to false, so by default revocation is not enforced and a
// weaker-than-SHA-256 digest is presumably tolerated; pass true to make those
// checks hard failures. NOTE(review): confirm the exact behaviour of each flag
// when false before depending on the defaults.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);

// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy,
// trust stores, and verification times. As with AuthenticateChallengeReplyForTest,
// the injected trust stores and |verification_time| decide what is accepted, so
// production code should call VerifyCredentials instead.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time,
    bool enforce_sha256_checking = false);

}  // namespace cast
}  // namespace openscreen

#endif  // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_