1 // Copyright 2019 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
6 #define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
7 
8 #include <openssl/x509.h>
9 
10 #include <chrono>
11 #include <string>
12 #include <vector>
13 
14 #include "cast/common/certificate/cast_cert_validator.h"
15 #include "platform/base/error.h"
16 
17 namespace cast {
18 namespace channel {
19 class AuthResponse;
20 class CastMessage;
21 }  // namespace channel
22 }  // namespace cast
23 
24 namespace openscreen {
25 namespace cast {
26 
27 enum class CRLPolicy;
28 struct DateTime;
29 struct TrustStore;
30 
class AuthContext {
 public:
  // Builds a fresh challenge context. The object handed out here must be the
  // very same one later used to check the reply: the nonce it carries is what
  // ties the challenge to its response.
  static AuthContext Create();

  // Compares |nonce_response| against the nonce issued with the challenge and
  // reports success when the two are equal.
  // NOTE(review): |enforce_nonce_checking| defaults to false. What a mismatch
  // yields in that mode is decided by the implementation, not this header;
  // callers that rely on the nonce to bind the reply to the challenge should
  // pass true and confirm the behaviour against the .cc.
  Error VerifySenderNonce(const std::string& nonce_response,
                          bool enforce_nonce_checking = false) const;

  // The nonce that was sent with the challenge.
  const std::string& nonce() const {
    return nonce_;
  }

  ~AuthContext();

 private:
  // The constructor is private: contexts are created only through Create().
  explicit AuthContext(const std::string& nonce);

  // Fixed for the lifetime of the context.
  const std::string nonce_;
};
52 
// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. certificate used to sign is rooted to a trusted CA.
//
// |challenge_reply| is the message received in answer to the auth challenge.
// |peer_cert| is the X509 certificate presented by the peer (presumably the
//   TLS peer certificate, as for VerifyTLSCertificateValidity; ownership is
//   not transferred by this declaration).
// |auth_context| must be the same context used to issue the challenge, since
//   it holds the nonce the reply is checked against.
// Returns the device certificate policy when both checks pass, otherwise an
// Error describing why the reply was rejected.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context);
60 
// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy, trust stores, and verification times.
//
// |crl_policy| selects how certificate revocation lists are treated.
// |cast_trust_store| and |crl_trust_store| are the trust anchors used for the
//   device certificate chain and for the CRL respectively.
// |verification_time| is the instant at which validity is evaluated, instead
//   of the current time.
// Production callers should use AuthenticateChallengeReply, which presumably
// supplies these values itself; injecting a permissive policy, store or clock
// here bypasses the checks that overload is meant to enforce.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time);
73 
// Performs a quick check of the TLS certificate for time validity requirements.
//
// |peer_cert| is the certificate presented by the TLS peer.
// |verification_time| is the time the validity window is checked against
//   (presumably seconds since the epoch; confirm against the caller).
// Returns success when the certificate is valid at |verification_time|.
// Only the validity period is examined here; chain building and trust in the
// issuing CA are the job of AuthenticateChallengeReply, so a passing result
// from this function alone does not authenticate the peer.
Error VerifyTLSCertificateValidity(X509* peer_cert,
                                   std::chrono::seconds verification_time);
77 
// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
//
// |response| carries the signature and the certificate material to check.
// |signature_input| is the exact byte sequence the signature must cover.
// |enforce_revocation_checking| and |enforce_sha256_checking| both default to
//   false. NOTE(review): with the defaults, revocation status and the digest
//   algorithm are presumably not treated as hard failures; callers that need
//   those guarantees should pass true explicitly and confirm against the .cc.
// Returns the device certificate policy on success, otherwise an Error.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);
86 
// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy,
// trust stores, and verification times.
//
// |crl_policy|, |cast_trust_store|, |crl_trust_store| and |verification_time|
//   replace the policy, trust anchors and clock that VerifyCredentials
//   presumably chooses on its own.
// |enforce_sha256_checking| defaults to false, as in VerifyCredentials.
// Returns the device certificate policy on success, otherwise an Error.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time,
    bool enforce_sha256_checking = false);
99 
100 }  // namespace cast
101 }  // namespace openscreen
102 
103 #endif  // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
104