authorYuri Wiitala <miu@chromium.org>2019-11-26 16:10:29 -0800
committerCommit Bot <commit-bot@chromium.org>2019-11-27 00:20:32 +0000
commitfddca10f23f5d483e2768dea6e3e920abb28898c (patch)
treef1783cfc7bc65df183156ecd52487048767dc26d /cast/sender
parentf9d1fe4a538ab7003addcdf8592c77519a55b91a (diff)
downloadopenscreen-fddca10f23f5d483e2768dea6e3e920abb28898c.tar.gz
Remove dependencies on openssl from platform/api.
Moves all certificate utilities out of TlsCredentials (in platform/base) to a new util/crypto/certificate_utilities.* library. Then, all remaining boringssl dependencies are removed from platform/api by modifying the TlsConnectionFactory API to provide DER-encoded X509 certificates (i.e., a serialized form) instead of the boringssl X509 struct. Bug: openscreen:89 Change-Id: Iaaeec687d81770bb8e7e2bab4837880c77a37aa9 Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/1932181 Reviewed-by: Yuri Wiitala <miu@chromium.org> Reviewed-by: Jordan Bayles <jophba@chromium.org> Commit-Queue: Yuri Wiitala <miu@chromium.org>
Diffstat (limited to 'cast/sender')
-rw-r--r--cast/sender/BUILD.gn2
-rw-r--r--cast/sender/channel/sender_socket_factory.cc17
-rw-r--r--cast/sender/channel/sender_socket_factory.h8
3 files changed, 17 insertions, 10 deletions
diff --git a/cast/sender/BUILD.gn b/cast/sender/BUILD.gn
index 86d67ade..31c21215 100644
--- a/cast/sender/BUILD.gn
+++ b/cast/sender/BUILD.gn
@@ -13,12 +13,14 @@ source_set("channel") {
]
deps = [
+ "../../util",
"../common/certificate/proto:certificate_proto",
"../common/channel/proto:channel_proto",
]
public_deps = [
"../../platform",
+ "../../third_party/boringssl",
]
}
diff --git a/cast/sender/channel/sender_socket_factory.cc b/cast/sender/channel/sender_socket_factory.cc
index 811f07df..3e75c977 100644
--- a/cast/sender/channel/sender_socket_factory.cc
+++ b/cast/sender/channel/sender_socket_factory.cc
@@ -7,6 +7,7 @@
#include "cast/common/channel/cast_socket.h"
#include "cast/sender/channel/message_util.h"
#include "platform/base/tls_connect_options.h"
+#include "util/crypto/certificate_utils.h"
namespace cast {
namespace channel {
@@ -43,14 +44,14 @@ void SenderSocketFactory::Connect(const IPEndpoint& endpoint,
void SenderSocketFactory::OnAccepted(
TlsConnectionFactory* factory,
- X509* peer_cert,
+ std::vector<uint8_t> der_x509_peer_cert,
std::unique_ptr<TlsConnection> connection) {
OSP_NOTREACHED() << "This factory is connect-only.";
}
void SenderSocketFactory::OnConnected(
TlsConnectionFactory* factory,
- X509* peer_cert,
+ std::vector<uint8_t> der_x509_peer_cert,
std::unique_ptr<TlsConnection> connection) {
const IPEndpoint& endpoint = connection->GetRemoteEndpoint();
auto it = FindPendingConnection(endpoint);
@@ -63,16 +64,18 @@ void SenderSocketFactory::OnConnected(
CastSocket::Client* client = it->client;
pending_connections_.erase(it);
+ ErrorOr<bssl::UniquePtr<X509>> peer_cert = openscreen::ImportCertificate(
+ der_x509_peer_cert.data(), der_x509_peer_cert.size());
if (!peer_cert) {
- client_->OnError(this, endpoint, Error::Code::kErrCertsMissing);
+ client_->OnError(this, endpoint, peer_cert.error());
return;
}
auto socket = std::make_unique<CastSocket>(std::move(connection), this,
GetNextSocketId());
- pending_auth_.emplace_back(new PendingAuth{endpoint, media_policy,
- std::move(socket), client,
- AuthContext::Create(), peer_cert});
+ pending_auth_.emplace_back(
+ new PendingAuth{endpoint, media_policy, std::move(socket), client,
+ AuthContext::Create(), std::move(peer_cert.value())});
PendingAuth& pending = *pending_auth_.back();
CastMessage auth_challenge = CreateAuthChallengeMessage(pending.auth_context);
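Review bot: The new guard `if (!peer_cert)` on the ErrorOr appears to rely on its boolean conversion, while the same file tests `policy_or_error.is_error()` a few lines later in OnMessage; `if (peer_cert.is_error()) {` keeps both checks in one idiom. The error reported to the client also changes here: a missing certificate used to surface as Error::Code::kErrCertsMissing, whereas now it is whatever ImportCertificate() returns, so a client that matched on kErrCertsMissing would presumably stop seeing it — worth either preserving that code for the empty/unparseable case or calling out the new code in OnConnected's comment. Because the parse happens after pending_connections_.erase(it), a malformed peer certificate drops the connection with nothing left in the pending list, which looks right. OnConnected starts before this hunk and its body continues past it.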
@@ -146,7 +149,7 @@ void SenderSocketFactory::OnMessage(CastSocket* socket, CastMessage message) {
}
ErrorOr<CastDeviceCertPolicy> policy_or_error = AuthenticateChallengeReply(
- message, (*it)->peer_cert, (*it)->auth_context);
+ message, (*it)->peer_cert.get(), (*it)->auth_context);
if (policy_or_error.is_error()) {
client_->OnError(this, pending->endpoint, policy_or_error.error());
return;
diff --git a/cast/sender/channel/sender_socket_factory.h b/cast/sender/channel/sender_socket_factory.h
index 62fa6d97..63998674 100644
--- a/cast/sender/channel/sender_socket_factory.h
+++ b/cast/sender/channel/sender_socket_factory.h
@@ -5,6 +5,8 @@
#ifndef CAST_SENDER_CHANNEL_SENDER_SOCKET_FACTORY_H_
#define CAST_SENDER_CHANNEL_SENDER_SOCKET_FACTORY_H_
+#include <openssl/x509.h>
+
#include <set>
#include <utility>
#include <vector>
@@ -57,10 +59,10 @@ class SenderSocketFactory final : public TlsConnectionFactory::Client,
// TlsConnectionFactory::Client overrides.
void OnAccepted(TlsConnectionFactory* factory,
- X509* peer_cert,
+ std::vector<uint8_t> der_x509_peer_cert,
std::unique_ptr<TlsConnection> connection) override;
void OnConnected(TlsConnectionFactory* factory,
- X509* peer_cert,
+ std::vector<uint8_t> der_x509_peer_cert,
std::unique_ptr<TlsConnection> connection) override;
void OnConnectionFailed(TlsConnectionFactory* factory,
const IPEndpoint& remote_address) override;
@@ -79,7 +81,7 @@ class SenderSocketFactory final : public TlsConnectionFactory::Client,
std::unique_ptr<CastSocket> socket;
CastSocket::Client* client;
AuthContext auth_context;
- X509* peer_cert;
+ bssl::UniquePtr<X509> peer_cert;
};
friend bool operator<(const std::unique_ptr<PendingAuth>& a, uint32_t b);
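Review bot: The new `bssl::UniquePtr<X509> peer_cert;` member carries no comment saying where the object comes from or that PendingAuth now owns it, and the struct's definition starts before this hunk. A one-line comment such as `// Parsed from the DER bytes passed to OnConnected(); owned by this PendingAuth.` would also tell a reader why the sender header now needs <openssl/x509.h> and a public boringssl dependency in BUILD.gn.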