1 files changed, 46 insertions, 17 deletions

diff --git a/cast/sender/channel/cast_auth_util.cc b/cast/sender/channel/cast_auth_util.cc
index cb1ced69..f0e1c36f 100644
--- a/cast/sender/channel/cast_auth_util.cc
+++ b/cast/sender/channel/cast_auth_util.cc
@@ -9,6 +9,7 @@
 #include <algorithm>
 #include <memory>
 
+#include "absl/strings/str_cat.h"
 #include "cast/common/certificate/cast_cert_validator.h"
 #include "cast/common/certificate/cast_cert_validator_internal.h"
 #include "cast/common/certificate/cast_crl.h"
@@ -104,43 +105,56 @@ class CastNonce {
   std::chrono::seconds nonce_generation_time_;
 };
 
-// Maps Error::Code from certificate verification to Error.
-// If crl_required is set to false, all revocation related errors are ignored.
-Error MapToOpenscreenError(Error::Code error, bool crl_required) {
-  switch (error) {
+// Maps an error from certificate verification to an error reported to the
+// library client.  If crl_required is set to false, all revocation related
+// errors are ignored.
+//
+// TODO(https://issuetracker.google.com/issues/193164666): It would be simpler
+// to just pass the underlying verification error directly to the client.
+Error MapToOpenscreenError(Error verify_error, bool crl_required) {
+  switch (verify_error.code()) {
     case Error::Code::kErrCertsMissing:
       return Error(Error::Code::kCastV2PeerCertEmpty,
-                   "Failed to locate certificates.");
+                   absl::StrCat("Failed to locate certificates: ",
+                                verify_error.message()));
     case Error::Code::kErrCertsParse:
       return Error(Error::Code::kErrCertsParse,
-                   "Failed to parse certificates.");
+                   absl::StrCat("Failed to parse certificates: ",
+                                verify_error.message()));
     case Error::Code::kErrCertsDateInvalid:
-      return Error(Error::Code::kCastV2CertNotSignedByTrustedCa,
-                   "Failed date validity check.");
+      return Error(
+          Error::Code::kCastV2CertNotSignedByTrustedCa,
+          absl::StrCat("Failed date validity check: ", verify_error.message()));
     case Error::Code::kErrCertsVerifyGeneric:
-      return Error(Error::Code::kCastV2CertNotSignedByTrustedCa,
-                   "Failed with a generic certificate verification error.");
+      return Error(
+          Error::Code::kCastV2CertNotSignedByTrustedCa,
+          absl::StrCat("Failed with a generic certificate verification error: ",
+                       verify_error.message()));
     case Error::Code::kErrCertsRestrictions:
       return Error(Error::Code::kCastV2CertNotSignedByTrustedCa,
-                   "Failed certificate restrictions.");
+                   absl::StrCat("Failed certificate restrictions: ",
+                                verify_error.message()));
     case Error::Code::kErrCertsVerifyUntrustedCert:
       return Error(Error::Code::kCastV2CertNotSignedByTrustedCa,
-                   "Failed with untrusted certificate.");
+                   absl::StrCat("Failed with untrusted certificate: ",
+                                verify_error.message()));
     case Error::Code::kErrCrlInvalid:
       // This error is only encountered if |crl_required| is true.
       OSP_DCHECK(crl_required);
       return Error(Error::Code::kErrCrlInvalid,
-                   "Failed to provide a valid CRL.");
+                   absl::StrCat("Failed to provide a valid CRL: ",
+                                verify_error.message()));
     case Error::Code::kErrCertsRevoked:
       return Error(Error::Code::kErrCertsRevoked,
-                   "Failed certificate revocation check.");
+                   absl::StrCat("Failed certificate revocation check: ",
+                                verify_error.message()));
     case Error::Code::kNone:
       return Error::None();
     default:
       return Error(Error::Code::kCastV2CertNotSignedByTrustedCa,
-                   "Failed verifying cast device certificate.");
+                   absl::StrCat("Failed verifying cast device certificate: ",
+                                verify_error.message()));
   }
-  return Error::None();
 }
 
 Error VerifyAndMapDigestAlgorithm(HashAlgorithm response_digest_algorithm,
@@ -170,6 +184,21 @@ AuthContext AuthContext::Create() {
   return AuthContext(CastNonce::Get());
 }
 
+// static
+AuthContext AuthContext::CreateForTest(const std::string& nonce_data) {
+  std::string nonce;
+  if (nonce_data.empty()) {
+    nonce = std::string(kNonceSizeInBytes, '0');
+  } else {
+    while (nonce.size() < kNonceSizeInBytes) {
+      nonce += nonce_data;
+    }
+    nonce.erase(kNonceSizeInBytes);
+  }
+  OSP_DCHECK_EQ(nonce.size(), kNonceSizeInBytes);
+  return AuthContext(nonce);
+}
+
 AuthContext::AuthContext(const std::string& nonce) : nonce_(nonce) {}
 
 AuthContext::~AuthContext() {}
@@ -356,7 +385,7 @@ ErrorOr<CastDeviceCertPolicy> VerifyCredentialsImpl(
                        &device_policy, crl.get(), crl_policy, cast_trust_store);
 
   // Handle and report errors.
-  Error result = MapToOpenscreenError(verify_result.code(),
+  Error result = MapToOpenscreenError(verify_result,
                                       crl_policy == CRLPolicy::kCrlRequired);
   if (!result.ok()) {
     return result;