// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_

#include <openssl/x509.h>

#include <chrono>
#include <string>

#include "cast/common/certificate/cast_cert_validator.h"
#include "cast/sender/channel/proto/cast_channel.pb.h"
#include "platform/base/error.h"

namespace cast {
namespace certificate {
enum class CRLPolicy;
struct DateTime;
struct TrustStore;
}  // namespace certificate
}  // namespace cast

namespace cast {
namespace channel {

class AuthResponse;
class CastMessage;

template <typename T>
using ErrorOr = openscreen::ErrorOr<T>;
using CastDeviceCertPolicy = certificate::CastDeviceCertPolicy;

// Holds the nonce of one authentication challenge so that the reply to that
// challenge can later be checked against it.
class AuthContext {
 public:
  ~AuthContext();

  // Get an auth challenge context.
  // The same context must be used in the challenge and reply, because the
  // reply's nonce is compared against the nonce stored in this object.
  static AuthContext Create();

  // Verifies the nonce received in the response is equivalent to the one sent.
  // Returns success if |nonce_response| matches nonce_.
  //
  // NOTE(review): |enforce_nonce_checking| defaults to false. What the
  // non-enforcing mode accepts is decided in the implementation, which is not
  // part of this header; confirm whether an empty or missing nonce passes in
  // that mode, since a caller relying on the default would then get no replay
  // protection from this check.
  openscreen::Error VerifySenderNonce(
      const std::string& nonce_response,
      bool enforce_nonce_checking = false) const;

  // The nonce challenge.
  const std::string& nonce() const { return nonce_; }

 private:
  // Private constructor: instances are obtained through Create().
  explicit AuthContext(const std::string& nonce);

  // Fixed at construction (const), so the value compared in
  // VerifySenderNonce() is the one this context was created with.
  const std::string nonce_;
};

// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. Certificate used to sign is rooted to a trusted CA.
//
// |auth_context| is the context of the challenge being answered (see
// AuthContext: the same context must be used in the challenge and reply).
// Returns the device certificate policy on success, or an error.
//
// NOTE(review): |peer_cert| is a raw X509*; presumably it is the peer's TLS
// certificate and is only borrowed for the duration of the call. Ownership
// and null-handling are not visible in this header - confirm against the
// implementation.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context);

// Performs a quick check of the TLS certificate for time validity requirements.
//
// As described, this covers time validity only; signature and chain-of-trust
// checks are documented on AuthenticateChallengeReply.
//
// NOTE(review): |verification_time| is a duration rather than a time_point;
// presumably it is the time to validate at, expressed as seconds since the
// Unix epoch - confirm against the implementation and callers.
openscreen::Error VerifyTLSCertificateValidity(
    X509* peer_cert,
    std::chrono::seconds verification_time);

// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
//
// Returns the device certificate policy on success, or an error.
//
// NOTE(review): |enforce_revocation_checking| and |enforce_sha256_checking|
// both default to false, so a caller that omits them gets the non-enforcing
// behaviour for both checks. What is accepted in that mode is defined in the
// implementation, not in this header; confirm that production callers pass
// the values they intend rather than inheriting the defaults.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const AuthResponse& response,
    const std::string& signature_input,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);

// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying
// the crl policy, trust stores, and verification times.
//
// Because the caller supplies the trust stores and the verification time, a
// result from this function reflects those inputs and not the defaults that
// VerifyCredentials uses; it is declared in the same header as the production
// entry points, so nothing here prevents non-test code from calling it.
//
// NOTE(review): |cast_trust_store| and |crl_trust_store| are raw pointers;
// whether null is allowed (for example to select a built-in store) is not
// visible in this header - confirm against the implementation.
// |enforce_sha256_checking| defaults to false, as in VerifyCredentials.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const AuthResponse& response,
    const std::string& signature_input,
    certificate::CRLPolicy crl_policy,
    certificate::TrustStore* cast_trust_store,
    certificate::TrustStore* crl_trust_store,
    const certificate::DateTime& verification_time,
    bool enforce_sha256_checking = false);

}  // namespace channel
}  // namespace cast

#endif  // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_