// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#include <openssl/x509.h>

#include <chrono>
#include <cstdint>
#include <string>
#include <vector>

#include "cast/common/certificate/cast_cert_validator.h"
#include "platform/base/error.h"
// Forward declarations of the channel protocol message types that the
// functions in this header take by const reference; the full definitions are
// not needed here.
namespace cast {
namespace channel {
class AuthResponse;
class CastMessage;
}  // namespace channel
}  // namespace cast
namespace openscreen {
namespace cast {

// Opaque/forward declarations of the certificate-validation types that only
// the test-only overloads below take (CRLPolicy by value, TrustStore by
// pointer, DateTime by const reference).
enum class CRLPolicy;
struct DateTime;
struct TrustStore;

// Holds the nonce sent in a sender-side auth challenge so that the reply can
// later be checked against it. Instances are created only through Create().
class AuthContext {
 public:
  ~AuthContext();

  // Get an auth challenge context.
  // The same context must be used in the challenge and reply.
  // NOTE(review): the nonce is generated in the implementation (.cc); its
  // source of randomness and length are not visible in this header — confirm
  // there that it is unpredictable, since the nonce is what ties a reply to
  // this specific challenge.
  static AuthContext Create();

  // Verifies the nonce received in the response is equivalent to the one sent.
  // Returns success if |nonce_response| matches nonce_.
  // |enforce_nonce_checking| defaults to false. NOTE(review): what a mismatch
  // yields when the flag is false is decided by the implementation and is not
  // visible here — callers relying on the nonce for replay protection should
  // confirm that behaviour (or pass true) rather than assume the default
  // rejects a mismatch.
  Error VerifySenderNonce(const std::string& nonce_response,
                          bool enforce_nonce_checking = false) const;

  // The nonce challenge.
  const std::string& nonce() const { return nonce_; }

 private:
  explicit AuthContext(const std::string& nonce);

  const std::string nonce_;
};

// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. Certificate used to sign is rooted to a trusted CA.
// |peer_cert| is the TLS peer certificate; presumably non-owning, so the
// caller keeps it alive for the duration of the call — confirm against the
// callers. |auth_context| is the context whose nonce was sent in the
// challenge. Returns the CastDeviceCertPolicy established during verification,
// or an Error if any check fails.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context);

// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy, trust stores, and verification times. Because |cast_trust_store|
// and |crl_trust_store| let the caller substitute the roots that the
// signing certificate is checked against, production code must call
// AuthenticateChallengeReply instead of this overload.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time);

// Performs a quick check of the TLS certificate for time validity requirements.
// |verification_time| is a std::chrono::seconds value; presumably seconds since
// the Unix epoch — confirm against the caller before constructing one.
Error VerifyTLSCertificateValidity(X509* peer_cert,
                                   std::chrono::seconds verification_time);

// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
// Both enforcement flags default to false, i.e. revocation (CRL) checking and
// the SHA-256 requirement are opt-in at this layer. NOTE(review): what is
// accepted when they are false (e.g. which digest algorithms) is decided in
// the implementation and not visible here — confirm before relying on the
// defaults.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);

// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy,
// trust stores, and verification times. As with AuthenticateChallengeReplyForTest,
// the injected trust stores replace the roots used for chain validation, so
// this overload is not for production callers.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time,
    bool enforce_sha256_checking = false);

}  // namespace cast
}  // namespace openscreen
#endif // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_