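--- a/components/cast_certificate/cast_cert_validator.h
+++ b/components/cast_certificate/cast_cert_validator.h
@@ -1,37 +1,47 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef COMPONENTS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_
 #define COMPONENTS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_
 
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/macros.h"
 #include "base/strings/string_piece.h"
 #include "base/time/time.h"
 
 namespace cast_certificate {
 
+class CastCRL;
+
 // Describes the policy for a Device certificate.
 enum class CastDeviceCertPolicy {
   // The device certificate is unrestricted.
   NONE,
 
   // The device certificate is for an audio-only device.
   AUDIO_ONLY,
 };
 
+enum class CRLPolicy {
+  // Revocation is only checked if a CRL is provided.
+  CRL_OPTIONAL,
+
+  // Revocation is always checked. A missing CRL results in failure.
+  CRL_REQUIRED,
+};
+
 // An object of this type is returned by the VerifyDeviceCert function, and can
 // be used for additional certificate-related operations, using the verified
 // certificate.
 class CertVerificationContext {
  public:
   CertVerificationContext() {}
   virtual ~CertVerificationContext() {}
 
   // Use the public key from the verified certificate to verify a
   // sha1WithRSAEncryption |signature| over arbitrary |data|. Both |signature|
@@ -51,49 +61,54 @@
 
 // Verifies a cast device certficate given a chain of DER-encoded certificates.
 //
 // Inputs:
 //
 // * |certs| is a chain of DER-encoded certificates:
 //   * |certs[0]| is the target certificate (i.e. the device certificate).
 //   * |certs[1..n-1]| are intermediates certificates to use in path building.
 //     Their ordering does not matter.
 //
-// * |time| is the UTC time to use for determining if the certificate
+// * |time| is the unix timestamp to use for determining if the certificate
 //   is expired.
 //
+// * |crl| is the CRL to check for certificate revocation status.
+//   If this is a nullptr, then revocation checking is currently disabled.
+//
+// * |crl_options| is for choosing how to handle the absence of a CRL.
+//   If crl_required is set to true, then an empty |crl| input would result
+//   in a failed verification. Otherwise, |crl| is ignored if it is absent.
+//
 // Outputs:
 //
 // Returns true on success, false on failure. On success the output
 // parameters are filled with more details:
 //
 // * |context| is filled with an object that can be used to verify signatures
 //   using the device certificate's public key, as well as to extract other
 //   properties from the device certificate (Common Name).
 // * |policy| is filled with an indication of the device certificate's policy
 //   (i.e. is it for audio-only devices or is it unrestricted?)
 bool VerifyDeviceCert(const std::vector<std::string>& certs,
-                      const base::Time::Exploded& time,
+                      const base::Time& time,
                       std::unique_ptr<CertVerificationContext>* context,
-                      CastDeviceCertPolicy* policy) WARN_UNUSED_RESULT;
+                      CastDeviceCertPolicy* policy,
+                      const CastCRL* crl,
+                      CRLPolicy crl_policy) WARN_UNUSED_RESULT;
 
 // Exposed only for unit-tests, not for use in production code.
 // Production code would get a context from VerifyDeviceCert().
 //
 // Constructs a VerificationContext that uses the provided public key.
 // The common name will be hardcoded to some test value.
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki);
 
 // Exposed only for testing, not for use in production code.
 //
-// Injects trusted root certificates into the CastTrustStore.
-// |data| must remain valid and not be mutated throughout the lifetime of
-// the program.
-// Warning: Using this function concurrently with VerifyDeviceCert()
-// is not thread safe.
-bool AddTrustAnchorForTest(const uint8_t* data,
-                           size_t length) WARN_UNUSED_RESULT;
+// Replaces trusted root certificates in the CastTrustStore.
+// Returns true if successful, false if nothing is changed.
+bool SetTrustAnchorForTest(const std::string& cert) WARN_UNUSED_RESULT;
 
 }  // namespace cast_certificate
 
 #endif  // COMPONENTS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_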
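Review bot: The new VerifyDeviceCert documentation (new lines 74-79) describes the revocation parameters under names that do not exist in the signature — `|crl_options|` and `crl_required` — while the declaration takes `CRLPolicy crl_policy` with values `CRL_OPTIONAL`/`CRL_REQUIRED`; the sentence "If this is a nullptr, then revocation checking is currently disabled" also contradicts `CRL_REQUIRED`, whose own comment says a missing CRL results in failure, so a reader could conclude a null CRL always fails open. Suggested replacement: `// * |crl| is the CRL to check for certificate revocation status. May be nullptr.` followed by `// * |crl_policy| selects how a null |crl| is handled: CRL_REQUIRED makes verification fail, CRL_OPTIONAL skips revocation checking.` In the same spirit, `|time| is the unix timestamp` (new line 71) is misleading now that the parameter is a `base::Time` rather than an integer; the removed wording "UTC time" matched the type better. Separately, SetTrustAnchorForTest (new line 110) drops the "not thread safe with VerifyDeviceCert()" warning that AddTrustAnchorForTest carried even though it still mutates the shared CastTrustStore; unless the implementation (not visible in this header) added synchronization, that warning should be carried over, together with a note on whether the previously installed anchors are discarded by "Replaces".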