| OLD | NEW |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/macros.h" | 10 #include "base/macros.h" |
| 11 #include "base/strings/string_number_conversions.h" | 11 #include "base/strings/string_number_conversions.h" |
| 12 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
| 13 #include "components/cast_certificate/cast_cert_validator.h" | 13 #include "components/cast_certificate/cast_cert_validator.h" |
| 14 #include "components/cast_certificate/cast_crl.h" |
| 14 #include "extensions/browser/api/cast_channel/cast_message_util.h" | 15 #include "extensions/browser/api/cast_channel/cast_message_util.h" |
| 15 #include "extensions/common/api/cast_channel/cast_channel.pb.h" | 16 #include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| 16 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
| 17 #include "net/der/parse_values.h" | 18 #include "net/der/parse_values.h" |
| 18 | 19 |
| 19 namespace extensions { | 20 namespace extensions { |
| 20 namespace api { | 21 namespace api { |
| 21 namespace cast_channel { | 22 namespace cast_channel { |
| 22 namespace { | 23 namespace { |
| 23 | 24 |
| 24 const char* const kParseErrorPrefix = "Failed to parse auth message: "; | 25 const char* const kParseErrorPrefix = "Failed to parse auth message: "; |
| 25 | 26 |
| 26 // The maximum number of days a cert can live for. | 27 // The maximum number of days a cert can live for. |
| 27 const int kMaxSelfSignedCertLifetimeInDays = 4; | 28 const int kMaxSelfSignedCertLifetimeInDays = 4; |
| 28 | 29 |
| 30 // Enforce certificate revocation when set to true. |
| 31 // If set to false, then any revocation failures are ignored. |
| 32 // |
| 33 // This flag tracks the changes necessary to fully enforce revocation. |
| 34 // Flip this flag to true when the Cast certificate revocation feature |
| 35 // is rolled out. |
| 36 const bool kEnforceRevocationCheck = false; |
| 37 |
| 29 namespace cast_crypto = ::cast_certificate; | 38 namespace cast_crypto = ::cast_certificate; |
| 30 | 39 |
| 31 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply | 40 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply |
| 32 // message. | 41 // message. |
| 33 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, | 42 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, |
| 34 DeviceAuthMessage* auth_message) { | 43 DeviceAuthMessage* auth_message) { |
| 35 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { | 44 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { |
| 36 return AuthResult::CreateWithParseError( | 45 return AuthResult::CreateWithParseError( |
| 37 "Wrong payload type in challenge reply", | 46 "Wrong payload type in challenge reply", |
| 38 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); | 47 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 123 } | 132 } |
| 124 | 133 |
| 125 const AuthResponse& response = auth_message.response(); | 134 const AuthResponse& response = auth_message.response(); |
| 126 return VerifyCredentials(response, peer_cert_der); | 135 return VerifyCredentials(response, peer_cert_der); |
| 127 } | 136 } |
| 128 | 137 |
| 129 // This function does the following | 138 // This function does the following |
| 130 // | 139 // |
| 131 // * Verifies that the certificate chain |response.client_auth_certificate| + | 140 // * Verifies that the certificate chain |response.client_auth_certificate| + |
| 132 // |response.intermediate_certificate| is valid and chains to a trusted | 141 // |response.intermediate_certificate| is valid and chains to a trusted |
| 133 // Cast root. | 142 // Cast root. The list of trusted Cast roots can be overrided by providing a |
| 143 // non-nullptr |cast_trust_store|. The certificate is verified at |
| 144 // |cert_verification_time|. |
| 145 // |
| 146 // * Verifies that none of the certificates in the chain are revoked based on |
| 147 // the CRL provided in the response |response.crl|. The CRL is verified to be |
| 148 // valid and its issuer certificate chains to a trusted Cast CRL root. The |
| 149 // list of trusted Cast CRL roots can be overrided by providing a non-nullptr |
| 150 // |crl_trust_store|. If |crl_policy| is CRL_OPTIONAL then the result of |
| 151 // revocation checking is ignored. The CRL is verified at |
| 152 // |crl_verification_time|. |
| 134 // | 153 // |
| 135 // * Verifies that |response.signature| matches the signature | 154 // * Verifies that |response.signature| matches the signature |
| 136 // of |signature_input| by |response.client_auth_certificate|'s public | 155 // of |signature_input| by |response.client_auth_certificate|'s public |
| 137 // key. | 156 // key. |
| 138 AuthResult VerifyCredentials(const AuthResponse& response, | 157 AuthResult VerifyCredentialsImpl(const AuthResponse& response, |
| 139 const std::string& signature_input) { | 158 const std::string& signature_input, |
| 159 const cast_crypto::CRLPolicy& crl_policy, |
| 160 net::TrustStore* cast_trust_store, |
| 161 net::TrustStore* crl_trust_store, |
| 162 const base::Time& cert_verification_time, |
| 163 const base::Time& crl_verification_time) { |
| 140 // Verify the certificate | 164 // Verify the certificate |
| 141 std::unique_ptr<cast_crypto::CertVerificationContext> verification_context; | 165 std::unique_ptr<cast_crypto::CertVerificationContext> verification_context; |
| 142 | 166 |
| 143 // Build a single vector containing the certificate chain. | 167 // Build a single vector containing the certificate chain. |
| 144 std::vector<std::string> cert_chain; | 168 std::vector<std::string> cert_chain; |
| 145 cert_chain.push_back(response.client_auth_certificate()); | 169 cert_chain.push_back(response.client_auth_certificate()); |
| 146 cert_chain.insert(cert_chain.end(), | 170 cert_chain.insert(cert_chain.end(), |
| 147 response.intermediate_certificate().begin(), | 171 response.intermediate_certificate().begin(), |
| 148 response.intermediate_certificate().end()); | 172 response.intermediate_certificate().end()); |
| 149 | 173 |
| 150 // Use the current time when checking certificate validity. | 174 // Parse the CRL. |
| 151 base::Time now = base::Time::Now(); | 175 std::unique_ptr<cast_crypto::CastCRL> crl = |
| 152 | 176 cast_crypto::ParseAndVerifyCRLUsingCustomTrustStore( |
| 153 // CRL should not be enforced until it is served. | 177 response.crl(), crl_verification_time, crl_trust_store); |
| 154 cast_crypto::CastDeviceCertPolicy device_policy; | 178 if (!crl && crl_policy == cast_crypto::CRLPolicy::CRL_REQUIRED) { |
| 155 if (!cast_crypto::VerifyDeviceCert( | 179 // CRL is invalid. |
| 156 cert_chain, now, &verification_context, &device_policy, nullptr, | 180 return AuthResult("Failed verifying Cast CRL.", |
| 157 cast_certificate::CRLPolicy::CRL_OPTIONAL)) { | 181 AuthResult::ERROR_CRL_INVALID); |
| 158 // TODO(eroman): The error information was lost; this error is ambiguous. | |
| 159 return AuthResult("Failed verifying cast device certificate", | |
| 160 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); | |
| 161 } | 182 } |
| 162 | 183 |
| 184 cast_crypto::CastDeviceCertPolicy device_policy; |
| 185 bool verification_success = |
| 186 cast_crypto::VerifyDeviceCertUsingCustomTrustStore( |
| 187 cert_chain, cert_verification_time, &verification_context, |
| 188 &device_policy, crl.get(), crl_policy, cast_trust_store); |
| 189 if (!verification_success) { |
| 190 // TODO(ryanchung): Once this feature is completely rolled-out, remove the |
| 191 // reverification step and use error reporting to get verification errors |
| 192 // for metrics. |
| 193 bool verification_no_crl_success = |
| 194 cast_crypto::VerifyDeviceCertUsingCustomTrustStore( |
| 195 cert_chain, cert_verification_time, &verification_context, |
| 196 &device_policy, nullptr, cast_crypto::CRLPolicy::CRL_OPTIONAL, |
| 197 cast_trust_store); |
| 198 if (!verification_no_crl_success) { |
| 199 // TODO(eroman): The error information was lost; this error is ambiguous. |
| 200 return AuthResult("Failed verifying cast device certificate", |
| 201 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); |
| 202 } |
| 203 if (crl_policy == cast_crypto::CRLPolicy::CRL_REQUIRED) { |
| 204 // Device is revoked. |
| 205 return AuthResult("Failed certificate revocation check.", |
| 206 AuthResult::ERROR_CERT_REVOKED); |
| 207 } |
| 208 } |
| 163 if (!verification_context->VerifySignatureOverData(response.signature(), | 209 if (!verification_context->VerifySignatureOverData(response.signature(), |
| 164 signature_input)) { | 210 signature_input)) { |
| 165 return AuthResult("Failed verifying signature over data", | 211 return AuthResult("Failed verifying signature over data", |
| 166 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH); | 212 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH); |
| 167 } | 213 } |
| 168 | 214 |
| 169 AuthResult success; | 215 AuthResult success; |
| 170 | 216 |
| 171 // Set the policy into the result. | 217 // Set the policy into the result. |
| 172 switch (device_policy) { | 218 switch (device_policy) { |
| 173 case cast_crypto::CastDeviceCertPolicy::AUDIO_ONLY: | 219 case cast_crypto::CastDeviceCertPolicy::AUDIO_ONLY: |
| 174 success.channel_policies = AuthResult::POLICY_AUDIO_ONLY; | 220 success.channel_policies = AuthResult::POLICY_AUDIO_ONLY; |
| 175 break; | 221 break; |
| 176 case cast_crypto::CastDeviceCertPolicy::NONE: | 222 case cast_crypto::CastDeviceCertPolicy::NONE: |
| 177 success.channel_policies = AuthResult::POLICY_NONE; | 223 success.channel_policies = AuthResult::POLICY_NONE; |
| 178 break; | 224 break; |
| 179 } | 225 } |
| 180 | 226 |
| 181 return success; | 227 return success; |
| 182 } | 228 } |
| 183 | 229 |
| 230 AuthResult VerifyCredentials(const AuthResponse& response, |
| 231 const std::string& signature_input) { |
| 232 base::Time now = base::Time::Now(); |
| 233 cast_crypto::CRLPolicy policy = cast_crypto::CRLPolicy::CRL_REQUIRED; |
| 234 if (!kEnforceRevocationCheck) { |
| 235 policy = cast_crypto::CRLPolicy::CRL_OPTIONAL; |
| 236 } |
| 237 return VerifyCredentialsImpl(response, signature_input, policy, nullptr, |
| 238 nullptr, now, now); |
| 239 } |
| 240 |
| 241 AuthResult VerifyCredentialsForTest(const AuthResponse& response, |
| 242 const std::string& signature_input, |
| 243 const cast_crypto::CRLPolicy& crl_policy, |
| 244 net::TrustStore* cast_trust_store, |
| 245 net::TrustStore* crl_trust_store, |
| 246 const base::Time& cert_verification_time, |
| 247 const base::Time& crl_verification_time) { |
| 248 return VerifyCredentialsImpl(response, signature_input, crl_policy, |
| 249 cast_trust_store, crl_trust_store, |
| 250 cert_verification_time, crl_verification_time); |
| 251 } |
| 252 |
| 184 } // namespace cast_channel | 253 } // namespace cast_channel |
| 185 } // namespace api | 254 } // namespace api |
| 186 } // namespace extensions | 255 } // namespace extensions |
| OLD | NEW |