Chromium Code Reviews Chromium Code Reviews
Issue 2709523008:
[Cast Channel] Add support for nonce challenge to Cast channel authentication. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/feature_list.h" | 9 #include "base/feature_list.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 31 | 31 |
| 32 // Enforce certificate revocation when enabled. | 32 // Enforce certificate revocation when enabled. |
| 33 // If disabled, any revocation failures are ignored. | 33 // If disabled, any revocation failures are ignored. |
| 34 // | 34 // |
| 35 // This flags only controls the enforcement. Revocation is checked regardless. | 35 // This flags only controls the enforcement. Revocation is checked regardless. |
| 36 // | 36 // |
| 37 // This flag tracks the changes necessary to fully enforce revocation. | 37 // This flag tracks the changes necessary to fully enforce revocation. |
| 38 const base::Feature kEnforceRevocationChecking{ | 38 const base::Feature kEnforceRevocationChecking{ |
| 39 "CastCertificateRevocation", base::FEATURE_DISABLED_BY_DEFAULT}; | 39 "CastCertificateRevocation", base::FEATURE_DISABLED_BY_DEFAULT}; |
| 40 | 40 |
| 41 // Enforce nonce checking when enabled. | |
| 42 // If disabled, the nonce value returned from the device is not checked against | |
| 43 // the one sent to the device. As a result, the nonce can be empty and omitted | |
| 44 // from the signature. This allows backwards compatibility with legacy Cast | |
| 45 // receivers. | |
| 46 | |
| 47 const base::Feature kEnforceNonceChecking{"CastNonceEnforced", | |
| 48 base::FEATURE_DISABLED_BY_DEFAULT}; | |
| 49 | |
| 41 namespace cast_crypto = ::cast_certificate; | 50 namespace cast_crypto = ::cast_certificate; |
| 42 | 51 |
| 43 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply | 52 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply |
| 44 // message. | 53 // message. |
| 45 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, | 54 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, |
| 46 DeviceAuthMessage* auth_message) { | 55 DeviceAuthMessage* auth_message) { |
| 47 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { | 56 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { |
| 48 return AuthResult::CreateWithParseError( | 57 return AuthResult::CreateWithParseError( |
| 49 "Wrong payload type in challenge reply", | 58 "Wrong payload type in challenge reply", |
| 50 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); | 59 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); |
| (...skipping 27 matching lines...) Expand all Loading... | |
| 78 // Must match with histogram enum CastCertificateStatus. | 87 // Must match with histogram enum CastCertificateStatus. |
| 79 // This should never be reordered. | 88 // This should never be reordered. |
| 80 enum CertVerificationStatus { | 89 enum CertVerificationStatus { |
| 81 CERT_STATUS_OK, | 90 CERT_STATUS_OK, |
| 82 CERT_STATUS_INVALID_CRL, | 91 CERT_STATUS_INVALID_CRL, |
| 83 CERT_STATUS_VERIFICATION_FAILED, | 92 CERT_STATUS_VERIFICATION_FAILED, |
| 84 CERT_STATUS_REVOKED, | 93 CERT_STATUS_REVOKED, |
| 85 CERT_STATUS_COUNT, | 94 CERT_STATUS_COUNT, |
| 86 }; | 95 }; |
| 87 | 96 |
| 97 enum NonceVerificationStatus { | |
| 98 NONCE_MATCH, | |
| 99 NONCE_MISMATCH, | |
| 100 NONCE_MISSING, | |
| 101 NONCE_COUNT, | |
| 102 }; | |
| 103 | |
| 88 } // namespace | 104 } // namespace |
| 89 | 105 |
| 90 AuthResult::AuthResult() | 106 AuthResult::AuthResult() |
| 91 : error_type(ERROR_NONE), channel_policies(POLICY_NONE) {} | 107 : error_type(ERROR_NONE), channel_policies(POLICY_NONE) {} |
| 92 | 108 |
| 93 AuthResult::AuthResult(const std::string& error_message, ErrorType error_type) | 109 AuthResult::AuthResult(const std::string& error_message, ErrorType error_type) |
| 94 : error_message(error_message), error_type(error_type) {} | 110 : error_message(error_message), error_type(error_type) {} |
| 95 | 111 |
| 96 AuthResult::~AuthResult() { | 112 AuthResult::~AuthResult() { |
| 97 } | 113 } |
| 98 | 114 |
| 99 // static | 115 // static |
| 100 AuthResult AuthResult::CreateWithParseError(const std::string& error_message, | 116 AuthResult AuthResult::CreateWithParseError(const std::string& error_message, |
| 101 ErrorType error_type) { | 117 ErrorType error_type) { |
| 102 return AuthResult(kParseErrorPrefix + error_message, error_type); | 118 return AuthResult(kParseErrorPrefix + error_message, error_type); |
| 103 } | 119 } |
| 104 | 120 |
| 105 AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, | 121 AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, |
| 106 const net::X509Certificate& peer_cert) { | 122 const net::X509Certificate& peer_cert, |
| 123 const std::string& nonce) { | |
| 107 DeviceAuthMessage auth_message; | 124 DeviceAuthMessage auth_message; |
| 108 AuthResult result = ParseAuthMessage(challenge_reply, &auth_message); | 125 AuthResult result = ParseAuthMessage(challenge_reply, &auth_message); |
| 109 if (!result.success()) { | 126 if (!result.success()) { |
| 110 return result; | 127 return result; |
| 111 } | 128 } |
| 112 | 129 |
| 113 // Get the DER-encoded form of the certificate. | 130 // Get the DER-encoded form of the certificate. |
| 114 std::string peer_cert_der; | 131 std::string peer_cert_der; |
| 115 if (!net::X509Certificate::GetDEREncoded(peer_cert.os_cert_handle(), | 132 if (!net::X509Certificate::GetDEREncoded(peer_cert.os_cert_handle(), |
| 116 &peer_cert_der) || | 133 &peer_cert_der) || |
| (...skipping 21 matching lines...) Expand all Loading... | |
| 138 return AuthResult::CreateWithParseError("Certificate has expired.", | 155 return AuthResult::CreateWithParseError("Certificate has expired.", |
| 139 AuthResult::ERROR_TLS_CERT_EXPIRED); | 156 AuthResult::ERROR_TLS_CERT_EXPIRED); |
| 140 } | 157 } |
| 141 if (expiry > lifetime_limit) { | 158 if (expiry > lifetime_limit) { |
| 142 return AuthResult::CreateWithParseError( | 159 return AuthResult::CreateWithParseError( |
| 143 "Peer cert lifetime is too long.", | 160 "Peer cert lifetime is too long.", |
| 144 AuthResult::ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG); | 161 AuthResult::ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG); |
| 145 } | 162 } |
| 146 | 163 |
| 147 const AuthResponse& response = auth_message.response(); | 164 const AuthResponse& response = auth_message.response(); |
| 148 return VerifyCredentials(response, peer_cert_der); | 165 |
| 166 if (nonce != response.sender_nonce()) { | |
| 167 if (response.sender_nonce().empty()) { | |
|
mark a. foltz
2017/02/27 23:04:31
It seems like you should only be collecting metric
ryanchung
2017/03/01 20:09:47
We want to be able to see the impact on the user e
| |
| 168 UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISSING, | |
| 169 NONCE_COUNT); | |
| 170 } else { | |
| 171 UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISMATCH, | |
| 172 NONCE_COUNT); | |
| 173 } | |
| 174 if (base::FeatureList::IsEnabled(kEnforceNonceChecking)) { | |
| 175 return AuthResult("Sender nonce mismatched.", | |
| 176 AuthResult::ERROR_SENDER_NONCE_MISMATCH); | |
| 177 } | |
| 178 } else { | |
| 179 UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MATCH, NONCE_COUNT); | |
| 180 } | |
| 181 | |
| 182 return VerifyCredentials(response, nonce + peer_cert_der); | |
|
mark a. foltz
2017/02/27 23:04:31
Don't you want to conditionally include |nonce| in
ryanchung
2017/03/01 20:09:47
I should be using response.sender_nonce() here ins
| |
| 149 } | 183 } |
| 150 | 184 |
| 151 // This function does the following | 185 // This function does the following |
| 152 // | 186 // |
| 153 // * Verifies that the certificate chain |response.client_auth_certificate| + | 187 // * Verifies that the certificate chain |response.client_auth_certificate| + |
| 154 // |response.intermediate_certificate| is valid and chains to a trusted | 188 // |response.intermediate_certificate| is valid and chains to a trusted |
| 155 // Cast root. The list of trusted Cast roots can be overrided by providing a | 189 // Cast root. The list of trusted Cast roots can be overrided by providing a |
| 156 // non-nullptr |cast_trust_store|. The certificate is verified at | 190 // non-nullptr |cast_trust_store|. The certificate is verified at |
| 157 // |verification_time|. | 191 // |verification_time|. |
| 158 // | 192 // |
| (...skipping 113 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 272 net::TrustStore* crl_trust_store, | 306 net::TrustStore* crl_trust_store, |
| 273 const base::Time& verification_time) { | 307 const base::Time& verification_time) { |
| 274 return VerifyCredentialsImpl(response, signature_input, crl_policy, | 308 return VerifyCredentialsImpl(response, signature_input, crl_policy, |
| 275 cast_trust_store, crl_trust_store, | 309 cast_trust_store, crl_trust_store, |
| 276 verification_time); | 310 verification_time); |
| 277 } | 311 } |
| 278 | 312 |
| 279 } // namespace cast_channel | 313 } // namespace cast_channel |
| 280 } // namespace api | 314 } // namespace api |
| 281 } // namespace extensions | 315 } // namespace extensions |
| OLD | NEW |
