[Cast Channel] Add support for nonce challenge to Cast channel authentication.

extensions/browser/api/cast_channel/cast_auth_util.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 
 #include <vector>
 
 #include "base/feature_list.h"
 #include "base/logging.h"
@@ skipping 20 matching lines @@
 
 // Enforce certificate revocation when enabled.
 // If disabled, any revocation failures are ignored.
 //
 // This flags only controls the enforcement. Revocation is checked regardless.
 //
 // This flag tracks the changes necessary to fully enforce revocation.
 const base::Feature kEnforceRevocationChecking{
     "CastCertificateRevocation", base::FEATURE_DISABLED_BY_DEFAULT};
 
+// Enforce nonce checking when enabled.
+// If disabled, the nonce value returned from the device is not checked against
+// the one sent to the device. As a result, the nonce can be empty and omitted
+// from the signature. This allows backwards compatibility with legacy Cast
+// receivers.
+
+const base::Feature kEnforceNonceChecking{"CastNonceEnforced",
+                                          base::FEATURE_DISABLED_BY_DEFAULT};
+
 namespace cast_crypto = ::cast_certificate;
 
 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply
 // message.
 AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
                             DeviceAuthMessage* auth_message) {
   if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) {
     return AuthResult::CreateWithParseError(
         "Wrong payload type in challenge reply",
         AuthResult::ERROR_WRONG_PAYLOAD_TYPE);
@@ skipping 27 matching lines @@
 // Must match with histogram enum CastCertificateStatus.
 // This should never be reordered.
 enum CertVerificationStatus {
   CERT_STATUS_OK,
   CERT_STATUS_INVALID_CRL,
   CERT_STATUS_VERIFICATION_FAILED,
   CERT_STATUS_REVOKED,
   CERT_STATUS_COUNT,
 };
 
+enum NonceVerificationStatus {
+  NONCE_MATCH,
+  NONCE_MISMATCH,
+  NONCE_MISSING,
+  NONCE_COUNT,
+};
+
 }  // namespace
 
 AuthResult::AuthResult()
     : error_type(ERROR_NONE), channel_policies(POLICY_NONE) {}
 
 AuthResult::AuthResult(const std::string& error_message, ErrorType error_type)
     : error_message(error_message), error_type(error_type) {}
 
 AuthResult::~AuthResult() {
 }
 
 // static
 AuthResult AuthResult::CreateWithParseError(const std::string& error_message,
                                             ErrorType error_type) {
   return AuthResult(kParseErrorPrefix + error_message, error_type);
 }
 
-AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
-                                      const net::X509Certificate& peer_cert) {
-  DeviceAuthMessage auth_message;
-  AuthResult result = ParseAuthMessage(challenge_reply, &auth_message);
-  if (!result.success()) {
-    return result;
-  }
-
+// Verifies the peer certificate and populates |peer_cert_der| with the DER
+// encoded certificate.
+AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,
+                                std::string* peer_cert_der,
+                                const base::Time& verification_time) {
   // Get the DER-encoded form of the certificate.
-  std::string peer_cert_der;
   if (!net::X509Certificate::GetDEREncoded(peer_cert.os_cert_handle(),
-                                           &peer_cert_der) ||
-      peer_cert_der.empty()) {
+                                           peer_cert_der) ||
+      peer_cert_der->empty()) {
     return AuthResult::CreateWithParseError(
         "Could not create DER-encoded peer cert.",
         AuthResult::ERROR_CERT_PARSING_FAILED);
   }
 
   // Ensure the peer cert is valid and doesn't have an excessive remaining
   // lifetime. Although it is not verified as an X.509 certificate, the entire
   // structure is signed by the AuthResponse, so the validity field from X.509
   // is repurposed as this signature's expiration.
   base::Time expiry = peer_cert.valid_expiry();
   base::Time lifetime_limit =
-      base::Time::Now() +
+      verification_time +
       base::TimeDelta::FromDays(kMaxSelfSignedCertLifetimeInDays);
   if (peer_cert.valid_start().is_null() ||
-      peer_cert.valid_start() > base::Time::Now()) {
+      peer_cert.valid_start() > verification_time) {
     return AuthResult::CreateWithParseError(
         "Certificate's valid start date is in the future.",
         AuthResult::ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE);
   }
-  if (expiry.is_null() || peer_cert.HasExpired()) {
+  if (expiry.is_null() || peer_cert.valid_expiry() < verification_time) {
     return AuthResult::CreateWithParseError("Certificate has expired.",
                                             AuthResult::ERROR_TLS_CERT_EXPIRED);
   }
   if (expiry > lifetime_limit) {
     return AuthResult::CreateWithParseError(
         "Peer cert lifetime is too long.",
         AuthResult::ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG);
   }
+  return AuthResult();
+}
+
+// Verifies the nonce received in the response is equivalent to the one sent.
+AuthResult VerifySenderNonce(const std::string& nonce,
+                             const std::string& nonce_response) {
+  if (nonce != nonce_response) {
+    if (nonce_response.empty()) {
+      UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISSING,
+                                NONCE_COUNT);
+    } else {
+      UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISMATCH,
+                                NONCE_COUNT);
+    }
+    if (base::FeatureList::IsEnabled(kEnforceNonceChecking)) {
+      return AuthResult("Sender nonce mismatched.",
+                        AuthResult::ERROR_SENDER_NONCE_MISMATCH);
+    }
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MATCH, NONCE_COUNT);
+  }
+  return AuthResult();
+}
+
+AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
+                                      const net::X509Certificate& peer_cert,
+                                      const std::string& nonce) {
+  DeviceAuthMessage auth_message;
+  AuthResult result = ParseAuthMessage(challenge_reply, &auth_message);
+  if (!result.success()) {
+    return result;
+  }
+
+  std::string peer_cert_der;
+  result = VerifyTLSCertificate(peer_cert, &peer_cert_der, base::Time::Now());
+  if (!result.success()) {
+    return result;
+  }
 
   const AuthResponse& response = auth_message.response();
-  return VerifyCredentials(response, peer_cert_der);
+  const std::string& nonce_response = response.sender_nonce();
+
+  result = VerifySenderNonce(nonce, nonce_response);
+  if (!result.success()) {
+    return result;
+  }
+
+  return VerifyCredentials(response, nonce_response + peer_cert_der);
 }
 
 // This function does the following
 //
 // * Verifies that the certificate chain |response.client_auth_certificate| +
 //   |response.intermediate_certificate| is valid and chains to a trusted
 //   Cast root. The list of trusted Cast roots can be overrided by providing a
 //   non-nullptr |cast_trust_store|. The certificate is verified at
 //   |verification_time|.
 //
@@ skipping 113 matching lines @@
                                     net::TrustStore* crl_trust_store,
                                     const base::Time& verification_time) {
   return VerifyCredentialsImpl(response, signature_input, crl_policy,
                                cast_trust_store, crl_trust_store,
                                verification_time);
 }
 
 }  // namespace cast_channel
 }  // namespace api
 }  // namespace extensions