[Cast Channel] Add support for nonce challenge to Cast channel authentication.

extensions/browser/api/cast_channel/cast_auth_util.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 
 #include <vector>
 
 #include "base/feature_list.h"
 #include "base/logging.h"
 #include "base/macros.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "components/cast_certificate/cast_cert_validator.h"
 #include "components/cast_certificate/cast_crl.h"
+#include "crypto/random.h"
 #include "extensions/browser/api/cast_channel/cast_message_util.h"
 #include "extensions/common/api/cast_channel/cast_channel.pb.h"
 #include "net/cert/x509_certificate.h"
 #include "net/der/parse_values.h"
 
 namespace extensions {
 namespace api {
 namespace cast_channel {
 namespace {
 
 const char kParseErrorPrefix[] = "Failed to parse auth message: ";
 
 // The maximum number of days a cert can live for.
 const int kMaxSelfSignedCertLifetimeInDays = 4;
 
+// The size of the nonce challenge in bytes.
+const int kNonceSizeInBytes = 16;
+
+// The number of hours after which a nonce is regenerated.
+long kNonceExpirationTimeInHours = 24;
+
 // Enforce certificate revocation when enabled.
 // If disabled, any revocation failures are ignored.
 //
 // This flags only controls the enforcement. Revocation is checked regardless.
 //
 // This flag tracks the changes necessary to fully enforce revocation.
 const base::Feature kEnforceRevocationChecking{
     "CastCertificateRevocation", base::FEATURE_DISABLED_BY_DEFAULT};
 
+// Enforce nonce checking when enabled.
+// If disabled, the nonce value returned from the device is not checked against
+// the one sent to the device. As a result, the nonce can be empty and omitted
+// from the signature. This allows backwards compatibility with legacy Cast
+// receivers.
+
+const base::Feature kEnforceNonceChecking{"CastNonceEnforced",
+                                          base::FEATURE_DISABLED_BY_DEFAULT};
+
 namespace cast_crypto = ::cast_certificate;
 
 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply
 // message.
 AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
                             DeviceAuthMessage* auth_message) {
   if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) {
     return AuthResult::CreateWithParseError(
         "Wrong payload type in challenge reply",
         AuthResult::ERROR_WRONG_PAYLOAD_TYPE);
@@ skipping 17 matching lines @@
             base::IntToString(auth_message->error().error_type()),
         AuthResult::ERROR_MESSAGE_ERROR);
   }
   if (!auth_message->has_response()) {
     return AuthResult::CreateWithParseError(
         "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE);
   }
   return AuthResult();
 }
 
+class CastNonce {
+ public:
+  static CastNonce* GetInstance() {
+    return base::Singleton<CastNonce,
+                           base::LeakySingletonTraits<CastNonce>>::get();
+  }
+
+  static const std::string& Get() {

[mark a. foltz, 2017/03/16 23:23:01]

static AuthContext

[ryanchung, 2017/03/17 02:46:06]

I want to keep CastNonce has a simple singleton for generating the nonce and
tracking its refresh. I'll move the GetChallengeContext to AuthContext::Create()
which should make it cleaner.

+    GetInstance()->EnsureNonceTimely();
+    return GetInstance()->nonce_;
+  }
+
+ private:
+  friend struct base::DefaultSingletonTraits<CastNonce>;
+
+  CastNonce() { GenerateNonce(); }
+  void GenerateNonce() {
+    // Create a cryptographically secure nonce.
+    crypto::RandBytes(base::WriteInto(&nonce_, kNonceSizeInBytes + 1),
+                      kNonceSizeInBytes);
+    nonce_generation_time_ = base::Time::Now();
+  }
+
+  void EnsureNonceTimely() {
+    if (base::Time::Now() >
+        (nonce_generation_time_ +
+         base::TimeDelta::FromHours(kNonceExpirationTimeInHours))) {
+      GenerateNonce();
+    }
+  }
+
+  // The nonce challenge to send to the Cast receiver.
+  // The nonce is updated daily.
+  std::string nonce_;
+  base::Time nonce_generation_time_;
+};
+
 // Must match with histogram enum CastCertificateStatus.
 // This should never be reordered.
 enum CertVerificationStatus {
   CERT_STATUS_OK,
   CERT_STATUS_INVALID_CRL,
   CERT_STATUS_VERIFICATION_FAILED,
   CERT_STATUS_REVOKED,
   CERT_STATUS_COUNT,
 };
 
+enum NonceVerificationStatus {
+  NONCE_MATCH,
+  NONCE_MISMATCH,
+  NONCE_MISSING,
+  NONCE_COUNT,
+};
+
 }  // namespace
 
 AuthResult::AuthResult()
     : error_type(ERROR_NONE), channel_policies(POLICY_NONE) {}
 
 AuthResult::AuthResult(const std::string& error_message, ErrorType error_type)
     : error_message(error_message), error_type(error_type) {}
 
 AuthResult::~AuthResult() {
 }
 
 // static
 AuthResult AuthResult::CreateWithParseError(const std::string& error_message,
                                             ErrorType error_type) {
   return AuthResult(kParseErrorPrefix + error_message, error_type);
 }
 
-AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
-                                      const net::X509Certificate& peer_cert) {
-  DeviceAuthMessage auth_message;
-  AuthResult result = ParseAuthMessage(challenge_reply, &auth_message);
-  if (!result.success()) {
-    return result;
-  }
+AuthContext::AuthContext(const std::string& nonce) : nonce_(nonce) {}
 
+AuthContext::~AuthContext() {}
+
+// Verifies the peer certificate and populates |peer_cert_der| with the DER
+// encoded certificate.
+AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,
+                                std::string* peer_cert_der,
+                                const base::Time& verification_time) {
   // Get the DER-encoded form of the certificate.
-  std::string peer_cert_der;
   if (!net::X509Certificate::GetDEREncoded(peer_cert.os_cert_handle(),
-                                           &peer_cert_der) ||
-      peer_cert_der.empty()) {
+                                           peer_cert_der) ||
+      peer_cert_der->empty()) {
     return AuthResult::CreateWithParseError(
         "Could not create DER-encoded peer cert.",
         AuthResult::ERROR_CERT_PARSING_FAILED);
   }
 
   // Ensure the peer cert is valid and doesn't have an excessive remaining
   // lifetime. Although it is not verified as an X.509 certificate, the entire
   // structure is signed by the AuthResponse, so the validity field from X.509
   // is repurposed as this signature's expiration.
   base::Time expiry = peer_cert.valid_expiry();
   base::Time lifetime_limit =
-      base::Time::Now() +
+      verification_time +
       base::TimeDelta::FromDays(kMaxSelfSignedCertLifetimeInDays);
   if (peer_cert.valid_start().is_null() ||
-      peer_cert.valid_start() > base::Time::Now()) {
+      peer_cert.valid_start() > verification_time) {
     return AuthResult::CreateWithParseError(
         "Certificate's valid start date is in the future.",
         AuthResult::ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE);
   }
-  if (expiry.is_null() || peer_cert.HasExpired()) {
+  if (expiry.is_null() || peer_cert.valid_expiry() < verification_time) {
     return AuthResult::CreateWithParseError("Certificate has expired.",
                                             AuthResult::ERROR_TLS_CERT_EXPIRED);
   }
   if (expiry > lifetime_limit) {
     return AuthResult::CreateWithParseError(
         "Peer cert lifetime is too long.",
         AuthResult::ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG);
   }
+  return AuthResult();
+}
+
+// Verifies the nonce received in the response is equivalent to the one sent.
+AuthResult VerifySenderNonce(const std::string& nonce,
+                             const std::string& nonce_response) {
+  if (nonce != nonce_response) {
+    if (nonce_response.empty()) {
+      UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISSING,
+                                NONCE_COUNT);
+    } else {
+      UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MISMATCH,
+                                NONCE_COUNT);
+    }
+    if (base::FeatureList::IsEnabled(kEnforceNonceChecking)) {
+      return AuthResult("Sender nonce mismatched.",
+                        AuthResult::ERROR_SENDER_NONCE_MISMATCH);
+    }
+  } else {
+    UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", NONCE_MATCH, NONCE_COUNT);
+  }
+  return AuthResult();
+}
+
+AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
+                                      const net::X509Certificate& peer_cert,
+                                      const AuthContext& auth_context) {
+  DeviceAuthMessage auth_message;
+  AuthResult result = ParseAuthMessage(challenge_reply, &auth_message);
+  if (!result.success()) {
+    return result;
+  }
+
+  std::string peer_cert_der;
+  result = VerifyTLSCertificate(peer_cert, &peer_cert_der, base::Time::Now());
+  if (!result.success()) {
+    return result;
+  }
 
   const AuthResponse& response = auth_message.response();
-  return VerifyCredentials(response, peer_cert_der);
+  const std::string& nonce_response = response.sender_nonce();
+
+  result = VerifySenderNonce(auth_context.nonce(), nonce_response);

[mark a. foltz, 2017/03/16 23:23:01]

auth_context.VerifySenderNonce(nonce_response)

[ryanchung, 2017/03/17 02:46:06]

Done.

+  if (!result.success()) {
+    return result;
+  }
+
+  return VerifyCredentials(response, nonce_response + peer_cert_der);
 }
 
 // This function does the following
 //
 // * Verifies that the certificate chain |response.client_auth_certificate| +
 //   |response.intermediate_certificate| is valid and chains to a trusted
 //   Cast root. The list of trusted Cast roots can be overrided by providing a
 //   non-nullptr |cast_trust_store|. The certificate is verified at
 //   |verification_time|.
 //
@@ skipping 110 matching lines @@
                                     const std::string& signature_input,
                                     const cast_crypto::CRLPolicy& crl_policy,
                                     net::TrustStore* cast_trust_store,
                                     net::TrustStore* crl_trust_store,
                                     const base::Time& verification_time) {
   return VerifyCredentialsImpl(response, signature_input, crl_policy,
                                cast_trust_store, crl_trust_store,
                                verification_time);
 }
 
+AuthContext GetChallengeContext() {
+  return AuthContext(CastNonce::Get());
+}
+
 }  // namespace cast_channel
 }  // namespace api
 }  // namespace extensions