extensions/browser/api/cast_channel/cast_auth_util.h - Issue 2709523008: [Cast Channel] Add support for nonce challenge to Cast channel authentication.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: extensions/browser/api/cast_channel/cast_auth_util.h

Issue 2709523008: [Cast Channel] Add support for nonce challenge to Cast channel authentication. (Closed)

Patch Set: Addresses comments Created 3 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « components/test/data/cast_certificate/certificates/test_tls_cert.pem ('k') | extensions/browser/api/cast_channel/cast_auth_util.cc » ('j') | extensions/browser/api/cast_channel/cast_auth_util.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: extensions/browser/api/cast_channel/cast_auth_util.h

diff --git a/extensions/browser/api/cast_channel/cast_auth_util.h b/extensions/browser/api/cast_channel/cast_auth_util.h

index 1f66395413963a1ea21c95dc40503927dcaf36da..8fd0099797efc7836460ecfc97aa88c06945eef3 100644

--- a/extensions/browser/api/cast_channel/cast_auth_util.h

+++ b/extensions/browser/api/cast_channel/cast_auth_util.h

@@ -46,6 +46,7 @@ struct AuthResult {

ERROR_TLS_CERT_EXPIRED,

ERROR_CRL_INVALID,

ERROR_CERT_REVOKED,

+ ERROR_SENDER_NONCE_MISMATCH,

};

enum PolicyType { POLICY_NONE = 0, POLICY_AUDIO_ONLY = 1 << 0 };

@@ -67,11 +68,34 @@ struct AuthResult {

unsigned int channel_policies;

};

+class AuthContext {

+ public:

+ explicit AuthContext(const std::string& nonce);

+ ~AuthContext();

+ const std::string& nonce() const { return nonce_; }

+ private:

+ const std::string nonce_;

+ DISALLOW_COPY_AND_ASSIGN(AuthContext);

+};

// Authenticates the given |challenge_reply|:

// 1. Signature contained in the reply is valid.

// 2. Certficate used to sign is rooted to a trusted CA.

AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,

- const net::X509Certificate& peer_cert);

+ const net::X509Certificate& peer_cert,

+ const AuthContext* auth_context);

+// Performs a quick check of the TLS certificate for time validity requirements.

+AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,

+ std::string* peer_cert_der,

+ const base::Time& verification_time);

+// Performs a check of the nonce challenge. Returns success if |nonce_response|

+// matches |nonce|.

+AuthResult VerifySenderNonce(const std::string& nonce,

+ const std::string& nonce_response);

// Auth-library specific implementation of cryptographic signature

// verification routines. Verifies that |response| contains a

@@ -91,6 +115,10 @@ AuthResult VerifyCredentialsForTest(

net::TrustStore* crl_trust_store,

const base::Time& verification_time);

+// Get an auth challenge context.

+// The same context must be used in the challenge and reply.

+std::unique_ptr<AuthContext> GetChallengeContext();

} // namespace cast_channel

} // namespace api

} // namespace extensions