[Cast Channel] Add support for nonce challenge to Cast channel authentication.

extensions/browser/api/cast_channel/cast_auth_util.h

Index: extensions/browser/api/cast_channel/cast_auth_util.h
diff --git a/extensions/browser/api/cast_channel/cast_auth_util.h b/extensions/browser/api/cast_channel/cast_auth_util.h
index 1f66395413963a1ea21c95dc40503927dcaf36da..991862ccaac44b6a0b5f21afe97bf81bc373a250 100644
--- a/extensions/browser/api/cast_channel/cast_auth_util.h
+++ b/extensions/browser/api/cast_channel/cast_auth_util.h
@@ -46,6 +46,7 @@ struct AuthResult {
     ERROR_TLS_CERT_EXPIRED,
     ERROR_CRL_INVALID,
     ERROR_CERT_REVOKED,
+    ERROR_SENDER_NONCE_MISMATCH,
   };
 
   enum PolicyType { POLICY_NONE = 0, POLICY_AUDIO_ONLY = 1 << 0 };
@@ -67,11 +68,34 @@ struct AuthResult {
   unsigned int channel_policies;
 };
 
+class AuthContext {
+ public:
+  explicit AuthContext(const std::string& nonce);
+  ~AuthContext();
+
+  // The nonce challenge.
+  const std::string& nonce() const { return nonce_; }
+
+ private:
+  const std::string nonce_;
+};
+
 // Authenticates the given |challenge_reply|:
 // 1. Signature contained in the reply is valid.
 // 2. Certficate used to sign is rooted to a trusted CA.
 AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
-                                      const net::X509Certificate& peer_cert);
+                                      const net::X509Certificate& peer_cert,
+                                      const AuthContext& auth_context);
+
+// Performs a quick check of the TLS certificate for time validity requirements.
+AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert,
+                                std::string* peer_cert_der,
+                                const base::Time& verification_time);
+
+// Performs a check of the nonce challenge. Returns success if |nonce_response|
+// matches |nonce|.
+AuthResult VerifySenderNonce(const std::string& nonce,

[mark a. foltz, 2017/03/16 23:23:01]

It would make more sense for this to be a method on AuthContext.

[ryanchung, 2017/03/17 02:46:06]

Done. Good idea.

+                             const std::string& nonce_response);
 
 // Auth-library specific implementation of cryptographic signature
 // verification routines. Verifies that |response| contains a
@@ -91,6 +115,10 @@ AuthResult VerifyCredentialsForTest(
     net::TrustStore* crl_trust_store,
     const base::Time& verification_time);
 
+// Get an auth challenge context.
+// The same context must be used in the challenge and reply.
+AuthContext GetChallengeContext();

[mark a. foltz, 2017/03/16 23:23:01]

With the suggested change below, this could just be CastNonce::Get().  If you
feel CastNonce shouldn't be exposed, I don't feel strongly though.

[ryanchung, 2017/03/17 02:46:06]

I want to keep CastNonce simple just for tracking the nonce refresh. I'll move
GetChallengeContext to AuthContext::Create() which should be cleaner. 

+
 }  // namespace cast_channel
 }  // namespace api
 }  // namespace extensions