Enable passing cast channel certificate authority keys.

extensions/browser/api/cast_channel/cast_auth_util.h

Index: extensions/browser/api/cast_channel/cast_auth_util.h
diff --git a/extensions/browser/api/cast_channel/cast_auth_util.h b/extensions/browser/api/cast_channel/cast_auth_util.h
index 560f698d2b57430d7071dcae8d5b218426a094d9..7d2bfb354738526a0a77483a68e258b4fc196c90 100644
--- a/extensions/browser/api/cast_channel/cast_auth_util.h
+++ b/extensions/browser/api/cast_channel/cast_auth_util.h
@@ -5,8 +5,13 @@
 #ifndef EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_
 #define EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_
 
+#include <map>
 #include <string>
 
+#include "base/memory/scoped_ptr.h"
+#include "base/strings/string_piece.h"
+#include "net/base/hash_value.h"
+
 namespace extensions {
 namespace core_api {
 namespace cast_channel {
@@ -52,12 +57,58 @@ struct AuthResult {
              int nss_error_code);
 };
 
+typedef std::map<net::SHA256HashValue,
+                 base::StringPiece,
+                 net::SHA256HashValueLessThan> AuthorityKeysMap;
+
+namespace proto {
+
+// Forward declaration to avoid including generated protobuf header.
+class AuthorityKeys;
+}

[Ryan Sleevi, 2014/10/21 22:38:03]

}  // namespace proto (with newline between 67/68

[vadimgo, 2014/10/21 23:35:58]

Done.

+
+// AuthorityKeysStore is a helper class that is used to store and manipulate
+// intermediate CAs (ICAs) information used to authenticate cast devices.
+// A static list of ICAs is hardcoded and may optionally be replaced during
+// runtime by an extension supplying a protobuf of ICAs information signed with
+// known key.
+class AuthorityKeysStore {
+ public:
+  AuthorityKeysStore();
+  ~AuthorityKeysStore();
+
+  // Returns the public key of the ICA whose fingerprint matches |fingerprint|.
+  // Returns NULL if no such ICA is found.
+  const base::StringPiece* GetICAPublicKeyFromFingerprint(

[Ryan Sleevi, 2014/10/21 22:38:03]

Why are you returning a pointer to this? This creates danger if someone does
Load() while such a pointer is still hanging out there. You can instead just
return a base::StringPiece - no pointer.

[vadimgo, 2014/10/21 23:35:57]

Done.

+      const net::SHA256HashValue& fingerprint);
+
+  // Returns the public key of the default / original cast ICA.
+  // Returns NULL if the default cast ICA is not found.
+  const base::StringPiece* GetDefaultICAPublicKey();
+
+  // Loads authority keys from a serialized protobuf.
+  bool Load(const std::string& keys);
+
+ private:
+  // The map of trusted certificate authorities - fingerprints to public keys.
+  AuthorityKeysMap certificate_authorities_;
+
+  // Trusted certificate authorities data passed from the extension.
+  scoped_ptr<proto::AuthorityKeys> authority_keys_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthorityKeysStore);
+};
+
 // Authenticates the given |challenge_reply|:
 // 1. Signature contained in the reply is valid.
 // 2. Certficate used to sign is rooted to a trusted CA.
 AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
                                       const std::string& peer_cert);
 
+// Sets trusted certificate authorities.
+bool SetTrustedCertificateAuthorities(const std::string& keys,
+                                      const std::string& signature);
+
 }  // namespace cast_channel
 }  // namespace core_api
 }  // namespace extensions