Chromium Code Reviews| Index: extensions/browser/api/cast_channel/cast_auth_util.h |
| diff --git a/extensions/browser/api/cast_channel/cast_auth_util.h b/extensions/browser/api/cast_channel/cast_auth_util.h |
| index 560f698d2b57430d7071dcae8d5b218426a094d9..7a045ddd5f450e32a2c120067e94848ecc3f134a 100644 |
| --- a/extensions/browser/api/cast_channel/cast_auth_util.h |
| +++ b/extensions/browser/api/cast_channel/cast_auth_util.h |
| @@ -5,8 +5,13 @@ |
| #ifndef EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_ |
| #define EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_ |
| +#include <map> |
| #include <string> |
| +#include "base/memory/scoped_ptr.h" |
| +#include "base/strings/string_piece.h" |
| +#include "net/base/hash_value.h" |
| + |
| namespace extensions { |
| namespace core_api { |
| namespace cast_channel { |
| @@ -52,12 +57,59 @@ struct AuthResult { |
| int nss_error_code); |
| }; |
| +typedef std::map<net::SHA256HashValue, |
| + base::StringPiece, |
| + net::SHA256HashValueLessThan> AuthorityKeysMap; |
| + |
| +namespace proto { |
| + |
| +// Forward declaration to avoid including generated protobuf header. |
| +class AuthorityKeys; |
| + |
| +} // namespace proto |
|
Ryan Sleevi
2014/10/22 22:07:10
Realized this isn't right anymore.
This should mo
vadimgo
2014/10/23 18:03:25
This is right, because the protobuf is also namesp
|
| + |
| +// AuthorityKeysStore is a helper class that is used to store and manipulate |
| +// intermediate CAs (ICAs) information used to authenticate cast devices. |
| +// A static list of ICAs is hardcoded and may optionally be replaced during |
| +// runtime by an extension supplying a protobuf of ICAs information signed with |
| +// known key. |
| +class AuthorityKeysStore { |
|
Ryan Sleevi
2014/10/22 22:07:10
naming wise, does this make sense singular? Author
vadimgo
2014/10/23 18:03:25
Done.
|
| + public: |
| + AuthorityKeysStore(); |
| + ~AuthorityKeysStore(); |
| + |
| + // Returns the public key of the ICA whose fingerprint matches |fingerprint|. |
| + // Returns an empty StringPiece if no such ICA is found. |
| + base::StringPiece GetICAPublicKeyFromFingerprint( |
| + const net::SHA256HashValue& fingerprint); |
| + |
| + // Returns the public key of the default / original cast ICA. |
| + // Returns an empty StringPiece if the default cast ICA is not found. |
| + base::StringPiece GetDefaultICAPublicKey(); |
| + |
| + // Loads authority keys from a serialized protobuf. |
|
Ryan Sleevi
2014/10/22 22:07:10
Documentation: This invalidates all previously ret
vadimgo
2014/10/23 18:03:25
Done.
Ryan Sleevi
2014/10/24 19:42:14
Not really. It doesn't document the 'surprising' p
|
| + bool Load(const std::string& keys); |
| + |
| + private: |
| + // The map of trusted certificate authorities - fingerprints to public keys. |
| + AuthorityKeysMap certificate_authorities_; |
| + |
| + // Trusted certificate authorities data passed from the extension. |
| + scoped_ptr<proto::AuthorityKeys> authority_keys_; |
| + |
| + DISALLOW_COPY_AND_ASSIGN(AuthorityKeysStore); |
| +}; |
| + |
| // Authenticates the given |challenge_reply|: |
| // 1. Signature contained in the reply is valid. |
| // 2. Certficate used to sign is rooted to a trusted CA. |
| AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, |
| const std::string& peer_cert); |
| +// Sets trusted certificate authorities. |
| +bool SetTrustedCertificateAuthorities(const std::string& keys, |
| + const std::string& signature); |
| + |
| } // namespace cast_channel |
| } // namespace core_api |
| } // namespace extensions |
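Review bot: The comment `// Sets trusted certificate authorities.` on `SetTrustedCertificateAuthorities`, near the end of this section, omits the contract a caller of a trust-store update needs. It should say which key `signature` is checked against, what a `false` return means, and whether a rejected call leaves the previously trusted ICAs (or the hardcoded list) in effect. `AuthorityKeysStore::Load` has the same gap: it is public and takes no signature, so its comment should say whether it verifies anything itself and what state the store is in after it returns `false`. The implementation is not visible here, so the wording below needs confirming against the .cc file. For the free function: `// Replaces the trusted ICAs with |keys| (a serialized proto::AuthorityKeys) only if |signature| over |keys| verifies with the known key; returns false and keeps the current set otherwise.` For `Load`: `// Does not verify a signature; callers must authenticate |keys| first. Returns false if |keys| cannot be parsed.`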