Implement crypto signature verification routines using OpenSSL.

extensions/browser/api/cast_channel/cast_auth_util.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_
 #define EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_
 
 #include <string>
+#include <vector>
 
 namespace extensions {
 namespace core_api {
 namespace cast_channel {
 
+class AuthResponse;
 class CastMessage;
 class DeviceAuthMessage;
 
 struct AuthResult {
  public:
   enum ErrorType {
     ERROR_NONE,
     ERROR_PEER_CERT_EMPTY,
     ERROR_WRONG_PAYLOAD_TYPE,
     ERROR_NO_PAYLOAD,
     ERROR_PAYLOAD_PARSING_FAILED,
     ERROR_MESSAGE_ERROR,
     ERROR_NO_RESPONSE,
     ERROR_FINGERPRINT_NOT_FOUND,
-    ERROR_NSS_CERT_PARSING_FAILED,
-    ERROR_NSS_CERT_NOT_SIGNED_BY_TRUSTED_CA,
-    ERROR_NSS_CANNOT_EXTRACT_PUBLIC_KEY,
-    ERROR_NSS_SIGNED_BLOBS_MISMATCH
+    ERROR_CERT_PARSING_FAILED,
+    ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA,
+    ERROR_CANNOT_EXTRACT_PUBLIC_KEY,
+    ERROR_SIGNED_BLOBS_MISMATCH,
+    ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT,
   };
 
   // Constructs a AuthResult that corresponds to success.
   AuthResult();
   ~AuthResult();
 
+  AuthResult(const AuthResult& rvalue);
+
   static AuthResult CreateWithParseError(const std::string& error_message,
                                          ErrorType error_type);
+  static AuthResult CreateWithOpenSSLErrors(
+      const std::string& error_message,
+      ErrorType error_type,
+      const std::vector<std::pair<std::string, int>>& openssl_errors);
   static AuthResult CreateWithNSSError(const std::string& error_message,
                                        ErrorType error_type,
                                        int nss_error_code);
 
   bool success() const { return error_type == ERROR_NONE; }
 
   std::string error_message;
   ErrorType error_type;
   int nss_error_code;
 
+  // Vector of filename, line number pairs that comprise the stack
+  // of OpenSSL errors.

[mark a. foltz, 2014/10/31 22:29:25]

So each entry is just part of a stack trace for a single error?  Are the entries
of the form:

file.cc:XXX

Is there an error code or other explanation of the error condition?

[Kevin M, 2014/11/01 00:03:05]

It's a stack of errors.
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boring...

"The typical behaviour is that an error will occur deep in a call queue and that
code will push an error onto the error queue. As the error queue unwinds, other
functions will push their own errors. Thus, the "least recent" error is the most
specific and the other errors will provide a backtrace of sorts."

There is an error code, but davidben advised against sending them over the wire.
He recommended we send filename/line pairs instead.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boring...

[davidben, 2014/11/01 00:19:34]

Including the error values is fine as long as it's clearly documented they
should not be used for anything but manual debugging. (Neither should
file/line.) The values are not stable and will change from Chrome release to
release. If you're not including the version number in these, they wouldn't be
very useful.

Really file + line is also not stable either, so the same caveat applies to that
too.

(Honestly, just including the top one is probably fine. X509_verify is going to
push a silly ERR_R_EVP_LIB to mask the actual crypto failure, but I can probably
just go and remove that if agl agrees. I've never understood the point...)

[Kevin M, 2014/11/03 18:31:46]

Done in a separate Git branch.

+  std::vector<std::pair<std::string, int>> openssl_errors;

[mark a. foltz, 2014/10/31 22:29:25]

Slight preference for declaring a struct to hold these entries, so that code
accessing them is more readable.  E.g.,

struct OpenSslStackElement {
  std::string filename;
  int line_number;
};

[Kevin M, 2014/11/01 00:03:05]

How's this?

+
  private:
   AuthResult(const std::string& error_message,
              ErrorType error_type,
-             int nss_error_code);
+             int nss_error_code,
+             const std::vector<std::pair<std::string, int>>& openssl_errors);

[mark a. foltz, 2014/10/31 22:29:25]

Maybe this should be openssl_error_stack?

[Kevin M, 2014/11/01 00:03:05]

Done.

 };
 
 // Authenticates the given |challenge_reply|:
 // 1. Signature contained in the reply is valid.
 // 2. Certficate used to sign is rooted to a trusted CA.
-AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
-                                      const std::string& peer_cert);
+AuthResult AuthenticateChallengeReply(
+    const CastMessage& challenge_reply,
+    const std::string& peer_cert);
 
-// Parses a DeviceAuthMessage payload from a challenge reply.
-// Returns an AuthResult to indicate success or failure.
-AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
-                            DeviceAuthMessage* auth_message);
+// Auth-library specific implementation of cryptographic signature
+// verification routines. Verifies that |response| contains a
+// valid signed form of |peer_cert|.
+AuthResult VerifyCredentials(const AuthResponse& response,
+                             const std::string& peer_cert);
 
 }  // namespace cast_channel
 }  // namespace core_api
 }  // namespace extensions
 
 #endif  // EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_AUTH_UTIL_H_