| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <vector> |
| 8 |
| 7 #include "base/logging.h" | 9 #include "base/logging.h" |
| 8 #include "base/strings/string_number_conversions.h" | 10 #include "base/strings/string_number_conversions.h" |
| 9 #include "base/strings/stringprintf.h" | 11 #include "base/strings/stringprintf.h" |
| 10 #include "extensions/browser/api/cast_channel/cast_message_util.h" | 12 #include "extensions/browser/api/cast_channel/cast_message_util.h" |
| 11 #include "extensions/common/api/cast_channel/cast_channel.pb.h" | 13 #include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| 14 #include "extensions/common/cast/cast_cert_validator.h" |
| 12 | 15 |
| 13 namespace extensions { | 16 namespace extensions { |
| 14 namespace core_api { | 17 namespace core_api { |
| 15 namespace cast_channel { | 18 namespace cast_channel { |
| 16 namespace { | 19 namespace { |
| 17 | 20 |
| 18 const char* const kParseErrorPrefix = "Failed to parse auth message: "; | 21 const char* const kParseErrorPrefix = "Failed to parse auth message: "; |
| 19 | 22 |
| 23 namespace cast_crypto = ::extensions::core_api::cast_crypto; |
| 24 |
| 20 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply | 25 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply |
| 21 // message. | 26 // message. |
| 22 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, | 27 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, |
| 23 DeviceAuthMessage* auth_message) { | 28 DeviceAuthMessage* auth_message) { |
| 24 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { | 29 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { |
| 25 return AuthResult::CreateWithParseError( | 30 return AuthResult::CreateWithParseError( |
| 26 "Wrong payload type in challenge reply", | 31 "Wrong payload type in challenge reply", |
| 27 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); | 32 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); |
| 28 } | 33 } |
| 29 if (!challenge_reply.has_payload_binary()) { | 34 if (!challenge_reply.has_payload_binary()) { |
| (...skipping 15 matching lines...) Expand all Loading... |
| 45 base::IntToString(auth_message->error().error_type()), | 50 base::IntToString(auth_message->error().error_type()), |
| 46 AuthResult::ERROR_MESSAGE_ERROR); | 51 AuthResult::ERROR_MESSAGE_ERROR); |
| 47 } | 52 } |
| 48 if (!auth_message->has_response()) { | 53 if (!auth_message->has_response()) { |
| 49 return AuthResult::CreateWithParseError( | 54 return AuthResult::CreateWithParseError( |
| 50 "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE); | 55 "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE); |
| 51 } | 56 } |
| 52 return AuthResult(); | 57 return AuthResult(); |
| 53 } | 58 } |
| 54 | 59 |
| 60 AuthResult TranslateVerificationError(cast_crypto::VerificationResult error) { |
| 61 static AuthResult::ErrorType error_type_map[] = { |
| 62 AuthResult::ERROR_NONE, |
| 63 AuthResult::ERROR_CERT_PARSING_FAILED, |
| 64 AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA, |
| 65 AuthResult::ERROR_CANNOT_EXTRACT_PUBLIC_KEY, |
| 66 AuthResult::ERROR_SIGNED_BLOBS_MISMATCH, |
| 67 AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT}; |
| 68 |
| 69 AuthResult result; |
| 70 result.error_message = error.error_message; |
| 71 |
| 72 int idx = static_cast<int>(error.error_type); |
| 73 result.error_type = |
| 74 (idx < 0 || idx > cast_crypto::VerificationResult::ERROR_TYPE_MAX) |
| 75 ? AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT |
| 76 : error_type_map[idx]; |
| 77 |
| 78 return result; |
| 79 } |
| 80 |
| 55 } // namespace | 81 } // namespace |
| 56 | 82 |
| 57 AuthResult::AuthResult() : error_type(ERROR_NONE), nss_error_code(0) { | 83 AuthResult::AuthResult() : error_type(ERROR_NONE), nss_error_code(0) { |
| 58 } | 84 } |
| 59 | 85 |
| 60 AuthResult::~AuthResult() { | 86 AuthResult::~AuthResult() { |
| 61 } | 87 } |
| 62 | 88 |
| 63 // static | 89 // static |
| 64 AuthResult AuthResult::CreateWithParseError(const std::string& error_message, | 90 AuthResult AuthResult::CreateWithParseError(const std::string& error_message, |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 97 | 123 |
| 98 const AuthResponse& response = auth_message.response(); | 124 const AuthResponse& response = auth_message.response(); |
| 99 result = VerifyCredentials(response, peer_cert); | 125 result = VerifyCredentials(response, peer_cert); |
| 100 if (!result.success()) { | 126 if (!result.success()) { |
| 101 return result; | 127 return result; |
| 102 } | 128 } |
| 103 | 129 |
| 104 return AuthResult(); | 130 return AuthResult(); |
| 105 } | 131 } |
| 106 | 132 |
| 133 // This function does the following |
| 134 // * Verifies that the trusted CA |response.intermediate_certificate| is |
| 135 // whitelisted for use. |
| 136 // * Verifies that |response.client_auth_certificate| is signed |
| 137 // by the trusted CA certificate. |
| 138 // * Verifies that |response.signature| matches the signature |
| 139 // of |peer_cert| by |response.client_auth_certificate|'s public |
| 140 // key. |
| 141 AuthResult VerifyCredentials(const AuthResponse& response, |
| 142 const std::string& peer_cert) { |
| 143 // Verify the certificate |
| 144 cast_crypto::CertVerificationContext* verification_context = NULL; |
| 145 cast_crypto::VerificationResult ret = cast_crypto::VerifyCert( |
| 146 response.client_auth_certificate(), |
| 147 std::vector<std::string>(response.intermediate_certificate().begin(), |
| 148 response.intermediate_certificate().end()), |
| 149 &verification_context); |
| 150 |
| 151 if (ret.Success()) { |
| 152 ret = verification_context->VerifySignatureOverData(response.signature(), |
| 153 peer_cert); |
| 154 } |
| 155 |
| 156 delete verification_context; |
| 157 return TranslateVerificationError(ret); |
| 158 } |
| 159 |
| 107 } // namespace cast_channel | 160 } // namespace cast_channel |
| 108 } // namespace core_api | 161 } // namespace core_api |
| 109 } // namespace extensions | 162 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 792353002:
Refactoring of Cast-related crypto code (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master