Refactoring of Cast-related crypto code

extensions/browser/api/cast_channel/cast_auth_util.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 
+#include <vector>
+
 #include "base/logging.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "extensions/browser/api/cast_channel/cast_message_util.h"
 #include "extensions/common/api/cast_channel/cast_channel.pb.h"
+#include "extensions/common/cast/cast_cert_validator.h"
 
 namespace extensions {
 namespace core_api {
 namespace cast_channel {
 namespace {
 
 const char* const kParseErrorPrefix = "Failed to parse auth message: ";
 
+namespace cast_crypto = ::extensions::core_api::cast_crypto;
+
 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply
 // message.
 AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
                             DeviceAuthMessage* auth_message) {
   if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) {
     return AuthResult::CreateWithParseError(
         "Wrong payload type in challenge reply",
         AuthResult::ERROR_WRONG_PAYLOAD_TYPE);
   }
   if (!challenge_reply.has_payload_binary()) {
@@ skipping 15 matching lines @@
             base::IntToString(auth_message->error().error_type()),
         AuthResult::ERROR_MESSAGE_ERROR);
   }
   if (!auth_message->has_response()) {
     return AuthResult::CreateWithParseError(
         "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE);
   }
   return AuthResult();
 }
 
+AuthResult TranslateVerificationError(cast_crypto::VerificationResult error) {

[mark a. foltz, 2014/12/18 00:43:41]

Better named TranslateVerificationResult since it's called with all results (not
just errors).

[sheretov, 2015/01/03 03:18:02]

Done.

+  AuthResult result;
+  result.error_message = error.error_message;
+
+  static AuthResult::ErrorType error_type_map[] = {

[mark a. foltz, 2014/12/18 00:43:41]

We generally use switch statements for this type of mapping.  This seems less
readable (since I don't know what I'm mapping from).

[sheretov, 2015/01/03 03:18:02]

Done.

+      AuthResult::ERROR_NONE,
+      AuthResult::ERROR_CERT_PARSING_FAILED,
+      AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA,
+      AuthResult::ERROR_SIGNED_BLOBS_MISMATCH,
+      AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT};
+  int idx = static_cast<int>(error.error_type);
+  result.error_type =
+      (idx < 0 || idx > cast_crypto::VerificationResult::ERROR_TYPE_MAX)
+          ? AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT

[mark a. foltz, 2014/12/18 00:43:41]

How will AuthResult::ErrorType and error.error_type be kept up to date?  Can you
add a comment in the appropriate place in cast_crypto::VerificationResult to
keep AuthResult::ErrorType in sync?

[sheretov, 2015/01/03 03:18:02]

Done in cast_cert_validator.h, but I think the compiler is more likely to help
catch breaking changes than the comment. Converting from an index-based mapping
to explicit switch above will help.

+          : error_type_map[idx];
+
+  result.nss_error_code = error.library_error_code;
+
+  return result;
+}
+
 }  // namespace
 
 AuthResult::AuthResult() : error_type(ERROR_NONE), nss_error_code(0) {
 }
 
 AuthResult::~AuthResult() {
 }
 
 // static
 AuthResult AuthResult::CreateWithParseError(const std::string& error_message,
@@ skipping 32 matching lines @@
 
   const AuthResponse& response = auth_message.response();
   result = VerifyCredentials(response, peer_cert);
   if (!result.success()) {
     return result;
   }
 
   return AuthResult();
 }
 
+// This function does the following
+// * Verifies that the trusted CA |response.intermediate_certificate| is
+//   whitelisted for use.
+// * Verifies that |response.client_auth_certificate| is signed
+//   by the trusted CA certificate.
+// * Verifies that |response.signature| matches the signature
+//   of |peer_cert| by |response.client_auth_certificate|'s public
+//   key.
+AuthResult VerifyCredentials(const AuthResponse& response,
+                             const std::string& peer_cert) {
+  // Verify the certificate
+  scoped_ptr<cast_crypto::CertVerificationContext> verification_context;
+  cast_crypto::VerificationResult ret = cast_crypto::VerifyDeviceCert(
+      response.client_auth_certificate(),
+      std::vector<std::string>(response.intermediate_certificate().begin(),
+                               response.intermediate_certificate().end()),
+      &verification_context);
+
+  if (ret.Success())
+    ret = verification_context->VerifySignatureOverData(response.signature(),
+                                                        peer_cert);
+
+  return TranslateVerificationError(ret);
+}
+
 }  // namespace cast_channel
 }  // namespace core_api
 }  // namespace extensions