Refactoring of Cast-related crypto code

extensions/browser/api/cast_channel/cast_auth_util.cc

Index: extensions/browser/api/cast_channel/cast_auth_util.cc
diff --git a/extensions/browser/api/cast_channel/cast_auth_util.cc b/extensions/browser/api/cast_channel/cast_auth_util.cc
index 68cb9f321fccacae26cb9724966405155d1c8735..97fff647066b357cf3f8ca4c010df3e1d26dfa78 100644
--- a/extensions/browser/api/cast_channel/cast_auth_util.cc
+++ b/extensions/browser/api/cast_channel/cast_auth_util.cc
@@ -4,11 +4,14 @@
 
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 
+#include <vector>
+
 #include "base/logging.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "extensions/browser/api/cast_channel/cast_message_util.h"
 #include "extensions/common/api/cast_channel/cast_channel.pb.h"
+#include "extensions/common/cast/cast_cert_validator.h"
 
 namespace extensions {
 namespace core_api {
@@ -17,6 +20,8 @@ namespace {
 
 const char* const kParseErrorPrefix = "Failed to parse auth message: ";
 
+namespace cast_crypto = ::extensions::core_api::cast_crypto;
+
 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply
 // message.
 AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
@@ -52,6 +57,27 @@ AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
   return AuthResult();
 }
 
+AuthResult TranslateVerificationError(cast_crypto::VerificationResult error) {

[mark a. foltz, 2014/12/18 00:43:41]

Better named TranslateVerificationResult since it's called with all results (not
just errors).

[sheretov, 2015/01/03 03:18:02]

Done.

+  AuthResult result;
+  result.error_message = error.error_message;
+
+  static AuthResult::ErrorType error_type_map[] = {

[mark a. foltz, 2014/12/18 00:43:41]

We generally use switch statements for this type of mapping.  This seems less
readable (since I don't know what I'm mapping from).

[sheretov, 2015/01/03 03:18:02]

Done.

+      AuthResult::ERROR_NONE,
+      AuthResult::ERROR_CERT_PARSING_FAILED,
+      AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA,
+      AuthResult::ERROR_SIGNED_BLOBS_MISMATCH,
+      AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT};
+  int idx = static_cast<int>(error.error_type);
+  result.error_type =
+      (idx < 0 || idx > cast_crypto::VerificationResult::ERROR_TYPE_MAX)
+          ? AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT

[mark a. foltz, 2014/12/18 00:43:41]

How will AuthResult::ErrorType and error.error_type be kept up to date?  Can you
add a comment in the appropriate place in cast_crypto::VerificationResult to
keep AuthResult::ErrorType in sync?

[sheretov, 2015/01/03 03:18:02]

Done in cast_cert_validator.h, but I think the compiler is more likely to help
catch breaking changes than the comment. Converting from an index-based mapping
to explicit switch above will help.

+          : error_type_map[idx];
+
+  result.nss_error_code = error.library_error_code;
+
+  return result;
+}
+
 }  // namespace
 
 AuthResult::AuthResult() : error_type(ERROR_NONE), nss_error_code(0) {
@@ -104,6 +130,31 @@ AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
   return AuthResult();
 }
 
+// This function does the following
+// * Verifies that the trusted CA |response.intermediate_certificate| is
+//   whitelisted for use.
+// * Verifies that |response.client_auth_certificate| is signed
+//   by the trusted CA certificate.
+// * Verifies that |response.signature| matches the signature
+//   of |peer_cert| by |response.client_auth_certificate|'s public
+//   key.
+AuthResult VerifyCredentials(const AuthResponse& response,
+                             const std::string& peer_cert) {
+  // Verify the certificate
+  scoped_ptr<cast_crypto::CertVerificationContext> verification_context;
+  cast_crypto::VerificationResult ret = cast_crypto::VerifyDeviceCert(
+      response.client_auth_certificate(),
+      std::vector<std::string>(response.intermediate_certificate().begin(),
+                               response.intermediate_certificate().end()),
+      &verification_context);
+
+  if (ret.Success())
+    ret = verification_context->VerifySignatureOverData(response.signature(),
+                                                        peer_cert);
+
+  return TranslateVerificationError(ret);
+}
+
 }  // namespace cast_channel
 }  // namespace core_api
 }  // namespace extensions