Refactoring of Cast-related crypto code

extensions/browser/api/cast_channel/cast_auth_util.cc

Index: extensions/browser/api/cast_channel/cast_auth_util.cc
diff --git a/extensions/browser/api/cast_channel/cast_auth_util.cc b/extensions/browser/api/cast_channel/cast_auth_util.cc
index 68cb9f321fccacae26cb9724966405155d1c8735..6055de9f7b991009f370f92f0b3c5a1ae7664f1b 100644
--- a/extensions/browser/api/cast_channel/cast_auth_util.cc
+++ b/extensions/browser/api/cast_channel/cast_auth_util.cc
@@ -4,11 +4,14 @@
 
 #include "extensions/browser/api/cast_channel/cast_auth_util.h"
 
+#include <vector>
+
 #include "base/logging.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "extensions/browser/api/cast_channel/cast_message_util.h"
 #include "extensions/common/api/cast_channel/cast_channel.pb.h"
+#include "extensions/common/cast/cast_cert_validator.h"
 
 namespace extensions {
 namespace core_api {
@@ -17,6 +20,8 @@ namespace {
 
 const char* const kParseErrorPrefix = "Failed to parse auth message: ";
 
+namespace cast_crypto = ::extensions::core_api::cast_crypto;
+
 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply
 // message.
 AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
@@ -52,6 +57,33 @@ AuthResult ParseAuthMessage(const CastMessage& challenge_reply,
   return AuthResult();
 }
 
+AuthResult TranslateVerificationResult(
+    const cast_crypto::VerificationResult& result) {
+  AuthResult translated;
+  translated.error_message = result.error_message;
+  translated.nss_error_code = result.library_error_code;
+  switch (result.error_type) {
+    case cast_crypto::VerificationResult::ERROR_NONE:
+      translated.error_type = AuthResult::ERROR_NONE;
+      break;
+    case cast_crypto::VerificationResult::ERROR_CERT_INVALID:
+      translated.error_type = AuthResult::ERROR_CERT_PARSING_FAILED;
+      break;
+    case cast_crypto::VerificationResult::ERROR_CERT_UNTRUSTED:
+      translated.error_type = AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA;
+      break;
+    case cast_crypto::VerificationResult::ERROR_SIGNATURE_INVALID:
+      translated.error_type = AuthResult::ERROR_SIGNED_BLOBS_MISMATCH;
+      break;
+    case cast_crypto::VerificationResult::ERROR_INTERNAL:
+      translated.error_type = AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT;
+      break;
+    default:
+      translated.error_type = AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA;
+  };
+  return translated;
+}
+
 }  // namespace
 
 AuthResult::AuthResult() : error_type(ERROR_NONE), nss_error_code(0) {
@@ -104,6 +136,31 @@ AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply,
   return AuthResult();
 }
 
+// This function does the following
+// * Verifies that the trusted CA |response.intermediate_certificate| is
+//   whitelisted for use.
+// * Verifies that |response.client_auth_certificate| is signed
+//   by the trusted CA certificate.
+// * Verifies that |response.signature| matches the signature
+//   of |peer_cert| by |response.client_auth_certificate|'s public
+//   key.
+AuthResult VerifyCredentials(const AuthResponse& response,
+                             const std::string& peer_cert) {
+  // Verify the certificate
+  scoped_ptr<cast_crypto::CertVerificationContext> verification_context;
+  cast_crypto::VerificationResult ret = cast_crypto::VerifyDeviceCert(
+      response.client_auth_certificate(),
+      std::vector<std::string>(response.intermediate_certificate().begin(),
+                               response.intermediate_certificate().end()),
+      &verification_context);
+
+  if (ret.Success())
+    ret = verification_context->VerifySignatureOverData(response.signature(),
+                                                        peer_cert);
+
+  return TranslateVerificationResult(ret);
+}
+
 }  // namespace cast_channel
 }  // namespace core_api
 }  // namespace extensions