| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" | 5 #include "extensions/browser/api/cast_channel/cast_auth_util.h" |
| 6 | 6 |
| 7 #include <vector> | |
| 8 | |
| 9 #include "base/logging.h" | 7 #include "base/logging.h" |
| 10 #include "base/strings/string_number_conversions.h" | 8 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/stringprintf.h" | 9 #include "base/strings/stringprintf.h" |
| 12 #include "extensions/browser/api/cast_channel/cast_message_util.h" | 10 #include "extensions/browser/api/cast_channel/cast_message_util.h" |
| 13 #include "extensions/common/api/cast_channel/cast_channel.pb.h" | 11 #include "extensions/common/api/cast_channel/cast_channel.pb.h" |
| 14 #include "extensions/common/cast/cast_cert_validator.h" | |
| 15 | 12 |
| 16 namespace extensions { | 13 namespace extensions { |
| 17 namespace core_api { | 14 namespace core_api { |
| 18 namespace cast_channel { | 15 namespace cast_channel { |
| 19 namespace { | 16 namespace { |
| 20 | 17 |
| 21 const char* const kParseErrorPrefix = "Failed to parse auth message: "; | 18 const char* const kParseErrorPrefix = "Failed to parse auth message: "; |
| 22 | 19 |
| 23 const unsigned char kAudioOnlyPolicy[] = | 20 const unsigned char kAudioOnlyPolicy[] = |
| 24 {0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xD6, 0x79, 0x02, 0x05, 0x02}; | 21 {0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xD6, 0x79, 0x02, 0x05, 0x02}; |
| 25 | 22 |
| 26 namespace cast_crypto = ::extensions::core_api::cast_crypto; | |
| 27 | |
| 28 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply | 23 // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply |
| 29 // message. | 24 // message. |
| 30 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, | 25 AuthResult ParseAuthMessage(const CastMessage& challenge_reply, |
| 31 DeviceAuthMessage* auth_message) { | 26 DeviceAuthMessage* auth_message) { |
| 32 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { | 27 if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { |
| 33 return AuthResult::CreateWithParseError( | 28 return AuthResult::CreateWithParseError( |
| 34 "Wrong payload type in challenge reply", | 29 "Wrong payload type in challenge reply", |
| 35 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); | 30 AuthResult::ERROR_WRONG_PAYLOAD_TYPE); |
| 36 } | 31 } |
| 37 if (!challenge_reply.has_payload_binary()) { | 32 if (!challenge_reply.has_payload_binary()) { |
| (...skipping 15 matching lines...) Expand all Loading... |
| 53 base::IntToString(auth_message->error().error_type()), | 48 base::IntToString(auth_message->error().error_type()), |
| 54 AuthResult::ERROR_MESSAGE_ERROR); | 49 AuthResult::ERROR_MESSAGE_ERROR); |
| 55 } | 50 } |
| 56 if (!auth_message->has_response()) { | 51 if (!auth_message->has_response()) { |
| 57 return AuthResult::CreateWithParseError( | 52 return AuthResult::CreateWithParseError( |
| 58 "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE); | 53 "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE); |
| 59 } | 54 } |
| 60 return AuthResult(); | 55 return AuthResult(); |
| 61 } | 56 } |
| 62 | 57 |
| 63 AuthResult TranslateVerificationResult( | |
| 64 const cast_crypto::VerificationResult& result) { | |
| 65 AuthResult translated; | |
| 66 translated.error_message = result.error_message; | |
| 67 translated.nss_error_code = result.library_error_code; | |
| 68 switch (result.error_type) { | |
| 69 case cast_crypto::VerificationResult::ERROR_NONE: | |
| 70 translated.error_type = AuthResult::ERROR_NONE; | |
| 71 break; | |
| 72 case cast_crypto::VerificationResult::ERROR_CERT_INVALID: | |
| 73 translated.error_type = AuthResult::ERROR_CERT_PARSING_FAILED; | |
| 74 break; | |
| 75 case cast_crypto::VerificationResult::ERROR_CERT_UNTRUSTED: | |
| 76 translated.error_type = AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA; | |
| 77 break; | |
| 78 case cast_crypto::VerificationResult::ERROR_SIGNATURE_INVALID: | |
| 79 translated.error_type = AuthResult::ERROR_SIGNED_BLOBS_MISMATCH; | |
| 80 break; | |
| 81 case cast_crypto::VerificationResult::ERROR_INTERNAL: | |
| 82 translated.error_type = AuthResult::ERROR_UNEXPECTED_AUTH_LIBRARY_RESULT; | |
| 83 break; | |
| 84 default: | |
| 85 translated.error_type = AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA; | |
| 86 }; | |
| 87 return translated; | |
| 88 } | |
| 89 | |
| 90 } // namespace | 58 } // namespace |
| 91 | 59 |
| 92 AuthResult::AuthResult() | 60 AuthResult::AuthResult() |
| 93 : error_type(ERROR_NONE), nss_error_code(0), channel_policies(POLICY_NONE) { | 61 : error_type(ERROR_NONE), nss_error_code(0), channel_policies(POLICY_NONE) { |
| 94 } | 62 } |
| 95 | 63 |
| 96 AuthResult::~AuthResult() { | 64 AuthResult::~AuthResult() { |
| 97 } | 65 } |
| 98 | 66 |
| 99 // static | 67 // static |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 138 } | 106 } |
| 139 | 107 |
| 140 if (response.client_auth_certificate().find(reinterpret_cast<const char*>( | 108 if (response.client_auth_certificate().find(reinterpret_cast<const char*>( |
| 141 kAudioOnlyPolicy)) != std::string::npos) { | 109 kAudioOnlyPolicy)) != std::string::npos) { |
| 142 result.channel_policies |= AuthResult::POLICY_AUDIO_ONLY; | 110 result.channel_policies |= AuthResult::POLICY_AUDIO_ONLY; |
| 143 } | 111 } |
| 144 | 112 |
| 145 return result; | 113 return result; |
| 146 } | 114 } |
| 147 | 115 |
| 148 // This function does the following | |
| 149 // * Verifies that the trusted CA |response.intermediate_certificate| is | |
| 150 // whitelisted for use. | |
| 151 // * Verifies that |response.client_auth_certificate| is signed | |
| 152 // by the trusted CA certificate. | |
| 153 // * Verifies that |response.signature| matches the signature | |
| 154 // of |peer_cert| by |response.client_auth_certificate|'s public | |
| 155 // key. | |
| 156 AuthResult VerifyCredentials(const AuthResponse& response, | |
| 157 const std::string& peer_cert) { | |
| 158 // Verify the certificate | |
| 159 scoped_ptr<cast_crypto::CertVerificationContext> verification_context; | |
| 160 cast_crypto::VerificationResult ret = cast_crypto::VerifyDeviceCert( | |
| 161 response.client_auth_certificate(), | |
| 162 std::vector<std::string>(response.intermediate_certificate().begin(), | |
| 163 response.intermediate_certificate().end()), | |
| 164 &verification_context); | |
| 165 | |
| 166 if (ret.Success()) | |
| 167 ret = verification_context->VerifySignatureOverData(response.signature(), | |
| 168 peer_cert); | |
| 169 | |
| 170 return TranslateVerificationResult(ret); | |
| 171 } | |
| 172 | |
| 173 } // namespace cast_channel | 116 } // namespace cast_channel |
| 174 } // namespace core_api | 117 } // namespace core_api |
| 175 } // namespace extensions | 118 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 853663003:
Revert of Refactoring of Cast-related crypto code (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master