1 // Copyright 2019 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
6 #define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
7 
#include <openssl/x509.h>

#include <chrono>
#include <cstdint>
#include <string>
#include <vector>

#include "cast/common/certificate/cast_cert_validator.h"
#include "platform/base/error.h"
16 
// Forward declarations of the ::cast::channel message types referenced below.
// Every declaration in this header takes them by const reference only, so the
// full (generated) definitions are not needed here; translation units that call
// these functions must include the real headers themselves.
namespace cast {
namespace channel {
class AuthResponse;
class CastMessage;
}  // namespace channel
}  // namespace cast
23 
24 namespace openscreen {
25 namespace cast {
26 
// Opaque declarations of the certificate-validation types that only the
// *ForTest overloads below need. CRLPolicy is a scoped enum, so it may be
// declared without its enumerators (underlying type defaults to int);
// DateTime is taken by const reference and TrustStore by pointer, so neither
// requires a complete type in this header.
enum class CRLPolicy;
struct DateTime;
struct TrustStore;
30 
// Holds the nonce a sender puts in its auth challenge so that the device's
// reply can later be checked against it. The nonce is the sender's freshness
// value: a reply carrying a different nonce did not answer this challenge.
//
// Instances come only from the static factories. nonce_ is const, so an
// AuthContext is copyable but not copy-assignable; because a destructor is
// user-declared, the compiler supplies copy but not move operations.
class AuthContext {
 public:
  ~AuthContext();

  // Returns the context to use for a real auth challenge. How the nonce value
  // is chosen is implemented in the .cc and not visible here (presumably
  // random — confirm there). The same context must be used in the challenge
  // and reply.
  static AuthContext Create();

  // Creates a context whose nonce is seeded from |nonce_data|. Testing only:
  // a predictable nonce removes the replay protection the nonce exists for,
  // so this must never be reachable from production code.
  static AuthContext CreateForTest(const std::string& nonce_data);

  // Verifies that the nonce received in the response, |nonce_response|, is
  // equivalent to the one this context issued (nonce_).
  // Returns success if |nonce_response| matches nonce_.
  //
  // |enforce_nonce_checking| defaults to false. What the non-enforcing path
  // does on a mismatch is decided by the implementation and cannot be read
  // from this header. NOTE(review): callers that rely on the nonce to reject
  // replayed replies should pass true explicitly, and the .cc should be
  // checked for whether a mismatch is still surfaced as an Error when false.
  Error VerifySenderNonce(const std::string& nonce_response,
                          bool enforce_nonce_checking = false) const;

  // The nonce challenge. Returns a reference to the immutable member, valid
  // only for the lifetime of this context.
  const std::string& nonce() const { return nonce_; }

 private:
  // Private so that every context is built through Create()/CreateForTest().
  explicit AuthContext(const std::string& nonce);

  // Fixed at construction and never changed for the lifetime of the context.
  const std::string nonce_;
};
55 
// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. certificate used to sign is rooted to a trusted CA.
//
// |peer_cert| is passed as a raw X509*; nothing in this header transfers
// ownership, so it is presumably borrowed for the duration of the call (the
// TLS peer certificate of the channel the reply arrived on — confirm in the
// .cc, which also decides whether nullptr is tolerated). |auth_context| must
// be the same context that produced the challenge, otherwise the reply's
// nonce cannot be checked against the one that was sent.
//
// Returns the CastDeviceCertPolicy carried by the device certificate on
// success, which the caller is expected to act on, or an Error on failure.
// This is the production entry point; the *ForTest overload below must not
// be used outside tests.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context);
63 
// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy, trust stores, and verification times.
//
// Because |cast_trust_store| and |crl_trust_store| replace the built-in trust
// anchors and |verification_time| replaces the clock, a caller controls every
// input that makes the verdict meaningful; a success from this overload says
// nothing about a real device. Keep it unreachable from production code. The
// trust-store pointers are raw and presumably remain owned by the caller for
// the duration of the call — confirm against the .cc.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
    const ::cast::channel::CastMessage& challenge_reply,
    X509* peer_cert,
    const AuthContext& auth_context,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time);
76 
// Performs a quick check of the TLS certificate for time validity requirements,
// i.e. whether |peer_cert| is within its validity period at |verification_time|.
// As described this is a time check only; signature and chain-of-trust checks
// are the job of AuthenticateChallengeReply() above, so a success here is not
// by itself a reason to trust |peer_cert|.
//
// |verification_time| is a plain std::chrono::seconds count; the header does
// not state the epoch it is measured from — presumably seconds since the Unix
// epoch, matching what the X509 notBefore/notAfter comparison expects.
// TODO confirm in the .cc. |peer_cert| is borrowed, not owned.
Error VerifyTLSCertificateValidity(X509* peer_cert,
                                   std::chrono::seconds verification_time);
80 
// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input| and, on success, returns the policy carried by the device
// certificate; on failure returns an Error.
//
// Both enforcement flags default to false, which is the permissive setting:
//  - |enforce_revocation_checking| = false means a revoked device certificate
//    is not necessarily rejected; what the non-enforcing path does with CRL
//    data is implemented in the .cc and not visible here.
//  - |enforce_sha256_checking| = false presumably allows a weaker digest in
//    the signature. NOTE(review): confirm which digest algorithms the relaxed
//    path accepts before relying on the default.
// Security-sensitive callers should pass both flags explicitly rather than
// inherit the defaults.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);
89 
// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy,
// trust stores, and verification times.
//
// Supplying |cast_trust_store|, |crl_trust_store| and |verification_time|
// lets the caller choose the anchors and the clock the verdict is based on, so
// a success here proves nothing about a real device; keep this unreachable
// from production code. Unlike the production overload there is no
// revocation flag — revocation handling is selected through |crl_policy|
// instead. The trust-store pointers are raw and presumably stay owned by the
// caller for the duration of the call — confirm against the .cc.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const ::cast::channel::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time,
    bool enforce_sha256_checking = false);
102 
103 }  // namespace cast
104 }  // namespace openscreen
105 
106 #endif  // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_