chromium/components/media_router/common/providers/cast/certificate/cast_cert_validator.h

// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_MEDIA_ROUTER_COMMON_PROVIDERS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_
#define COMPONENTS_MEDIA_ROUTER_COMMON_PROVIDERS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_

#include <atomic>
#include <memory>
#include <string>
#include <string_view>
#include <vector>

#include "base/files/file_path.h"
#include "base/time/time.h"

namespace bssl {
class TrustStore;
enum class DigestAlgorithm;
}  // namespace bssl
namespace cast_certificate {

class CastCRL;

// Describes the policy for a Device certificate, as reported through the
// |policy| output parameter of VerifyDeviceCert below (e.g. whether the
// certificate is for audio-only devices or is unrestricted).
// NOTE(review): the enumerators are not visible in this view of the header.
enum class CastDeviceCertPolicy {};

// Selects how VerifyDeviceCert treats a missing (nullptr) |crl| input. The
// VerifyDeviceCert comment below refers to a CRL_REQUIRED value that turns an
// absent CRL into a verification failure instead of silently skipping
// revocation checking.
// NOTE(review): the enumerators are not visible in this view of the header.
enum class CRLPolicy {};

// Result codes returned by VerifyDeviceCert and
// VerifyDeviceCertUsingCustomTrustStore; CastCertError::OK means success (see
// the "Outputs" section of the VerifyDeviceCert comment below).
// CastCertErrorToString converts a value to a printable message.
// NOTE(review): the enumerators are not visible in this view of the header.
enum class CastCertError {};

// The digest algorithms supported with CertVerificationContext.
// NOTE(review): the enumerators, and whether/how they relate to the
// forward-declared bssl::DigestAlgorithm above, are not visible in this view
// of the header.
enum class CastDigestAlgorithm {};

// An object of this type is returned by the VerifyDeviceCert function, and can
// be used for additional certificate-related operations, using the verified
// certificate. Per the VerifyDeviceCert comment below, that covers verifying
// signatures with the device certificate's public key and extracting
// properties such as the Common Name.
// NOTE(review): the class members are not visible in this view of the header.
class CertVerificationContext {};

// These let tests modify the process-wide CastTrustStoreSingleton (add
// anchors or clear it); they are test-only hooks.
void CastTrustStoreAddDefaultCertificatesForTesting();
void CastTrustStoreAddBuiltInCertificatesForTesting();
void CastTrustStoreAddCertificateFromPathForTesting(base::FilePath cert_path);
void CastTrustStoreClearForTesting();

// Verifies a cast device certificate given a chain of DER-encoded certificates,
// using the built-in Cast trust anchors.
//
// Inputs:
//
// * |certs| is a chain of DER-encoded certificates:
//   * |certs[0]| is the target certificate (i.e. the device certificate).
//   * |certs[1..n-1]| are intermediate certificates to use in path building.
//     Their ordering does not matter.
//
// * |time| is the unix timestamp to use for determining if the certificate
//   is expired.
//
// * |crl| is the CRL to check for certificate revocation status.
//   If this is a nullptr, then revocation checking is currently disabled.
//
// * |fallback_crl| is a second CRL accepted by this declaration; its role
//   relative to |crl| is not described in this header.
//
// * |crl_policy| is for choosing how to handle the absence of a CRL.
//   If CRL_REQUIRED is passed, then a nullptr |crl| input would result
//   in a failed verification. Otherwise, |crl| is ignored if it is absent.
//
// Outputs:
//
// Returns CastCertError::OK on success. Otherwise, the corresponding
// CastCertError. On success, the output parameters are filled with more
// details:
//
//   * |context| is filled with an object that can be used to verify signatures
//     using the device certificate's public key, as well as to extract other
//     properties from the device certificate (Common Name).
//   * |policy| is filled with an indication of the device certificate's policy
//     (i.e. is it for audio-only devices or is it unrestricted?)
[[nodiscard]] CastCertError VerifyDeviceCert(
    const std::vector<std::string>& certs,
    const base::Time& time,
    std::unique_ptr<CertVerificationContext>* context,
    CastDeviceCertPolicy* policy,
    const CastCRL* crl,
    const CastCRL* fallback_crl,
    CRLPolicy crl_policy);

// This is an overloaded version of VerifyDeviceCert that allows
// the input of a custom TrustStore.
//
// For production use pass |trust_store| as nullptr to use the production trust
// store.
[[nodiscard]] CastCertError VerifyDeviceCertUsingCustomTrustStore(
    const std::vector<std::string>& certs,
    const base::Time& time,
    std::unique_ptr<CertVerificationContext>* context,
    CastDeviceCertPolicy* policy,
    const CastCRL* crl,
    const CastCRL* fallback_crl,
    CRLPolicy crl_policy,
    bssl::TrustStore* trust_store);

// Returns a human-readable status message for the CastCertError provided.
std::string CastCertErrorToString(CastCertError error);

}  // namespace cast_certificate

#endif  // COMPONENTS_MEDIA_ROUTER_COMMON_PROVIDERS_CAST_CERTIFICATE_CAST_CERT_VALIDATOR_H_