chromium/components/media_router/common/providers/cast/certificate/net_trust_store.cc

// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40285824): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif

#include "components/media_router/common/providers/cast/certificate/net_trust_store.h"

#include <string_view>

#include "base/check.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/logging.h"
#include "base/notreached.h"
#include "components/media_router/common/providers/cast/certificate/net_parsed_certificate.h"
#include "net/cert/x509_util.h"
#include "third_party/boringssl/src/pki/cert_issuer_source_static.h"
#include "third_party/boringssl/src/pki/common_cert_errors.h"
#include "third_party/boringssl/src/pki/parsed_certificate.h"
#include "third_party/boringssl/src/pki/path_builder.h"
#include "third_party/boringssl/src/pki/pem.h"
#include "third_party/boringssl/src/pki/simple_path_builder_delegate.h"
#include "third_party/openscreen/src/cast/common/public/trust_store.h"

namespace {

// -------------------------------------------------------------------------
// Cast trust anchors.
// -------------------------------------------------------------------------

// There are two trusted roots for Cast certificate chains:
//
//   (1) CN=Cast Root CA    (kCastRootCaDer)
//   (2) CN=Eureka Root CA  (kEurekaRootCaDer)
//
// These constants are defined by the files included next:

#include "components/media_router/common/providers/cast/certificate/cast_root_ca_cert_der-inc.h"
#include "components/media_router/common/providers/cast/certificate/eureka_root_ca_der-inc.h"

// -------------------------------------------------------------------------
// Cast CRL trust anchors.
// -------------------------------------------------------------------------

// There is one trusted root for Cast CRL certificate chains:
//
//   (1) CN=Cast CRL Root CA    (kCastCRLRootCaDer)
//
// This constant is defined by the file included next:

#include "components/media_router/common/providers/cast/certificate/cast_crl_root_ca_cert_der-inc.h"

}  // namespace

namespace openscreen::cast {

// static
// Test-only factory (per its name) that takes a single trust anchor as raw
// bytes; the parameter name indicates DER encoding.
//
// NOTE(review): the body is empty in this listing, so nothing is returned
// from a function declared to return a std::unique_ptr. The implementation
// appears to be elided; confirm against the full file.
// NOTE(review): presumably the returned store trusts whatever anchor the
// caller supplies instead of the embedded Cast roots, so this entry point
// should stay out of production call paths -- verify how callers are limited.
std::unique_ptr<openscreen::cast::TrustStore> TrustStore::CreateInstanceForTest(
    const std::vector<uint8_t>& trust_anchor_der) {}

// static
// Factory that takes the path of a PEM file (per its name); presumably the
// certificates in that file become the store's trust anchors -- TODO confirm.
//
// NOTE(review): the body is empty in this listing, so nothing is returned
// from a function declared to return a std::unique_ptr. The implementation
// appears to be elided; confirm against the full file.
// NOTE(review): if the file does supply the anchors, whoever can write to
// `file_path` decides what the store trusts. Check where callers obtain the
// path and that an unreadable or malformed file is handled explicitly.
std::unique_ptr<openscreen::cast::TrustStore>
TrustStore::CreateInstanceFromPemFile(std::string_view file_path) {}

// static
// Factory for the trust store used for Cast certificate chains.
//
// NOTE(review): presumably populated from the two roots included at the top
// of this file (kCastRootCaDer and kEurekaRootCaDer) -- confirm; the body is
// empty in this listing and returns nothing.
std::unique_ptr<openscreen::cast::TrustStore> CastTrustStore::Create() {}

// static
// Factory for the trust store used for Cast CRL certificate chains. It is a
// separate factory from CastTrustStore::Create(), matching the separate
// "Cast CRL trust anchors" section at the top of this file.
//
// NOTE(review): presumably populated from kCastCRLRootCaDer only -- confirm;
// the body is empty in this listing and returns nothing.
std::unique_ptr<openscreen::cast::TrustStore> CastCRLTrustStore::Create() {}

}  // namespace openscreen::cast

namespace cast_certificate {
namespace {

// Path-building policy for Cast certificate chains.
//
// Cast certificates rely on RSASSA-PKCS#1 v1.5 with SHA-1 for signatures, so
// this delegate is documented as allowing signature algorithms of:
//
//   * ECDSA, RSA-SSA, and RSA-PSS
//   * Supported EC curves: P-256, P-384, P-521.
//   * Hashes: All SHA hashes including SHA-1 (despite being known weak).
//
// It is also documented as requiring RSA keys to have a modulus at least
// 2048 bits long.
//
// NOTE(review): the class body is empty in this listing, so none of the
// policy above is visible here. Confirm in the full file how the SHA-1
// allowance and the 2048-bit minimum are passed to
// bssl::SimplePathBuilderDelegate.
// NOTE(review): the SHA-1 allowance is a compatibility concession for Cast
// chains; this delegate should not be reused for other certificate
// verification.
class CastPathBuilderDelegate : public bssl::SimplePathBuilderDelegate {};

// Maps a failed path-building result to an openscreen::Error::Code. (The
// original comment calls the result a CastCertError; the declared return
// type is openscreen::Error::Code.)
//
// Precondition: this function must only be called if path building failed.
//
// NOTE(review): the body is empty in this listing, so the mapping itself and
// any check of the precondition cannot be reviewed here; confirm against the
// full file.
openscreen::Error::Code MapToCastError(
    const bssl::CertPathBuilder::Result& result) {}

}  // namespace

// Compiler-generated default constructor: this file defines no custom setup
// for the trust store.
NetTrustStore::NetTrustStore() = default;

// Compiler-generated destructor: this file defines no custom teardown.
NetTrustStore::~NetTrustStore() = default;

// Adds one trust anchor, given as a read-only span of raw bytes.
//
// NOTE(review): presumably `data` is a DER-encoded certificate, as with the
// other entry points in this file -- confirm.
// NOTE(review): the body is empty in this listing. In the full file, check
// what happens when `data` does not parse: silently skipping the anchor and
// aborting are different failure modes for a trust store.
void NetTrustStore::AddAnchor(base::span<const uint8_t> data) {}

// Searches for a certificate path for the certificates in `der_certs`.
// Returns an openscreen::ErrorOr, i.e. either a CertificatePathResult or an
// error.
//
// NOTE(review): presumably `der_certs` holds DER-encoded certificates with
// the target certificate first and intermediates after it, and `time` is the
// instant at which validity is checked -- confirm against the header.
// NOTE(review): the body is empty in this listing, so nothing is returned and
// the handling of an empty `der_certs` or an unparsable entry cannot be
// reviewed here; confirm against the full file.
openscreen::ErrorOr<NetTrustStore::CertificatePathResult>
NetTrustStore::FindCertificatePath(const std::vector<std::string>& der_certs,
                                   const openscreen::cast::DateTime& time) {}

}  // namespace cast_certificate