cast_auth_util.h | Explore in Territory

// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
#define CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_

#include <chrono>
#include <string>
#include <vector>

#include "cast/common/certificate/cast_cert_validator.h"
#include "platform/base/error.h"

namespace openscreen::cast {
namespace proto {
class AuthResponse;
class CastMessage;
}  // namespace proto

enum class CRLPolicy;
struct DateTime;
class TrustStore;
class ParsedCertificate;

class AuthContext { … };

// Authenticates the given |challenge_reply|:
// 1. Signature contained in the reply is valid.
// 2. certificate used to sign is rooted to a trusted CA.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReply(
    const proto::CastMessage& challenge_reply,
    const ParsedCertificate& peer_cert,
    const AuthContext& auth_context,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store);

// Exposed for testing only.
//
// Overloaded version of AuthenticateChallengeReply that allows modifying the
// crl policy and verification times.
ErrorOr<CastDeviceCertPolicy> AuthenticateChallengeReplyForTest(
    const proto::CastMessage& challenge_reply,
    const ParsedCertificate& peer_cert,
    const AuthContext& auth_context,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time);

// Performs a quick check of the TLS certificate for time validity requirements.
Error VerifyTLSCertificateValidity(const ParsedCertificate& peer_cert,
                                   std::chrono::seconds verification_time);

// Auth-library specific implementation of cryptographic signature verification
// routines. Verifies that |response| contains a valid signature of
// |signature_input|.
ErrorOr<CastDeviceCertPolicy> VerifyCredentials(
    const proto::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    bool enforce_revocation_checking = false,
    bool enforce_sha256_checking = false);

// Exposed for testing only.
//
// Overloaded version of VerifyCredentials that allows modifying the crl policy
// and verification times.
ErrorOr<CastDeviceCertPolicy> VerifyCredentialsForTest(
    const proto::AuthResponse& response,
    const std::vector<uint8_t>& signature_input,
    CRLPolicy crl_policy,
    TrustStore* cast_trust_store,
    TrustStore* crl_trust_store,
    const DateTime& verification_time,
    bool enforce_sha256_checking = false);

}  // namespace openscreen::cast

#endif  // CAST_SENDER_CHANNEL_CAST_AUTH_UTIL_H_
chromium/third_party/openscreen/src/cast/sender/channel/cast_auth_util.h
