blob: ecf9f013c2b41f8471c6e0a0897c4cbb94b4528c [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <memory>
#include <string>
#include <vector>
#include "base/compiler_specific.h"
#include "base/macros.h"
#include "base/strings/string_piece.h"
#include "base/time/time.h"
namespace net {
class TrustStore;
enum class DigestAlgorithm;
namespace cast_certificate {
class CastCRL;
// Describes the policy for a Device certificate.
enum class CastDeviceCertPolicy {
// The device certificate is unrestricted.
// The device certificate is for an audio-only device.
enum class CRLPolicy {
// Revocation is only checked if a CRL is provided.
// Revocation is always checked. A missing CRL results in failure.
enum class CastCertError {
// Certificates were not provided for verification.
// The certificates provided could not be parsed.
// Key usage is missing or is not set to Digital Signature.
// This error could also be thrown if the CN is missing.
// The current date is before the notBefore date or after the notAfter date.
// The certificate failed to chain to a trusted root.
// The CRL is missing or failed to verify.
// One of the certificates in the chain is revoked.
// An internal coding error.
// An object of this type is returned by the VerifyDeviceCert function, and can
// be used for additional certificate-related operations, using the verified
// certificate.
class CertVerificationContext {
CertVerificationContext() {}
virtual ~CertVerificationContext() {}
// Use the public key from the verified certificate to verify a
// |digest_algorithm|WithRSAEncryption |signature| over arbitrary |data|.
// Both |signature| and |data| hold raw binary data. Returns true if the
// signature was correct.
virtual bool VerifySignatureOverData(
const base::StringPiece& signature,
const base::StringPiece& data,
net::DigestAlgorithm digest_algorithm) const = 0;
// Retrieve the Common Name attribute of the subject's distinguished name from
// the verified certificate, if present. Returns an empty string if no Common
// Name is found.
virtual std::string GetCommonName() const = 0;
// Verifies a cast device certficate given a chain of DER-encoded certificates,
// using the built-in Cast trust anchors.
// Inputs:
// * |certs| is a chain of DER-encoded certificates:
// * |certs[0]| is the target certificate (i.e. the device certificate).
// * |certs[1..n-1]| are intermediates certificates to use in path building.
// Their ordering does not matter.
// * |time| is the unix timestamp to use for determining if the certificate
// is expired.
// * |crl| is the CRL to check for certificate revocation status.
// If this is a nullptr, then revocation checking is currently disabled.
// * |crl_policy| is for choosing how to handle the absence of a CRL.
// If CRL_REQUIRED is passed, then an empty |crl| input would result
// in a failed verification. Otherwise, |crl| is ignored if it is absent.
// Outputs:
// Returns CastCertError::OK on success. Otherwise, the corresponding
// CastCertError. On success, the output parameters are filled with more
// details:
// * |context| is filled with an object that can be used to verify signatures
// using the device certificate's public key, as well as to extract other
// properties from the device certificate (Common Name).
// * |policy| is filled with an indication of the device certificate's policy
// (i.e. is it for audio-only devices or is it unrestricted?)
CastCertError VerifyDeviceCert(
const std::vector<std::string>& certs,
const base::Time& time,
std::unique_ptr<CertVerificationContext>* context,
CastDeviceCertPolicy* policy,
const CastCRL* crl,
CRLPolicy crl_policy) WARN_UNUSED_RESULT;
// This is an overloaded version of VerifyDeviceCert that allows
// the input of a custom TrustStore.
// For production use pass |trust_store| as nullptr to use the production trust
// store.
CastCertError VerifyDeviceCertUsingCustomTrustStore(
const std::vector<std::string>& certs,
const base::Time& time,
std::unique_ptr<CertVerificationContext>* context,
CastDeviceCertPolicy* policy,
const CastCRL* crl,
CRLPolicy crl_policy,
net::TrustStore* trust_store) WARN_UNUSED_RESULT;
// Exposed only for unit-tests, not for use in production code.
// Production code would get a context from VerifyDeviceCert().
// Constructs a VerificationContext that uses the provided public key.
// The common name will be hardcoded to some test value.
std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
const base::StringPiece& spki);
// Returns a string status messages for the CastCertError provided.
std::string CastCertErrorToString(CastCertError error);
} // namespace cast_certificate