// Copyright 2019 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_ #define CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_ #include #include #include #include "cast/common/certificate/types.h" #include "platform/base/error.h" #include "platform/base/macros.h" namespace openscreen { namespace cast { class CastCRL; // Describes the policy for a Device certificate. enum class CastDeviceCertPolicy { // The device certificate is unrestricted. kUnrestricted, // The device certificate is for an audio-only device. kAudioOnly, }; enum class CRLPolicy { // Revocation is only checked if a CRL is provided. kCrlOptional, // Revocation is always checked. A missing CRL results in failure. kCrlRequired, }; enum class DigestAlgorithm { kSha1, kSha256, kSha384, kSha512, }; struct TrustStore; // An object of this type is returned by the VerifyDeviceCert function, and can // be used for additional certificate-related operations, using the verified // certificate. class CertVerificationContext { public: CertVerificationContext() = default; virtual ~CertVerificationContext() = default; // Use the public key from the verified certificate to verify a // |digest_algorithm|WithRSAEncryption |signature| over arbitrary |data|. // Both |signature| and |data| hold raw binary data. Returns true if the // signature was correct. virtual bool VerifySignatureOverData( const ConstDataSpan& signature, const ConstDataSpan& data, DigestAlgorithm digest_algorithm) const = 0; // Retrieve the Common Name attribute of the subject's distinguished name from // the verified certificate, if present. Returns an empty string if no Common // Name is found. virtual const std::string& GetCommonName() const = 0; private: OSP_DISALLOW_COPY_AND_ASSIGN(CertVerificationContext); }; // Verifies a cast device certificate given a chain of DER-encoded certificates. // // Inputs: // // * |der_certs| is a chain of DER-encoded certificates: // * |der_certs[0]| is the target certificate (i.e. the device certificate). // * |der_certs[1..n-1]| are intermediates certificates to use in path // building. Their ordering does not matter. // // * |time| is the timestamp to use for determining if the certificate is // expired. // // * |crl| is the CRL to check for certificate revocation status. // If this is a nullptr, then revocation checking is currently disabled. // // * |crl_policy| is for choosing how to handle the absence of a CRL. // If CRL_REQUIRED is passed, then an empty |crl| input would result // in a failed verification. Otherwise, |crl| is ignored if it is absent. // // * |trust_store| is an optional set of trusted certificates that may act as // root CAs during chain verification. If this is nullptr, the built-in Cast // root certificates will be used. // // Outputs: // // Returns Error::Code::kNone on success. Otherwise, the corresponding // Error::Code. On success, the output parameters are filled with more details: // // * |context| is filled with an object that can be used to verify signatures // using the device certificate's public key, as well as to extract other // properties from the device certificate (Common Name). // * |policy| is filled with an indication of the device certificate's policy // (i.e. is it for audio-only devices or is it unrestricted?) [[nodiscard]] Error VerifyDeviceCert( const std::vector& der_certs, const DateTime& time, std::unique_ptr* context, CastDeviceCertPolicy* policy, const CastCRL* crl, CRLPolicy crl_policy, TrustStore* trust_store = nullptr); } // namespace cast } // namespace openscreen #endif // CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_