cast/common/certificate/cast_cert_validator.h - platform/external/openscreen - Git at Google

 // Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_
 #define CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_

 #include <memory>
 #include <string>
 #include <vector>

 #include "cast/common/certificate/types.h"
 #include "platform/base/error.h"
 #include "platform/base/macros.h"

 namespace openscreen {
 namespace cast {

 class CastCRL;

 // Describes the policy for a Device certificate.
 enum class CastDeviceCertPolicy {
   // The device certificate is unrestricted.
   kUnrestricted,

   // The device certificate is for an audio-only device.
   kAudioOnly,
 };

 enum class CRLPolicy {
   // Revocation is only checked if a CRL is provided.
   kCrlOptional,

   // Revocation is always checked. A missing CRL results in failure.
   kCrlRequired,
 };

 enum class DigestAlgorithm {
   kSha1,
   kSha256,
   kSha384,
   kSha512,
 };

 struct TrustStore;

 // An object of this type is returned by the VerifyDeviceCert function, and can
 // be used for additional certificate-related operations, using the verified
 // certificate.
 class CertVerificationContext {
  public:
   CertVerificationContext() = default;
   virtual ~CertVerificationContext() = default;

   // Use the public key from the verified certificate to verify a
   // |digest_algorithm|WithRSAEncryption |signature| over arbitrary |data|.
   // Both |signature| and |data| hold raw binary data. Returns true if the
   // signature was correct.
   virtual bool VerifySignatureOverData(
       const ConstDataSpan& signature,
       const ConstDataSpan& data,
       DigestAlgorithm digest_algorithm) const = 0;

   // Retrieve the Common Name attribute of the subject's distinguished name from
   // the verified certificate, if present.  Returns an empty string if no Common
   // Name is found.
   virtual const std::string& GetCommonName() const = 0;

  private:
   OSP_DISALLOW_COPY_AND_ASSIGN(CertVerificationContext);
 };

 // Verifies a cast device certificate given a chain of DER-encoded certificates.
 //
 // Inputs:
 //
 // * |der_certs| is a chain of DER-encoded certificates:
 //   * |der_certs[0]| is the target certificate (i.e. the device certificate).
 //   * |der_certs[1..n-1]| are intermediates certificates to use in path
 //     building.  Their ordering does not matter.
 //
 // * |time| is the timestamp to use for determining if the certificate is
 //   expired.
 //
 // * |crl| is the CRL to check for certificate revocation status.
 //   If this is a nullptr, then revocation checking is currently disabled.
 //
 // * |crl_policy| is for choosing how to handle the absence of a CRL.
 //   If CRL_REQUIRED is passed, then an empty |crl| input would result
 //   in a failed verification. Otherwise, |crl| is ignored if it is absent.
 //
 // * |trust_store| is an optional set of trusted certificates that may act as
 //   root CAs during chain verification.  If this is nullptr, the built-in Cast
 //   root certificates will be used.
 //
 // Outputs:
 //
 // Returns Error::Code::kNone on success.  Otherwise, the corresponding
 // Error::Code.  On success, the output parameters are filled with more details:
 //
 //   * |context| is filled with an object that can be used to verify signatures
 //     using the device certificate's public key, as well as to extract other
 //     properties from the device certificate (Common Name).
 //   * |policy| is filled with an indication of the device certificate's policy
 //     (i.e. is it for audio-only devices or is it unrestricted?)
 [[nodiscard]] Error VerifyDeviceCert(
     const std::vector<std::string>& der_certs,
     const DateTime& time,
     std::unique_ptr<CertVerificationContext>* context,
     CastDeviceCertPolicy* policy,
     const CastCRL* crl,
     CRLPolicy crl_policy,
     TrustStore* trust_store = nullptr);

 }  // namespace cast
 }  // namespace openscreen

 #endif  // CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_
	// Copyright 2019 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_
	#define CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_

	#include <memory>
	#include <string>
	#include <vector>

	#include "cast/common/certificate/types.h"
	#include "platform/base/error.h"
	#include "platform/base/macros.h"

	namespace openscreen {
	namespace cast {

	class CastCRL;

	// Describes the policy for a Device certificate.
	enum class CastDeviceCertPolicy {
	// The device certificate is unrestricted.
	kUnrestricted,

	// The device certificate is for an audio-only device.
	kAudioOnly,
	};

	enum class CRLPolicy {
	// Revocation is only checked if a CRL is provided.
	kCrlOptional,

	// Revocation is always checked. A missing CRL results in failure.
	kCrlRequired,
	};

	enum class DigestAlgorithm {
	kSha1,
	kSha256,
	kSha384,
	kSha512,
	};

	struct TrustStore;

	// An object of this type is returned by the VerifyDeviceCert function, and can
	// be used for additional certificate-related operations, using the verified
	// certificate.
	class CertVerificationContext {
	public:
	CertVerificationContext() = default;
	virtual ~CertVerificationContext() = default;

	// Use the public key from the verified certificate to verify a
	// \|digest_algorithm\|WithRSAEncryption \|signature\| over arbitrary \|data\|.
	// Both \|signature\| and \|data\| hold raw binary data. Returns true if the
	// signature was correct.
	virtual bool VerifySignatureOverData(
	const ConstDataSpan& signature,
	const ConstDataSpan& data,
	DigestAlgorithm digest_algorithm) const = 0;

	// Retrieve the Common Name attribute of the subject's distinguished name from
	// the verified certificate, if present. Returns an empty string if no Common
	// Name is found.
	virtual const std::string& GetCommonName() const = 0;

	private:
	OSP_DISALLOW_COPY_AND_ASSIGN(CertVerificationContext);
	};

	// Verifies a cast device certificate given a chain of DER-encoded certificates.
	//
	// Inputs:
	//
	// * \|der_certs\| is a chain of DER-encoded certificates:
	// * \|der_certs[0]\| is the target certificate (i.e. the device certificate).
	// * \|der_certs[1..n-1]\| are intermediates certificates to use in path
	// building. Their ordering does not matter.
	//
	// * \|time\| is the timestamp to use for determining if the certificate is
	// expired.
	//
	// * \|crl\| is the CRL to check for certificate revocation status.
	// If this is a nullptr, then revocation checking is currently disabled.
	//
	// * \|crl_policy\| is for choosing how to handle the absence of a CRL.
	// If CRL_REQUIRED is passed, then an empty \|crl\| input would result
	// in a failed verification. Otherwise, \|crl\| is ignored if it is absent.
	//
	// * \|trust_store\| is an optional set of trusted certificates that may act as
	// root CAs during chain verification. If this is nullptr, the built-in Cast
	// root certificates will be used.
	//
	// Outputs:
	//
	// Returns Error::Code::kNone on success. Otherwise, the corresponding
	// Error::Code. On success, the output parameters are filled with more details:
	//
	// * \|context\| is filled with an object that can be used to verify signatures
	// using the device certificate's public key, as well as to extract other
	// properties from the device certificate (Common Name).
	// * \|policy\| is filled with an indication of the device certificate's policy
	// (i.e. is it for audio-only devices or is it unrestricted?)
	[[nodiscard]] Error VerifyDeviceCert(
	const std::vector<std::string>& der_certs,
	const DateTime& time,
	std::unique_ptr<CertVerificationContext>* context,
	CastDeviceCertPolicy* policy,
	const CastCRL* crl,
	CRLPolicy crl_policy,
	TrustStore* trust_store = nullptr);

	} // namespace cast
	} // namespace openscreen

	#endif // CAST_COMMON_CERTIFICATE_CAST_CERT_VALIDATOR_H_