// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/cast_channel/cast_auth_util.h" #include #include "base/feature_list.h" #include "base/logging.h" #include "base/macros.h" #include "base/memory/singleton.h" #include "base/metrics/histogram_macros.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "components/cast_certificate/cast_cert_validator.h" #include "components/cast_certificate/cast_crl.h" #include "components/cast_channel/cast_channel_enum.h" #include "components/cast_channel/cast_message_util.h" #include "crypto/random.h" #include "net/cert/internal/signature_algorithm.h" #include "net/cert/x509_certificate.h" #include "net/cert/x509_util.h" #include "net/der/parse_values.h" namespace cast_channel { namespace { const char kParseErrorPrefix[] = "Failed to parse auth message: "; // The maximum number of days a cert can live for. const int kMaxSelfSignedCertLifetimeInDays = 4; // The size of the nonce challenge in bytes. const int kNonceSizeInBytes = 16; // The number of hours after which a nonce is regenerated. long kNonceExpirationTimeInHours = 24; // Enforce certificate revocation when enabled. // If disabled, any revocation failures are ignored. // // This flags only controls the enforcement. Revocation is checked regardless. // // This flag tracks the changes necessary to fully enforce revocation. const base::Feature kEnforceRevocationChecking{ "CastCertificateRevocation", base::FEATURE_DISABLED_BY_DEFAULT}; // Enforce nonce checking when enabled. // If disabled, the nonce value returned from the device is not checked against // the one sent to the device. As a result, the nonce can be empty and omitted // from the signature. This allows backwards compatibility with legacy Cast // receivers. const base::Feature kEnforceNonceChecking{"CastNonceEnforced", base::FEATURE_DISABLED_BY_DEFAULT}; // Enforce the use of SHA256 digest for signatures. // If disabled, the device may respond with a signature with SHA1 digest even // though a signature with SHA256 digest was requested in the challenge. This // allows for backwards compatibility with legacy Cast receivers. const base::Feature kEnforceSHA256Checking{"CastSHA256Enforced", base::FEATURE_DISABLED_BY_DEFAULT}; namespace cast_crypto = ::cast_certificate; // Extracts an embedded DeviceAuthMessage payload from an auth challenge reply // message. AuthResult ParseAuthMessage(const CastMessage& challenge_reply, DeviceAuthMessage* auth_message) { if (challenge_reply.payload_type() != CastMessage_PayloadType_BINARY) { return AuthResult::CreateWithParseError( "Wrong payload type in challenge reply", AuthResult::ERROR_WRONG_PAYLOAD_TYPE); } if (!challenge_reply.has_payload_binary()) { return AuthResult::CreateWithParseError( "Payload type is binary but payload_binary field not set", AuthResult::ERROR_NO_PAYLOAD); } if (!auth_message->ParseFromString(challenge_reply.payload_binary())) { return AuthResult::CreateWithParseError( "Cannot parse binary payload into DeviceAuthMessage", AuthResult::ERROR_PAYLOAD_PARSING_FAILED); } VLOG(1) << "Auth message: " << AuthMessageToString(*auth_message); if (auth_message->has_error()) { return AuthResult::CreateWithParseError( "Auth message error: " + base::IntToString(auth_message->error().error_type()), AuthResult::ERROR_MESSAGE_ERROR); } if (!auth_message->has_response()) { return AuthResult::CreateWithParseError( "Auth message has no response field", AuthResult::ERROR_NO_RESPONSE); } return AuthResult(); } class CastNonce { public: static CastNonce* GetInstance() { return base::Singleton>::get(); } static const std::string& Get() { GetInstance()->EnsureNonceTimely(); return GetInstance()->nonce_; } private: friend struct base::DefaultSingletonTraits; CastNonce() { GenerateNonce(); } void GenerateNonce() { // Create a cryptographically secure nonce. crypto::RandBytes(base::WriteInto(&nonce_, kNonceSizeInBytes + 1), kNonceSizeInBytes); nonce_generation_time_ = base::Time::Now(); } void EnsureNonceTimely() { if (base::Time::Now() > (nonce_generation_time_ + base::TimeDelta::FromHours(kNonceExpirationTimeInHours))) { GenerateNonce(); } } // The nonce challenge to send to the Cast receiver. // The nonce is updated daily. std::string nonce_; base::Time nonce_generation_time_; }; // Must match with histogram enum CastCertificateStatus. // This should never be reordered. enum CertVerificationStatus { CERT_STATUS_OK, CERT_STATUS_INVALID_CRL, CERT_STATUS_VERIFICATION_FAILED, CERT_STATUS_REVOKED, CERT_STATUS_MISSING_CRL, CERT_STATUS_PARSE_FAILED, CERT_STATUS_DATE_INVALID, CERT_STATUS_RESTRICTIONS_FAILED, CERT_STATUS_MISSING_CERTS, CERT_STATUS_UNEXPECTED_FAILED, CERT_STATUS_COUNT, }; // Must match with histogram enum CastNonce. // This should never be reordered. enum NonceVerificationStatus { NONCE_MATCH, NONCE_MISMATCH, NONCE_MISSING, NONCE_COUNT, }; // Must match with the histogram enum CastSignature. // This should never be reordered. enum SignatureStatus { SIGNATURE_OK, SIGNATURE_EMPTY, SIGNATURE_VERIFY_FAILED, SIGNATURE_ALGORITHM_UNSUPPORTED, SIGNATURE_COUNT, }; // Record certificate verification histogram events. void RecordCertificateEvent(CertVerificationStatus event) { UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Certificate", event, CERT_STATUS_COUNT); } // Record nonce verification histogram events. void RecordNonceEvent(NonceVerificationStatus event) { UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Nonce", event, NONCE_COUNT); } // Record signature verification histogram events. void RecordSignatureEvent(SignatureStatus event) { UMA_HISTOGRAM_ENUMERATION("Cast.Channel.Signature", event, SIGNATURE_COUNT); } // Maps CastCertError to AuthResult. // If crl_required is set to false, all revocation related errors are ignored. AuthResult MapToAuthResult(cast_certificate::CastCertError error, bool crl_required) { switch (error) { case cast_certificate::CastCertError::ERR_CERTS_MISSING: RecordCertificateEvent(CERT_STATUS_MISSING_CERTS); return AuthResult("Failed to locate certificates.", AuthResult::ERROR_PEER_CERT_EMPTY); case cast_certificate::CastCertError::ERR_CERTS_PARSE: RecordCertificateEvent(CERT_STATUS_PARSE_FAILED); return AuthResult("Failed to parse certificates.", AuthResult::ERROR_CERT_PARSING_FAILED); case cast_certificate::CastCertError::ERR_CERTS_DATE_INVALID: RecordCertificateEvent(CERT_STATUS_DATE_INVALID); return AuthResult("Failed date validity check.", AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); case cast_certificate::CastCertError::ERR_CERTS_VERIFY_GENERIC: RecordCertificateEvent(CERT_STATUS_VERIFICATION_FAILED); return AuthResult("Failed with a generic certificate verification error.", AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); case cast_certificate::CastCertError::ERR_CERTS_RESTRICTIONS: RecordCertificateEvent(CERT_STATUS_RESTRICTIONS_FAILED); return AuthResult("Failed certificate restrictions.", AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); case cast_certificate::CastCertError::ERR_CRL_INVALID: // Histogram events are recorded during CRL verification. // This error is only encountered if |crl_required| is true. DCHECK(crl_required); return AuthResult("Failed to provide a valid CRL.", AuthResult::ERROR_CRL_INVALID); case cast_certificate::CastCertError::ERR_CERTS_REVOKED: RecordCertificateEvent(CERT_STATUS_REVOKED); // Revocation check is the last step of Cast certificate verification. // If this error is encountered, the rest of certificate verification has // succeeded. if (!crl_required) return AuthResult(); return AuthResult("Failed certificate revocation check.", AuthResult::ERROR_CERT_REVOKED); case cast_certificate::CastCertError::ERR_UNEXPECTED: RecordCertificateEvent(CERT_STATUS_UNEXPECTED_FAILED); return AuthResult("Failed verifying cast device certificate.", AuthResult::ERROR_CERT_NOT_SIGNED_BY_TRUSTED_CA); case cast_certificate::CastCertError::OK: return AuthResult(); } return AuthResult(); } } // namespace AuthResult::AuthResult() : error_type(ERROR_NONE), channel_policies(POLICY_NONE) {} AuthResult::AuthResult(const std::string& error_message, ErrorType error_type) : error_message(error_message), error_type(error_type) {} AuthResult::~AuthResult() {} // static AuthResult AuthResult::CreateWithParseError(const std::string& error_message, ErrorType error_type) { return AuthResult(kParseErrorPrefix + error_message, error_type); } // static AuthContext AuthContext::Create() { return AuthContext(CastNonce::Get()); } AuthContext::AuthContext(const std::string& nonce) : nonce_(nonce) {} AuthContext::~AuthContext() {} AuthResult AuthContext::VerifySenderNonce( const std::string& nonce_response) const { if (nonce_ != nonce_response) { if (nonce_response.empty()) { RecordNonceEvent(NONCE_MISSING); } else { RecordNonceEvent(NONCE_MISMATCH); } if (base::FeatureList::IsEnabled(kEnforceNonceChecking)) { return AuthResult("Sender nonce mismatched.", AuthResult::ERROR_SENDER_NONCE_MISMATCH); } } else { RecordNonceEvent(NONCE_MATCH); } return AuthResult(); } AuthResult VerifyAndMapDigestAlgorithm(HashAlgorithm response_digest_algorithm, net::DigestAlgorithm* digest_algorithm) { switch (response_digest_algorithm) { case SHA1: RecordSignatureEvent(SIGNATURE_ALGORITHM_UNSUPPORTED); *digest_algorithm = net::DigestAlgorithm::Sha1; if (base::FeatureList::IsEnabled(kEnforceSHA256Checking)) { return AuthResult("Unsupported digest algorithm.", AuthResult::ERROR_DIGEST_UNSUPPORTED); } break; case SHA256: *digest_algorithm = net::DigestAlgorithm::Sha256; break; } return AuthResult(); } // Verifies the peer certificate and populates |peer_cert_der| with the DER // encoded certificate. AuthResult VerifyTLSCertificate(const net::X509Certificate& peer_cert, std::string* peer_cert_der, const base::Time& verification_time) { // Get the DER-encoded form of the certificate. *peer_cert_der = std::string( net::x509_util::CryptoBufferAsStringPiece(peer_cert.cert_buffer())); // Ensure the peer cert is valid and doesn't have an excessive remaining // lifetime. Although it is not verified as an X.509 certificate, the entire // structure is signed by the AuthResponse, so the validity field from X.509 // is repurposed as this signature's expiration. base::Time expiry = peer_cert.valid_expiry(); base::Time lifetime_limit = verification_time + base::TimeDelta::FromDays(kMaxSelfSignedCertLifetimeInDays); if (peer_cert.valid_start().is_null() || peer_cert.valid_start() > verification_time) { return AuthResult::CreateWithParseError( "Certificate's valid start date is in the future.", AuthResult::ERROR_TLS_CERT_VALID_START_DATE_IN_FUTURE); } if (expiry.is_null() || peer_cert.valid_expiry() < verification_time) { return AuthResult::CreateWithParseError("Certificate has expired.", AuthResult::ERROR_TLS_CERT_EXPIRED); } if (expiry > lifetime_limit) { return AuthResult::CreateWithParseError( "Peer cert lifetime is too long.", AuthResult::ERROR_TLS_CERT_VALIDITY_PERIOD_TOO_LONG); } return AuthResult(); } AuthResult AuthenticateChallengeReply(const CastMessage& challenge_reply, const net::X509Certificate& peer_cert, const AuthContext& auth_context) { DeviceAuthMessage auth_message; AuthResult result = ParseAuthMessage(challenge_reply, &auth_message); if (!result.success()) { return result; } std::string peer_cert_der; result = VerifyTLSCertificate(peer_cert, &peer_cert_der, base::Time::Now()); if (!result.success()) { return result; } const AuthResponse& response = auth_message.response(); const std::string& nonce_response = response.sender_nonce(); result = auth_context.VerifySenderNonce(nonce_response); if (!result.success()) { return result; } return VerifyCredentials(response, nonce_response + peer_cert_der); } // This function does the following // // * Verifies that the certificate chain |response.client_auth_certificate| + // |response.intermediate_certificate| is valid and chains to a trusted // Cast root. The list of trusted Cast roots can be overrided by providing a // non-nullptr |cast_trust_store|. The certificate is verified at // |verification_time|. // // * Verifies that none of the certificates in the chain are revoked based on // the CRL provided in the response |response.crl|. The CRL is verified to be // valid and its issuer certificate chains to a trusted Cast CRL root. The // list of trusted Cast CRL roots can be overrided by providing a non-nullptr // |crl_trust_store|. If |crl_policy| is CRL_OPTIONAL then the result of // revocation checking is ignored. The CRL is verified at // |verification_time|. // // * Verifies that |response.signature| matches the signature // of |signature_input| by |response.client_auth_certificate|'s public // key. AuthResult VerifyCredentialsImpl(const AuthResponse& response, const std::string& signature_input, const cast_crypto::CRLPolicy& crl_policy, net::TrustStore* cast_trust_store, net::TrustStore* crl_trust_store, const base::Time& verification_time) { // Verify the certificate std::unique_ptr verification_context; // Build a single vector containing the certificate chain. std::vector cert_chain; cert_chain.push_back(response.client_auth_certificate()); cert_chain.insert(cert_chain.end(), response.intermediate_certificate().begin(), response.intermediate_certificate().end()); // Parse the CRL. std::unique_ptr crl; if (response.crl().empty()) { RecordCertificateEvent(CERT_STATUS_MISSING_CRL); } else { crl = cast_crypto::ParseAndVerifyCRLUsingCustomTrustStore( response.crl(), verification_time, crl_trust_store); if (!crl) { RecordCertificateEvent(CERT_STATUS_INVALID_CRL); } } // Perform certificate verification. cast_crypto::CastDeviceCertPolicy device_policy; cast_crypto::CastCertError verify_result = cast_crypto::VerifyDeviceCertUsingCustomTrustStore( cert_chain, verification_time, &verification_context, &device_policy, crl.get(), crl_policy, cast_trust_store); // Handle and report errors. AuthResult result = MapToAuthResult( verify_result, crl_policy == cast_crypto::CRLPolicy::CRL_REQUIRED); if (!result.success()) return result; // The certificate is verified at this point. RecordCertificateEvent(CERT_STATUS_OK); if (response.signature().empty() && !signature_input.empty()) { RecordSignatureEvent(SIGNATURE_EMPTY); return AuthResult("Signature is empty.", AuthResult::ERROR_SIGNATURE_EMPTY); } net::DigestAlgorithm digest_algorithm; AuthResult digest_result = VerifyAndMapDigestAlgorithm(response.hash_algorithm(), &digest_algorithm); if (!digest_result.success()) return digest_result; if (!verification_context->VerifySignatureOverData( response.signature(), signature_input, digest_algorithm)) { RecordSignatureEvent(SIGNATURE_VERIFY_FAILED); return AuthResult("Failed verifying signature over data.", AuthResult::ERROR_SIGNED_BLOBS_MISMATCH); } RecordSignatureEvent(SIGNATURE_OK); AuthResult success; // Set the policy into the result. switch (device_policy) { case cast_crypto::CastDeviceCertPolicy::AUDIO_ONLY: success.channel_policies = AuthResult::POLICY_AUDIO_ONLY; break; case cast_crypto::CastDeviceCertPolicy::NONE: success.channel_policies = AuthResult::POLICY_NONE; break; } return success; } AuthResult VerifyCredentials(const AuthResponse& response, const std::string& signature_input) { base::Time now = base::Time::Now(); cast_crypto::CRLPolicy policy = cast_crypto::CRLPolicy::CRL_REQUIRED; if (!base::FeatureList::IsEnabled(kEnforceRevocationChecking)) { policy = cast_crypto::CRLPolicy::CRL_OPTIONAL; } return VerifyCredentialsImpl(response, signature_input, policy, nullptr, nullptr, now); } AuthResult VerifyCredentialsForTest(const AuthResponse& response, const std::string& signature_input, const cast_crypto::CRLPolicy& crl_policy, net::TrustStore* cast_trust_store, net::TrustStore* crl_trust_store, const base::Time& verification_time) { return VerifyCredentialsImpl(response, signature_input, crl_policy, cast_trust_store, crl_trust_store, verification_time); } } // namespace cast_channel