Implement key verification for incoming connection.

Implements the key verification module that to verify remote device
before requesting introduction and beginning the transfer flow.

Bug: 1085068
Change-Id: I4bb75dce474042ef43ca86199db3456d63406874
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2346325
Commit-Queue: Himanshu Jaju <himanshujaju@chromium.org>
Reviewed-by: Alex Chau <alexchau@chromium.org>
Cr-Commit-Position: refs/heads/master@{#797868}

chrome/browser/BUILD.gn

@@ -3393,6 +3393,8 @@ static_library("browser") {
       "nearby_sharing/nearby_sharing_service_impl.h",
       "nearby_sharing/outgoing_share_target_info.cc",
       "nearby_sharing/outgoing_share_target_info.h",
+      "nearby_sharing/paired_key_verification_runner.cc",
+      "nearby_sharing/paired_key_verification_runner.h",
       "nearby_sharing/share_target.cc",
       "nearby_sharing/share_target.h",
       "nearby_sharing/share_target_discovered_callback.h",

chrome/browser/nearby_sharing/certificates/common.cc

@@ -5,9 +5,11 @@
 #include "chrome/browser/nearby_sharing/certificates/common.h"
 
 #include "base/logging.h"
+#include "base/rand_util.h"
 #include "chrome/browser/nearby_sharing/certificates/constants.h"
 #include "crypto/encryptor.h"
 #include "crypto/hkdf.h"
+#include "crypto/random.h"
 #include "crypto/sha2.h"
 #include "crypto/symmetric_key.h"
 
@@ -53,6 +55,13 @@ std::vector<uint8_t> ComputeAuthenticationTokenHash(
                             kNearbyShareNumBytesAuthenticationTokenHash);
 }
 
+std::vector<uint8_t> GenerateRandomBytes(size_t num_bytes) {
+  std::vector<uint8_t> bytes(num_bytes);
+  crypto::RandBytes(bytes);
+
+  return bytes;
+}
+
 std::unique_ptr<crypto::Encryptor> CreateNearbyShareCtrEncryptor(
     const crypto::SymmetricKey* secret_key,
     base::span<const uint8_t> salt) {

chrome/browser/nearby_sharing/certificates/common.h

@@ -44,6 +44,9 @@ std::vector<uint8_t> ComputeAuthenticationTokenHash(
 std::vector<uint8_t> DeriveNearbyShareKey(base::span<const uint8_t> key,
                                           size_t new_num_bytes);
 
+// Generates a random byte array with size |num_bytes|.
+std::vector<uint8_t> GenerateRandomBytes(size_t num_bytes);
+
 // Creates a CTR encryptor used for metadata key encryption/decryption.
 std::unique_ptr<crypto::Encryptor> CreateNearbyShareCtrEncryptor(
     const crypto::SymmetricKey* secret_key,

chrome/browser/nearby_sharing/certificates/nearby_share_private_certificate.cc

@@ -20,7 +20,6 @@
 #include "crypto/ec_signature_creator.h"
 #include "crypto/encryptor.h"
 #include "crypto/hmac.h"
-#include "crypto/random.h"
 #include "crypto/sha2.h"
 #include "crypto/symmetric_key.h"
 
@@ -37,13 +36,6 @@ const char kId[] = "id";
 const char kUnencryptedMetadata[] = "unencrypted_metadata";
 const char kConsumedSalts[] = "consumed_salts";
 
-std::vector<uint8_t> GenerateRandomBytes(size_t num_bytes) {
-  std::vector<uint8_t> bytes(num_bytes);
-  crypto::RandBytes(bytes);
-
-  return bytes;
-}
-
 // Generates a random validity bound offset in the interval
 // [0, kNearbyShareMaxPrivateCertificateValidityBoundOffset).
 base::TimeDelta GenerateRandomOffset() {

chrome/browser/nearby_sharing/incoming_frames_reader.h

@@ -34,7 +34,7 @@ class IncomingFramesReader : public NearbyProcessManager::Observer {
   //
   // Note: Callers are expected wait for |callback| to be run before scheduling
   // subsequent calls to ReadFrame(..).
-  void ReadFrame(
+  virtual void ReadFrame(
       base::OnceCallback<void(base::Optional<sharing::mojom::V1FramePtr>)>
           callback);
 
@@ -44,7 +44,7 @@ class IncomingFramesReader : public NearbyProcessManager::Observer {
   //
   // Note: Callers are expected wait for |callback| to be run before scheduling
   // subsequent calls to ReadFrame(..).
-  void ReadFrame(
+  virtual void ReadFrame(
       sharing::mojom::V1Frame::Tag frame_type,
       base::OnceCallback<void(base::Optional<sharing::mojom::V1FramePtr>)>
           callback,

chrome/browser/nearby_sharing/paired_key_verification_runner.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_NEARBY_SHARING_PAIRED_KEY_VERIFICATION_RUNNER_H_
+#define CHROME_BROWSER_NEARBY_SHARING_PAIRED_KEY_VERIFICATION_RUNNER_H_
+
+#include <string>
+#include <vector>
+
+#include "base/callback.h"
+#include "base/memory/weak_ptr.h"
+#include "base/optional.h"
+#include "base/time/time.h"
+#include "chrome/browser/nearby_sharing/certificates/nearby_share_certificate_manager.h"
+#include "chrome/browser/nearby_sharing/certificates/nearby_share_decrypted_public_certificate.h"
+#include "chrome/browser/nearby_sharing/incoming_frames_reader.h"
+#include "chrome/browser/nearby_sharing/nearby_connection.h"
+#include "chrome/browser/nearby_sharing/share_target.h"
+#include "chrome/browser/ui/webui/nearby_share/public/mojom/nearby_share_settings.mojom.h"
+#include "chrome/services/sharing/public/mojom/nearby_decoder_types.mojom.h"
+
+class PairedKeyVerificationRunner {
+ public:
+  enum class PairedKeyVerificationResult {
+    // Default value for verification result.
+    kUnknown,
+    // Succeeded with verification.
+    kSuccess,
+    // Failed to verify.
+    kFail,
+    // Unable to verify. Occurs when missing proper certificates.
+    kUnable,
+  };
+
+  PairedKeyVerificationRunner(
+      const ShareTarget& share_target,
+      const std::string& endpoint_id,
+      const std::vector<uint8_t>& token,
+      NearbyConnection* connection,
+      const base::Optional<NearbyShareDecryptedPublicCertificate>& certificate,
+      NearbyShareCertificateManager* certificate_manager,
+      nearby_share::mojom::Visibility visibility,
+      bool restrict_to_contacts,
+      IncomingFramesReader* frames_reader,
+      base::TimeDelta read_frame_timeout);
+
+  ~PairedKeyVerificationRunner();
+
+  void Run(base::OnceCallback<void(PairedKeyVerificationResult)> callback);
+
+ private:
+  void SendPairedKeyEncryptionFrame();
+  void OnReadPairedKeyEncryptionFrame(
+      base::Optional<sharing::mojom::V1FramePtr> frame);
+  void OnReadPairedKeyResultFrame(
+      std::vector<PairedKeyVerificationResult> verification_results,
+      base::Optional<sharing::mojom::V1FramePtr> frame);
+  void SendPairedKeyResultFrame(PairedKeyVerificationResult result);
+  PairedKeyVerificationResult VerifyRemotePublicCertificate(
+      const sharing::mojom::V1FramePtr& frame);
+  PairedKeyVerificationResult VerifyPairedKeyEncryptionFrame(
+      const sharing::mojom::V1FramePtr& frame);
+  PairedKeyVerificationResult MergeResults(
+      const std::vector<PairedKeyVerificationResult>& results);
+  void SendCertificateInfo();
+
+  ShareTarget share_target_;
+  std::string endpoint_id_;
+  std::vector<uint8_t> raw_token_;
+  NearbyConnection* connection_;
+  base::Optional<NearbyShareDecryptedPublicCertificate> certificate_;
+  NearbyShareCertificateManager* certificate_manager_;
+  nearby_share::mojom::Visibility visibility_;
+  bool restrict_to_contacts_;
+  IncomingFramesReader* frames_reader_;
+  const base::TimeDelta read_frame_timeout_;
+  base::OnceCallback<void(PairedKeyVerificationResult)> callback_;
+
+  char local_prefix_;
+  char remote_prefix_;
+
+  base::WeakPtrFactory<PairedKeyVerificationRunner> weak_ptr_factory_{this};
+};
+
+#endif  // CHROME_BROWSER_NEARBY_SHARING_PAIRED_KEY_VERIFICATION_RUNNER_H_

chrome/test/BUILD.gn

@@ -3725,6 +3725,7 @@ test("unit_tests") {
       "../browser/nearby_sharing/nearby_process_manager_unittest.cc",
       "../browser/nearby_sharing/nearby_share_settings_unittest.cc",
       "../browser/nearby_sharing/nearby_sharing_service_impl_unittest.cc",
+      "../browser/nearby_sharing/paired_key_verification_runner_unittest.cc",
       "../browser/nearby_sharing/webrtc_signaling_messenger_unittest.cc",
       "../browser/password_manager/generated_password_leak_detection_pref_unittest.cc",
       "../browser/performance_manager/test_support/page_discarding_utils.cc",