Enable passing cast channel certificate authority keys.

BUG=417090

Review URL: https://codereview.chromium.org/627573002

Cr-Commit-Position: refs/heads/master@{#302141}

extensions/browser/api/cast_channel/cast_auth_ica.h

@@ -7,12 +7,67 @@
 
 #include <stddef.h>
 
+#include <map>
+#include <string>
+
+#include "base/memory/scoped_ptr.h"
 #include "base/strings/string_piece.h"
+#include "net/base/hash_value.h"
 
 namespace extensions {
 namespace core_api {
 namespace cast_channel {
 
+typedef std::map<net::SHA256HashValue,
+                 base::StringPiece,
+                 net::SHA256HashValueLessThan> AuthorityKeysMap;
+
+namespace proto {
+
+// Forward declaration to avoid including generated protobuf header.
+class AuthorityKeys;
+
+}  // namespace proto
+
+// AuthorityKeyStore is a helper class that is used to store and manipulate
+// intermediate CAs (ICAs) information used to authenticate cast devices.
+// A static list of ICAs is hardcoded and may optionally be replaced during
+// runtime by an extension supplying a protobuf of ICAs information signed with
+// known key.
+class AuthorityKeyStore {
+ public:
+  AuthorityKeyStore();
+  ~AuthorityKeyStore();
+
+  // Returns the public key of the ICA whose fingerprint matches |fingerprint|.
+  // Returns an empty StringPiece if no such ICA is found.
+  // Note: the returned StringPiece is invalidated if Load() is called.
+  base::StringPiece GetICAPublicKeyFromFingerprint(
+      const net::SHA256HashValue& fingerprint);
+
+  // Returns the public key of the default / original cast ICA.
+  // Returns an empty StringPiece if the default cast ICA is not found.
+  // Note: the returned StringPiece is invalidated if Load() is called.
+  base::StringPiece GetDefaultICAPublicKey();
+
+  // Replaces stored authority keys with the keys loaded from a serialized
+  // protobuf.
+  bool Load(const std::string& keys);
+
+ private:
+  // The map of trusted certificate authorities - fingerprints to public keys.
+  AuthorityKeysMap certificate_authorities_;
+
+  // Trusted certificate authorities data passed from the extension.
+  scoped_ptr<proto::AuthorityKeys> authority_keys_;
+
+  DISALLOW_COPY_AND_ASSIGN(AuthorityKeyStore);
+};
+
+// Sets trusted certificate authorities.
+bool SetTrustedCertificateAuthorities(const std::string& keys,
+                                      const std::string& signature);
+
 // Gets the trusted ICA entry for the cert represented by |data|.
 // Returns the serialized certificate as bytes if the ICA was found.
 // Returns an empty-length StringPiece if the ICA was not found.

extensions/browser/api/cast_channel/cast_auth_ica_unittest.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "extensions/browser/api/cast_channel/cast_auth_ica.h"
+
+#include <string>
+
+#include "base/base64.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace extensions {
+
+namespace core_api {
+
+namespace cast_channel {
+
+namespace {
+
+static const net::SHA256HashValue kFingerprintValid1 = {{
+    0x52, 0x9D, 0x9C, 0xD6, 0x7F, 0xE5, 0xEB, 0x69, 0x8E, 0x70, 0xDD, 0x26,
+    0xD7, 0xD8, 0xF1, 0x26, 0x59, 0xF1, 0xE6, 0xE5, 0x23, 0x48, 0xBF, 0x6A,
+    0x5C, 0xF7, 0x16, 0xE1, 0x3F, 0x41, 0x0E, 0x73
+}};
+
+static const net::SHA256HashValue kFingerprintValid2 = {{
+    0xA2, 0x48, 0xC2, 0xE8, 0x54, 0xE6, 0x56, 0xA5, 0x6D, 0xE8, 0x23, 0x1F,
+    0x1E, 0xE1, 0x75, 0x6F, 0xDB, 0xE4, 0x07, 0xF9, 0xFE, 0xD4, 0x65, 0x0D,
+    0x60, 0xCC, 0x5A, 0xCB, 0x65, 0x11, 0xC7, 0x20
+}};
+
+static const net::SHA256HashValue kFingerprintInvalid = {{
+    0x00, 0x9D, 0x9C, 0xD6, 0x7F, 0xE5, 0xEB, 0x69, 0x8E, 0x70, 0xDD, 0x26,
+    0xD7, 0xD8, 0xF1, 0x26, 0x59, 0xF1, 0xE6, 0xE5, 0x23, 0x48, 0xBF, 0x6A,
+    0x5C, 0xF7, 0x16, 0xE1, 0x3F, 0x41, 0x0E, 0x73
+}};
+
+}  // namespace
+
+class CastChannelAuthorityKeysTest : public testing::Test {
+ public:
+  CastChannelAuthorityKeysTest() {}
+  virtual ~CastChannelAuthorityKeysTest() {}
+
+ protected:
+  void ExpectKeysLoaded();
+  AuthorityKeyStore authority_keys_store_;
+};
+
+void CastChannelAuthorityKeysTest::ExpectKeysLoaded() {
+  base::StringPiece key = authority_keys_store_.GetDefaultICAPublicKey();
+  EXPECT_FALSE(key.empty());
+
+  key =
+      authority_keys_store_.GetICAPublicKeyFromFingerprint(kFingerprintValid1);
+  EXPECT_FALSE(key.empty());
+
+  key =
+      authority_keys_store_.GetICAPublicKeyFromFingerprint(kFingerprintInvalid);
+  EXPECT_TRUE(key.empty());
+}
+
+TEST_F(CastChannelAuthorityKeysTest, TestDefaultKeys) {
+  ExpectKeysLoaded();
+}
+
+TEST_F(CastChannelAuthorityKeysTest, TestInvalidProtobuf) {
+  std::string keys = "test";
+  EXPECT_EQ(authority_keys_store_.Load(keys), false);
+
+  base::StringPiece key = authority_keys_store_.GetDefaultICAPublicKey();
+  EXPECT_TRUE(key.empty());
+}
+
+TEST_F(CastChannelAuthorityKeysTest, TestValidProtobuf) {
+  std::string keys =
+      "CrMCCiBSnZzWf+XraY5w3SbX2PEmWfHm5SNIv2pc9xbhP0EOcxKOAjCCAQoCggEBALwigL"
+      "2A9johADuudl41fz3DZFxVlIY0LwWHKM33aYwXs1CnuIL638dDLdZ+q6BvtxNygKRHFcEg"
+      "mVDN7BRiCVukmM3SQbY2Tv/oLjIwSoGoQqNsmzNuyrL1U2bgJ1OGGoUepzk/SneO+1RmZv"
+      "tYVMBeOcf1UAYL4IrUzuFqVR+LFwDmaaMn5gglaTwSnY0FLNYuojHetFJQ1iBJ3nGg+a0g"
+      "QBLx3SXr1ea4NvTWj3/KQ9zXEFvmP1GKhbPz//YDLcsjT5ytGOeTBYysUpr3TOmZer5ufk"
+      "0K48YcqZP6OqWRXRy9ZuvMYNyGdMrP+JIcmH1X+mFHnquAt+RIgCqSxRsCAwEAAQqzAgog"
+      "okjC6FTmVqVt6CMfHuF1b9vkB/n+1GUNYMxay2URxyASjgIwggEKAoIBAQCwDl4HOt+kX2"
+      "j3Icdk27Z27+6Lk/j2G4jhk7cX8BUeflJVdzwCjXtKbNO91sGccsizFc8RwfVGxNUgR/sw"
+      "9ORhDGjwXqs3jpvhvIHDcIp41oM0MpwZYuvknO3jZGxBHZzSi0hMI5CVs+dS6gVXzGCzuh"
+      "TkugA55EZVdM5ajnpnI9poCvrEhB60xaGianMfbsguL5qeqLEO/Yemj009SwXVNVp0TbyO"
+      "gkSW9LWVYE6l3yc9QVwHo7Q1WrOe8gUkys0xWg0mTNTT/VDhNOlMgVgwssd63YGJptQ6OI"
+      "QDtzSedz//eAdbmcGyHzVWbjo8DCXhV/aKfknAzIMRNeeRbS5lAgMBAAE=";
+
+  std::string decoded_keys;
+  EXPECT_EQ(base::Base64Decode(keys, &decoded_keys), true);
+  EXPECT_EQ(authority_keys_store_.Load(decoded_keys), true);
+
+  ExpectKeysLoaded();
+
+  base::StringPiece key =
+      authority_keys_store_.GetICAPublicKeyFromFingerprint(kFingerprintValid2);
+  EXPECT_FALSE(key.empty());
+}
+
+TEST_F(CastChannelAuthorityKeysTest, TestSetTrustedCertificateAuthorities) {
+  std::string keys =
+      "CrMCCiBSnZzWf+XraY5w3SbX2PEmWfHm5SNIv2pc9xbhP0EOcxKOAjCCAQoCggEBALwigL"
+      "2A9johADuudl41fz3DZFxVlIY0LwWHKM33aYwXs1CnuIL638dDLdZ+q6BvtxNygKRHFcEg"
+      "mVDN7BRiCVukmM3SQbY2Tv/oLjIwSoGoQqNsmzNuyrL1U2bgJ1OGGoUepzk/SneO+1RmZv"
+      "tYVMBeOcf1UAYL4IrUzuFqVR+LFwDmaaMn5gglaTwSnY0FLNYuojHetFJQ1iBJ3nGg+a0g"
+      "QBLx3SXr1ea4NvTWj3/KQ9zXEFvmP1GKhbPz//YDLcsjT5ytGOeTBYysUpr3TOmZer5ufk"
+      "0K48YcqZP6OqWRXRy9ZuvMYNyGdMrP+JIcmH1X+mFHnquAt+RIgCqSxRsCAwEAAQ==";
+  std::string signature =
+      "chCUHZKkykcwU8HzU+hm027fUTBL0dqPMtrzppwExQwK9+"
+      "XlmCjJswfce2sUUfhR1OL1tyW4hWFwu4JnuQCJ+CvmSmAh2bzRpnuSKzBfgvIDjNOAGUs7"
+      "ADaNSSWPLxp+6ko++2Dn4S9HpOt8N1v6gMWqj3Ru5IqFSQPZSvGH2ois6uE50CFayPcjQE"
+      "OVZt41noQdFd15RmKTvocoCC5tHNlaikeQ52yi0IScOlad1B1lMhoplW3rWophQaqxMumr"
+      "OcHIZ+Y+p858x5f8Pny/kuqUClmFh9B/vF07NsUHwoSL9tA5t5jCY3L5iUc/v7o3oFcW/T"
+      "gojKkX2Kg7KQ86QA==";
+  EXPECT_FALSE(SetTrustedCertificateAuthorities(keys, "signature"));
+  EXPECT_FALSE(SetTrustedCertificateAuthorities("keys", signature));
+  EXPECT_FALSE(SetTrustedCertificateAuthorities(keys, signature));
+  EXPECT_FALSE(SetTrustedCertificateAuthorities(std::string(), std::string()));
+
+  keys =
+      "CrMCCiBSnZzWf+XraY5w3SbX2PEmWfHm5SNIv2pc9xbhP0EOcxKOAjCCAQoCggEBALwigL"
+      "2A9johADuudl41fz3DZFxVlIY0LwWHKM33aYwXs1CnuIL638dDLdZ+q6BvtxNygKRHFcEg"
+      "mVDN7BRiCVukmM3SQbY2Tv/oLjIwSoGoQqNsmzNuyrL1U2bgJ1OGGoUepzk/SneO+1RmZv"
+      "tYVMBeOcf1UAYL4IrUzuFqVR+LFwDmaaMn5gglaTwSnY0FLNYuojHetFJQ1iBJ3nGg+a0g"
+      "QBLx3SXr1ea4NvTWj3/KQ9zXEFvmP1GKhbPz//YDLcsjT5ytGOeTBYysUpr3TOmZer5ufk"
+      "0K48YcqZP6OqWRXRy9ZuvMYNyGdMrP+JIcmH1X+mFHnquAt+RIgCqSxRsCAwEAAQqzAgog"
+      "okjC6FTmVqVt6CMfHuF1b9vkB/n+1GUNYMxay2URxyASjgIwggEKAoIBAQCwDl4HOt+kX2"
+      "j3Icdk27Z27+6Lk/j2G4jhk7cX8BUeflJVdzwCjXtKbNO91sGccsizFc8RwfVGxNUgR/sw"
+      "9ORhDGjwXqs3jpvhvIHDcIp41oM0MpwZYuvknO3jZGxBHZzSi0hMI5CVs+dS6gVXzGCzuh"
+      "TkugA55EZVdM5ajnpnI9poCvrEhB60xaGianMfbsguL5qeqLEO/Yemj009SwXVNVp0TbyO"
+      "gkSW9LWVYE6l3yc9QVwHo7Q1WrOe8gUkys0xWg0mTNTT/VDhNOlMgVgwssd63YGJptQ6OI"
+      "QDtzSedz//eAdbmcGyHzVWbjo8DCXhV/aKfknAzIMRNeeRbS5lAgMBAAE=";
+  signature =
+      "o83oku3jP+xjTysNBalqp/ZfJRPLt8R+IUhZMepbARFSRVizLoeFW5XyUwe6lQaC+PFFQH"
+      "SZeGZyeeGRpwCJ/lef0xh6SWJlVMWNTk5+z0U84GQdizJP/CTCeHpIwMobN+kyDajgOyfD"
+      "DLhktc6LHmSlFGG6J7B8W67oziS8ZFEdrcT9WSXFrjLVyURHjvidZD5iFtuImI6k9R9OoX"
+      "LR6SyAwpjdrL+vlHMk3Gol6KQ98YpF0ghHnN3/FFW4ibvIwjmRbp+tUV3h8TRcCOjlXVGp"
+      "bzPtNRRlTqfv7Rxm5YXkZMLmJJMZiTs5+o8FMRMTQZT4hRR3DQ+A/jofViyTGA==";
+  EXPECT_TRUE(SetTrustedCertificateAuthorities(keys, signature));
+
+  base::StringPiece result = GetDefaultTrustedICAPublicKey();
+  EXPECT_FALSE(result.empty());
+}
+
+}  // namespace cast_channel
+
+}  // namespace core_api
+
+}  // namespace extensions

extensions/browser/api/cast_channel/cast_channel_api.cc

@@ -14,6 +14,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/values.h"
 #include "content/public/browser/browser_thread.h"
+#include "extensions/browser/api/cast_channel/cast_auth_ica.h"
 #include "extensions/browser/api/cast_channel/cast_socket.h"
 #include "extensions/browser/api/cast_channel/logger.h"
 #include "extensions/browser/event_router.h"
@@ -510,4 +511,27 @@ void CastChannelGetLogsFunction::AsyncWorkStart() {
   AsyncWorkCompleted();
 }
 
+CastChannelSetAuthorityKeysFunction::CastChannelSetAuthorityKeysFunction() {
+}
+
+CastChannelSetAuthorityKeysFunction::~CastChannelSetAuthorityKeysFunction() {
+}
+
+bool CastChannelSetAuthorityKeysFunction::Prepare() {
+  params_ = cast_channel::SetAuthorityKeys::Params::Create(*args_);
+  EXTENSION_FUNCTION_VALIDATE(params_.get());
+  return true;
+}
+
+void CastChannelSetAuthorityKeysFunction::AsyncWorkStart() {
+  std::string& keys = params_->keys;
+  std::string& signature = params_->signature;
+  if (signature.empty() || keys.empty() ||
+      !cast_channel::SetTrustedCertificateAuthorities(keys, signature)) {
+    SetError("Unable to set authority keys.");
+  }
+
+  AsyncWorkCompleted();
+}
+
 }  // namespace extensions

extensions/browser/api/cast_channel/cast_channel_api.h

@@ -232,13 +232,31 @@ class CastChannelGetLogsFunction : public CastChannelAsyncApiFunction {
  private:
   DECLARE_EXTENSION_FUNCTION("cast.channel.getLogs", CAST_CHANNEL_GETLOGS)
 
-  void OnClose(int result);
-
   CastChannelAPI* api_;
 
   DISALLOW_COPY_AND_ASSIGN(CastChannelGetLogsFunction);
 };
 
+class CastChannelSetAuthorityKeysFunction : public CastChannelAsyncApiFunction {
+ public:
+  CastChannelSetAuthorityKeysFunction();
+
+ protected:
+  virtual ~CastChannelSetAuthorityKeysFunction();
+
+  // AsyncApiFunction:
+  virtual bool Prepare() override;
+  virtual void AsyncWorkStart() override;
+
+ private:
+  DECLARE_EXTENSION_FUNCTION("cast.channel.setAuthorityKeys",
+                             CAST_CHANNEL_SETAUTHORITYKEYS)
+
+  scoped_ptr<cast_channel::SetAuthorityKeys::Params> params_;
+
+  DISALLOW_COPY_AND_ASSIGN(CastChannelSetAuthorityKeysFunction);
+};
+
 }  // namespace extensions
 
 #endif  // EXTENSIONS_BROWSER_API_CAST_CHANNEL_CAST_CHANNEL_API_H_

extensions/browser/api/cast_channel/cast_channel_apitest.cc

@@ -183,6 +183,15 @@ class CastChannelAPITest : public ExtensionApiTest {
     return cast_channel_send_function;
   }
 
+  extensions::CastChannelSetAuthorityKeysFunction*
+  CreateSetAuthorityKeysFunction(scoped_refptr<Extension> extension) {
+    extensions::CastChannelSetAuthorityKeysFunction*
+        cast_channel_set_authority_keys_function =
+            new extensions::CastChannelSetAuthorityKeysFunction;
+    cast_channel_set_authority_keys_function->set_extension(extension.get());
+    return cast_channel_set_authority_keys_function;
+  }
+
   MockCastSocket* mock_cast_socket_;
   net::CapturingNetLog capturing_net_log_;
 };
@@ -396,3 +405,100 @@ IN_PROC_BROWSER_TEST_F(CastChannelAPITest, TestSendInvalidMessageInfo) {
       browser());
   EXPECT_EQ(error, "message_info.destination_id is required");
 }
+
+IN_PROC_BROWSER_TEST_F(CastChannelAPITest, TestSetAuthorityKeysInvalid) {
+  scoped_refptr<Extension> empty_extension(
+      extensions::test_util::CreateEmptyExtension());
+  scoped_refptr<extensions::CastChannelSetAuthorityKeysFunction>
+      cast_channel_set_authority_keys_function;
+  std::string errorResult = "Unable to set authority keys.";
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  std::string error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(),
+      "[\"\", \"signature\"]",
+      browser());
+  EXPECT_EQ(error, errorResult);
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(),
+      "[\"keys\", \"\"]",
+      browser());
+  EXPECT_EQ(error, errorResult);
+
+  std::string keys =
+      "CrMCCiBSnZzWf+XraY5w3SbX2PEmWfHm5SNIv2pc9xbhP0EOcxKOAjCCAQoCggEBALwigL"
+      "2A9johADuudl41fz3DZFxVlIY0LwWHKM33aYwXs1CnuIL638dDLdZ+q6BvtxNygKRHFcEg"
+      "mVDN7BRiCVukmM3SQbY2Tv/oLjIwSoGoQqNsmzNuyrL1U2bgJ1OGGoUepzk/SneO+1RmZv"
+      "tYVMBeOcf1UAYL4IrUzuFqVR+LFwDmaaMn5gglaTwSnY0FLNYuojHetFJQ1iBJ3nGg+a0g"
+      "QBLx3SXr1ea4NvTWj3/KQ9zXEFvmP1GKhbPz//YDLcsjT5ytGOeTBYysUpr3TOmZer5ufk"
+      "0K48YcqZP6OqWRXRy9ZuvMYNyGdMrP+JIcmH1X+mFHnquAt+RIgCqSxRsCAwEAAQ==";
+  std::string signature =
+      "chCUHZKkykcwU8HzU+hm027fUTBL0dqPMtrzppwExQwK9+"
+      "XlmCjJswfce2sUUfhR1OL1tyW4hWFwu4JnuQCJ+CvmSmAh2bzRpnuSKzBfgvIDjNOAGUs7"
+      "ADaNSSWPLxp+6ko++2Dn4S9HpOt8N1v6gMWqj3Ru5IqFSQPZSvGH2ois6uE50CFayPcjQE"
+      "OVZt41noQdFd15RmKTvocoCC5tHNlaikeQ52yi0IScOlad1B1lMhoplW3rWophQaqxMumr"
+      "OcHIZ+Y+p858x5f8Pny/kuqUClmFh9B/vF07NsUHwoSL9tA5t5jCY3L5iUc/v7o3oFcW/T"
+      "gojKkX2Kg7KQ86QA==";
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(),
+      "[\"" + keys + "\", \"signature\"]",
+      browser());
+  EXPECT_EQ(error, errorResult);
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(),
+      "[\"keys\", \"" + signature + "\"]",
+      browser());
+  EXPECT_EQ(error, errorResult);
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(),
+      "[\"" + keys + "\", \"" + signature + "\"]",
+      browser());
+  EXPECT_EQ(error, errorResult);
+}
+
+IN_PROC_BROWSER_TEST_F(CastChannelAPITest, TestSetAuthorityKeysValid) {
+  scoped_refptr<Extension> empty_extension(
+      extensions::test_util::CreateEmptyExtension());
+  scoped_refptr<extensions::CastChannelSetAuthorityKeysFunction>
+      cast_channel_set_authority_keys_function;
+
+  cast_channel_set_authority_keys_function =
+      CreateSetAuthorityKeysFunction(empty_extension);
+  std::string keys =
+      "CrMCCiBSnZzWf+XraY5w3SbX2PEmWfHm5SNIv2pc9xbhP0EOcxKOAjCCAQoCggEBALwigL"
+      "2A9johADuudl41fz3DZFxVlIY0LwWHKM33aYwXs1CnuIL638dDLdZ+q6BvtxNygKRHFcEg"
+      "mVDN7BRiCVukmM3SQbY2Tv/oLjIwSoGoQqNsmzNuyrL1U2bgJ1OGGoUepzk/SneO+1RmZv"
+      "tYVMBeOcf1UAYL4IrUzuFqVR+LFwDmaaMn5gglaTwSnY0FLNYuojHetFJQ1iBJ3nGg+a0g"
+      "QBLx3SXr1ea4NvTWj3/KQ9zXEFvmP1GKhbPz//YDLcsjT5ytGOeTBYysUpr3TOmZer5ufk"
+      "0K48YcqZP6OqWRXRy9ZuvMYNyGdMrP+JIcmH1X+mFHnquAt+RIgCqSxRsCAwEAAQqzAgog"
+      "okjC6FTmVqVt6CMfHuF1b9vkB/n+1GUNYMxay2URxyASjgIwggEKAoIBAQCwDl4HOt+kX2"
+      "j3Icdk27Z27+6Lk/j2G4jhk7cX8BUeflJVdzwCjXtKbNO91sGccsizFc8RwfVGxNUgR/sw"
+      "9ORhDGjwXqs3jpvhvIHDcIp41oM0MpwZYuvknO3jZGxBHZzSi0hMI5CVs+dS6gVXzGCzuh"
+      "TkugA55EZVdM5ajnpnI9poCvrEhB60xaGianMfbsguL5qeqLEO/Yemj009SwXVNVp0TbyO"
+      "gkSW9LWVYE6l3yc9QVwHo7Q1WrOe8gUkys0xWg0mTNTT/VDhNOlMgVgwssd63YGJptQ6OI"
+      "QDtzSedz//eAdbmcGyHzVWbjo8DCXhV/aKfknAzIMRNeeRbS5lAgMBAAE=";
+  std::string signature =
+      "o83oku3jP+xjTysNBalqp/ZfJRPLt8R+IUhZMepbARFSRVizLoeFW5XyUwe6lQaC+PFFQH"
+      "SZeGZyeeGRpwCJ/lef0xh6SWJlVMWNTk5+z0U84GQdizJP/CTCeHpIwMobN+kyDajgOyfD"
+      "DLhktc6LHmSlFGG6J7B8W67oziS8ZFEdrcT9WSXFrjLVyURHjvidZD5iFtuImI6k9R9OoX"
+      "LR6SyAwpjdrL+vlHMk3Gol6KQ98YpF0ghHnN3/FFW4ibvIwjmRbp+tUV3h8TRcCOjlXVGp"
+      "bzPtNRRlTqfv7Rxm5YXkZMLmJJMZiTs5+o8FMRMTQZT4hRR3DQ+A/jofViyTGA==";
+
+  std::string args = "[\"" + keys + "\", \"" + signature + "\"]";
+  std::string error = utils::RunFunctionAndReturnError(
+      cast_channel_set_authority_keys_function.get(), args, browser());
+  EXPECT_EQ(error, std::string());
+}

extensions/browser/extension_function_histogram_value.h

@@ -969,6 +969,7 @@ enum HistogramValue {
   INPUTMETHODPRIVATE_GETINPUTMETHODCONFIG,
   WALLPAPERPRIVATE_GETSYNCSETTING,
   COPRESENCE_SETAUTHTOKEN,
+  CAST_CHANNEL_SETAUTHORITYKEYS,
   // Last entry: Add new entries above and ensure to update
   // tools/metrics/histograms/histograms.xml.
   ENUM_BOUNDARY

extensions/common/api/api.gyp

@@ -22,8 +22,9 @@
       'target_name': 'cast_channel_proto',
       'type': 'static_library',
       'sources': [
+          'cast_channel/authority_keys.proto',
           'cast_channel/cast_channel.proto',
-          'cast_channel/logging.proto'
+          'cast_channel/logging.proto',
       ],
       'variables': {
           'proto_in_dir': 'cast_channel',

extensions/common/api/cast_channel.idl

@@ -90,7 +90,7 @@ namespace cast.channel {
 
     // The current state of the channel.
     ReadyState readyState;
-      
+
     // If set, the last error condition encountered by the channel.
     ChannelError? errorState;
   };
@@ -114,7 +114,7 @@ namespace cast.channel {
     //
     // For messages to or from the sender or receiver platform, the special ids
     // 'sender-0' and 'receiver-0' can be used.
-    // 
+    //
     // For messages intended for all endpoints using a given channel, the
     // wildcard destination_id '*' can be used.
     DOMString sourceId;
@@ -157,7 +157,10 @@ namespace cast.channel {
   // See extensions/browser/api/cast_channel/logging.proto for definition.
   // Compression is in gzip format.
   callback GetLogsCallback = void (ArrayBuffer log);
-  
+
+  // Callback from <code>setAuthorityKeys</code> method.
+  callback SetAuthorityKeysCallback = void ();
+
   interface Functions {
     // Opens a new channel to the Cast receiver specified by connectInfo.  Only
     // one channel may be connected to same receiver from the same extension at
@@ -188,12 +191,19 @@ namespace cast.channel {
     // and channel.errorState will be set to the error condition.
     static void close(ChannelInfo channel,
                       ChannelInfoCallback callback);
-      
+
     // Get logs in compressed serialized format. See GetLogsCallback for
-    // details.  
+    // details.
     // |callback|: If successful, |callback| is invoked with data. Otherwise,
-    // an error will be raised.                
+    // an error will be raised.
     static void getLogs(GetLogsCallback callback);
+
+    // Sets trusted certificate authorities where |signature| is a base64
+    // encoded RSA-PSS signature and |keys| is base64 encoded AuthorityKeys
+    // protobuf.
+    static void setAuthorityKeys(DOMString keys,
+                                 DOMString signature,
+                                 SetAuthorityKeysCallback callback);
   };
 
   // Events on the channel.

extensions/common/api/cast_channel/BUILD.gn

@@ -7,6 +7,7 @@ import("//third_party/protobuf/proto_library.gni")
 # GYP version: extensions/common/api/api.gyp:cast_channel_proto
 proto_library("cast_channel_proto") {
   sources = [
+    "authority_keys.proto",
     "cast_channel.proto",
     "logging.proto",
   ]

extensions/common/api/cast_channel/authority_keys.proto

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto2";
+
+option optimize_for = LITE_RUNTIME;
+
+package extensions.core_api.cast_channel.proto;
+
+message AuthorityKeys {
+  message Key {
+    required bytes fingerprint = 1;
+    required bytes public_key = 2;
+  }
+  repeated Key keys = 1;
+}

extensions/extensions.gyp

@@ -1142,6 +1142,7 @@
       'sources': [
         'browser/api/api_resource_manager_unittest.cc',
         'browser/api/bluetooth/bluetooth_event_router_unittest.cc',
+        'browser/api/cast_channel/cast_auth_ica_unittest.cc',
         'browser/api/cast_channel/cast_channel_api_unittest.cc',
         'browser/api/cast_channel/cast_framer_unittest.cc',
         'browser/api/cast_channel/cast_socket_unittest.cc',

tools/metrics/histograms/histograms.xml

@@ -43445,6 +43445,7 @@ Therefore, the affected-histogram name has to have at least one dot in it.
   <int value="908" label="INPUTMETHODPRIVATE_GETINPUTMETHODCONFIG"/>
   <int value="909" label="WALLPAPERPRIVATE_GETSYNCSETTING"/>
   <int value="910" label="COPRESENCE_SETAUTHTOKEN"/>
+  <int value="911" label="CAST_CHANNEL_SETAUTHORITYKEYS"/>
 </enum>
 
 <enum name="ExtensionInstallCause" type="int">