Hash OEM Certificate
(This is a merge of wvgerrit/25582) Provisioning 3.0 devices that do not use SPOIDs have been returning their full OEM Public Certificate as their device ID. While this is not a security concern (it is a PUBLIC cert), the cert is many times larger than applications are likely expecting (several kilobytes vs. just a few bytes). This patch hashes the OEM Public Certificate to produce a smaller value, but only when it is being provided out of the CDM to a caller. Bug: 34716264 Test: run_all_unit_tests.sh Change-Id: Ib82cf7a174a8bf02ff606edd0394ada13842224c
@@ -43,7 +43,8 @@ class CryptoSession {
|
|||||||
return pre_provision_token_type_;
|
return pre_provision_token_type_;
|
||||||
}
|
}
|
||||||
virtual CdmSecurityLevel GetSecurityLevel();
|
virtual CdmSecurityLevel GetSecurityLevel();
|
||||||
virtual bool GetDeviceUniqueId(std::string* device_id);
|
virtual bool GetInternalDeviceUniqueId(std::string* device_id);
|
||||||
|
virtual bool GetExternalDeviceUniqueId(std::string* device_id);
|
||||||
virtual bool GetApiVersion(uint32_t* version);
|
virtual bool GetApiVersion(uint32_t* version);
|
||||||
virtual bool GetSystemId(uint32_t* system_id);
|
virtual bool GetSystemId(uint32_t* system_id);
|
||||||
virtual bool GetProvisioningId(std::string* provisioning_id);
|
virtual bool GetProvisioningId(std::string* provisioning_id);
|
||||||
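Review bot: The new declarations GetInternalDeviceUniqueId and GetExternalDeviceUniqueId have no comment saying which value may leave the CDM, so the only thing keeping the full OEM certificate away from applications is each caller picking the right name. In this commit QueryStatus takes the external form while FillStableIdField and PrepareClientId take the internal one, and nothing at the declaration records that split. I would add a line above each, for example `// Raw device ID (the full OEM public cert on OEM-cert devices); for use inside the CDM only.` and `// Device ID for callers outside the CDM; a SHA-256 digest of the OEM cert when the token type is kClientTokenOemCert.` The class body continues outside this hunk, so existing documentation elsewhere in the header is not visible here.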
|
|||||||
@@ -540,7 +540,7 @@ CdmResponseType CdmEngine::QueryStatus(SecurityLevel security_level,
|
|||||||
std::string deviceId;
|
std::string deviceId;
|
||||||
bool got_id;
|
bool got_id;
|
||||||
M_TIME(
|
M_TIME(
|
||||||
got_id = crypto_session.GetDeviceUniqueId(
|
got_id = crypto_session.GetExternalDeviceUniqueId(
|
||||||
&deviceId),
|
&deviceId),
|
||||||
&metrics_,
|
&metrics_,
|
||||||
crypto_session_get_device_unique_id_,
|
crypto_session_get_device_unique_id_,
|
||||||
|
|||||||
@@ -97,7 +97,7 @@ bool CertificateProvisioning::FillStableIdField(
|
|||||||
} else if (origin != EMPTY_ORIGIN) {
|
} else if (origin != EMPTY_ORIGIN) {
|
||||||
// Legacy behavior - Concatenate Unique ID with Origin
|
// Legacy behavior - Concatenate Unique ID with Origin
|
||||||
std::string device_unique_id;
|
std::string device_unique_id;
|
||||||
if (!crypto_session_.GetDeviceUniqueId(&device_unique_id)) {
|
if (!crypto_session_.GetInternalDeviceUniqueId(&device_unique_id)) {
|
||||||
LOGE("CryptoSession::GetStableIdField: Failure to get device unique ID");
|
LOGE("CryptoSession::GetStableIdField: Failure to get device unique ID");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -13,6 +13,7 @@
|
|||||||
#include "crypto_key.h"
|
#include "crypto_key.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "metrics_front_end.h"
|
#include "metrics_front_end.h"
|
||||||
|
#include "openssl/sha.h"
|
||||||
#include "properties.h"
|
#include "properties.h"
|
||||||
#include "pst_report.h"
|
#include "pst_report.h"
|
||||||
#include "string_conversions.h"
|
#include "string_conversions.h"
|
||||||
@@ -242,13 +243,14 @@ CdmSecurityLevel CryptoSession::GetSecurityLevel() {
|
|||||||
return kSecurityLevelUnknown;
|
return kSecurityLevelUnknown;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool CryptoSession::GetDeviceUniqueId(std::string* device_id) {
|
bool CryptoSession::GetInternalDeviceUniqueId(std::string* device_id) {
|
||||||
if (!device_id) {
|
if (!device_id) {
|
||||||
LOGE("CryptoSession::GetDeviceUniqueId : No buffer passed to method.");
|
LOGE("CryptoSession::GetInternalDeviceUniqueId : No buffer passed to "
|
||||||
|
"method.");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
LOGV("CryptoSession::GetDeviceUniqueId: Lock");
|
LOGV("CryptoSession::GetInternalDeviceUniqueId: Lock");
|
||||||
AutoLock auto_lock(crypto_lock_);
|
AutoLock auto_lock(crypto_lock_);
|
||||||
if (!initialized_) {
|
if (!initialized_) {
|
||||||
return false;
|
return false;
|
||||||
@@ -281,6 +283,26 @@ bool CryptoSession::GetDeviceUniqueId(std::string* device_id) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool CryptoSession::GetExternalDeviceUniqueId(std::string* device_id) {
|
||||||
|
std::string temp;
|
||||||
|
if (!GetInternalDeviceUniqueId(&temp)) return false;
|
||||||
|
|
||||||
|
if (pre_provision_token_type_ == kClientTokenOemCert) {
|
||||||
|
// To keep the size of the value passed back to the application down, hash
|
||||||
|
// the large OEM Public Cert to a smaller value.
|
||||||
|
uint8_t hash[SHA256_DIGEST_LENGTH];
|
||||||
|
SHA256_CTX ctx;
|
||||||
|
SHA256_Init(&ctx);
|
||||||
|
SHA256_Update(&ctx, temp.data(), temp.length());
|
||||||
|
SHA256_Final(hash, &ctx);
|
||||||
|
|
||||||
|
temp.assign(reinterpret_cast<char*>(hash), SHA256_DIGEST_LENGTH);
|
||||||
|
}
|
||||||
|
|
||||||
|
*device_id = temp;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
bool CryptoSession::GetApiVersion(uint32_t* version) {
|
bool CryptoSession::GetApiVersion(uint32_t* version) {
|
||||||
if (!version) {
|
if (!version) {
|
||||||
LOGE("CryptoSession::GetApiVersion: No buffer passed to method.");
|
LOGE("CryptoSession::GetApiVersion: No buffer passed to method.");
|
||||||
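Review bot: GetExternalDeviceUniqueId never checks `device_id` itself: the null check inside GetInternalDeviceUniqueId only ever sees `&temp`, so a null argument reaches `*device_id = temp;` and is dereferenced. A guard at the top, mirroring the internal getter, would close that: `if (!device_id) { LOGE("CryptoSession::GetExternalDeviceUniqueId : No buffer passed to method."); return false; }`. The return values of SHA256_Init, SHA256_Update and SHA256_Final are also ignored, so if any of them failed the uninitialized `hash` array would be copied out as the ID; checking them and returning false costs little. The comment above the hash could also say that the digest only shrinks the value, since an unsalted hash of a fixed certificate is still a stable identifier, and that the result is 32 raw bytes rather than printable text.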
|
|||||||
@@ -918,7 +918,7 @@ CdmResponseType CdmLicense::PrepareClientId(
|
|||||||
client_info->set_name(kBuildInfoKey);
|
client_info->set_name(kBuildInfoKey);
|
||||||
client_info->set_value(value);
|
client_info->set_value(value);
|
||||||
}
|
}
|
||||||
if (crypto_session_->GetDeviceUniqueId(&value)) {
|
if (crypto_session_->GetInternalDeviceUniqueId(&value)) {
|
||||||
client_info = client_id->add_client_info();
|
client_info = client_id->add_client_info();
|
||||||
client_info->set_name(kDeviceIdKey);
|
client_info->set_name(kDeviceIdKey);
|
||||||
client_info->set_value(value);
|
client_info->set_value(value);
|
||||||
|
|||||||