widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restructed reference root of trust (3/3 OEM Cert)

Browse Source 
[ Merge of http://go/wvgerrit/116944 ]

This change is the last part of a three part change for restructing
the root of trust used by the reference implementation.

OEM Certificates are now managed by the root of trust of the crypto
engine.  Previously, OEM certs where handled separately on a session
by session basis.

Bug: 135283522
Test: oemcrypto_unittests ce_cdm_tests
Change-Id: I6cf1fa3fade28baad85b5fce57a8eab6f2ed17c1
This commit is contained in:
Alex Dale
2021-02-18 20:00:15 -08:00
parent f6f5099604
commit 9f7e2c4413
7 changed files with 120 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp
View File

@@ -177,9 +177,6 @@ static const uint8_t kTestRSAPKCS8PrivateKeyInfo2_2048[] = {
0x72, 0x2c, 0xf7, 0xc1, 0x22, 0x36, 0xd9, 0x18,
0x56, 0xfe, 0x39, 0x28, 0x33, 0xe0, 0xdb, 0x03
};
// Filler for returning vector references.
const std::vector<uint8_t> kEmptyVector;
} // namespace
bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
@@ -187,10 +184,12 @@ bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
// If provisioning method is something other than ProvisioningError
// indicates it has already been initialized before. Must
// existing data.
rsa_key_.reset();
test_rsa_key_.reset();
drm_cert_key_.reset();
test_drm_cert_key_.reset();
keybox_.reset();
test_keybox_.reset();
oem_cert_.reset();
oem_cert_key_.reset();
}
prov_method_ = method;
switch (method) {
@@ -198,7 +197,7 @@ bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
std::unique_ptr<RsaPrivateKey> key =
RsaPrivateKey::Load(kPrivateKey, kPrivateKeySize);
if (key) {
rsa_key_ = std::move(key);
drm_cert_key_ = std::move(key);
} else {
// This error message is OK in unit tests which use test certificate.
LOGE(
@@ -230,8 +229,7 @@ bool AuthenticationRoot::IsValid() const {
return HasDeviceKey();
}
case OEMCrypto_OEMCertificate: {
// TODO(sigquit): Add OEM Certificate validation.
return true;
return HasOemCertKey() && HasDeviceKey();
}
default: {
LOGE("Root of trust is not properly initialized");
@@ -251,8 +249,11 @@ OEMCryptoResult AuthenticationRoot::IsKeyboxOrOemCertValid() const {
return kb->IsKeyboxValid();
}
case OEMCrypto_OEMCertificate: {
LOGW("OEM certificate validation is not implemented");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
if (!oem_cert_) {
LOGW("OEM cert is not installed");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
return oem_cert_->IsCertificateValid();
}
case OEMCrypto_DrmCertificate: {
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
@@ -300,7 +301,7 @@ std::vector<uint8_t> AuthenticationRoot::DeviceId() const {
}
if (prov_method_ == OEMCrypto_Keybox) {
LOGE("Expected keybox to be set for a device ID");
return kEmptyVector;
return std::vector<uint8_t>();
}
return std::vector<uint8_t>(kFakeDeviceId.begin(), kFakeDeviceId.end());
}
@@ -311,7 +312,7 @@ std::vector<uint8_t> AuthenticationRoot::DeviceKey() const {
return kb->DeviceKey();
}
LOGE("No device key has been set");
return kEmptyVector;
return std::vector<uint8_t>();
}
bool AuthenticationRoot::HasDeviceKey() const { return keybox() != nullptr; }
@@ -326,7 +327,7 @@ OEMCryptoResult AuthenticationRoot::LoadTestRsaKey() {
LOGE("System does not support DRM certificates");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
}
if (test_rsa_key_) {
if (test_drm_cert_key_) {
LOGE("Test RSA key is already loaded");
return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
}
@@ -337,7 +338,7 @@ OEMCryptoResult AuthenticationRoot::LoadTestRsaKey() {
LOGE("Failed to load test RSA key");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
test_rsa_key_ = std::move(key);
test_drm_cert_key_ = std::move(key);
return OEMCrypto_SUCCESS;
}
@@ -399,22 +400,48 @@ OEMCryptoResult AuthenticationRoot::GetKeyData(uint8_t* key_data,
return kb->GetKeyData(key_data, key_data_length);
}
OEMCryptoResult AuthenticationRoot::InstallOemCertificate(
const uint8_t* private_key, size_t private_key_size,
const uint8_t* public_cert, size_t public_cert_size) {
if (prov_method_ != OEMCrypto_OEMCertificate) {
LOGE("System does not support OEM certificates");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
}
if (oem_cert_ || oem_cert_key_) {
LOGE("OEM certificate is already installed");
return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
}
std::unique_ptr<OemCertificate> oem_cert = OemCertificate::Create(
private_key, private_key_size, public_cert, public_cert_size);
if (!oem_cert) {
LOGE("Failed to install OEM certificate as root of trust");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
if (oem_cert->key_type() != OemCertificate::kRsa) {
LOGE("Only RSA-based OEM certificates supported");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
std::unique_ptr<RsaPrivateKey> oem_cert_key =
RsaPrivateKey::Load(oem_cert->GetPrivateKey());
if (!oem_cert_key) {
LOGE("Failed to parse OEM certificate private key");
return OEMCrypto_ERROR_INVALID_RSA_KEY;
}
oem_cert_ = std::move(oem_cert);
oem_cert_key_ = std::move(oem_cert_key);
return OEMCrypto_SUCCESS;
}
OEMCryptoResult AuthenticationRoot::GetOemPublicCertificate(
uint8_t* public_cert, size_t* public_cert_length) const {
if (prov_method_ != OEMCrypto_OEMCertificate) {
LOGE("System does not support OEM certificates");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
}
LOGE("OEM certificates have not been implemented on auth root");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
}
const std::vector<uint8_t>& AuthenticationRoot::GetOemPrivateKey() const {
if (prov_method_ != OEMCrypto_OEMCertificate) {
LOGE("System does not support OEM certificates");
return kEmptyVector;
if (!oem_cert_) {
LOGE("OEM certificate is not installed");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
LOGE("OEM certificates have not been implemented on auth root");
return kEmptyVector;
return oem_cert_->GetPublicCertificate(public_cert, public_cert_length);
}
} // namespace wvoec_ref