Restructed reference root of trust (3/3 OEM Cert)

[ Merge of http://go/wvgerrit/116944 ]

This change is the last part of a three part change for restructing
the root of trust used by the reference implementation.

OEM Certificates are now managed by the root of trust of the crypto
engine.  Previously, OEM certs where handled separately on a session
by session basis.

Bug: 135283522
Test: oemcrypto_unittests ce_cdm_tests
Change-Id: I6cf1fa3fade28baad85b5fce57a8eab6f2ed17c1

libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h

@@ -15,6 +15,7 @@
 #include "OEMCryptoCENC.h"  // Needed for enums only.
 #include "disallow_copy_and_assign.h"
 #include "oemcrypto_keybox_ref.h"
+#include "oemcrypto_oem_cert.h"
 #include "oemcrypto_rsa_key.h"
 
 namespace wvoec_ref {
@@ -67,12 +68,12 @@ class AuthenticationRoot {
   // Returns the shared RSA private key from the built-in DRM
   // Certificate.
   std::shared_ptr<RsaPrivateKey> ShareDrmCertKey() {
-    return test_rsa_key_ ? test_rsa_key_ : rsa_key_;
+    return test_drm_cert_key_ ? test_drm_cert_key_ : drm_cert_key_;
   }
   RsaPrivateKey* DrmCertKey() const {
-    return test_rsa_key_ ? test_rsa_key_.get() : rsa_key_.get();
+    return test_drm_cert_key_ ? test_drm_cert_key_.get() : drm_cert_key_.get();
   }
-  bool HasDrmCertKey() const { return test_rsa_key_ || rsa_key_; }
+  bool HasDrmCertKey() const { return test_drm_cert_key_ || drm_cert_key_; }
 
   // Loads the system's built-in RSA key.  Only implemented for
   // devices that are that pre-provisioned with a built-in DRM
@@ -82,7 +83,7 @@ class AuthenticationRoot {
   OEMCryptoResult LoadTestRsaKey();
 
   // Removes any installed test RSA key.
-  void RemoveTestRsaKey() { test_rsa_key_.reset(); }
+  void RemoveTestRsaKey() { test_drm_cert_key_.reset(); }
 
   // Keybox-based root of trust API.
 
@@ -124,6 +125,14 @@ class AuthenticationRoot {
 
   // OEM Certificate-base root of trust API.
 
+  // Installs an OEM certificate as the root of trust.  The provided
+  // private key and public cert are parsed, but not validated. The
+  // private key will be made available for sessions to load.
+  OEMCryptoResult InstallOemCertificate(const uint8_t* private_key,
+                                        size_t private_key_size,
+                                        const uint8_t* public_cert,
+                                        size_t public_cert_size);
+
   // For OEM Cert-based devices, returns the OEM Public Certificate
   // component of the OEM Certificate.
   // This method implements the expected behavior of
@@ -135,7 +144,9 @@ class AuthenticationRoot {
   // the OEM private key into a session.
   // Should only be called for devices that use OEM Certificates
   // for provisioning.
-  const std::vector<uint8_t>& GetOemPrivateKey() const;
+  std::shared_ptr<RsaPrivateKey> ShareOemCertKey() { return oem_cert_key_; }
+  RsaPrivateKey* OemCertKey() const { return oem_cert_key_.get(); }
+  bool HasOemCertKey() const { return static_cast<bool>(oem_cert_key_); }
 
  private:
   OEMCrypto_ProvisioningMethod prov_method_ = OEMCrypto_ProvisioningError;
@@ -143,13 +154,17 @@ class AuthenticationRoot {
   // DRM certificate.
   // If no keybox, this is the private key of the baked-in DRM
   // Certificate.
-  std::shared_ptr<RsaPrivateKey> rsa_key_;
-  std::shared_ptr<RsaPrivateKey> test_rsa_key_;
+  std::shared_ptr<RsaPrivateKey> drm_cert_key_;
+  std::shared_ptr<RsaPrivateKey> test_drm_cert_key_;
 
   // Keybox data.
   std::unique_ptr<WvKeybox> keybox_;
   std::unique_ptr<WvKeybox> test_keybox_;
 
+  // OEM certificate.
+  std::unique_ptr<OemCertificate> oem_cert_;
+  std::shared_ptr<RsaPrivateKey> oem_cert_key_;
+
   CORE_DISALLOW_COPY_AND_ASSIGN(AuthenticationRoot);
 };
 }  // namespace wvoec_ref