[DO NOT MERGE] Revert "Restructed reference root of trust (1/3 Keybox)"

This reverts commit e4ee4eb404. Reason for revert: Feature missed deadline Bug: 135283522 Change-Id: I4ee2caac2dadfcc3e145b9c9b977d216d4edd929
2021-06-02 19:59:55 +00:00
parent 06b637ed95
commit ad0d66c7e6
8 changed files with 199 additions and 524 deletions
--- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp
+++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp
@@ -6,20 +6,14 @@
 //
 #include "oemcrypto_auth_ref.h"

-#include <string.h>
-
-#include <string>
 #include <vector>

 #include "keys.h"
 #include "log.h"
+#include "oemcrypto_rsa_key_shared.h"

-namespace wvoec_ref {
 namespace {

-// Fake device ID which is to be returned inplace of a real ID.
-const std::string kFakeDeviceId = "device_with_no_keybox";
-
 // A 2048 bit RSA key in PKCS#8 PrivateKeyInfo format
 // This is the RSA Test Key. This key is not derived
 // from any Widevine authentication root.
@@ -178,240 +172,32 @@ static const uint8_t kTestRSAPKCS8PrivateKeyInfo2_2048[] = {
  0x56, 0xfe, 0x39, 0x28, 0x33, 0xe0, 0xdb, 0x03
 };

-// Filler for returning vector references.
-const std::vector<uint8_t> kEmptyVector;
 }  // namespace

-bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
-  if (prov_method_ != OEMCrypto_ProvisioningError) {
-    // If provisioning method is something other than ProvisioningError
-    // indicates it has already been initialized before.  Must
-    // existing data.
-    rsa_key_set_ = false;
-    rsa_key_.reset();
-    test_rsa_key_.reset();
-    keybox_.reset();
-    test_keybox_.reset();
-  }
-  prov_method_ = method;
-  switch (method) {
-    case OEMCrypto_DrmCertificate: {
-      rsa_key_set_ = rsa_key_.LoadPkcs8RsaKey(kPrivateKey, kPrivateKeySize);
-      if (!rsa_key_set_) {
-        // This error message is OK in unit tests which use test certificate.
-        LOGE(
-            "FATAL ERROR: Platform uses a baked-in certificate instead of a "
-            "keybox, but the certificate could not be loaded.");
-      }
-      return true;
-    }
-    case OEMCrypto_Keybox:
-    case OEMCrypto_OEMCertificate:
-      // Nothing to do yet.
-      return true;
-    case OEMCrypto_ProvisioningError:
-    default: {
-      LOGE("Invalid provisioning method: method = %d",
-           static_cast<int>(method));
-      prov_method_ = OEMCrypto_ProvisioningError;
-      return false;
-    }
+namespace wvoec_ref {
+
+AuthenticationRoot::AuthenticationRoot(OEMCrypto_ProvisioningMethod method) :
+    provisioning_method_(method),
+    use_test_keybox_(false) {
+  if ((provisioning_method_ == OEMCrypto_DrmCertificate) &&
+      !rsa_key_.LoadPkcs8RsaKey(kPrivateKey, kPrivateKeySize)) {
+    // This error message is OK in unit tests which use test certificate.
+    LOGE("FATAL ERROR: Platform uses a baked-in certificate instead of a "
+         "keybox, but the certificate could not be loaded.");
  }
 }

-bool AuthenticationRoot::IsValid() const {
-  switch (prov_method_) {
-    case OEMCrypto_DrmCertificate: {
-      return rsa_key_set_ && HasDeviceKey();
-    }
-    case OEMCrypto_Keybox: {
-      return HasDeviceKey();
-    }
-    case OEMCrypto_OEMCertificate: {
-      // TODO(sigquit): Add OEM Certificate validation.
-      return true;
-    }
-    default: {
-      LOGE("Root of trust is not properly initialized");
-      return false;
-    }
-  }
+KeyboxError AuthenticationRoot::ValidateKeybox() {
+  return keybox().Validate();
 }

-OEMCryptoResult AuthenticationRoot::IsKeyboxOrOemCertValid() const {
-  switch (prov_method_) {
-    case OEMCrypto_Keybox: {
-      WvKeybox* kb = keybox();
-      if (kb == nullptr) {
-        LOGW("Null keybox cannot be validated");
-        return OEMCrypto_ERROR_KEYBOX_INVALID;
-      }
-      return kb->IsKeyboxValid();
-    }
-    case OEMCrypto_OEMCertificate: {
-      LOGW("OEM certificate validation is not implemented");
-      return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-    }
-    case OEMCrypto_DrmCertificate: {
-      return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-    }
-    default:
-      LOGE("Root of trust is not properly initialized");
-      return OEMCrypto_ERROR_SYSTEM_INVALIDATED;
-  }
+bool AuthenticationRoot::LoadTestRsaKey() {
+  return rsa_key_.LoadPkcs8RsaKey(kTestRSAPKCS8PrivateKeyInfo2_2048,
+                                  sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048));
 }

-OEMCryptoResult AuthenticationRoot::GetDeviceId(
-    uint8_t* device_id, size_t* device_id_length) const {
-  WvKeybox* kb = keybox();
-  if (kb != nullptr) {
-    return kb->GetDeviceId(device_id, device_id_length);
-  }
-  if (prov_method_ == OEMCrypto_Keybox) {
-    // Keybox devices must have keybox for the source of the device
-    // ID.
-    LOGE("Expected keybox to be set for a device ID");
-    return OEMCrypto_ERROR_NO_DEVICEID;
-  }
-  // For non-Keybox devices use fake device ID.
-  if (device_id_length == nullptr) {
-    LOGE("Output device ID length is null");
-    return OEMCrypto_ERROR_INVALID_CONTEXT;
-  }
-  if (device_id == nullptr && *device_id_length > 0) {
-    LOGE("Output device ID buffer is null");
-    return OEMCrypto_ERROR_INVALID_CONTEXT;
-  }
-  if (*device_id_length < kFakeDeviceId.size()) {
-    *device_id_length = kFakeDeviceId.size();
-    return OEMCrypto_ERROR_SHORT_BUFFER;
-  }
-  *device_id_length = kFakeDeviceId.size();
-  memcpy(device_id, kFakeDeviceId.data(), kFakeDeviceId.size());
-  return OEMCrypto_SUCCESS;
+bool AuthenticationRoot::Validate() {
+  return NO_ERROR == ValidateKeybox();
 }

-std::vector<uint8_t> AuthenticationRoot::DeviceId() const {
-  WvKeybox* kb = keybox();
-  if (kb != nullptr) {
-    return kb->DeviceId();
-  }
-  if (prov_method_ == OEMCrypto_Keybox) {
-    LOGE("Expected keybox to be set for a device ID");
-    return kEmptyVector;
-  }
-  return std::vector<uint8_t>(kFakeDeviceId.begin(), kFakeDeviceId.end());
-}
-
-std::vector<uint8_t> AuthenticationRoot::DeviceKey() const {
-  WvKeybox* kb = keybox();
-  if (kb != nullptr) {
-    return kb->DeviceKey();
-  }
-  LOGE("No device key has been set");
-  return kEmptyVector;
-}
-
-bool AuthenticationRoot::HasDeviceKey() const { return keybox() != nullptr; }
-
-void AuthenticationRoot::Clear() {
-  RemoveTestRsaKey();
-  RemoveTestKeybox();
-}
-
-OEMCryptoResult AuthenticationRoot::LoadTestRsaKey() {
-  if (prov_method_ != OEMCrypto_DrmCertificate) {
-    LOGE("System does not support DRM certificates");
-    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-  }
-  if (test_rsa_key_.get() != nullptr) {
-    LOGE("Test RSA key is already loaded");
-    return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
-  }
-  if (!test_rsa_key_.LoadPkcs8RsaKey(
-          kTestRSAPKCS8PrivateKeyInfo2_2048,
-          sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048))) {
-    LOGE("Failed to load test RSA key");
-    return OEMCrypto_ERROR_UNKNOWN_FAILURE;
-  }
-  rsa_key_set_ = true;
-  return OEMCrypto_SUCCESS;
-}
-
-OEMCryptoResult AuthenticationRoot::IsKeyboxValid() const {
-  WvKeybox* kb = keybox();
-  if (kb == nullptr) {
-    return OEMCrypto_ERROR_KEYBOX_INVALID;
-  }
-  return kb->IsKeyboxValid();
-}
-
-OEMCryptoResult AuthenticationRoot::InstallKeybox(const uint8_t* keybox_data,
-                                                  size_t keybox_length) {
-  if (keybox_) {
-    LOGE("Keybox already installed");
-    return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
-  }
-  const OEMCryptoResult result =
-      WvKeybox::ValidateData(keybox_data, keybox_length);
-  if (result != OEMCrypto_SUCCESS) {
-    LOGE("Cannot install an invalid keybox");
-    return result;
-  }
-  keybox_ = WvKeybox::Create(keybox_data, keybox_length);
-  return OEMCrypto_SUCCESS;
-}
-
-OEMCryptoResult AuthenticationRoot::InstallTestKeybox(
-    const uint8_t* keybox_data, size_t keybox_length) {
-  if (prov_method_ != OEMCrypto_Keybox) {
-    LOGE("System does not support keybox");
-    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-  }
-  if (test_keybox_) {
-    LOGE("Test keybox already installed");
-    return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
-  }
-  const OEMCryptoResult result =
-      WvKeybox::ValidateData(keybox_data, keybox_length);
-  if (result != OEMCrypto_SUCCESS) {
-    LOGE("Cannot install an invalid test keybox");
-    return result;
-  }
-  test_keybox_ = WvKeybox::Create(keybox_data, keybox_length);
-  return OEMCrypto_SUCCESS;
-}
-
-OEMCryptoResult AuthenticationRoot::GetKeyData(uint8_t* key_data,
-                                               size_t* key_data_length) const {
-  if (prov_method_ != OEMCrypto_Keybox) {
-    LOGE("System does not support keybox");
-    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-  }
-  WvKeybox* kb = keybox();
-  if (kb == nullptr) {
-    LOGE("No keybox to be set for source of key data");
-    return OEMCrypto_ERROR_NO_KEYDATA;
-  }
-  return kb->GetKeyData(key_data, key_data_length);
-}
-
-OEMCryptoResult AuthenticationRoot::GetOemPublicCertificate(
-    uint8_t* public_cert, size_t* public_cert_length) const {
-  if (prov_method_ != OEMCrypto_OEMCertificate) {
-    LOGE("System does not support OEM certificates");
-    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-  }
-  LOGE("OEM certificates have not been implemented on auth root");
-  return OEMCrypto_ERROR_NOT_IMPLEMENTED;
-}
-
-const std::vector<uint8_t>& AuthenticationRoot::GetOemPrivateKey() const {
-  if (prov_method_ != OEMCrypto_OEMCertificate) {
-    LOGE("System does not support OEM certificates");
-    return kEmptyVector;
-  }
-  LOGE("OEM certificates have not been implemented on auth root");
-  return kEmptyVector;
-}
 }  // namespace wvoec_ref