[DO NOT MERGE] Revert "Restructed reference root of trust (1/3 Keybox)"
This reverts commit e4ee4eb404.
Reason for revert: Feature missed deadline
Bug: 135283522
Change-Id: I4ee2caac2dadfcc3e145b9c9b977d216d4edd929
@@ -21,141 +21,61 @@
|
||||
#include "oemcrypto_types.h"
|
||||
|
||||
namespace wvoec_ref {
|
||||
// The AuthenticationRoot class contains the OEMCrypto information
|
||||
// which makes up the "root of trust" of a device.
|
||||
|
||||
class AuthenticationRoot {
|
||||
public:
|
||||
AuthenticationRoot() {}
|
||||
explicit AuthenticationRoot(OEMCrypto_ProvisioningMethod method);
|
||||
~AuthenticationRoot() {}
|
||||
|
||||
// Initializes the root of authentication for the provided
|
||||
// |method|. This will clear any previously initialied data.
|
||||
bool Initialize(OEMCrypto_ProvisioningMethod method);
|
||||
bool Validate();
|
||||
|
||||
// General root of trust API.
|
||||
KeyboxError ValidateKeybox();
|
||||
|
||||
// Checks that the auth root has been properly initialized and can
|
||||
// be used by the rest of OEMCrypto for the current provisioning
|
||||
// method.
|
||||
bool IsValid() const;
|
||||
|
||||
// Checks the validity of the underlying Keybox or OEM Certificate
|
||||
// depending on the provisioning method.
|
||||
// Similar to the expected behavior of OEMCrypto_IsKeyboxOrOEMCertValid().
|
||||
OEMCryptoResult IsKeyboxOrOemCertValid() const;
|
||||
|
||||
// Gets the device ID from the root of trust.
|
||||
// Similar to the expected behavior of OEMCrypto_GetDeviceID().
|
||||
OEMCryptoResult GetDeviceId(uint8_t* device_id,
|
||||
size_t* device_id_length) const;
|
||||
|
||||
// Returns the device ID from the root of trust. Intended to be used
|
||||
// for core message generation.
|
||||
std::vector<uint8_t> DeviceId() const;
|
||||
|
||||
// Returns the device key from the root of trust. For keybox-based
|
||||
// devices, this is the device key from the keybox (or test keybox
|
||||
// if installed). For devices that use a non-keybox provisioning
|
||||
// method, this will be a device specific key.
|
||||
std::vector<uint8_t> DeviceKey() const;
|
||||
|
||||
// Check for the existence of a device key.
|
||||
bool HasDeviceKey() const;
|
||||
|
||||
// Clears any test data inside this root of trust.
|
||||
void Clear();
|
||||
|
||||
// DRM Certificate-based root of trust API.
|
||||
|
||||
// Returns the shared RSA private key from the built-in DRM
|
||||
// Certificate.
|
||||
RSA_shared_ptr& SharedRsaKey() {
|
||||
return test_rsa_key_.get() != nullptr ? test_rsa_key_ : rsa_key_;
|
||||
}
|
||||
RSA* rsa_key() {
|
||||
return test_rsa_key_.get() != nullptr ? test_rsa_key_.get()
|
||||
: rsa_key_.get();
|
||||
bool InstallKeybox(const uint8_t* keybox_data, size_t keybox_length) {
|
||||
return keybox().InstallKeybox(keybox_data, keybox_length);
|
||||
}
|
||||
|
||||
// Loads the system's built-in RSA key. Only implemented for
|
||||
// devices that are that pre-provisioned with a built-in DRM
|
||||
// Certificate,
|
||||
// This method implements the expected behavior of
|
||||
// OEMCrypto_LoadTestRSAKey().
|
||||
OEMCryptoResult LoadTestRsaKey();
|
||||
|
||||
// Removes any installed test RSA key.
|
||||
void RemoveTestRsaKey() { test_rsa_key_.reset(); }
|
||||
|
||||
// Keybox-based root of trust API.
|
||||
|
||||
// Returns the currently installed keybox (or test keybox) if any
|
||||
// present. The test keybox takes priority over the standard.
|
||||
WvKeybox* keybox() const {
|
||||
return test_keybox_ ? test_keybox_.get() : keybox_.get();
|
||||
const std::vector<uint8_t>& DeviceKey(bool use_real_keybox = false) {
|
||||
return use_real_keybox ? real_keybox().device_key() :
|
||||
keybox().device_key();
|
||||
}
|
||||
|
||||
// Checks the validity of the keybox regardless of the provisioning
|
||||
// method.
|
||||
OEMCryptoResult IsKeyboxValid() const;
|
||||
const std::vector<uint8_t>& DeviceId() {
|
||||
return keybox().device_id();
|
||||
}
|
||||
|
||||
// Installs a clear WV keybox as the root of trust.
|
||||
// A keybox can only be installed once, however, the provisioning
|
||||
// method stated at initialization remains the same.
|
||||
//
|
||||
// This method is similar to the expected behavior of
|
||||
// OEMCrypto_InstallKeyboxOrOEMCert() for keybox devices except
|
||||
// that the keybox provided here must be decrypted before installing.
|
||||
OEMCryptoResult InstallKeybox(const uint8_t* keybox_data,
|
||||
size_t keybox_length);
|
||||
size_t DeviceTokenLength() {
|
||||
return keybox().key_data_length();
|
||||
}
|
||||
|
||||
// Installs a clear test WV keybox. Only settable for devices that
|
||||
// uses a keybox for provisioning.
|
||||
//
|
||||
// This method is similar to the expected behavior of
|
||||
// OEMCrypto_LoadTestKeybox() for keybox devices except that
|
||||
// the keybox provided here must be decrypted before installing.
|
||||
OEMCryptoResult InstallTestKeybox(const uint8_t* keybox_data,
|
||||
size_t keybox_length);
|
||||
const uint8_t* DeviceToken() {
|
||||
return keybox().key_data();
|
||||
}
|
||||
|
||||
// Removes any installed test keybox.
|
||||
void RemoveTestKeybox() { test_keybox_.reset(); }
|
||||
WvKeybox& keybox() { return use_test_keybox_ ? test_keybox_ : keybox_; }
|
||||
bool UseTestKeybox(const uint8_t* keybox_data, size_t keybox_length) {
|
||||
use_test_keybox_ = true;
|
||||
return test_keybox_.InstallKeybox(keybox_data, keybox_length);
|
||||
}
|
||||
|
||||
// Gets the keybox key data.
|
||||
// Implements the expected behavior of OEMCrypto_GetKeyData().
|
||||
OEMCryptoResult GetKeyData(uint8_t* key_data, size_t* key_data_length) const;
|
||||
|
||||
// OEM Certificate-base root of trust API.
|
||||
|
||||
// For OEM Cert-based devices, returns the OEM Public Certificate
|
||||
// component of the OEM Certificate.
|
||||
// This method implements the expected behavior of
|
||||
// OEMCrypto_GetOEMPublicCertificate().
|
||||
OEMCryptoResult GetOemPublicCertificate(uint8_t* public_cert,
|
||||
size_t* public_cert_length) const;
|
||||
|
||||
// Returns the OEM private key. Intended to be used when loading
|
||||
// the OEM private key into a session.
|
||||
// Should only be called for devices that use OEM Certificates
|
||||
// for provisioning.
|
||||
const std::vector<uint8_t>& GetOemPrivateKey() const;
|
||||
RSA_shared_ptr& SharedRsaKey() { return rsa_key_; }
|
||||
RSA* rsa_key() { return rsa_key_.get(); }
|
||||
bool LoadTestRsaKey();
|
||||
void Clear() { use_test_keybox_ = false; }
|
||||
|
||||
private:
|
||||
OEMCrypto_ProvisioningMethod prov_method_ = OEMCrypto_ProvisioningError;
|
||||
OEMCrypto_ProvisioningMethod provisioning_method_;
|
||||
WvKeybox& real_keybox() { return keybox_; }
|
||||
|
||||
WvKeybox keybox_;
|
||||
WvKeybox test_keybox_;
|
||||
bool use_test_keybox_;
|
||||
|
||||
// DRM certificate.
|
||||
// TODO(b/168544740): Remove |rsa_key_set_| when RSA_shared_ptr has
|
||||
// been replaced with scoped RsaPrivateKey.
|
||||
bool rsa_key_set_ = false;
|
||||
RSA_shared_ptr rsa_key_; // If no keybox, this is baked in certificate.
|
||||
RSA_shared_ptr test_rsa_key_;
|
||||
|
||||
// Keybox data.
|
||||
std::unique_ptr<WvKeybox> keybox_;
|
||||
std::unique_ptr<WvKeybox> test_keybox_;
|
||||
|
||||
CORE_DISALLOW_COPY_AND_ASSIGN(AuthenticationRoot);
|
||||
};
|
||||
|
||||
} // namespace wvoec_ref
|
||||
|
||||
#endif // OEMCRYPTO_AUTH_REF_H_
|
||||
|
||||
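Review bot: `UseTestKeybox()` sets `use_test_keybox_ = true` before `test_keybox_.InstallKeybox()` has reported success, so a rejected test keybox still becomes the one `keybox()` returns, and `DeviceKey()`, `DeviceId()` and `DeviceToken()` then read from it. Tie the flag to the result instead: `use_test_keybox_ = test_keybox_.InstallKeybox(keybox_data, keybox_length); return use_test_keybox_;`. Related: `Clear()` only flips the flag, so the test key material stays in `test_keybox_` afterwards, and `bool use_test_keybox_;` has no in-class initializer; `= false` would make the default independent of the constructor, whose definition is not on this page. The page has lost its `+`/`-` markers, so this assumes the compact variant holding `WvKeybox` by value is the side the revert restores, which the `-21,141 +21,61` header suggests.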