widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Snap for 7219695 from a99a6146c4 to tm-release

Browse Source 
Change-Id: Ie6ad3c5130ea50f66dfec57743fc5183f2ab51d6
This commit is contained in:
android-build-team Robot
2021-03-19 03:17:32 +00:00
parent 3cff6fe8da a99a6146c4
commit dea89f20e6
9 changed files with 487 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
libwvdrmengine/cdm/core/include/certificate_provisioning.h
View File

@@ -64,6 +64,12 @@ class CertificateProvisioning {
const std::string& provisioning_response, std::string* result);
private:
CdmResponseType GetProvisioningRequestInternal(
SecurityLevel requested_security_level, CdmCertificateType cert_type,
const std::string& cert_authority, const std::string& origin,
const std::string& spoid, CdmProvisioningRequest* request,
std::string* default_url);
CdmResponseType SetSpoidParameter(
const std::string& origin, const std::string& spoid,
video_widevine::ProvisioningRequest* request);
@@ -71,6 +77,15 @@ class CertificateProvisioning {
video_widevine::SignedProvisioningMessage::ProvisioningType
GetProvisioningType();
// Closes crypto session if one is open. Avoid calling this method when
// processing a response. Multiple provisioning responses might be
// simultaneously in flight. Only the response associated with the last
// provisioning request can be processed. All the other responses will
// fail. If the session is closed when these responses fail, even the one
// associated with the last provisioning request may fail.
CdmResponseType CloseSessionOnError(CdmResponseType status);
void CloseSession();
std::unique_ptr<CryptoSession> crypto_session_;
CdmCertificateType cert_type_;
std::unique_ptr<ServiceCertificate> service_certificate_;

11
libwvdrmengine/cdm/core/src/cdm_engine.cpp
View File

@@ -304,6 +304,12 @@ CdmResponseType CdmEngine::GenerateKeyRequest(
OnKeyReleaseEvent(key_set_id);
}
LOGD(
"key request: (%zu) %s", key_request->message.size(),
wvcdm::Base64SafeEncode(std::vector<uint8_t>(key_request->message.begin(),
key_request->message.end()))
.c_str());
return KEY_MESSAGE;
}
@@ -339,6 +345,11 @@ CdmResponseType CdmEngine::AddKey(const CdmSessionId& session_id,
}
id = iter->second.first;
} else {
LOGD("key data: (%zu) %s", key_data.size(),
wvcdm::Base64SafeEncode(
std::vector<uint8_t>(key_data.begin(), key_data.end()))
.c_str());
}
std::shared_ptr<CdmSession> session;

24
libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
View File

@@ -194,6 +194,16 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
const std::string& cert_authority, const std::string& origin,
const std::string& spoid, CdmProvisioningRequest* request,
std::string* default_url) {
return CloseSessionOnError(GetProvisioningRequestInternal(
requested_security_level, cert_type, cert_authority, origin, spoid,
request, default_url));
}
CdmResponseType CertificateProvisioning::GetProvisioningRequestInternal(
SecurityLevel requested_security_level, CdmCertificateType cert_type,
const std::string& cert_authority, const std::string& origin,
const std::string& spoid, CdmProvisioningRequest* request,
std::string* default_url) {
if (!request || !default_url) {
LOGE("Output parameter |%s| is not provided",
request ? "default_url" : "request");
@@ -202,7 +212,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
default_url->assign(kProvisioningServerUrl);
if (crypto_session_->IsOpen()) crypto_session_->Close();
CloseSession();
CdmResponseType status = crypto_session_->Open(requested_security_level);
if (NO_ERROR != status) {
LOGE("Failed to create a crypto session: status = %d",
@@ -423,7 +433,7 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
}
const CdmSecurityLevel security_level = crypto_session_->GetSecurityLevel();
crypto_session_->Close();
CloseSession();
// This is the entire certificate (SignedDrmCertificate).
const std::string& device_cert_data =
@@ -520,4 +530,14 @@ bool CertificateProvisioning::ExtractDeviceInfo(
return true;
}
void CertificateProvisioning::CloseSession() {
if (crypto_session_->IsOpen()) crypto_session_->Close();
}
CdmResponseType CertificateProvisioning::CloseSessionOnError(
CdmResponseType status) {
if (status != NO_ERROR) CloseSession();
return status;
}
} // namespace wvcdm

26
libwvdrmengine/cdm/core/src/device_files.proto
View File

@@ -28,6 +28,15 @@ message DeviceCertificate {
optional bytes certificate = 1;
optional bytes wrapped_private_key = 2;
optional PrivateKeyType key_type = 3 [default = RSA];
// Used by DRM certificates with an expiry time. Set by the client when
// the certificate is received. Aids expiration calculation at the
// client when provisioning server and client clocks are not aligned
optional int64 acquisition_time_seconds = 4;
// Used by DRM certificates without an expiration time. This is for
// upgrading devices with pre-existing DRM certificates. The client will
// calculate an expiration time 6 months into the future with a randomized
// +/-2 month window
optional int64 expiration_time_seconds = 5;
}
message License {
@@ -56,6 +65,7 @@ message License {
optional int64 grace_period_end_time = 11 [default = 0];
optional bytes usage_entry = 12;
optional int64 usage_entry_number = 13;
optional DeviceCertificate drm_certificate = 14;
}
message UsageInfo {
@@ -68,9 +78,19 @@ message UsageInfo {
optional bytes key_set_id = 4;
optional bytes usage_entry = 5;
optional int64 usage_entry_number = 6;
// If not present, use the legacy DRM certificate rather than
// one in DrmDeviceCertificate
optional int32 drm_certificate_entry_number = 7;
}
// A cache of DeviceCertificates associated with usage entries
message DrmDeviceCertificate {
optional int32 drm_certificate_entry_number = 1;
optional DeviceCertificate drm_certificate = 2;
}
repeated ProviderSession sessions = 1;
repeated DrmDeviceCertificate drm_device_certificates = 2;
}
message HlsAttributes {
@@ -92,7 +112,7 @@ message UsageTableInfo {
optional UsageEntryStorage storage = 1;
optional bytes key_set_id = 2;
optional bytes usage_info_file_name = 3; // hash of the app_id
optional bytes usage_info_file_name = 3; // hash of the app_id
// LRU table replacement data.
optional int64 last_use_time = 4 [default = 0];
@@ -114,9 +134,7 @@ message File {
USAGE_TABLE_INFO = 5;
}
enum FileVersion {
VERSION_1 = 1;
}
enum FileVersion { VERSION_1 = 1; }
optional FileType type = 1;
optional FileVersion version = 2 [default = VERSION_1];

4
libwvdrmengine/cdm/util/src/log.cpp
View File

@@ -19,7 +19,7 @@
#endif
#define LOG_TAG "WVCdm"
#define LOG_BUF_SIZE 1024
#define LOG_BUF_SIZE 5120
#include "log.h"
#include <hwbinder/IPCThreadState.h>
@@ -83,7 +83,7 @@ void Log(const char* file, const char* function, int line, LogPriority level,
const char* filename = strrchr(file, '/');
filename = filename == nullptr ? file : filename + 1;
char buf[LOG_BUF_SIZE];
static thread_local char buf[LOG_BUF_SIZE];
int len =
snprintf(buf, LOG_BUF_SIZE, "[%s(%d):%s] ", filename, line, function);
if (len < 0) len = 0;

96
libwvdrmengine/cdm/util/test/file_store_unittest.cpp
View File

@@ -28,51 +28,51 @@ class FileTest : public testing::Test {
void TearDown() override { RemoveTestDir(); }
void RemoveTestDir() {
EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir));
}
FileSystem file_system;
FileSystem file_system_;
};
TEST_F(FileTest, FileExists) {
EXPECT_TRUE(file_system.Exists(test_vectors::kExistentFile));
EXPECT_TRUE(file_system.Exists(test_vectors::kExistentDir));
EXPECT_FALSE(file_system.Exists(test_vectors::kNonExistentFile));
EXPECT_FALSE(file_system.Exists(test_vectors::kNonExistentDir));
EXPECT_TRUE(file_system_.Exists(test_vectors::kExistentFile));
EXPECT_TRUE(file_system_.Exists(test_vectors::kExistentDir));
EXPECT_FALSE(file_system_.Exists(test_vectors::kNonExistentFile));
EXPECT_FALSE(file_system_.Exists(test_vectors::kNonExistentDir));
}
TEST_F(FileTest, RemoveDir) {
EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir));
EXPECT_FALSE(file_system.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir));
EXPECT_FALSE(file_system_.Exists(test_vectors::kTestDir));
}
TEST_F(FileTest, OpenFile) {
std::string path = test_vectors::kTestDir + kTestFileName;
EXPECT_TRUE(file_system.Remove(path));
EXPECT_TRUE(file_system_.Remove(path));
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
}
TEST_F(FileTest, RemoveDirAndFile) {
std::string path = test_vectors::kTestDir + kTestFileName;
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system.Remove(path));
EXPECT_FALSE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
EXPECT_TRUE(file_system_.Remove(path));
EXPECT_FALSE(file_system_.Exists(path));
file = file_system.Open(path, FileSystem::kCreate);
file = file_system_.Open(path, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
RemoveTestDir();
EXPECT_FALSE(file_system.Exists(test_vectors::kTestDir));
EXPECT_FALSE(file_system.Exists(path));
EXPECT_FALSE(file_system_.Exists(test_vectors::kTestDir));
EXPECT_FALSE(file_system_.Exists(path));
}
TEST_F(FileTest, RemoveWildcardFiles) {
@@ -81,47 +81,47 @@ TEST_F(FileTest, RemoveWildcardFiles) {
std::string wildcard_path =
test_vectors::kTestDir + kWildcard + kTestFileNameExt;
std::unique_ptr<File> file = file_system.Open(path1, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path1, FileSystem::kCreate);
ASSERT_TRUE(file);
file = file_system.Open(path2, FileSystem::kCreate);
file = file_system_.Open(path2, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path1));
EXPECT_TRUE(file_system.Exists(path2));
EXPECT_TRUE(file_system.Remove(wildcard_path));
EXPECT_FALSE(file_system.Exists(path1));
EXPECT_FALSE(file_system.Exists(path2));
EXPECT_TRUE(file_system_.Exists(path1));
EXPECT_TRUE(file_system_.Exists(path2));
EXPECT_TRUE(file_system_.Remove(wildcard_path));
EXPECT_FALSE(file_system_.Exists(path1));
EXPECT_FALSE(file_system_.Exists(path2));
}
TEST_F(FileTest, FileSize) {
std::string path = test_vectors::kTestDir + kTestFileName;
file_system.Remove(path);
file_system_.Remove(path);
std::string write_data = CdmRandom::RandomData(600);
size_t write_data_size = write_data.size();
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
EXPECT_EQ(static_cast<ssize_t>(write_data_size), file_system.FileSize(path));
EXPECT_EQ(static_cast<ssize_t>(write_data_size), file_system_.FileSize(path));
}
TEST_F(FileTest, WriteReadBinaryFile) {
std::string path = test_vectors::kTestDir + kTestFileName;
file_system.Remove(path);
file_system_.Remove(path);
std::string write_data = CdmRandom::RandomData(600);
size_t write_data_size = write_data.size();
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
std::string read_data;
read_data.resize(file_system.FileSize(path));
read_data.resize(file_system_.FileSize(path));
size_t read_data_size = read_data.size();
file = file_system.Open(path, FileSystem::kReadOnly);
file = file_system_.Open(path, FileSystem::kReadOnly);
ASSERT_TRUE(file);
EXPECT_EQ(file->Read(&read_data[0], read_data_size), read_data_size);
EXPECT_EQ(write_data, read_data);
@@ -136,25 +136,25 @@ TEST_F(FileTest, ListFiles) {
std::string path3 = test_vectors::kTestDir + kTestFileName3;
std::string path_dir = test_vectors::kTestDir;
std::unique_ptr<File> file = file_system.Open(path1, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path1, FileSystem::kCreate);
ASSERT_TRUE(file);
file = file_system.Open(path2, FileSystem::kCreate);
file = file_system_.Open(path2, FileSystem::kCreate);
ASSERT_TRUE(file);
file = file_system.Open(path3, FileSystem::kCreate);
file = file_system_.Open(path3, FileSystem::kCreate);
ASSERT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path1));
EXPECT_TRUE(file_system.Exists(path2));
EXPECT_TRUE(file_system.Exists(path3));
EXPECT_TRUE(file_system_.Exists(path1));
EXPECT_TRUE(file_system_.Exists(path2));
EXPECT_TRUE(file_system_.Exists(path3));
// Ask for non-existent path.
EXPECT_FALSE(file_system.List(not_path, &names));
EXPECT_FALSE(file_system_.List(not_path, &names));
// Valid path, but no way to return names.
EXPECT_FALSE(file_system.List(path_dir, nullptr));
EXPECT_FALSE(file_system_.List(path_dir, nullptr));
// Valid path, valid return.
EXPECT_TRUE(file_system.List(path_dir, &names));
EXPECT_TRUE(file_system_.List(path_dir, &names));
// Should find three files. Order not important.
EXPECT_EQ(3u, names.size());
@@ -162,15 +162,15 @@ TEST_F(FileTest, ListFiles) {
kTestFileName, kTestFileName2, kTestFileName3));
std::string wild_card_path = path_dir + kWildcard + kTestFileNameExt;
EXPECT_TRUE(file_system.Remove(wild_card_path));
EXPECT_TRUE(file_system.List(path_dir, &names));
EXPECT_TRUE(file_system_.Remove(wild_card_path));
EXPECT_TRUE(file_system_.List(path_dir, &names));
EXPECT_EQ(1u, names.size());
EXPECT_TRUE(names[0].compare(kTestFileName3) == 0);
std::string wild_card_path2 = path_dir + kWildcard + kTestFileNameExt3;
EXPECT_TRUE(file_system.Remove(wild_card_path2));
EXPECT_TRUE(file_system.List(path_dir, &names));
EXPECT_TRUE(file_system_.Remove(wild_card_path2));
EXPECT_TRUE(file_system_.List(path_dir, &names));
EXPECT_EQ(0u, names.size());
}

60
libwvdrmengine/cdm/util/test/file_utils_unittest.cpp
View File

@@ -31,24 +31,24 @@ class FileUtilsTest : public testing::Test {
virtual void TearDown() { RemoveTestDir(); }
void CreateTestDir() {
if (!file_system.Exists(test_vectors::kTestDir)) {
if (!file_system_.Exists(test_vectors::kTestDir)) {
EXPECT_TRUE(FileUtils::CreateDirectory(test_vectors::kTestDir));
}
EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir));
}
void RemoveTestDir() {
EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir));
}
void CreateTestFile(const std::string file_path) {
std::string write_data = GenerateRandomData(600);
size_t write_data_size = write_data.size();
std::unique_ptr<File> file =
file_system.Open(file_path, FileSystem::kCreate);
file_system_.Open(file_path, FileSystem::kCreate);
EXPECT_TRUE(file);
EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size);
EXPECT_TRUE(file_system.Exists(file_path));
EXPECT_TRUE(file_system_.Exists(file_path));
}
std::string GenerateRandomData(uint32_t len) {
@@ -59,70 +59,70 @@ class FileUtilsTest : public testing::Test {
return data;
}
FileSystem file_system;
FileSystem file_system_;
};
TEST_F(FileUtilsTest, CreateDirectory) {
std::string dir_wo_delimiter =
test_vectors::kTestDir.substr(0, test_vectors::kTestDir.size() - 1);
if (file_system.Exists(dir_wo_delimiter))
EXPECT_TRUE(file_system.Remove(dir_wo_delimiter));
EXPECT_FALSE(file_system.Exists(dir_wo_delimiter));
if (file_system_.Exists(dir_wo_delimiter))
EXPECT_TRUE(file_system_.Remove(dir_wo_delimiter));
EXPECT_FALSE(file_system_.Exists(dir_wo_delimiter));
EXPECT_TRUE(FileUtils::CreateDirectory(dir_wo_delimiter));
EXPECT_TRUE(file_system.Exists(dir_wo_delimiter));
EXPECT_TRUE(file_system.Remove(dir_wo_delimiter));
EXPECT_TRUE(file_system_.Exists(dir_wo_delimiter));
EXPECT_TRUE(file_system_.Remove(dir_wo_delimiter));
EXPECT_TRUE(FileUtils::CreateDirectory(test_vectors::kTestDir));
EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir));
}
TEST_F(FileUtilsTest, IsDir) {
std::string path = test_vectors::kTestDir + kTestFileName;
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
EXPECT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Exists(path));
EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir));
EXPECT_FALSE(FileUtils::IsDirectory(path));
EXPECT_TRUE(FileUtils::IsDirectory(test_vectors::kTestDir));
}
TEST_F(FileUtilsTest, IsRegularFile) {
std::string path = test_vectors::kTestDir + kTestFileName;
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
EXPECT_TRUE(file);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir));
EXPECT_TRUE(file_system_.Exists(path));
EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir));
EXPECT_TRUE(FileUtils::IsRegularFile(path));
EXPECT_FALSE(FileUtils::IsRegularFile(test_vectors::kTestDir));
}
TEST_F(FileUtilsTest, CopyFile) {
std::string path = test_vectors::kTestDir + kTestFileName;
file_system.Remove(path);
file_system_.Remove(path);
std::string write_data = GenerateRandomData(600);
size_t write_data_size = write_data.size();
std::unique_ptr<File> wr_file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> wr_file = file_system_.Open(path, FileSystem::kCreate);
EXPECT_TRUE(wr_file);
EXPECT_EQ(wr_file->Write(write_data.data(), write_data_size),
write_data_size);
ASSERT_TRUE(file_system.Exists(path));
ASSERT_TRUE(file_system_.Exists(path));
std::string path_copy = test_vectors::kTestDir + kTestFileName2;
EXPECT_FALSE(file_system.Exists(path_copy));
EXPECT_FALSE(file_system_.Exists(path_copy));
EXPECT_TRUE(FileUtils::Copy(path, path_copy));
std::string read_data;
read_data.resize(file_system.FileSize(path_copy));
read_data.resize(file_system_.FileSize(path_copy));
size_t read_data_size = read_data.size();
std::unique_ptr<File> rd_file =
file_system.Open(path_copy, FileSystem::kReadOnly);
file_system_.Open(path_copy, FileSystem::kReadOnly);
EXPECT_TRUE(rd_file);
EXPECT_EQ(rd_file->Read(&read_data[0], read_data_size), read_data_size);
EXPECT_EQ(write_data, read_data);
EXPECT_EQ(file_system.FileSize(path), file_system.FileSize(path_copy));
EXPECT_EQ(file_system_.FileSize(path), file_system_.FileSize(path_copy));
}
TEST_F(FileUtilsTest, ListEmptyDirectory) {
@@ -138,18 +138,18 @@ TEST_F(FileUtilsTest, ListFiles) {
path = test_vectors::kTestDir + kTestFileName;
std::string write_data = GenerateRandomData(600);
size_t write_data_size = write_data.size();
std::unique_ptr<File> file = file_system.Open(path, FileSystem::kCreate);
std::unique_ptr<File> file = file_system_.Open(path, FileSystem::kCreate);
EXPECT_TRUE(file);
EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
path = test_vectors::kTestDir + kTestFileName2;
write_data = GenerateRandomData(600);
write_data_size = write_data.size();
file = file_system.Open(path, FileSystem::kCreate);
file = file_system_.Open(path, FileSystem::kCreate);
EXPECT_TRUE(file);
EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size);
EXPECT_TRUE(file_system.Exists(path));
EXPECT_TRUE(file_system_.Exists(path));
std::vector<std::string> files;
EXPECT_TRUE(FileUtils::List(test_vectors::kTestDir, &files));

233
libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.cpp Normal file
View File

@@ -0,0 +1,233 @@
// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine License
// Agreement.
//
// Reference implementation of OEMCrypto APIs
//
#include "oemcrypto_oem_cert.h"
#include <string.h>
#include <openssl/pkcs7.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include "log.h"
#include "oemcrypto_rsa_key.h"
#include "scoped_object.h"
namespace wvoec_ref {
namespace {
using ScopedCertificate = ScopedObject<X509, X509_free>;
using ScopedEvpKey = ScopedObject<EVP_PKEY, EVP_PKEY_free>;
using ScopedPkcs7 = ScopedObject<PKCS7, PKCS7_free>;
constexpr size_t kExpectedCertCount = 2; // Leaf and intermediate.
constexpr int kDeviceCertIndex = 0;
// Checks that the |public_key| from an X.509 certificate is the
// correct public key of the serialized |private_key_data|.
OEMCryptoResult VerifyRsaKey(const RSA* public_key,
const std::vector<uint8_t>& private_key_data) {
if (public_key == nullptr) {
LOGE("RSA key is null");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
std::unique_ptr<RsaPrivateKey> private_key =
RsaPrivateKey::Load(private_key_data);
if (!private_key) {
LOGE("Failed to parse provided RSA private key");
return OEMCrypto_ERROR_INVALID_RSA_KEY;
}
if (!RsaKeysAreMatchingPair(public_key, private_key->GetRsaKey())) {
LOGE("OEM certificate keys do not match");
return OEMCrypto_ERROR_INVALID_RSA_KEY;
}
return OEMCrypto_SUCCESS;
}
} // namespace
// This utility class encapsulates the minimum functionality of an
// OEM Public Certificate required to verify a device's OEM Public
// Certificate.
class OemPublicCertificate {
public:
// Loads a PKCS #7 signedData message with certificate chain.
// Minimum validation is performed. Only checks that the
// device's public key is of a known type (RSA).
static std::unique_ptr<OemPublicCertificate> Load(const uint8_t* public_cert,
size_t public_cert_size) {
std::unique_ptr<OemPublicCertificate> oem_public_cert;
if (public_cert == nullptr) {
LOGE("Public cert buffer is null");
return oem_public_cert;
}
if (public_cert_size == 0) {
LOGE("Public cert buffer is empty");
return oem_public_cert;
}
oem_public_cert.reset(new OemPublicCertificate());
if (!oem_public_cert->InitFromBuffer(public_cert, public_cert_size)) {
oem_public_cert.reset();
}
return oem_public_cert;
}
OemCertificate::KeyType key_type() const { return key_type_; }
const std::vector<uint8_t>& cert_data() const { return cert_data_; }
const RSA* GetPublicRsaKey() const {
return EVP_PKEY_get0_RSA(device_public_key_.get());
}
~OemPublicCertificate() = default;
OemPublicCertificate(const OemPublicCertificate&) = delete;
OemPublicCertificate(OemPublicCertificate&&) = delete;
const OemPublicCertificate& operator=(const OemPublicCertificate&) = delete;
OemPublicCertificate& operator=(OemPublicCertificate&&) = delete;
private:
OemPublicCertificate() {}
bool InitFromBuffer(const uint8_t* public_cert, size_t public_cert_size) {
// Step 1: Parse the PKCS7 certificate chain as signedData.
const uint8_t* public_cert_ptr = public_cert;
pkcs7_.reset(d2i_PKCS7(nullptr, &public_cert_ptr, public_cert_size));
if (!pkcs7_) {
LOGE("Failed to parse PKCS#7 certificate chain");
return false;
}
if (!PKCS7_type_is_signed(pkcs7_.get())) {
LOGE("OEM Public Certificate is not PKCS#7 signed data");
return false;
}
PKCS7_SIGNED* signed_data = pkcs7_->d.sign;
// Step 2: Get the leaf certificate.
const size_t cert_count =
static_cast<size_t>(sk_X509_num(signed_data->cert));
if (cert_count != kExpectedCertCount) {
LOGE("Unexpected number of certificates: expected = %zu, actual = %zu",
kExpectedCertCount, cert_count);
return false;
}
X509* leaf_cert = sk_X509_value(signed_data->cert, kDeviceCertIndex);
// Step 3a: Get the device's public key.
device_public_key_.reset(X509_get_pubkey(leaf_cert));
if (!device_public_key_) {
LOGE("Device X.509 certificate is missing a public key");
return false;
}
// Step 3b: Check key type.
if (EVP_PKEY_get0_RSA(device_public_key_.get()) == nullptr) {
LOGE("Device public key is not RSA");
return false;
}
key_type_ = OemCertificate::kRsa;
cert_data_.assign(public_cert, public_cert + public_cert_size);
return true;
}
OemCertificate::KeyType key_type_ = OemCertificate::kNone;
// OpenSSL/BoringSSL's implementation of PKCS7 objects.
ScopedPkcs7 pkcs7_;
ScopedEvpKey device_public_key_;
std::vector<uint8_t> cert_data_;
};
// ===== ===== ===== OEM Certificate ===== ===== =====
// static
std::unique_ptr<OemCertificate> OemCertificate::Create(
const uint8_t* private_key_data, size_t private_key_size,
const uint8_t* public_cert_data, size_t public_cert_size) {
std::unique_ptr<OemCertificate> oem_cert;
// Step 1: Verify public cert is well-formed.
std::unique_ptr<OemPublicCertificate> oem_public_cert =
OemPublicCertificate::Load(public_cert_data, public_cert_size);
if (!oem_public_cert) {
LOGE("Invalid OEM Public Certificate");
return oem_cert;
}
// Step 2: Verify private key is well-formed.
switch (oem_public_cert->key_type()) {
case kRsa: {
std::unique_ptr<RsaPrivateKey> oem_private_key =
RsaPrivateKey::Load(private_key_data, private_key_size);
if (!oem_private_key) {
LOGE("Invalid OEM Private Key");
return oem_cert;
}
} break;
case kNone: // Suppress compiler warnings.
return oem_cert;
}
// Step 3: Copy over data.
oem_cert.reset(new OemCertificate());
oem_cert->private_key_.assign(private_key_data,
private_key_data + private_key_size);
oem_cert->public_cert_ = std::move(oem_public_cert);
return oem_cert;
}
// static
std::unique_ptr<OemCertificate> OemCertificate::Create(
const std::vector<uint8_t>& private_key,
const std::vector<uint8_t>& public_cert) {
if (private_key.empty()) {
LOGE("Private key buffer is empty");
return std::unique_ptr<OemCertificate>();
}
if (public_cert.empty()) {
LOGE("Public cert buffer is empty");
return std::unique_ptr<OemCertificate>();
}
return Create(private_key.data(), private_key.size(), public_cert.data(),
public_cert.size());
}
OemCertificate::KeyType OemCertificate::key_type() const {
return public_cert_->key_type();
}
OEMCryptoResult OemCertificate::GetPublicCertificate(
uint8_t* public_cert, size_t* public_cert_length) const {
if (public_cert_length == nullptr) {
LOGE("Output |public_cert_length| is null");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
if (public_cert == nullptr && *public_cert_length > 0) {
LOGE("Output |public_cert| is null");
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
const std::vector<uint8_t>& cert_data = public_cert_->cert_data();
if (*public_cert_length < cert_data.size()) {
*public_cert_length = cert_data.size();
return OEMCrypto_ERROR_SHORT_BUFFER;
}
*public_cert_length = cert_data.size();
memcpy(public_cert, cert_data.data(), cert_data.size());
return OEMCrypto_SUCCESS;
}
const std::vector<uint8_t>& OemCertificate::GetPublicCertificate() const {
return public_cert_->cert_data();
}
OEMCryptoResult OemCertificate::IsCertificateValid() const {
switch (key_type()) {
case kRsa:
return VerifyRsaKey(public_cert_->GetPublicRsaKey(), private_key_);
case kNone: // Suppress compiler warnings.
break;
}
LOGE("Unexpected error key type: type = %d", static_cast<int>(key_type()));
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
// Constructor and destructor do not perform anything special, but
// must be declared within a scope which defines OemPublicCertificate.
OemCertificate::OemCertificate() {}
OemCertificate::~OemCertificate() {}
} // namespace wvoec_ref

104
libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.h Normal file
View File

@@ -0,0 +1,104 @@
// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine License
// Agreement.
//
// Reference implementation of OEMCrypto APIs
//
#ifndef OEMCRYPTO_OEM_CERT_H_
#define OEMCRYPTO_OEM_CERT_H_
#include <memory>
#include <vector>
#include "OEMCryptoCENCCommon.h"
namespace wvoec_ref {
class OemPublicCertificate;
// An OEM Certificate is a factory provisioned root of trust
// certificate which consists of a public certificate and its
// matching private key.
// The public certificate must be an ASN.1 DER encoded PKCS #7
// ContentInfo of type signedData (RFC2315). The device's X.509
// certificate must be the first certificate in the chain of
// SignedContent |certificates|.
// The certificates are X.509 Certificate as defined in RFC 5280
// signed by the device manufacturers certificate which is signed
// by Google.
// The OEM Public Cert should only contain the device's certificate
// and the OEM's intermediate certificate.
// The private key storage format is at the discretion of the OEM;
// the reference implementation uses PKCS8 PrivateKeyInfo.
class OemCertificate {
public:
enum KeyType {
kNone = 0,
// Private key is an ASN.1 DER encoded PrivateKeyInfo specifying
// an RSA encryption key.
kRsa = 1
};
// Creates a new OEM Certificate and performs basic validation
// to ensure that the private key and public cert are well-formed.
// The |public_cert| provided is parsed as an X.509 Certificate
// and the public key is verified against the private key.
// The |private_key| is parsed depending on the key type.
// If any error occurs or if the provided data is malformed, an
// empty pointer is returned.
static std::unique_ptr<OemCertificate> Create(const uint8_t* private_key,
size_t private_key_size,
const uint8_t* public_cert,
size_t public_cert_size);
static std::unique_ptr<OemCertificate> Create(
const std::vector<uint8_t>& private_key,
const std::vector<uint8_t>& public_cert);
// Returns the key type of the OEM Public key and private key.
// As of OEMCrypto v16, the only supported key type is RSA.
KeyType key_type() const;
// Returns the private key data. Intended to be used for calls
// to OEMCrypto_LoadOEMPrivateKey().
const std::vector<uint8_t>& GetPrivateKey() const { return private_key_; }
// Returns a copy of the ASN.1 DER encoded PKCS #7 certificate chain.
// If |*public_cert_length| is large enough, the complete
// certificate is copied to the buffer specified by |public_cert|,
// |*public_cert_length| is adjusted to the actual size of the
// certificate data, and SUCCESS is returned.
// If |*public_cert_length| is not large enough, then it is
// set to size of the certificate and ERROR_SHORT_BUFFER is
// returned.
OEMCryptoResult GetPublicCertificate(uint8_t* public_cert,
size_t* public_cert_length) const;
// Returns the certificate directly. Intended to be used for
// testing.
const std::vector<uint8_t>& GetPublicCertificate() const;
// Verifies that the RSA key included in the OEM Cert is valid.
// The existence of an OemCertificate already ensures that the
// OEM Public Certificate and private key data are well-formed.
// This takes the check another step further and ensures that
// the private key matches the public key in the public cert
// (ie, same modulos and public exponent).
OEMCryptoResult IsCertificateValid() const;
~OemCertificate();
OemCertificate(const OemCertificate&) = delete;
OemCertificate(OemCertificate&&) = delete;
const OemCertificate& operator=(const OemCertificate&) = delete;
OemCertificate& operator=(OemCertificate&&) = delete;
private:
OemCertificate();
// Serialized private key matching the OEM certificate.
std::vector<uint8_t> private_key_;
// Serialized OEM Certificate.
std::unique_ptr<OemPublicCertificate> public_cert_;
};
} // namespace wvoec_ref
#endif // OEMCRYPTO_OEM_CERT_H_