diff --git a/libwvdrmengine/cdm/core/include/certificate_provisioning.h b/libwvdrmengine/cdm/core/include/certificate_provisioning.h index 6159fafe..8766de81 100644 --- a/libwvdrmengine/cdm/core/include/certificate_provisioning.h +++ b/libwvdrmengine/cdm/core/include/certificate_provisioning.h @@ -64,6 +64,12 @@ class CertificateProvisioning { const std::string& provisioning_response, std::string* result); private: + CdmResponseType GetProvisioningRequestInternal( + SecurityLevel requested_security_level, CdmCertificateType cert_type, + const std::string& cert_authority, const std::string& origin, + const std::string& spoid, CdmProvisioningRequest* request, + std::string* default_url); + CdmResponseType SetSpoidParameter( const std::string& origin, const std::string& spoid, video_widevine::ProvisioningRequest* request); @@ -71,6 +77,15 @@ class CertificateProvisioning { video_widevine::SignedProvisioningMessage::ProvisioningType GetProvisioningType(); + // Closes crypto session if one is open. Avoid calling this method when + // processing a response. Multiple provisioning responses might be + // simultaneously in flight. Only the response associated with the last + // provisioning request can be processed. All the other responses will + // fail. If the session is closed when these responses fail, even the one + // associated with the last provisioning request may fail. + CdmResponseType CloseSessionOnError(CdmResponseType status); + void CloseSession(); + std::unique_ptr crypto_session_; CdmCertificateType cert_type_; std::unique_ptr service_certificate_; diff --git a/libwvdrmengine/cdm/core/src/cdm_engine.cpp b/libwvdrmengine/cdm/core/src/cdm_engine.cpp index 2a71f0d2..aab679e9 100644 --- a/libwvdrmengine/cdm/core/src/cdm_engine.cpp +++ b/libwvdrmengine/cdm/core/src/cdm_engine.cpp @@ -304,6 +304,12 @@ CdmResponseType CdmEngine::GenerateKeyRequest( OnKeyReleaseEvent(key_set_id); } + LOGD( + "key request: (%zu) %s", key_request->message.size(), + wvcdm::Base64SafeEncode(std::vector(key_request->message.begin(), + key_request->message.end())) + .c_str()); + return KEY_MESSAGE; } @@ -339,6 +345,11 @@ CdmResponseType CdmEngine::AddKey(const CdmSessionId& session_id, } id = iter->second.first; + } else { + LOGD("key data: (%zu) %s", key_data.size(), + wvcdm::Base64SafeEncode( + std::vector(key_data.begin(), key_data.end())) + .c_str()); } std::shared_ptr session; diff --git a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp index fbff6d49..8357232a 100644 --- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp +++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp @@ -194,6 +194,16 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest( const std::string& cert_authority, const std::string& origin, const std::string& spoid, CdmProvisioningRequest* request, std::string* default_url) { + return CloseSessionOnError(GetProvisioningRequestInternal( + requested_security_level, cert_type, cert_authority, origin, spoid, + request, default_url)); +} + +CdmResponseType CertificateProvisioning::GetProvisioningRequestInternal( + SecurityLevel requested_security_level, CdmCertificateType cert_type, + const std::string& cert_authority, const std::string& origin, + const std::string& spoid, CdmProvisioningRequest* request, + std::string* default_url) { if (!request || !default_url) { LOGE("Output parameter |%s| is not provided", request ? "default_url" : "request"); @@ -202,7 +212,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest( default_url->assign(kProvisioningServerUrl); - if (crypto_session_->IsOpen()) crypto_session_->Close(); + CloseSession(); CdmResponseType status = crypto_session_->Open(requested_security_level); if (NO_ERROR != status) { LOGE("Failed to create a crypto session: status = %d", @@ -423,7 +433,7 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse( } const CdmSecurityLevel security_level = crypto_session_->GetSecurityLevel(); - crypto_session_->Close(); + CloseSession(); // This is the entire certificate (SignedDrmCertificate). const std::string& device_cert_data = @@ -520,4 +530,14 @@ bool CertificateProvisioning::ExtractDeviceInfo( return true; } +void CertificateProvisioning::CloseSession() { + if (crypto_session_->IsOpen()) crypto_session_->Close(); +} + +CdmResponseType CertificateProvisioning::CloseSessionOnError( + CdmResponseType status) { + if (status != NO_ERROR) CloseSession(); + return status; +} + } // namespace wvcdm diff --git a/libwvdrmengine/cdm/core/src/device_files.proto b/libwvdrmengine/cdm/core/src/device_files.proto index 3d743525..25956ee0 100644 --- a/libwvdrmengine/cdm/core/src/device_files.proto +++ b/libwvdrmengine/cdm/core/src/device_files.proto @@ -28,6 +28,15 @@ message DeviceCertificate { optional bytes certificate = 1; optional bytes wrapped_private_key = 2; optional PrivateKeyType key_type = 3 [default = RSA]; + // Used by DRM certificates with an expiry time. Set by the client when + // the certificate is received. Aids expiration calculation at the + // client when provisioning server and client clocks are not aligned + optional int64 acquisition_time_seconds = 4; + // Used by DRM certificates without an expiration time. This is for + // upgrading devices with pre-existing DRM certificates. The client will + // calculate an expiration time 6 months into the future with a randomized + // +/-2 month window + optional int64 expiration_time_seconds = 5; } message License { @@ -56,6 +65,7 @@ message License { optional int64 grace_period_end_time = 11 [default = 0]; optional bytes usage_entry = 12; optional int64 usage_entry_number = 13; + optional DeviceCertificate drm_certificate = 14; } message UsageInfo { @@ -68,9 +78,19 @@ message UsageInfo { optional bytes key_set_id = 4; optional bytes usage_entry = 5; optional int64 usage_entry_number = 6; + // If not present, use the legacy DRM certificate rather than + // one in DrmDeviceCertificate + optional int32 drm_certificate_entry_number = 7; + } + + // A cache of DeviceCertificates associated with usage entries + message DrmDeviceCertificate { + optional int32 drm_certificate_entry_number = 1; + optional DeviceCertificate drm_certificate = 2; } repeated ProviderSession sessions = 1; + repeated DrmDeviceCertificate drm_device_certificates = 2; } message HlsAttributes { @@ -92,7 +112,7 @@ message UsageTableInfo { optional UsageEntryStorage storage = 1; optional bytes key_set_id = 2; - optional bytes usage_info_file_name = 3; // hash of the app_id + optional bytes usage_info_file_name = 3; // hash of the app_id // LRU table replacement data. optional int64 last_use_time = 4 [default = 0]; @@ -114,9 +134,7 @@ message File { USAGE_TABLE_INFO = 5; } - enum FileVersion { - VERSION_1 = 1; - } + enum FileVersion { VERSION_1 = 1; } optional FileType type = 1; optional FileVersion version = 2 [default = VERSION_1]; diff --git a/libwvdrmengine/cdm/util/src/log.cpp b/libwvdrmengine/cdm/util/src/log.cpp index 830a4dad..fd3c888c 100644 --- a/libwvdrmengine/cdm/util/src/log.cpp +++ b/libwvdrmengine/cdm/util/src/log.cpp @@ -19,7 +19,7 @@ #endif #define LOG_TAG "WVCdm" -#define LOG_BUF_SIZE 1024 +#define LOG_BUF_SIZE 5120 #include "log.h" #include @@ -83,7 +83,7 @@ void Log(const char* file, const char* function, int line, LogPriority level, const char* filename = strrchr(file, '/'); filename = filename == nullptr ? file : filename + 1; - char buf[LOG_BUF_SIZE]; + static thread_local char buf[LOG_BUF_SIZE]; int len = snprintf(buf, LOG_BUF_SIZE, "[%s(%d):%s] ", filename, line, function); if (len < 0) len = 0; diff --git a/libwvdrmengine/cdm/util/test/file_store_unittest.cpp b/libwvdrmengine/cdm/util/test/file_store_unittest.cpp index c89fe6e0..bae0aea0 100644 --- a/libwvdrmengine/cdm/util/test/file_store_unittest.cpp +++ b/libwvdrmengine/cdm/util/test/file_store_unittest.cpp @@ -28,51 +28,51 @@ class FileTest : public testing::Test { void TearDown() override { RemoveTestDir(); } void RemoveTestDir() { - EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir)); } - FileSystem file_system; + FileSystem file_system_; }; TEST_F(FileTest, FileExists) { - EXPECT_TRUE(file_system.Exists(test_vectors::kExistentFile)); - EXPECT_TRUE(file_system.Exists(test_vectors::kExistentDir)); - EXPECT_FALSE(file_system.Exists(test_vectors::kNonExistentFile)); - EXPECT_FALSE(file_system.Exists(test_vectors::kNonExistentDir)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kExistentFile)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kExistentDir)); + EXPECT_FALSE(file_system_.Exists(test_vectors::kNonExistentFile)); + EXPECT_FALSE(file_system_.Exists(test_vectors::kNonExistentDir)); } TEST_F(FileTest, RemoveDir) { - EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir)); - EXPECT_FALSE(file_system.Exists(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir)); + EXPECT_FALSE(file_system_.Exists(test_vectors::kTestDir)); } TEST_F(FileTest, OpenFile) { std::string path = test_vectors::kTestDir + kTestFileName; - EXPECT_TRUE(file_system.Remove(path)); + EXPECT_TRUE(file_system_.Remove(path)); - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); ASSERT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); } TEST_F(FileTest, RemoveDirAndFile) { std::string path = test_vectors::kTestDir + kTestFileName; - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); ASSERT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path)); - EXPECT_TRUE(file_system.Remove(path)); - EXPECT_FALSE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); + EXPECT_TRUE(file_system_.Remove(path)); + EXPECT_FALSE(file_system_.Exists(path)); - file = file_system.Open(path, FileSystem::kCreate); + file = file_system_.Open(path, FileSystem::kCreate); ASSERT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); RemoveTestDir(); - EXPECT_FALSE(file_system.Exists(test_vectors::kTestDir)); - EXPECT_FALSE(file_system.Exists(path)); + EXPECT_FALSE(file_system_.Exists(test_vectors::kTestDir)); + EXPECT_FALSE(file_system_.Exists(path)); } TEST_F(FileTest, RemoveWildcardFiles) { @@ -81,47 +81,47 @@ TEST_F(FileTest, RemoveWildcardFiles) { std::string wildcard_path = test_vectors::kTestDir + kWildcard + kTestFileNameExt; - std::unique_ptr file = file_system.Open(path1, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path1, FileSystem::kCreate); ASSERT_TRUE(file); - file = file_system.Open(path2, FileSystem::kCreate); + file = file_system_.Open(path2, FileSystem::kCreate); ASSERT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path1)); - EXPECT_TRUE(file_system.Exists(path2)); - EXPECT_TRUE(file_system.Remove(wildcard_path)); - EXPECT_FALSE(file_system.Exists(path1)); - EXPECT_FALSE(file_system.Exists(path2)); + EXPECT_TRUE(file_system_.Exists(path1)); + EXPECT_TRUE(file_system_.Exists(path2)); + EXPECT_TRUE(file_system_.Remove(wildcard_path)); + EXPECT_FALSE(file_system_.Exists(path1)); + EXPECT_FALSE(file_system_.Exists(path2)); } TEST_F(FileTest, FileSize) { std::string path = test_vectors::kTestDir + kTestFileName; - file_system.Remove(path); + file_system_.Remove(path); std::string write_data = CdmRandom::RandomData(600); size_t write_data_size = write_data.size(); - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); ASSERT_TRUE(file); EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); - EXPECT_EQ(static_cast(write_data_size), file_system.FileSize(path)); + EXPECT_EQ(static_cast(write_data_size), file_system_.FileSize(path)); } TEST_F(FileTest, WriteReadBinaryFile) { std::string path = test_vectors::kTestDir + kTestFileName; - file_system.Remove(path); + file_system_.Remove(path); std::string write_data = CdmRandom::RandomData(600); size_t write_data_size = write_data.size(); - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); ASSERT_TRUE(file); EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); std::string read_data; - read_data.resize(file_system.FileSize(path)); + read_data.resize(file_system_.FileSize(path)); size_t read_data_size = read_data.size(); - file = file_system.Open(path, FileSystem::kReadOnly); + file = file_system_.Open(path, FileSystem::kReadOnly); ASSERT_TRUE(file); EXPECT_EQ(file->Read(&read_data[0], read_data_size), read_data_size); EXPECT_EQ(write_data, read_data); @@ -136,25 +136,25 @@ TEST_F(FileTest, ListFiles) { std::string path3 = test_vectors::kTestDir + kTestFileName3; std::string path_dir = test_vectors::kTestDir; - std::unique_ptr file = file_system.Open(path1, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path1, FileSystem::kCreate); ASSERT_TRUE(file); - file = file_system.Open(path2, FileSystem::kCreate); + file = file_system_.Open(path2, FileSystem::kCreate); ASSERT_TRUE(file); - file = file_system.Open(path3, FileSystem::kCreate); + file = file_system_.Open(path3, FileSystem::kCreate); ASSERT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path1)); - EXPECT_TRUE(file_system.Exists(path2)); - EXPECT_TRUE(file_system.Exists(path3)); + EXPECT_TRUE(file_system_.Exists(path1)); + EXPECT_TRUE(file_system_.Exists(path2)); + EXPECT_TRUE(file_system_.Exists(path3)); // Ask for non-existent path. - EXPECT_FALSE(file_system.List(not_path, &names)); + EXPECT_FALSE(file_system_.List(not_path, &names)); // Valid path, but no way to return names. - EXPECT_FALSE(file_system.List(path_dir, nullptr)); + EXPECT_FALSE(file_system_.List(path_dir, nullptr)); // Valid path, valid return. - EXPECT_TRUE(file_system.List(path_dir, &names)); + EXPECT_TRUE(file_system_.List(path_dir, &names)); // Should find three files. Order not important. EXPECT_EQ(3u, names.size()); @@ -162,15 +162,15 @@ TEST_F(FileTest, ListFiles) { kTestFileName, kTestFileName2, kTestFileName3)); std::string wild_card_path = path_dir + kWildcard + kTestFileNameExt; - EXPECT_TRUE(file_system.Remove(wild_card_path)); - EXPECT_TRUE(file_system.List(path_dir, &names)); + EXPECT_TRUE(file_system_.Remove(wild_card_path)); + EXPECT_TRUE(file_system_.List(path_dir, &names)); EXPECT_EQ(1u, names.size()); EXPECT_TRUE(names[0].compare(kTestFileName3) == 0); std::string wild_card_path2 = path_dir + kWildcard + kTestFileNameExt3; - EXPECT_TRUE(file_system.Remove(wild_card_path2)); - EXPECT_TRUE(file_system.List(path_dir, &names)); + EXPECT_TRUE(file_system_.Remove(wild_card_path2)); + EXPECT_TRUE(file_system_.List(path_dir, &names)); EXPECT_EQ(0u, names.size()); } diff --git a/libwvdrmengine/cdm/util/test/file_utils_unittest.cpp b/libwvdrmengine/cdm/util/test/file_utils_unittest.cpp index ce73bd70..39a08c3a 100644 --- a/libwvdrmengine/cdm/util/test/file_utils_unittest.cpp +++ b/libwvdrmengine/cdm/util/test/file_utils_unittest.cpp @@ -31,24 +31,24 @@ class FileUtilsTest : public testing::Test { virtual void TearDown() { RemoveTestDir(); } void CreateTestDir() { - if (!file_system.Exists(test_vectors::kTestDir)) { + if (!file_system_.Exists(test_vectors::kTestDir)) { EXPECT_TRUE(FileUtils::CreateDirectory(test_vectors::kTestDir)); } - EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir)); } void RemoveTestDir() { - EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir)); } void CreateTestFile(const std::string file_path) { std::string write_data = GenerateRandomData(600); size_t write_data_size = write_data.size(); std::unique_ptr file = - file_system.Open(file_path, FileSystem::kCreate); + file_system_.Open(file_path, FileSystem::kCreate); EXPECT_TRUE(file); EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size); - EXPECT_TRUE(file_system.Exists(file_path)); + EXPECT_TRUE(file_system_.Exists(file_path)); } std::string GenerateRandomData(uint32_t len) { @@ -59,70 +59,70 @@ class FileUtilsTest : public testing::Test { return data; } - FileSystem file_system; + FileSystem file_system_; }; TEST_F(FileUtilsTest, CreateDirectory) { std::string dir_wo_delimiter = test_vectors::kTestDir.substr(0, test_vectors::kTestDir.size() - 1); - if (file_system.Exists(dir_wo_delimiter)) - EXPECT_TRUE(file_system.Remove(dir_wo_delimiter)); - EXPECT_FALSE(file_system.Exists(dir_wo_delimiter)); + if (file_system_.Exists(dir_wo_delimiter)) + EXPECT_TRUE(file_system_.Remove(dir_wo_delimiter)); + EXPECT_FALSE(file_system_.Exists(dir_wo_delimiter)); EXPECT_TRUE(FileUtils::CreateDirectory(dir_wo_delimiter)); - EXPECT_TRUE(file_system.Exists(dir_wo_delimiter)); - EXPECT_TRUE(file_system.Remove(dir_wo_delimiter)); + EXPECT_TRUE(file_system_.Exists(dir_wo_delimiter)); + EXPECT_TRUE(file_system_.Remove(dir_wo_delimiter)); EXPECT_TRUE(FileUtils::CreateDirectory(test_vectors::kTestDir)); - EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir)); - EXPECT_TRUE(file_system.Remove(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Remove(test_vectors::kTestDir)); } TEST_F(FileUtilsTest, IsDir) { std::string path = test_vectors::kTestDir + kTestFileName; - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); EXPECT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path)); - EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Exists(path)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir)); EXPECT_FALSE(FileUtils::IsDirectory(path)); EXPECT_TRUE(FileUtils::IsDirectory(test_vectors::kTestDir)); } TEST_F(FileUtilsTest, IsRegularFile) { std::string path = test_vectors::kTestDir + kTestFileName; - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); EXPECT_TRUE(file); - EXPECT_TRUE(file_system.Exists(path)); - EXPECT_TRUE(file_system.Exists(test_vectors::kTestDir)); + EXPECT_TRUE(file_system_.Exists(path)); + EXPECT_TRUE(file_system_.Exists(test_vectors::kTestDir)); EXPECT_TRUE(FileUtils::IsRegularFile(path)); EXPECT_FALSE(FileUtils::IsRegularFile(test_vectors::kTestDir)); } TEST_F(FileUtilsTest, CopyFile) { std::string path = test_vectors::kTestDir + kTestFileName; - file_system.Remove(path); + file_system_.Remove(path); std::string write_data = GenerateRandomData(600); size_t write_data_size = write_data.size(); - std::unique_ptr wr_file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr wr_file = file_system_.Open(path, FileSystem::kCreate); EXPECT_TRUE(wr_file); EXPECT_EQ(wr_file->Write(write_data.data(), write_data_size), write_data_size); - ASSERT_TRUE(file_system.Exists(path)); + ASSERT_TRUE(file_system_.Exists(path)); std::string path_copy = test_vectors::kTestDir + kTestFileName2; - EXPECT_FALSE(file_system.Exists(path_copy)); + EXPECT_FALSE(file_system_.Exists(path_copy)); EXPECT_TRUE(FileUtils::Copy(path, path_copy)); std::string read_data; - read_data.resize(file_system.FileSize(path_copy)); + read_data.resize(file_system_.FileSize(path_copy)); size_t read_data_size = read_data.size(); std::unique_ptr rd_file = - file_system.Open(path_copy, FileSystem::kReadOnly); + file_system_.Open(path_copy, FileSystem::kReadOnly); EXPECT_TRUE(rd_file); EXPECT_EQ(rd_file->Read(&read_data[0], read_data_size), read_data_size); EXPECT_EQ(write_data, read_data); - EXPECT_EQ(file_system.FileSize(path), file_system.FileSize(path_copy)); + EXPECT_EQ(file_system_.FileSize(path), file_system_.FileSize(path_copy)); } TEST_F(FileUtilsTest, ListEmptyDirectory) { @@ -138,18 +138,18 @@ TEST_F(FileUtilsTest, ListFiles) { path = test_vectors::kTestDir + kTestFileName; std::string write_data = GenerateRandomData(600); size_t write_data_size = write_data.size(); - std::unique_ptr file = file_system.Open(path, FileSystem::kCreate); + std::unique_ptr file = file_system_.Open(path, FileSystem::kCreate); EXPECT_TRUE(file); EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); path = test_vectors::kTestDir + kTestFileName2; write_data = GenerateRandomData(600); write_data_size = write_data.size(); - file = file_system.Open(path, FileSystem::kCreate); + file = file_system_.Open(path, FileSystem::kCreate); EXPECT_TRUE(file); EXPECT_EQ(file->Write(write_data.data(), write_data_size), write_data_size); - EXPECT_TRUE(file_system.Exists(path)); + EXPECT_TRUE(file_system_.Exists(path)); std::vector files; EXPECT_TRUE(FileUtils::List(test_vectors::kTestDir, &files)); diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.cpp new file mode 100644 index 00000000..21b2e0b8 --- /dev/null +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.cpp @@ -0,0 +1,233 @@ +// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary +// source code may only be used and distributed under the Widevine License +// Agreement. +// +// Reference implementation of OEMCrypto APIs +// +#include "oemcrypto_oem_cert.h" + +#include + +#include +#include +#include + +#include "log.h" +#include "oemcrypto_rsa_key.h" +#include "scoped_object.h" + +namespace wvoec_ref { +namespace { +using ScopedCertificate = ScopedObject; +using ScopedEvpKey = ScopedObject; +using ScopedPkcs7 = ScopedObject; + +constexpr size_t kExpectedCertCount = 2; // Leaf and intermediate. +constexpr int kDeviceCertIndex = 0; + +// Checks that the |public_key| from an X.509 certificate is the +// correct public key of the serialized |private_key_data|. +OEMCryptoResult VerifyRsaKey(const RSA* public_key, + const std::vector& private_key_data) { + if (public_key == nullptr) { + LOGE("RSA key is null"); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + std::unique_ptr private_key = + RsaPrivateKey::Load(private_key_data); + if (!private_key) { + LOGE("Failed to parse provided RSA private key"); + return OEMCrypto_ERROR_INVALID_RSA_KEY; + } + if (!RsaKeysAreMatchingPair(public_key, private_key->GetRsaKey())) { + LOGE("OEM certificate keys do not match"); + return OEMCrypto_ERROR_INVALID_RSA_KEY; + } + return OEMCrypto_SUCCESS; +} +} // namespace + +// This utility class encapsulates the minimum functionality of an +// OEM Public Certificate required to verify a device's OEM Public +// Certificate. +class OemPublicCertificate { + public: + // Loads a PKCS #7 signedData message with certificate chain. + // Minimum validation is performed. Only checks that the + // device's public key is of a known type (RSA). + static std::unique_ptr Load(const uint8_t* public_cert, + size_t public_cert_size) { + std::unique_ptr oem_public_cert; + if (public_cert == nullptr) { + LOGE("Public cert buffer is null"); + return oem_public_cert; + } + if (public_cert_size == 0) { + LOGE("Public cert buffer is empty"); + return oem_public_cert; + } + oem_public_cert.reset(new OemPublicCertificate()); + if (!oem_public_cert->InitFromBuffer(public_cert, public_cert_size)) { + oem_public_cert.reset(); + } + return oem_public_cert; + } + + OemCertificate::KeyType key_type() const { return key_type_; } + const std::vector& cert_data() const { return cert_data_; } + + const RSA* GetPublicRsaKey() const { + return EVP_PKEY_get0_RSA(device_public_key_.get()); + } + + ~OemPublicCertificate() = default; + + OemPublicCertificate(const OemPublicCertificate&) = delete; + OemPublicCertificate(OemPublicCertificate&&) = delete; + const OemPublicCertificate& operator=(const OemPublicCertificate&) = delete; + OemPublicCertificate& operator=(OemPublicCertificate&&) = delete; + + private: + OemPublicCertificate() {} + + bool InitFromBuffer(const uint8_t* public_cert, size_t public_cert_size) { + // Step 1: Parse the PKCS7 certificate chain as signedData. + const uint8_t* public_cert_ptr = public_cert; + pkcs7_.reset(d2i_PKCS7(nullptr, &public_cert_ptr, public_cert_size)); + if (!pkcs7_) { + LOGE("Failed to parse PKCS#7 certificate chain"); + return false; + } + if (!PKCS7_type_is_signed(pkcs7_.get())) { + LOGE("OEM Public Certificate is not PKCS#7 signed data"); + return false; + } + PKCS7_SIGNED* signed_data = pkcs7_->d.sign; + // Step 2: Get the leaf certificate. + const size_t cert_count = + static_cast(sk_X509_num(signed_data->cert)); + if (cert_count != kExpectedCertCount) { + LOGE("Unexpected number of certificates: expected = %zu, actual = %zu", + kExpectedCertCount, cert_count); + return false; + } + X509* leaf_cert = sk_X509_value(signed_data->cert, kDeviceCertIndex); + // Step 3a: Get the device's public key. + device_public_key_.reset(X509_get_pubkey(leaf_cert)); + if (!device_public_key_) { + LOGE("Device X.509 certificate is missing a public key"); + return false; + } + // Step 3b: Check key type. + if (EVP_PKEY_get0_RSA(device_public_key_.get()) == nullptr) { + LOGE("Device public key is not RSA"); + return false; + } + key_type_ = OemCertificate::kRsa; + cert_data_.assign(public_cert, public_cert + public_cert_size); + return true; + } + + OemCertificate::KeyType key_type_ = OemCertificate::kNone; + // OpenSSL/BoringSSL's implementation of PKCS7 objects. + ScopedPkcs7 pkcs7_; + ScopedEvpKey device_public_key_; + std::vector cert_data_; +}; + +// ===== ===== ===== OEM Certificate ===== ===== ===== + +// static +std::unique_ptr OemCertificate::Create( + const uint8_t* private_key_data, size_t private_key_size, + const uint8_t* public_cert_data, size_t public_cert_size) { + std::unique_ptr oem_cert; + // Step 1: Verify public cert is well-formed. + std::unique_ptr oem_public_cert = + OemPublicCertificate::Load(public_cert_data, public_cert_size); + if (!oem_public_cert) { + LOGE("Invalid OEM Public Certificate"); + return oem_cert; + } + // Step 2: Verify private key is well-formed. + switch (oem_public_cert->key_type()) { + case kRsa: { + std::unique_ptr oem_private_key = + RsaPrivateKey::Load(private_key_data, private_key_size); + if (!oem_private_key) { + LOGE("Invalid OEM Private Key"); + return oem_cert; + } + } break; + case kNone: // Suppress compiler warnings. + return oem_cert; + } + // Step 3: Copy over data. + oem_cert.reset(new OemCertificate()); + oem_cert->private_key_.assign(private_key_data, + private_key_data + private_key_size); + oem_cert->public_cert_ = std::move(oem_public_cert); + return oem_cert; +} + +// static +std::unique_ptr OemCertificate::Create( + const std::vector& private_key, + const std::vector& public_cert) { + if (private_key.empty()) { + LOGE("Private key buffer is empty"); + return std::unique_ptr(); + } + if (public_cert.empty()) { + LOGE("Public cert buffer is empty"); + return std::unique_ptr(); + } + return Create(private_key.data(), private_key.size(), public_cert.data(), + public_cert.size()); +} + +OemCertificate::KeyType OemCertificate::key_type() const { + return public_cert_->key_type(); +} + +OEMCryptoResult OemCertificate::GetPublicCertificate( + uint8_t* public_cert, size_t* public_cert_length) const { + if (public_cert_length == nullptr) { + LOGE("Output |public_cert_length| is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (public_cert == nullptr && *public_cert_length > 0) { + LOGE("Output |public_cert| is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + const std::vector& cert_data = public_cert_->cert_data(); + if (*public_cert_length < cert_data.size()) { + *public_cert_length = cert_data.size(); + return OEMCrypto_ERROR_SHORT_BUFFER; + } + *public_cert_length = cert_data.size(); + memcpy(public_cert, cert_data.data(), cert_data.size()); + return OEMCrypto_SUCCESS; +} + +const std::vector& OemCertificate::GetPublicCertificate() const { + return public_cert_->cert_data(); +} + +OEMCryptoResult OemCertificate::IsCertificateValid() const { + switch (key_type()) { + case kRsa: + return VerifyRsaKey(public_cert_->GetPublicRsaKey(), private_key_); + case kNone: // Suppress compiler warnings. + break; + } + LOGE("Unexpected error key type: type = %d", static_cast(key_type())); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; +} + +// Constructor and destructor do not perform anything special, but +// must be declared within a scope which defines OemPublicCertificate. +OemCertificate::OemCertificate() {} +OemCertificate::~OemCertificate() {} + +} // namespace wvoec_ref diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.h b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.h new file mode 100644 index 00000000..70c7fffe --- /dev/null +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_oem_cert.h @@ -0,0 +1,104 @@ +// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary +// source code may only be used and distributed under the Widevine License +// Agreement. +// +// Reference implementation of OEMCrypto APIs +// +#ifndef OEMCRYPTO_OEM_CERT_H_ +#define OEMCRYPTO_OEM_CERT_H_ + +#include +#include + +#include "OEMCryptoCENCCommon.h" + +namespace wvoec_ref { + +class OemPublicCertificate; + +// An OEM Certificate is a factory provisioned root of trust +// certificate which consists of a public certificate and its +// matching private key. +// The public certificate must be an ASN.1 DER encoded PKCS #7 +// ContentInfo of type signedData (RFC2315). The device's X.509 +// certificate must be the first certificate in the chain of +// SignedContent |certificates|. +// The certificates are X.509 Certificate as defined in RFC 5280 +// signed by the device manufacturers certificate which is signed +// by Google. +// The OEM Public Cert should only contain the device's certificate +// and the OEM's intermediate certificate. +// The private key storage format is at the discretion of the OEM; +// the reference implementation uses PKCS8 PrivateKeyInfo. +class OemCertificate { + public: + enum KeyType { + kNone = 0, + // Private key is an ASN.1 DER encoded PrivateKeyInfo specifying + // an RSA encryption key. + kRsa = 1 + }; + + // Creates a new OEM Certificate and performs basic validation + // to ensure that the private key and public cert are well-formed. + // The |public_cert| provided is parsed as an X.509 Certificate + // and the public key is verified against the private key. + // The |private_key| is parsed depending on the key type. + // If any error occurs or if the provided data is malformed, an + // empty pointer is returned. + static std::unique_ptr Create(const uint8_t* private_key, + size_t private_key_size, + const uint8_t* public_cert, + size_t public_cert_size); + static std::unique_ptr Create( + const std::vector& private_key, + const std::vector& public_cert); + + // Returns the key type of the OEM Public key and private key. + // As of OEMCrypto v16, the only supported key type is RSA. + KeyType key_type() const; + + // Returns the private key data. Intended to be used for calls + // to OEMCrypto_LoadOEMPrivateKey(). + const std::vector& GetPrivateKey() const { return private_key_; } + + // Returns a copy of the ASN.1 DER encoded PKCS #7 certificate chain. + // If |*public_cert_length| is large enough, the complete + // certificate is copied to the buffer specified by |public_cert|, + // |*public_cert_length| is adjusted to the actual size of the + // certificate data, and SUCCESS is returned. + // If |*public_cert_length| is not large enough, then it is + // set to size of the certificate and ERROR_SHORT_BUFFER is + // returned. + OEMCryptoResult GetPublicCertificate(uint8_t* public_cert, + size_t* public_cert_length) const; + // Returns the certificate directly. Intended to be used for + // testing. + const std::vector& GetPublicCertificate() const; + + // Verifies that the RSA key included in the OEM Cert is valid. + // The existence of an OemCertificate already ensures that the + // OEM Public Certificate and private key data are well-formed. + // This takes the check another step further and ensures that + // the private key matches the public key in the public cert + // (ie, same modulos and public exponent). + OEMCryptoResult IsCertificateValid() const; + + ~OemCertificate(); + + OemCertificate(const OemCertificate&) = delete; + OemCertificate(OemCertificate&&) = delete; + const OemCertificate& operator=(const OemCertificate&) = delete; + OemCertificate& operator=(OemCertificate&&) = delete; + + private: + OemCertificate(); + + // Serialized private key matching the OEM certificate. + std::vector private_key_; + // Serialized OEM Certificate. + std::unique_ptr public_cert_; +}; +} // namespace wvoec_ref + +#endif // OEMCRYPTO_OEM_CERT_H_