widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Restructed reference root of trust (2/3 DRM Cert)

Browse Source 
[ Merge of http://go/wvgerrit/115551 ]

This change is the second part of a three part change for restructing
the root of trust used by the reference implementation.

The use of RSA_shared_ptr has been replaced with the standard library
std::shared_ptr using the RsaPrivateKey wrapper class.  The
AuthenticationRoot class now uses this for the built-in DRM cert key.

RSA decryption and signature operations within the session context are
now performed the RsaPrivateKey class.  This has reduced the code size
and complexity within the reference and testbed, focusing their
implementation on key policy and less on mechanics.

Bug: 168544740
Bug: 135283522
Test: oemcrypto_unittests ce_cdm_tests
Change-Id: Ic743a529a9858f3182290d8bcf5e1633737b005b
This commit is contained in:
Alex Dale
2021-02-18 19:53:12 -08:00
parent e4ee4eb404
commit f6f5099604
11 changed files with 187 additions and 458 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp
View File

@@ -187,7 +187,6 @@ bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
// If provisioning method is something other than ProvisioningError
// indicates it has already been initialized before. Must
// existing data.
rsa_key_set_ = false;
rsa_key_.reset();
test_rsa_key_.reset();
keybox_.reset();
@@ -196,8 +195,11 @@ bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
prov_method_ = method;
switch (method) {
case OEMCrypto_DrmCertificate: {
rsa_key_set_ = rsa_key_.LoadPkcs8RsaKey(kPrivateKey, kPrivateKeySize);
if (!rsa_key_set_) {
std::unique_ptr<RsaPrivateKey> key =
RsaPrivateKey::Load(kPrivateKey, kPrivateKeySize);
if (key) {
rsa_key_ = std::move(key);
} else {
// This error message is OK in unit tests which use test certificate.
LOGE(
"FATAL ERROR: Platform uses a baked-in certificate instead of a "
@@ -222,7 +224,7 @@ bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) {
bool AuthenticationRoot::IsValid() const {
switch (prov_method_) {
case OEMCrypto_DrmCertificate: {
return rsa_key_set_ && HasDeviceKey();
return HasDrmCertKey() && HasDeviceKey();
}
case OEMCrypto_Keybox: {
return HasDeviceKey();
@@ -324,17 +326,18 @@ OEMCryptoResult AuthenticationRoot::LoadTestRsaKey() {
LOGE("System does not support DRM certificates");
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
}
if (test_rsa_key_.get() != nullptr) {
if (test_rsa_key_) {
LOGE("Test RSA key is already loaded");
return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES;
}
if (!test_rsa_key_.LoadPkcs8RsaKey(
kTestRSAPKCS8PrivateKeyInfo2_2048,
sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048))) {
std::unique_ptr<RsaPrivateKey> key =
RsaPrivateKey::Load(kTestRSAPKCS8PrivateKeyInfo2_2048,
sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048));
if (!key) {
LOGE("Failed to load test RSA key");
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
}
rsa_key_set_ = true;
test_rsa_key_ = std::move(key);
return OEMCrypto_SUCCESS;
}