// Copyright 2018 Google LLC. All Rights Reserved. This file and proprietary // source code may only be used and distributed under the Widevine Master // License Agreement. // // Reference implementation of OEMCrypto APIs // #ifndef OEMCRYPTO_AUTH_REF_H_ #define OEMCRYPTO_AUTH_REF_H_ #include #include #include #include "OEMCryptoCENC.h" // Needed for enums only. #include "disallow_copy_and_assign.h" #include "oemcrypto_keybox_ref.h" #include "oemcrypto_oem_cert.h" #include "oemcrypto_rsa_key.h" namespace wvoec_ref { // The AuthenticationRoot class contains the OEMCrypto information // which makes up the "root of trust" of a device. class AuthenticationRoot { public: AuthenticationRoot() {} ~AuthenticationRoot() {} // Initializes the root of authentication for the provided // |method|. This will clear any previously initialied data. bool Initialize(OEMCrypto_ProvisioningMethod method); // General root of trust API. // Checks that the auth root has been properly initialized and can // be used by the rest of OEMCrypto for the current provisioning // method. bool IsValid() const; // Checks the validity of the underlying Keybox or OEM Certificate // depending on the provisioning method. // Similar to the expected behavior of OEMCrypto_IsKeyboxOrOEMCertValid(). OEMCryptoResult IsKeyboxOrOemCertValid() const; // Gets the device ID from the root of trust. // Similar to the expected behavior of OEMCrypto_GetDeviceID(). OEMCryptoResult GetDeviceId(uint8_t* device_id, size_t* device_id_length) const; // Returns the device ID from the root of trust. Intended to be used // for core message generation. std::vector DeviceId() const; // Returns the device key from the root of trust. For keybox-based // devices, this is the device key from the keybox (or test keybox // if installed). For devices that use a non-keybox provisioning // method, this will be a device specific key. std::vector DeviceKey() const; // Check for the existence of a device key. bool HasDeviceKey() const; // Clears any test data inside this root of trust. void Clear(); // DRM Certificate-based root of trust API. // Returns the shared RSA private key from the built-in DRM // Certificate. std::shared_ptr ShareDrmCertKey() { return test_drm_cert_key_ ? test_drm_cert_key_ : drm_cert_key_; } RsaPrivateKey* DrmCertKey() const { return test_drm_cert_key_ ? test_drm_cert_key_.get() : drm_cert_key_.get(); } bool HasDrmCertKey() const { return test_drm_cert_key_ || drm_cert_key_; } // Loads the system's built-in RSA key. Only implemented for // devices that are that pre-provisioned with a built-in DRM // Certificate, // This method implements the expected behavior of // OEMCrypto_LoadTestRSAKey(). OEMCryptoResult LoadTestRsaKey(); // Removes any installed test RSA key. void RemoveTestRsaKey() { test_drm_cert_key_.reset(); } // Keybox-based root of trust API. // Returns the currently installed keybox (or test keybox) if any // present. The test keybox takes priority over the standard. WvKeybox* keybox() const { return test_keybox_ ? test_keybox_.get() : keybox_.get(); } // Checks the validity of the keybox regardless of the provisioning // method. OEMCryptoResult IsKeyboxValid() const; // Installs a clear WV keybox as the root of trust. // A keybox can only be installed once, however, the provisioning // method stated at initialization remains the same. // // This method is similar to the expected behavior of // OEMCrypto_InstallKeyboxOrOEMCert() for keybox devices except // that the keybox provided here must be decrypted before installing. OEMCryptoResult InstallKeybox(const uint8_t* keybox_data, size_t keybox_length); // Installs a clear test WV keybox. Only settable for devices that // uses a keybox for provisioning. // // This method is similar to the expected behavior of // OEMCrypto_LoadTestKeybox() for keybox devices except that // the keybox provided here must be decrypted before installing. OEMCryptoResult InstallTestKeybox(const uint8_t* keybox_data, size_t keybox_length); // Removes any installed test keybox. void RemoveTestKeybox() { test_keybox_.reset(); } // Gets the keybox key data. // Implements the expected behavior of OEMCrypto_GetKeyData(). OEMCryptoResult GetKeyData(uint8_t* key_data, size_t* key_data_length) const; // OEM Certificate-base root of trust API. // Installs an OEM certificate as the root of trust. The provided // private key and public cert are parsed, but not validated. The // private key will be made available for sessions to load. OEMCryptoResult InstallOemCertificate(const uint8_t* private_key, size_t private_key_size, const uint8_t* public_cert, size_t public_cert_size); // For OEM Cert-based devices, returns the OEM Public Certificate // component of the OEM Certificate. // This method implements the expected behavior of // OEMCrypto_GetOEMPublicCertificate(). OEMCryptoResult GetOemPublicCertificate(uint8_t* public_cert, size_t* public_cert_length) const; // Returns the OEM private key. Intended to be used when loading // the OEM private key into a session. // Should only be called for devices that use OEM Certificates // for provisioning. std::shared_ptr ShareOemCertKey() { return oem_cert_key_; } RsaPrivateKey* OemCertKey() const { return oem_cert_key_.get(); } bool HasOemCertKey() const { return static_cast(oem_cert_key_); } private: OEMCrypto_ProvisioningMethod prov_method_ = OEMCrypto_ProvisioningError; // DRM certificate. // If no keybox, this is the private key of the baked-in DRM // Certificate. std::shared_ptr drm_cert_key_; std::shared_ptr test_drm_cert_key_; // Keybox data. std::unique_ptr keybox_; std::unique_ptr test_keybox_; // OEM certificate. std::unique_ptr oem_cert_; std::shared_ptr oem_cert_key_; CORE_DISALLOW_COPY_AND_ASSIGN(AuthenticationRoot); }; } // namespace wvoec_ref #endif // OEMCRYPTO_AUTH_REF_H_