widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9f7e2c4413f150ff30541bbc20c347ea58c40101
android/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h
Alex Dale 9f7e2c4413 Restructed reference root of trust (3/3 OEM Cert) 
[ Merge of http://go/wvgerrit/116944 ]

This change is the last part of a three part change for restructing
the root of trust used by the reference implementation.

OEM Certificates are now managed by the root of trust of the crypto
engine.  Previously, OEM certs where handled separately on a session
by session basis.

Bug: 135283522
Test: oemcrypto_unittests ce_cdm_tests
Change-Id: I6cf1fa3fade28baad85b5fce57a8eab6f2ed17c1
2021-03-24 19:14:17 -07:00

173 lines
6.4 KiB
C++
Raw Blame History

// Copyright 2018 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine Master
// License Agreement.
//
// Reference implementation of OEMCrypto APIs
//
#ifndef OEMCRYPTO_AUTH_REF_H_
#define OEMCRYPTO_AUTH_REF_H_
#include <stdint.h>
#include <memory>
#include <vector>
#include "OEMCryptoCENC.h" // Needed for enums only.
#include "disallow_copy_and_assign.h"
#include "oemcrypto_keybox_ref.h"
#include "oemcrypto_oem_cert.h"
#include "oemcrypto_rsa_key.h"
namespace wvoec_ref {
// The AuthenticationRoot class contains the OEMCrypto information
// which makes up the "root of trust" of a device.
class AuthenticationRoot {
public:
AuthenticationRoot() {}
~AuthenticationRoot() {}
// Initializes the root of authentication for the provided
// |method|. This will clear any previously initialied data.
bool Initialize(OEMCrypto_ProvisioningMethod method);
// General root of trust API.
// Checks that the auth root has been properly initialized and can
// be used by the rest of OEMCrypto for the current provisioning
// method.
bool IsValid() const;
// Checks the validity of the underlying Keybox or OEM Certificate
// depending on the provisioning method.
// Similar to the expected behavior of OEMCrypto_IsKeyboxOrOEMCertValid().
OEMCryptoResult IsKeyboxOrOemCertValid() const;
// Gets the device ID from the root of trust.
// Similar to the expected behavior of OEMCrypto_GetDeviceID().
OEMCryptoResult GetDeviceId(uint8_t* device_id,
size_t* device_id_length) const;
// Returns the device ID from the root of trust. Intended to be used
// for core message generation.
std::vector<uint8_t> DeviceId() const;
// Returns the device key from the root of trust. For keybox-based
// devices, this is the device key from the keybox (or test keybox
// if installed). For devices that use a non-keybox provisioning
// method, this will be a device specific key.
std::vector<uint8_t> DeviceKey() const;
// Check for the existence of a device key.
bool HasDeviceKey() const;
// Clears any test data inside this root of trust.
void Clear();
// DRM Certificate-based root of trust API.
// Returns the shared RSA private key from the built-in DRM
// Certificate.
std::shared_ptr<RsaPrivateKey> ShareDrmCertKey() {
return test_drm_cert_key_ ? test_drm_cert_key_ : drm_cert_key_;
}
RsaPrivateKey* DrmCertKey() const {
return test_drm_cert_key_ ? test_drm_cert_key_.get() : drm_cert_key_.get();
}
bool HasDrmCertKey() const { return test_drm_cert_key_ || drm_cert_key_; }
// Loads the system's built-in RSA key. Only implemented for
// devices that are that pre-provisioned with a built-in DRM
// Certificate,
// This method implements the expected behavior of
// OEMCrypto_LoadTestRSAKey().
OEMCryptoResult LoadTestRsaKey();
// Removes any installed test RSA key.
void RemoveTestRsaKey() { test_drm_cert_key_.reset(); }
// Keybox-based root of trust API.
// Returns the currently installed keybox (or test keybox) if any
// present. The test keybox takes priority over the standard.
WvKeybox* keybox() const {
return test_keybox_ ? test_keybox_.get() : keybox_.get();
}
// Checks the validity of the keybox regardless of the provisioning
// method.
OEMCryptoResult IsKeyboxValid() const;
// Installs a clear WV keybox as the root of trust.
// A keybox can only be installed once, however, the provisioning
// method stated at initialization remains the same.
//
// This method is similar to the expected behavior of
// OEMCrypto_InstallKeyboxOrOEMCert() for keybox devices except
// that the keybox provided here must be decrypted before installing.
OEMCryptoResult InstallKeybox(const uint8_t* keybox_data,
size_t keybox_length);
// Installs a clear test WV keybox. Only settable for devices that
// uses a keybox for provisioning.
//
// This method is similar to the expected behavior of
// OEMCrypto_LoadTestKeybox() for keybox devices except that
// the keybox provided here must be decrypted before installing.
OEMCryptoResult InstallTestKeybox(const uint8_t* keybox_data,
size_t keybox_length);
// Removes any installed test keybox.
void RemoveTestKeybox() { test_keybox_.reset(); }
// Gets the keybox key data.
// Implements the expected behavior of OEMCrypto_GetKeyData().
OEMCryptoResult GetKeyData(uint8_t* key_data, size_t* key_data_length) const;
// OEM Certificate-base root of trust API.
// Installs an OEM certificate as the root of trust. The provided
// private key and public cert are parsed, but not validated. The
// private key will be made available for sessions to load.
OEMCryptoResult InstallOemCertificate(const uint8_t* private_key,
size_t private_key_size,
const uint8_t* public_cert,
size_t public_cert_size);
// For OEM Cert-based devices, returns the OEM Public Certificate
// component of the OEM Certificate.
// This method implements the expected behavior of
// OEMCrypto_GetOEMPublicCertificate().
OEMCryptoResult GetOemPublicCertificate(uint8_t* public_cert,
size_t* public_cert_length) const;
// Returns the OEM private key. Intended to be used when loading
// the OEM private key into a session.
// Should only be called for devices that use OEM Certificates
// for provisioning.
std::shared_ptr<RsaPrivateKey> ShareOemCertKey() { return oem_cert_key_; }
RsaPrivateKey* OemCertKey() const { return oem_cert_key_.get(); }
bool HasOemCertKey() const { return static_cast<bool>(oem_cert_key_); }
private:
OEMCrypto_ProvisioningMethod prov_method_ = OEMCrypto_ProvisioningError;
// DRM certificate.
// If no keybox, this is the private key of the baked-in DRM
// Certificate.
std::shared_ptr<RsaPrivateKey> drm_cert_key_;
std::shared_ptr<RsaPrivateKey> test_drm_cert_key_;
// Keybox data.
std::unique_ptr<WvKeybox> keybox_;
std::unique_ptr<WvKeybox> test_keybox_;
// OEM certificate.
std::unique_ptr<OemCertificate> oem_cert_;
std::shared_ptr<RsaPrivateKey> oem_cert_key_;
CORE_DISALLOW_COPY_AND_ASSIGN(AuthenticationRoot);
};
} // namespace wvoec_ref
#endif // OEMCRYPTO_AUTH_REF_H_
Reference in New Issue View Git Blame Copy Permalink