Source release 17.1.0

oemcrypto/util/include/oemcrypto_oem_cert.h

@@ -0,0 +1,104 @@
+// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary
+// source code may only be used and distributed under the Widevine License
+// Agreement.
+//
+//  Reference implementation utilities of OEMCrypto APIs
+//
+#ifndef WVOEC_UTIL_OEM_CERT_H_
+#define WVOEC_UTIL_OEM_CERT_H_
+
+#include <memory>
+#include <vector>
+
+#include "OEMCryptoCENCCommon.h"
+
+namespace wvoec {
+namespace util {
+class OemPublicCertificate;
+
+// An OEM Certificate is a factory provisioned root of trust
+// certificate which consists of a public certificate and its
+// matching private key.
+// The public certificate must be an ASN.1 DER encoded PKCS #7
+// ContentInfo of type signedData (RFC2315).  The device's X.509
+// certificate must be the first certificate in the chain of
+// SignedContent |certificates|.
+// The certificates are X.509 Certificate as defined in RFC 5280
+// signed by the device manufacturers certificate which is signed
+// by Google.
+// The OEM Public Cert should only contain the device's certificate
+// and the OEM's intermediate certificate.
+// The private key storage format is at the discretion of the OEM;
+// the reference implementation uses PKCS8 PrivateKeyInfo.
+class OemCertificate {
+ public:
+  enum KeyType {
+    kNone = 0,
+    // Private key is an ASN.1 DER encoded PrivateKeyInfo specifying
+    // an RSA encryption key.
+    kRsa = 1
+  };
+
+  // Creates a new OEM Certificate and performs basic validation
+  // to ensure that the private key and public cert are well-formed.
+  // The |public_cert| provided is parsed as an X.509 Certificate
+  // and the public key is verified against the private key.
+  // The |private_key| is parsed depending on the key type.
+  // If any error occurs or if the provided data is malformed, an
+  // empty pointer is returned.
+  static std::unique_ptr<OemCertificate> Create(const uint8_t* private_key,
+                                                size_t private_key_size,
+                                                const uint8_t* public_cert,
+                                                size_t public_cert_size);
+  static std::unique_ptr<OemCertificate> Create(
+      const std::vector<uint8_t>& private_key,
+      const std::vector<uint8_t>& public_cert);
+
+  // Returns the key type of the OEM Public key and private key.
+  // As of OEMCrypto v16, the only supported key type is RSA.
+  KeyType key_type() const;
+
+  // Returns the private key data.  Intended to be used for calls
+  // to OEMCrypto_LoadOEMPrivateKey().
+  const std::vector<uint8_t>& GetPrivateKey() const { return private_key_; }
+
+  // Returns a copy of the ASN.1 DER encoded PKCS #7 certificate chain.
+  // If |*public_cert_length| is large enough, the complete
+  // certificate is copied to the buffer specified by |public_cert|,
+  // |*public_cert_length| is adjusted to the actual size of the
+  // certificate data, and SUCCESS is returned.
+  // If |*public_cert_length| is not large enough, then it is
+  // set to size of the certificate and ERROR_SHORT_BUFFER is
+  // returned.
+  OEMCryptoResult GetPublicCertificate(uint8_t* public_cert,
+                                       size_t* public_cert_length) const;
+  // Returns the certificate directly.  Intended to be used for
+  // testing.
+  const std::vector<uint8_t>& GetPublicCertificate() const;
+
+  // Verifies that the RSA key included in the OEM Cert is valid.
+  // The existence of an OemCertificate already ensures that the
+  // OEM Public Certificate and private key data are well-formed.
+  // This takes the check another step further and ensures that
+  // the private key matches the public key in the public cert
+  // (ie, same modulos and public exponent).
+  OEMCryptoResult IsCertificateValid() const;
+
+  ~OemCertificate();
+
+  OemCertificate(const OemCertificate&) = delete;
+  OemCertificate(OemCertificate&&) = delete;
+  const OemCertificate& operator=(const OemCertificate&) = delete;
+  OemCertificate& operator=(OemCertificate&&) = delete;
+
+ private:
+  OemCertificate();
+
+  // Serialized private key matching the OEM certificate.
+  std::vector<uint8_t> private_key_;
+  // Serialized OEM Certificate.
+  std::unique_ptr<OemPublicCertificate> public_cert_;
+};  // class OemCertificate
+}  // namespace util
+}  // namespace wvoec
+#endif  // WVOEC_UTIL_OEM_CERT_H_