// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary // source code may only be used and distributed under the Widevine License // Agreement. // // Reference implementation utilities of OEMCrypto APIs // #ifndef WVOEC_UTIL_OEM_CERT_H_ #define WVOEC_UTIL_OEM_CERT_H_ #include #include #include "OEMCryptoCENCCommon.h" namespace wvoec { namespace util { class OemPublicCertificate; // An OEM Certificate is a factory provisioned root of trust // certificate which consists of a public certificate and its // matching private key. // The public certificate must be an ASN.1 DER encoded PKCS #7 // ContentInfo of type signedData (RFC2315). The device's X.509 // certificate must be the first certificate in the chain of // SignedContent |certificates|. // The certificates are X.509 Certificate as defined in RFC 5280 // signed by the device manufacturers certificate which is signed // by Google. // The OEM Public Cert should only contain the device's certificate // and the OEM's intermediate certificate. // The private key storage format is at the discretion of the OEM; // the reference implementation uses PKCS8 PrivateKeyInfo. class OemCertificate { public: enum KeyType { kNone = 0, // Private key is an ASN.1 DER encoded PrivateKeyInfo specifying // an RSA encryption key. kRsa = 1 }; // Creates a new OEM Certificate and performs basic validation // to ensure that the private key and public cert are well-formed. // The |public_cert| provided is parsed as an X.509 Certificate // and the public key is verified against the private key. // The |private_key| is parsed depending on the key type. // If any error occurs or if the provided data is malformed, an // empty pointer is returned. static std::unique_ptr Create(const uint8_t* private_key, size_t private_key_size, const uint8_t* public_cert, size_t public_cert_size); static std::unique_ptr Create( const std::vector& private_key, const std::vector& public_cert); // Returns the key type of the OEM Public key and private key. // As of OEMCrypto v16, the only supported key type is RSA. KeyType key_type() const; // Returns the private key data. Intended to be used for calls // to OEMCrypto_LoadOEMPrivateKey(). const std::vector& GetPrivateKey() const { return private_key_; } // Returns a copy of the ASN.1 DER encoded PKCS #7 certificate chain. // If |*public_cert_length| is large enough, the complete // certificate is copied to the buffer specified by |public_cert|, // |*public_cert_length| is adjusted to the actual size of the // certificate data, and SUCCESS is returned. // If |*public_cert_length| is not large enough, then it is // set to size of the certificate and ERROR_SHORT_BUFFER is // returned. OEMCryptoResult GetPublicCertificate(uint8_t* public_cert, size_t* public_cert_length) const; // Returns the certificate directly. Intended to be used for // testing. const std::vector& GetPublicCertificate() const; // Verifies that the RSA key included in the OEM Cert is valid. // The existence of an OemCertificate already ensures that the // OEM Public Certificate and private key data are well-formed. // This takes the check another step further and ensures that // the private key matches the public key in the public cert // (ie, same modulos and public exponent). OEMCryptoResult IsCertificateValid() const; ~OemCertificate(); OemCertificate(const OemCertificate&) = delete; OemCertificate(OemCertificate&&) = delete; const OemCertificate& operator=(const OemCertificate&) = delete; OemCertificate& operator=(OemCertificate&&) = delete; private: OemCertificate(); // Serialized private key matching the OEM certificate. std::vector private_key_; // Serialized OEM Certificate. std::unique_ptr public_cert_; }; // class OemCertificate } // namespace util } // namespace wvoec #endif // WVOEC_UTIL_OEM_CERT_H_