105 lines
4.2 KiB
C++
105 lines
4.2 KiB
C++
// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary
|
|
// source code may only be used and distributed under the Widevine License
|
|
// Agreement.
|
|
//
|
|
// Reference implementation utilities of OEMCrypto APIs
|
|
//
|
|
#ifndef WVOEC_UTIL_OEM_CERT_H_
|
|
#define WVOEC_UTIL_OEM_CERT_H_
|
|
|
|
#include <memory>
|
|
#include <vector>
|
|
|
|
#include "OEMCryptoCENCCommon.h"
|
|
|
|
namespace wvoec {
|
|
namespace util {
|
|
class OemPublicCertificate;
|
|
|
|
// An OEM Certificate is a factory provisioned root of trust
|
|
// certificate which consists of a public certificate and its
|
|
// matching private key.
|
|
// The public certificate must be an ASN.1 DER encoded PKCS #7
|
|
// ContentInfo of type signedData (RFC2315). The device's X.509
|
|
// certificate must be the first certificate in the chain of
|
|
// SignedContent |certificates|.
|
|
// The certificates are X.509 Certificate as defined in RFC 5280
|
|
// signed by the device manufacturers certificate which is signed
|
|
// by Google.
|
|
// The OEM Public Cert should only contain the device's certificate
|
|
// and the OEM's intermediate certificate.
|
|
// The private key storage format is at the discretion of the OEM;
|
|
// the reference implementation uses PKCS8 PrivateKeyInfo.
|
|
class OemCertificate {
|
|
public:
|
|
enum KeyType {
|
|
kNone = 0,
|
|
// Private key is an ASN.1 DER encoded PrivateKeyInfo specifying
|
|
// an RSA encryption key.
|
|
kRsa = 1
|
|
};
|
|
|
|
// Creates a new OEM Certificate and performs basic validation
|
|
// to ensure that the private key and public cert are well-formed.
|
|
// The |public_cert| provided is parsed as an X.509 Certificate
|
|
// and the public key is verified against the private key.
|
|
// The |private_key| is parsed depending on the key type.
|
|
// If any error occurs or if the provided data is malformed, an
|
|
// empty pointer is returned.
|
|
static std::unique_ptr<OemCertificate> Create(const uint8_t* private_key,
|
|
size_t private_key_size,
|
|
const uint8_t* public_cert,
|
|
size_t public_cert_size);
|
|
static std::unique_ptr<OemCertificate> Create(
|
|
const std::vector<uint8_t>& private_key,
|
|
const std::vector<uint8_t>& public_cert);
|
|
|
|
// Returns the key type of the OEM Public key and private key.
|
|
// As of OEMCrypto v16, the only supported key type is RSA.
|
|
KeyType key_type() const;
|
|
|
|
// Returns the private key data. Intended to be used for calls
|
|
// to OEMCrypto_LoadOEMPrivateKey().
|
|
const std::vector<uint8_t>& GetPrivateKey() const { return private_key_; }
|
|
|
|
// Returns a copy of the ASN.1 DER encoded PKCS #7 certificate chain.
|
|
// If |*public_cert_length| is large enough, the complete
|
|
// certificate is copied to the buffer specified by |public_cert|,
|
|
// |*public_cert_length| is adjusted to the actual size of the
|
|
// certificate data, and SUCCESS is returned.
|
|
// If |*public_cert_length| is not large enough, then it is
|
|
// set to size of the certificate and ERROR_SHORT_BUFFER is
|
|
// returned.
|
|
OEMCryptoResult GetPublicCertificate(uint8_t* public_cert,
|
|
size_t* public_cert_length) const;
|
|
// Returns the certificate directly. Intended to be used for
|
|
// testing.
|
|
const std::vector<uint8_t>& GetPublicCertificate() const;
|
|
|
|
// Verifies that the RSA key included in the OEM Cert is valid.
|
|
// The existence of an OemCertificate already ensures that the
|
|
// OEM Public Certificate and private key data are well-formed.
|
|
// This takes the check another step further and ensures that
|
|
// the private key matches the public key in the public cert
|
|
// (ie, same modulos and public exponent).
|
|
OEMCryptoResult IsCertificateValid() const;
|
|
|
|
~OemCertificate();
|
|
|
|
OemCertificate(const OemCertificate&) = delete;
|
|
OemCertificate(OemCertificate&&) = delete;
|
|
const OemCertificate& operator=(const OemCertificate&) = delete;
|
|
OemCertificate& operator=(OemCertificate&&) = delete;
|
|
|
|
private:
|
|
OemCertificate();
|
|
|
|
// Serialized private key matching the OEM certificate.
|
|
std::vector<uint8_t> private_key_;
|
|
// Serialized OEM Certificate.
|
|
std::unique_ptr<OemPublicCertificate> public_cert_;
|
|
}; // class OemCertificate
|
|
} // namespace util
|
|
} // namespace wvoec
|
|
#endif // WVOEC_UTIL_OEM_CERT_H_
|