// Copyright 2023 Google LLC. All Rights Reserved. This file and proprietary
|
|
// source code may only be used and distributed under the Widevine License
|
|
// Agreement.
|
|
//
|
|
// Reference implementation utilities of OEMCrypto APIs
|
|
//
|
|
#ifndef WVOEC_UTIL_SIGNED_CSR_PAYLOAD_VALIDATOR_H_
|
|
#define WVOEC_UTIL_SIGNED_CSR_PAYLOAD_VALIDATOR_H_
#include <cstdint>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

#include "bcc_validator.h"
#include "cbor_validator.h"
#include "cppbor.h"
#include "device_info_validator.h"
#include "prov4_validation_helper.h"
#include "wv_class_utils.h"
namespace wvoec {
|
|
namespace util {
|
|
// SignedCsrPayloadValidator parses and validates a Cbor struct of
|
|
// SignedData<CsrPayload>. The definition of SignedData<T> and CsrPayload can be
|
|
// found at:
|
|
// https://source.corp.google.com/h/googleplex-android/platform/superproject/main/+/main:hardware/interfaces/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
|
|
// The CertificateType element of CsrPayload (second entry of the array shown
// in the CsrPayload schema comment below). Each field carries the FieldStatus
// recorded while parsing alongside the parsed value.
struct CertificateType {
  // Parsed certificate-type string. .first is the parse status of the field
  // (FieldStatus is declared outside this file).
  std::pair<FieldStatus, std::string> type;

  // Renders this struct as text. The validator's GetFormattedMessage() is
  // documented as emitting YAML, so this presumably emits a YAML fragment —
  // confirm in the .cc.
  std::string ToString() const;

  // Checks the parsed field and reports problems through |msgs| (taken by
  // non-const reference, presumably appended to). Returns the overall
  // CborMessageStatus for this struct.
  CborMessageStatus Validate(
      std::vector<std::pair<CborMessageStatus, std::string>>& msgs) const;
};
// CsrPayload = [ ; CBOR Array defining the payload for Csr
|
|
// version: 3, ; The CsrPayload CDDL Schema version.
|
|
// CertificateType, ; The type of certificate being requested.
|
|
// DeviceInfo, ; Defined in the relevant DeviceInfoV*.cddl file.
|
|
// KeysToSign, ; Provided by the method parameters
|
|
// ]
|
|
// Parsed CsrPayload array (see the CDDL comment above for the element order).
// Every parsed element is paired with the FieldStatus recorded while parsing.
struct CsrPayload {
  // Schema version element. The CDDL above fixes it at 3; it is kept here as
  // the raw string, and whether Validate() compares it against 3 is not
  // visible in this header — confirm in the .cc.
  std::pair<FieldStatus, std::string> version;
  // Type of certificate being requested (second array element).
  std::pair<FieldStatus, CertificateType> certificate_type;
  // DeviceInfo as defined in the relevant DeviceInfoV*.cddl file; the parsed
  // type comes from device_info_validator.h.
  std::pair<FieldStatus, DeviceInfo> device_info;
  // KeysToSign element. Per the original author's note this is always empty
  // for this message.
  std::vector<BccPublicKeyInfo> keys_to_sign;  // always empty

  // Renders this struct as text (presumably a YAML fragment, matching
  // GetFormattedMessage() — confirm in the .cc).
  std::string ToString() const;

  // Validates the parsed elements, reporting problems through |msgs| (taken
  // by non-const reference, presumably appended to). Returns the overall
  // CborMessageStatus for the payload.
  CborMessageStatus Validate(
      std::vector<std::pair<CborMessageStatus, std::string>>& msgs) const;
};
// Parsed contents of the `protected` header of SignedData<Data>. The schema
// comment further down shows it as
// `{ 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 }` — the COSE-style
// layout where label 1 names the signing algorithm.
struct SignedDataProtected {
  // Value found under label 1, i.e. the algorithm identifier, as an integer.
  // Which identifiers Validate() accepts is not visible here — confirm that
  // only the three algorithms from the schema are allowed.
  std::pair<FieldStatus, int64_t> algorithm;

  // Renders this struct as text (presumably a YAML fragment — confirm).
  std::string ToString() const;

  // Validates the parsed header, reporting problems through |msgs| (taken by
  // non-const reference, presumably appended to). Returns the overall
  // CborMessageStatus for the header.
  CborMessageStatus Validate(
      std::vector<std::pair<CborMessageStatus, std::string>>& msgs) const;
};
// SignedData<[
|
|
// challenge: bstr .size (0..64), ; Provided by the method parameters
|
|
// bstr .cbor T,
|
|
// ]>,
|
|
// The two-element array that is signed (the `bstr .cbor T` payload of
// SignedData, per the schema comment above).
struct DataToBeSigned {
  // Challenge bytes supplied by the caller. The CDDL above bounds the field
  // to `.size (0..64)`; whether Validate() enforces that bound is not visible
  // in this header — confirm in the .cc, since an unbounded challenge is the
  // first thing to check on this element.
  std::pair<FieldStatus, std::vector<uint8_t>> challenge;
  // The embedded `bstr .cbor CsrPayload`, decoded.
  std::pair<FieldStatus, CsrPayload> csr_payload;

  // Renders this struct as text (presumably a YAML fragment — confirm).
  std::string ToString() const;

  // Validates both elements, reporting problems through |msgs| (taken by
  // non-const reference, presumably appended to). Returns the overall
  // CborMessageStatus for the signed data.
  CborMessageStatus Validate(
      std::vector<std::pair<CborMessageStatus, std::string>>& msgs) const;
};
// clang-format off
|
|
// SignedData<Data> = [
|
|
// protected: bstr .cbor { 1 : AlgorithmEdDSA / AlgorithmES256 / AlgorithmES384 },
|
|
// unprotected: {},
|
|
// payload: bstr .cbor Data / nil,
|
|
// signature: bstr ; PureEd25519(CDI_Leaf_Priv, SignedDataSigStruct<Data>) /
|
|
// ; ECDSA(CDI_Leaf_Priv, SignedDataSigStruct<Data>)
|
|
// ]
|
|
// clang-format on
|
|
// Parsed SignedData<Data> — the four-element array in the schema comment
// above. Field names follow the schema, except that `protected` is a C++
// keyword and so becomes protected_data.
struct SignedCsrPayload {
  // `protected: bstr .cbor {...}` — the decoded protected header.
  std::pair<FieldStatus, SignedDataProtected> protected_data;
  // `unprotected: {}` — the schema permits only an empty map. Stored here as
  // a string, presumably a textual rendering of whatever was present so that
  // Validate() can flag a non-empty map — confirm in the .cc.
  std::pair<FieldStatus, std::string> unprotected;
  // `payload: bstr .cbor Data / nil` — the decoded DataToBeSigned.
  std::pair<FieldStatus, DataToBeSigned> payload;
  // `signature: bstr` — raw signature bytes (PureEd25519 or ECDSA over
  // SignedDataSigStruct, per the schema comment). Nothing in this header
  // shows the signature being verified; this struct only carries the bytes.
  // Confirm where verification happens before treating a passing Validate()
  // as evidence of authenticity rather than of well-formedness.
  std::pair<FieldStatus, std::vector<uint8_t>> signature;

  // Renders this struct as text (presumably a YAML fragment — confirm).
  std::string ToString() const;

  // Validates the four elements, reporting problems through |msgs| (taken by
  // non-const reference, presumably appended to). Returns the overall
  // CborMessageStatus for the message.
  CborMessageStatus Validate(
      std::vector<std::pair<CborMessageStatus, std::string>>& msgs) const;
};
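// Parses and validates a client-generated SignedData<CsrPayload> CBOR message.
// The message source, CborMessageStatus and the virtual entry points come
// from CborValidator (cbor_validator.h); only the two entry points are
// overridden here. Copying and moving are disabled by the macro below.
class SignedCsrPayloadValidator : public CborValidator {
 public:
  // Nothing to initialise beyond the base class, so the constructor is
  // defaulted instead of spelled out with an empty body. |explicit| is kept so
  // the validator is not copy-list-initialised from `{}` by accident.
  explicit SignedCsrPayloadValidator() = default;
  // |override| already implies virtual; the redundant keyword is dropped.
  ~SignedCsrPayloadValidator() override = default;
  WVCDM_DISALLOW_COPY_AND_MOVE(SignedCsrPayloadValidator);

  // Verifies the Cbor struct of a client generated SignedData<CsrPayload>.
  // Returns the resulting CborMessageStatus. Whether this also verifies the
  // signature element, or only the structure, is not visible in this header —
  // confirm in the .cc.
  CborMessageStatus Validate() override;
  // Outputs SignedData<CsrPayload> in YAML.
  std::string GetFormattedMessage() const override;

 private:
  // Processes protected field in signed csr payload and extracts it to
  // *|protected_data|.
  // Caller ensures that all pointers are not null.
  CborMessageStatus ProcessSignedDataProtected(
      const cppbor::Map* protected_map, SignedDataProtected* protected_data);
  // Processes the data to be signed and extracts it to *|payload_to_be_signed|.
  // Caller ensures that all pointers are not null.
  CborMessageStatus ProcessDataToBeSigned(
      const cppbor::Array* payload_to_be_signed_array,
      DataToBeSigned* payload_to_be_signed);
  // Processes csr payload field and extracts it to *|csr_payload|.
  // Caller ensures that all pointers are not null.
  CborMessageStatus ProcessCsrPayload(const cppbor::Array* csr_payload_array,
                                      CsrPayload* csr_payload);
  // Scratch buffer used to generate the formatted message; presumably filled
  // during Validate() and read by GetFormattedMessage() — confirm in the .cc.
  // Being mutable per-instance state, one validator should not be shared
  // across threads without external synchronisation.
  std::stringstream msg_ss_;
};  // class SignedCsrPayloadValidator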
} // namespace util
} // namespace wvoec
#endif // WVOEC_UTIL_SIGNED_CSR_PAYLOAD_VALIDATOR_H_