173 lines
7.3 KiB
C++
173 lines
7.3 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
// Copyright 2020 Google LLC.
|
|
//
|
|
// This software is licensed under the terms defined in the Widevine Master
|
|
// License Agreement. For a copy of this agreement, please contact
|
|
// widevine-licensing@google.com.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Description:
|
|
// Container of device security profiles. Security profiles indicate rules
|
|
// to allow using the profile. The rules are based on DRM capabilities of a
|
|
// device.
|
|
|
|
#ifndef COMMON_SECURITY_PROFILE_LIST_H_
|
|
#define COMMON_SECURITY_PROFILE_LIST_H_
|
|
|
|
#include <cstdint>
|
|
|
|
#include "absl/synchronization/mutex.h"
|
|
#include "common/hash_algorithm.h"
|
|
#include "common/output_protection_util.h"
|
|
#include "common/status.h"
|
|
#include "protos/public/client_identification.pb.h"
|
|
#include "protos/public/device_security_profile_data.pb.h"
|
|
#include "protos/public/device_security_profile_list.pb.h"
|
|
#include "protos/public/provisioned_device_info.pb.h"
|
|
#include "protos/public/security_profile.pb.h"
|
|
|
|
namespace widevine {
|
|
|
|
using ClientCapabilities = ClientIdentification::ClientCapabilities;
|
|
|
|
const char kDefaultProfileOwnerName[] = "Widevine";
|
|
|
|
// The SecurityProfileList will hold all security profiles. During license
|
|
// acquisition, information from the client and information from the server are
|
|
// combined to deternmine the device's security profile level.
|
|
|
|
// TODO(user): Clean up the virtual/protected functions once subclass
|
|
// default_device_security_profile_list gets removed.
|
|
class SecurityProfileList {
|
|
public:
|
|
explicit SecurityProfileList(const std::string& profile_namespace);
|
|
virtual ~SecurityProfileList() {}
|
|
|
|
// Initialize the security profile list with Widevine default profiles. The
|
|
// size of the profile list is returned.
|
|
virtual int Init();
|
|
|
|
// Add the specified profile to the existing list of profiles. Returns true
|
|
// if successfully inserted, false if unable to insert.
|
|
bool InsertProfile(const SecurityProfile& profile_to_insert);
|
|
|
|
// Populates |profiles_allow| with a list of profiles from the specified
|
|
// |profiles_to_check| list that meet the requirements for the this device.
|
|
// The number of profiles is returned.
|
|
virtual int GetQualifiedProfilesFromSpecifiedProfiles(
|
|
const std::vector<std::string>& profiles_to_check,
|
|
const std::string& owner, const ClientIdentification& client_id,
|
|
const ProvisionedDeviceInfo& device_info,
|
|
PlatformVerificationStatus device_vmp_status,
|
|
std::vector<std::string>* qualified_profiles) const;
|
|
|
|
// Populates |profiles_to_allow| with a list of profiles that meet the
|
|
// requirements for the this device. The number of profiles is returned.
|
|
virtual int GetQualifiedProfiles(
|
|
const ClientIdentification& client_id,
|
|
const ProvisionedDeviceInfo& device_info,
|
|
const PlatformVerificationStatus device_vmp_status,
|
|
const std::string& owner,
|
|
std::vector<std::string>* qualified_profiles) const;
|
|
|
|
// Return true if a profile exist matching the specified parameters {|name|,
|
|
// |owner|}. |security_profiles| is owned by the caller and is populated if
|
|
// one or more profile exist. For default DSP, the output profiles should
|
|
// contain single record. For custom DSP, it may contain multiple records
|
|
// since active dsp and inactive dsp could share the same dsp_name under the
|
|
// same owner.
|
|
virtual bool GetProfileByNameAndOwner(
|
|
const std::string& name, const std::string& owner,
|
|
std::vector<SecurityProfile>* security_profiles) const;
|
|
|
|
// Populates |security_profiles| owned by the content owner.
|
|
virtual int GetProfilesByOwner(
|
|
const std::string& owner,
|
|
std::vector<SecurityProfile>* security_profiles) const;
|
|
|
|
// Populates |owner_list| for security profiles. |is_default_dsp| boolean
|
|
// indicates the owner_list for default dsp or custom dsp.
|
|
virtual int GetProfilesOwnerList(const bool is_default_dsp,
|
|
std::vector<std::string>* owner_list) const;
|
|
|
|
// Return the device security capabilities. |drm_info| is populated with
|
|
// data from |client_id| and |device_info|. |drm_info| must not be null and
|
|
// is owned by the caller.
|
|
virtual bool GetDrmInfo(const ClientIdentification& client_id,
|
|
const ProvisionedDeviceInfo& device_info,
|
|
SecurityProfile::DrmInfo* drm_info) const;
|
|
|
|
// Return the number of profiles in the list.
|
|
int NumProfiles() const;
|
|
|
|
// Return a list of profile names.
|
|
virtual void GetProfileNames(std::vector<std::string>* profile_names) const;
|
|
|
|
// Deserialized SignedDeviceSecurityProfiles for custom DSPs.
|
|
static Status DeserializeSignedDeviceSecurityProfiles(
|
|
const std::string& serialized_signed_device_security_profiles,
|
|
std::string* serialized_device_security_profiles,
|
|
HashAlgorithm* hash_algorithm, std::string* signature);
|
|
|
|
// Validate signature and update security profile list for custom dsps.
|
|
Status ValidateAndUpdateProfileList(
|
|
const std::string& root_certificate_public_key,
|
|
const std::string& serialized_device_security_profiles,
|
|
HashAlgorithm hash_algorithm, const std::string& signature,
|
|
int* added_profile_num);
|
|
|
|
// Returns an instance of the Security profile list for default security
|
|
// profiles. Default security profiles are owned by Widevine.
|
|
// TODO (b/187073516): This singleton can be moved to the "Environment" class
|
|
// as a non-static API.
|
|
static SecurityProfileList* GetInstanceForDefaultSecurityProfiles();
|
|
|
|
protected:
|
|
void ClearAllProfiles();
|
|
|
|
private:
|
|
friend class SecurityProfileListTest;
|
|
|
|
// Add Widevine default profiles into profile_list. The number of added
|
|
// default profiles will be returned.
|
|
virtual int AddDefaultProfiles();
|
|
// Add Widevine custom profiles into profile_list. The number of added custom
|
|
// profiles will be returned.
|
|
virtual int AddCustomProfiles(
|
|
const DeviceSecurityProfileList& device_security_profile_list);
|
|
virtual int GetDefaultProfileStrings(
|
|
std::vector<std::string>* default_profile_strings) const;
|
|
|
|
bool DoesProfileQualify(const SecurityProfile& profile,
|
|
const ClientIdentification& client_id,
|
|
const ProvisionedDeviceInfo& device_info,
|
|
PlatformVerificationStatus device_vmp_status) const;
|
|
|
|
int64_t GetCurrentTimeSeconds() const;
|
|
|
|
bool IsProfileActive(const SecurityProfile& profile,
|
|
int64_t current_time_seconds) const;
|
|
|
|
bool InsertProfileLocked(const SecurityProfile& profile_to_insert)
|
|
ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
|
|
|
|
// Return true if a profile already exists in the profile_list.
|
|
bool DoesProfileExistLocked(const SecurityProfile& profile) const
|
|
ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
|
|
|
|
void ClearAllDefaultProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
|
|
void ClearAllCustomProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
|
|
|
|
// Return true is the client is a Chrome browser.
|
|
virtual bool IsChromeBrowser(const std::string& device_model) const;
|
|
|
|
mutable absl::Mutex mutex_;
|
|
// Security profiles
|
|
std::string profile_namespace_;
|
|
// TODO(user): Modify as Map<owner, DSPs>.
|
|
std::vector<SecurityProfile> security_profiles_ ABSL_GUARDED_BY(mutex_);
|
|
};
|
|
|
|
} // namespace widevine
|
|
#endif // COMMON_SECURITY_PROFILE_LIST_H_
|