Change order of loading certificates from pk7 cert

-------------
Add libcurl to media_cas_packager_sdk. libcurl will later be used by a key fetcher to retrieve entitlement key from License Server using a HTTP request.

-------------
Add a function named parsehelper to parse DCSL from the key smith response.

-------------
Move wv_cas_key_fetcher to media_cas_packager_sdk so partners can use it request entitlement keys from License Server.

-------------
Add pkcs7 write method to x509_cert.cc

-------------
Update boringssl_repo to latest in master-with-bazel

-------------
Add a TsPacket class to media_cas_packager_sdk to allow the construction of a ECM TS packet in the SDK.

-------------
Move InsertEcm() from our internal CAS directory to the media_cas_packager_sdk, to be used to build a ECM TS packet by the SDK.

-------------
Add METADATA in common folder

-------------
Refactoring of certificate verification into DrmRootCertificate.

-------------
Extend the default duration of leaf certificates.

-------------
Fix moe_test

-------------
Add a new method to WvCasEcm to allow partner to create a TS packet carrying the generated ECM.

-------------
Change from SHA1 to SHA256 for Cast certificates

-------------
Update crypto mode enumeration to match WV ECM document

-------------
Fix the way we set the validity dates

-------------
Move exported_root/util/status to common/ to prepare for util::Status migration

Also added constructor/operator to copy from/to util::Status.

-------------
Add GenerateDCSLrequest function to certificate_util.h.

-------------
Fix build break

-------------
Allow 'table_id' (in the section header) be specified by caller of SDK method WvCasEcm::GenerateTsPacket().

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=224535399

common/client_cert.cc

@@ -0,0 +1,260 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2017 Google LLC.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#include "common/client_cert.h"
+
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include "glog/logging.h"
+#include "strings/serialize.h"
+#include "absl/strings/escaping.h"
+#include "absl/synchronization/mutex.h"
+#include "util/gtl/map_util.h"
+#include "util/status.h"
+#include "common/crypto_util.h"
+#include "common/drm_root_certificate.h"
+#include "common/error_space.h"
+#include "common/random_util.h"
+#include "common/signing_key_util.h"
+#include "common/wvm_token_handler.h"
+#include "protos/public/drm_certificate.pb.h"
+#include "protos/public/errors.pb.h"
+#include "protos/public/signed_drm_certificate.pb.h"
+
+// TODO(user): Get rid of this horror.
+
+namespace widevine {
+namespace {
+
+const int kKeyboxSizeBytes = 72;
+
+}  // namespace
+
+// TODO(user): change to util::StatusOr<std::unique_ptr<ClientCert>>
+// instead of ClientCert** to explicitly assigning ownership of the created
+// object to the caller.
+
+util::Status ClientCert::Create(const DrmRootCertificate* root_certificate,
+                                ClientIdentification::TokenType token_type,
+                                const std::string& token, ClientCert** client_cert) {
+  DCHECK(client_cert);
+  if (token_type == ClientIdentification::KEYBOX) {
+    *client_cert = nullptr;
+    if (token.size() < kKeyboxSizeBytes) {
+      return util::Status(error_space, INVALID_KEYBOX_TOKEN,
+                          "keybox-token-is-too-short");
+    }
+    return ClientCert::CreateWithKeybox(token, client_cert);
+  } else if (token_type == ClientIdentification::DRM_DEVICE_CERTIFICATE) {
+    return CreateWithDrmCertificate(root_certificate, token, client_cert);
+  } else {
+    return util::Status(error_space, util::error::UNIMPLEMENTED,
+                        "client-type-not-implemented");
+  }
+}
+
+util::Status ClientCert::CreateWithKeybox(const std::string& keybox_token,
+                                          ClientCert** client_cert) {
+  CHECK(client_cert);
+  *client_cert = nullptr;
+
+  std::unique_ptr<KeyboxClientCert> new_client_cert(new KeyboxClientCert);
+  util::Status status = new_client_cert->Initialize(keybox_token);
+  if (!status.ok()) {
+    return status;
+  }
+
+  *client_cert = new_client_cert.release();
+  return util::OkStatus();
+}
+
+util::Status ClientCert::CreateWithDrmCertificate(
+    const DrmRootCertificate* root_certificate, const std::string& drm_certificate,
+    ClientCert** client_cert) {
+  CHECK(client_cert);
+  *client_cert = nullptr;
+
+  std::unique_ptr<CertificateClientCert> new_client_cert(
+      new CertificateClientCert);
+  util::Status status =
+      new_client_cert->Initialize(root_certificate, drm_certificate);
+  if (!status.ok()) {
+    return status;
+  }
+
+  *client_cert = new_client_cert.release();
+  return util::OkStatus();
+}
+
+void ClientCert::CreateSignature(const std::string& message, std::string* signature) {
+  DCHECK(signature);
+  DCHECK(!signing_key().empty());
+  if (signature == nullptr) {
+    return;
+  }
+  using crypto_util::CreateSignatureHmacSha256;
+  *signature =
+      CreateSignatureHmacSha256(GetServerSigningKey(signing_key()), message);
+}
+
+void ClientCert::GenerateSigningKey(const std::string& message,
+                                    ProtocolVersion protocol_version) {
+  if (!signing_key_.empty()) return;
+  DCHECK(!key().empty());
+  using crypto_util::DeriveKey;
+  using crypto_util::kSigningKeyLabel;
+  set_signing_key(DeriveKey(key(), kSigningKeyLabel, message,
+                            SigningKeyMaterialSize(protocol_version)));
+}
+
+KeyboxClientCert::KeyboxClientCert() {}
+
+KeyboxClientCert::~KeyboxClientCert() {}
+
+void KeyboxClientCert::SetPreProvisioningKeys(
+    const std::multimap<uint32_t, std::string>& keymap) {
+  std::vector<WvmTokenHandler::PreprovKey> keyvector;
+  keyvector.reserve(keymap.size());
+  for (std::multimap<uint32_t, std::string>::const_iterator it = keymap.begin();
+       it != keymap.end(); ++it) {
+    std::string key = absl::HexStringToBytes(it->second);
+    DCHECK_EQ(key.size(), 16);
+    keyvector.push_back(WvmTokenHandler::PreprovKey(it->first, key));
+  }
+  WvmTokenHandler::SetPreprovKeys(keyvector);
+}
+
+bool KeyboxClientCert::IsSystemIdKnown(const uint32_t system_id) {
+  return WvmTokenHandler::IsSystemIdKnown(system_id);
+}
+
+uint32_t KeyboxClientCert::GetSystemId(const std::string& keybox_bytes) {
+  return WvmTokenHandler::GetSystemId(keybox_bytes);
+}
+
+util::Status KeyboxClientCert::Initialize(const std::string& keybox_bytes) {
+  if (keybox_bytes.size() < kKeyboxSizeBytes) {
+    return util::Status(error_space, INVALID_KEYBOX_TOKEN,
+                        "keybox-token-is-too-short");
+  }
+
+  set_system_id(WvmTokenHandler::GetSystemId(keybox_bytes));
+  set_serial_number(WvmTokenHandler::GetEncryptedUniqueId(keybox_bytes));
+  bool insecure_keybox = false;
+  util::Status status = WvmTokenHandler::DecryptDeviceKey(
+      keybox_bytes, &device_key_, nullptr, &insecure_keybox);
+  if (!status.ok()) {
+    Errors new_code = status.error_code() == util::error::NOT_FOUND
+                          ? MISSING_PRE_PROV_KEY
+                          : KEYBOX_DECRYPT_ERROR;
+    return util::Status(error_space, new_code, status.error_message());
+  }
+  return util::OkStatus();
+}
+
+util::Status KeyboxClientCert::VerifySignature(
+    const std::string& message, const std::string& signature,
+    ProtocolVersion protocol_version) {
+  DCHECK(!signing_key().empty());
+  using crypto_util::VerifySignatureHmacSha256;
+  if (!VerifySignatureHmacSha256(
+          GetClientSigningKey(signing_key(), protocol_version), signature,
+          message)) {
+    return util::Status(error_space, INVALID_SIGNATURE, "invalid-keybox-mac");
+  }
+  return util::OkStatus();
+}
+
+CertificateClientCert::CertificateClientCert() {}
+
+CertificateClientCert::~CertificateClientCert() {}
+
+util::Status CertificateClientCert::Initialize(
+    const DrmRootCertificate* drm_root_certificate,
+    const std::string& serialized_certificate) {
+  CHECK(drm_root_certificate);
+
+  SignedDrmCertificate signed_device_cert;
+  DrmCertificate device_cert;
+  util::Status status = drm_root_certificate->VerifyCertificate(
+      serialized_certificate, &signed_device_cert, &device_cert);
+  if (!status.ok()) {
+    return status;
+  }
+
+  const SignedDrmCertificate& signer = signed_device_cert.signer();
+  DrmCertificate model_certificate;
+  if (!model_certificate.ParseFromString(signer.drm_certificate())) {
+    return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                        "drm-certificate-invalid-signer");
+  }
+  if (!model_certificate.has_serial_number()) {
+    return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                        "missing-signer-serial-number");
+  }
+  // Check to see if this model certificate is signed by a
+  // provisioner (entity using Widevine Provisioning Server SDK).
+  if (signer.has_signer()) {
+    DrmCertificate provisioner_certificate;
+    if (!provisioner_certificate.ParseFromString(
+            signer.signer().drm_certificate())) {
+      return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                          "model-certificate-invalid-signer");
+    }
+    if (provisioner_certificate.type() == DrmCertificate::PROVISIONER) {
+      set_signed_by_provisioner(true);
+    } else {
+      return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                          "expected-provisioning-provider-certificate-type");
+    }
+    if (!provisioner_certificate.has_provider_id() ||
+        provisioner_certificate.provider_id().empty()) {
+      return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                          "missing-provisioning-service-id");
+    }
+    set_service_id(provisioner_certificate.provider_id());
+  }
+  set_signer_serial_number(model_certificate.serial_number());
+  set_signer_creation_time_seconds(model_certificate.creation_time_seconds());
+  if (!model_certificate.has_system_id()) {
+    return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                        "model-certificate-missing-system-id");
+  }
+  set_system_id(model_certificate.system_id());
+  set_serial_number(device_cert.serial_number());
+  set_public_key(device_cert.public_key());
+  rsa_public_key_.reset(RsaPublicKey::Create(public_key()));
+  if (rsa_public_key_ == nullptr) {
+    return util::Status(error_space, INVALID_DRM_CERTIFICATE,
+                        "drm-certificate-public-key-failed");
+  }
+
+  // TODO(user): Move this somewhere else. It is license protocol.
+  set_key(Random16Bytes());
+  if (!rsa_public_key_->Encrypt(key(), &encrypted_session_key_)) {
+    return util::Status(error_space, ENCRYPT_ERROR,
+                        "drm-certificate-failed-encrypt-session-key");
+  }
+
+  return util::OkStatus();
+}
+
+util::Status CertificateClientCert::VerifySignature(
+    const std::string& message, const std::string& signature,
+    ProtocolVersion protocol_version) {
+  CHECK(rsa_public_key_);
+
+  if (!rsa_public_key_->VerifySignature(message, signature)) {
+    return util::Status(error_space, INVALID_SIGNATURE, "");
+  }
+  return util::OkStatus();
+}
+
+}  // namespace widevine