Change order of loading certificates from pk7 cert

------------- Add libcurl to media_cas_packager_sdk. libcurl will later be used by a key fetcher to retrieve entitlement key from License Server using a HTTP request. ------------- Add a function named parsehelper to parse DCSL from the key smith response. ------------- Move wv_cas_key_fetcher to media_cas_packager_sdk so partners can use it request entitlement keys from License Server. ------------- Add pkcs7 write method to x509_cert.cc ------------- Update boringssl_repo to latest in master-with-bazel ------------- Add a TsPacket class to media_cas_packager_sdk to allow the construction of a ECM TS packet in the SDK. ------------- Move InsertEcm() from our internal CAS directory to the media_cas_packager_sdk, to be used to build a ECM TS packet by the SDK. ------------- Add METADATA in common folder ------------- Refactoring of certificate verification into DrmRootCertificate. ------------- Extend the default duration of leaf certificates. ------------- Fix moe_test ------------- Add a new method to WvCasEcm to allow partner to create a TS packet carrying the generated ECM. ------------- Change from SHA1 to SHA256 for Cast certificates ------------- Update crypto mode enumeration to match WV ECM document ------------- Fix the way we set the validity dates ------------- Move exported_root/util/status to common/ to prepare for util::Status migration Also added constructor/operator to copy from/to util::Status. ------------- Add GenerateDCSLrequest function to certificate_util.h. ------------- Fix build break ------------- Allow 'table_id' (in the section header) be specified by caller of SDK method WvCasEcm::GenerateTsPacket(). ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=224535399
2018-12-07 10:16:38 -08:00
parent fb96918196
commit 121d554c20
63 changed files with 4834 additions and 560 deletions
--- a/common/drm_root_certificate.h
+++ b/common/drm_root_certificate.h
@@ -13,6 +13,8 @@
 #ifndef COMMON_DRM_ROOT_CERTIFICATE_H_
 #define COMMON_DRM_ROOT_CERTIFICATE_H_

+// common_typos_disable. Successful / successfull.
+
 #include <memory>
 #include <string>

@@ -23,41 +25,82 @@

 namespace widevine {

+class DrmCertificate;
+class RsaKeyFactory;
+class RsaPublicKey;
+class SignedDrmCertificate;
+class VerifiedCertSignatureCache;
+
+// Root certificate and certificate chain verifier with internal caching.
+// This object is thread-safe.
 class DrmRootCertificate {
 public:
-  virtual ~DrmRootCertificate() {}
+  virtual ~DrmRootCertificate();
+
  // Creates a DrmRootCertificate object given a certificate type.
  // |cert| may not be nullptr, and it points to a
  // std::unique_ptr<DrmRootCertificate> which will be used to return a newly
-  // created DrmRootCertificate* if successful. The caller assumes ownership of
-  // the new DrmRootCertificate. This method returns util::Status::OK on
-  // success, or appropriate error status otherwise.
+  // created const DrmRootCertificate* if successful. The caller assumes
+  // ownership of the new DrmRootCertificate. This method returns
+  // util::Status::OK on success, or appropriate error status otherwise.
  static util::Status CreateByType(CertificateType cert_type,
                                   std::unique_ptr<DrmRootCertificate>* cert);
-  // Returns the hex-encoded SHA-256 digest for the specified root certificate.
-  static std::string GetDigest(CertificateType cert_type);
-  // Given |cert_type|, the appropiate root certificate is returned as
-  // a serialized SignedDrmCertificates.
-  static std::string GetDrmRootCertificate(CertificateType cert_type);
+
+  // Variant on the method above to make CLIF happy until b/110539622 is fixed.
+  static std::unique_ptr<DrmRootCertificate> CreateByType(
+      CertificateType cert_type, util::Status* status);
+
+  // Creates a DrmRootCertificate object given a certificate type std::string, which
+  // must be one of "prod", "qa", or "test".
+  // |cert| may not be nullptr, and it points to a
+  // std::unique_ptr<DrmRootCertificate> which will be used to return a newly
+  // created const DrmRootCertificate* if successful. The caller assumes
+  // ownership of the new DrmRootCertificate. This method returns
+  // util::Status::OK on success, or appropriate error status otherwise.
+  static util::Status CreateByTypeString(
+      const std::string& cert_type_string,
+      std::unique_ptr<DrmRootCertificate>* cert);
+
+  // |certificate| will contgain the DRM certificate upon successful return.
+  // May be null.
+  // Returns util::Status::OK if successful, or an appropriate error code
+  // otherwise.
+  virtual util::Status VerifyCertificate(
+      const std::string& serialized_certificate,
+      SignedDrmCertificate* signed_certificate,
+      DrmCertificate* certificate) const;
+
+  // Returns the hex-encoded SHA-256 digest for this certificate.
+  virtual std::string GetDigest() const;
+
+  const CertificateType type() const { return type_; }
+
  const std::string& public_key() const { return public_key_; }

-  // Verifies a DRM certificate.
+ protected:
+  DrmRootCertificate(CertificateType cert_type,
+                     const std::string& serialized_certificate,
+                     const std::string& serial_number, const std::string& public_key,
+                     std::unique_ptr<RsaKeyFactory> key_factory);
+
 private:
  friend class DrmRootCertificateTest;

-  // Creates a DrmRootCertificate object given a serialized
-  // SignedDrmCertificate. |cert| may not be nullptr, and it points to a
-  // std::unique_ptr<DrmRootCertificate> which will be used to return a newly
-  // created DrmRootCertificate* if successful. The caller assumes ownership of
-  // the new DrmRootCertificate. This method returns util::Status::OK on
-  // success, or appropriate error status otherwise.
-  // TODO(user): Consider moving to private.
-  static util::Status Create(const std::string& signed_drm_certificate,
+  static util::Status Create(CertificateType cert_type,
+                             std::unique_ptr<RsaKeyFactory> key_factory,
                             std::unique_ptr<DrmRootCertificate>* cert);
-  explicit DrmRootCertificate(const std::string& public_key)
-      : public_key_(public_key) {}

+  util::Status VerifySignatures(const SignedDrmCertificate& signed_cert,
+                                const std::string& cert_serial_number,
+                                bool use_cache) const;
+
+  CertificateType type_;
+  std::string serialized_certificate_;
+  std::string serial_number_;
  std::string public_key_;
+  std::unique_ptr<RsaKeyFactory> key_factory_;
+  mutable std::unique_ptr<VerifiedCertSignatureCache> signature_cache_;
+
  DISALLOW_IMPLICIT_CONSTRUCTORS(DrmRootCertificate);
 };