Change order of loading certificates from pk7 cert
------------- Add libcurl to media_cas_packager_sdk. libcurl will later be used by a key fetcher to retrieve entitlement key from License Server using a HTTP request. ------------- Add a function named parsehelper to parse DCSL from the key smith response. ------------- Move wv_cas_key_fetcher to media_cas_packager_sdk so partners can use it request entitlement keys from License Server. ------------- Add pkcs7 write method to x509_cert.cc ------------- Update boringssl_repo to latest in master-with-bazel ------------- Add a TsPacket class to media_cas_packager_sdk to allow the construction of a ECM TS packet in the SDK. ------------- Move InsertEcm() from our internal CAS directory to the media_cas_packager_sdk, to be used to build a ECM TS packet by the SDK. ------------- Add METADATA in common folder ------------- Refactoring of certificate verification into DrmRootCertificate. ------------- Extend the default duration of leaf certificates. ------------- Fix moe_test ------------- Add a new method to WvCasEcm to allow partner to create a TS packet carrying the generated ECM. ------------- Change from SHA1 to SHA256 for Cast certificates ------------- Update crypto mode enumeration to match WV ECM document ------------- Fix the way we set the validity dates ------------- Move exported_root/util/status to common/ to prepare for util::Status migration Also added constructor/operator to copy from/to util::Status. ------------- Add GenerateDCSLrequest function to certificate_util.h. ------------- Fix build break ------------- Allow 'table_id' (in the section header) be specified by caller of SDK method WvCasEcm::GenerateTsPacket(). ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=224535399
This commit is contained in:
Fang Yu
@@ -184,6 +184,24 @@ std::string X509Cert::GetSerialNumber() const {
|
||||
return result;
|
||||
}
|
||||
|
||||
bool X509Cert::GetNotBeforeSeconds(int64_t* valid_start_seconds) const {
|
||||
if (openssl_cert_ == nullptr) {
|
||||
return false;
|
||||
}
|
||||
return Asn1TimeToEpochSeconds(X509_get0_notBefore(openssl_cert_),
|
||||
valid_start_seconds)
|
||||
.ok();
|
||||
}
|
||||
|
||||
bool X509Cert::GetNotAfterSeconds(int64_t* valid_end_seconds) const {
|
||||
if (openssl_cert_ == nullptr) {
|
||||
return false;
|
||||
}
|
||||
return Asn1TimeToEpochSeconds(X509_get0_notAfter(openssl_cert_),
|
||||
valid_end_seconds)
|
||||
.ok();
|
||||
}
|
||||
|
||||
bool X509Cert::IsCaCertificate() const {
|
||||
return X509_check_ca(openssl_cert_) != 0;
|
||||
}
|
||||
@@ -204,6 +222,40 @@ bool X509Cert::GetV3BooleanExtension(const std::string& oid, bool* value) const
|
||||
return true;
|
||||
}
|
||||
|
||||
util::Status X509Cert::Asn1TimeToEpochSeconds(const ASN1_TIME* asn1_time,
|
||||
int64_t* epoch_seconds) const {
|
||||
if (asn1_time == nullptr) {
|
||||
// This code is exported to shared source. The exported code does not yet
|
||||
// support MakeStatus.
|
||||
// NOLINTNEXTLINE
|
||||
return util::Status(util::error::INVALID_ARGUMENT,
|
||||
"asn1_time cannot be null.");
|
||||
}
|
||||
|
||||
if (epoch_seconds == nullptr) {
|
||||
// NOLINTNEXTLINE
|
||||
return util::Status(util::error::INVALID_ARGUMENT,
|
||||
"epoch_seconds cannot be null.");
|
||||
}
|
||||
|
||||
ScopedAsn1Time epoch_time(ASN1_TIME_new());
|
||||
if (!ASN1_TIME_set(epoch_time.get(), 0)) {
|
||||
// NOLINTNEXTLINE
|
||||
return util::Status(util::error::INTERNAL, "Failed to set epoch time.");
|
||||
}
|
||||
|
||||
int day = 0;
|
||||
int seconds = 0;
|
||||
if (!ASN1_TIME_diff(&day, &seconds, epoch_time.get(), asn1_time)) {
|
||||
// NOLINTNEXTLINE
|
||||
return util::Status(util::error::INTERNAL,
|
||||
"Failed to convert asn1 time to epoch time.");
|
||||
}
|
||||
|
||||
*epoch_seconds = 24L * 3600L * day + seconds;
|
||||
return util::OkStatus();
|
||||
}
|
||||
|
||||
X509CertChain::~X509CertChain() { Reset(); }
|
||||
|
||||
void X509CertChain::Reset() {
|
||||
@@ -248,12 +300,48 @@ util::Status X509CertChain::LoadPkcs7(const std::string& pk7_cert_chain) {
|
||||
}
|
||||
|
||||
while (sk_X509_num(cert_stack.get()) > 0) {
|
||||
cert_chain_.push_back(new X509Cert(sk_X509_pop(cert_stack.get())));
|
||||
cert_chain_.insert(cert_chain_.begin(),
|
||||
new X509Cert(sk_X509_pop(cert_stack.get())));
|
||||
}
|
||||
|
||||
return util::OkStatus();
|
||||
}
|
||||
|
||||
std::string X509CertChain::GetPkcs7() {
|
||||
std::string pkcs7_cert;
|
||||
ScopedX509Stack cert_stack(sk_X509_new_null());
|
||||
for (X509Cert* cert : cert_chain_) {
|
||||
// X509 stack takes ownership of certificates. Copy certificates to retain
|
||||
// |cert_chain_|.
|
||||
X509Cert cert_copy;
|
||||
if (!cert_copy.LoadPem(cert->GetPem()).ok()) {
|
||||
LOG(WARNING) << "Certificate chain serialization failed";
|
||||
return "";
|
||||
}
|
||||
X509* openssl_cert_copy = const_cast<X509*>(cert_copy.openssl_cert());
|
||||
cert_copy.openssl_cert_ = nullptr;
|
||||
sk_X509_push(cert_stack.get(), openssl_cert_copy);
|
||||
}
|
||||
ScopedPKCS7 pkcs7(
|
||||
PKCS7_sign(nullptr, nullptr, cert_stack.get(), nullptr, PKCS7_DETACHED));
|
||||
if (!pkcs7) {
|
||||
LOG(WARNING) << "Could not convert certificate chain to PKCS7";
|
||||
return "";
|
||||
}
|
||||
ScopedBIO bio(BIO_new(BIO_s_mem()));
|
||||
if (bio.get() == nullptr || !i2d_PKCS7_bio(bio.get(), pkcs7.get())) {
|
||||
LOG(WARNING) << "Failed writing PKCS7 to bio";
|
||||
return "";
|
||||
}
|
||||
int cert_size = BIO_pending(bio.get());
|
||||
pkcs7_cert.resize(cert_size);
|
||||
if (BIO_read(bio.get(), &pkcs7_cert[0], cert_size) != cert_size) {
|
||||
LOG(WARNING) << "BIO_read failure";
|
||||
return "";
|
||||
}
|
||||
return pkcs7_cert;
|
||||
}
|
||||
|
||||
X509Cert* X509CertChain::GetCert(size_t cert_index) const {
|
||||
if (cert_index >= cert_chain_.size()) {
|
||||
return NULL;
|
||||
@@ -325,6 +413,25 @@ util::Status X509CA::VerifyCertChain(const X509CertChain& cert_chain) {
|
||||
return OpenSslX509Verify(leaf_cert->openssl_cert(), intermediates.get());
|
||||
}
|
||||
|
||||
util::Status X509CA::VerifyCertWithChain(const X509Cert& cert,
|
||||
const X509CertChain& cert_chain) {
|
||||
ScopedX509StackOnly intermediates(sk_X509_new_null());
|
||||
if (!intermediates) {
|
||||
// MakeStatus is now preferred. But we don't support it in the exported
|
||||
// version, yet. So, ignore lint here.
|
||||
// NOLINTNEXTLINE
|
||||
return util::Status(
|
||||
util::Status::canonical_space(), util::error::INTERNAL,
|
||||
"Failed to allocate X.509 intermediate certificate stack");
|
||||
}
|
||||
for (size_t idx = 0; idx < cert_chain.GetNumCerts(); ++idx) {
|
||||
sk_X509_push(intermediates.get(),
|
||||
const_cast<X509*>(cert_chain.GetCert(idx)->openssl_cert()));
|
||||
}
|
||||
|
||||
return OpenSslX509Verify(cert.openssl_cert(), intermediates.get());
|
||||
}
|
||||
|
||||
util::Status X509CA::OpenSslX509Verify(const X509* cert,
|
||||
STACK_OF(X509) * intermediates) {
|
||||
DCHECK(cert);
|
||||
|
||||
Reference in New Issue
Block a user