Change order of loading certificates from pk7 cert

-------------
Add libcurl to media_cas_packager_sdk. libcurl will later be used by a key fetcher to retrieve entitlement key from License Server using a HTTP request.

-------------
Add a function named parsehelper to parse DCSL from the key smith response.

-------------
Move wv_cas_key_fetcher to media_cas_packager_sdk so partners can use it to request entitlement keys from License Server.

-------------
Add pkcs7 write method to x509_cert.cc

-------------
Update boringssl_repo to latest in master-with-bazel

-------------
Add a TsPacket class to media_cas_packager_sdk to allow the construction of a ECM TS packet in the SDK.

-------------
Move InsertEcm() from our internal CAS directory to the media_cas_packager_sdk, to be used to build a ECM TS packet by the SDK.

-------------
Add METADATA in common folder

-------------
Refactoring of certificate verification into DrmRootCertificate.

-------------
Extend the default duration of leaf certificates.

-------------
Fix moe_test

-------------
Add a new method to WvCasEcm to allow partner to create a TS packet carrying the generated ECM.

-------------
Change from SHA1 to SHA256 for Cast certificates

-------------
Update crypto mode enumeration to match WV ECM document

-------------
Fix the way we set the validity dates

-------------
Move exported_root/util/status to common/ to prepare for util::Status migration

Also added constructor/operator to copy from/to util::Status.

-------------
Add GenerateDCSLrequest function to certificate_util.h.

-------------
Fix build break

-------------
Allow 'table_id' (in the section header) be specified by caller of SDK method WvCasEcm::GenerateTsPacket().

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=224535399
Fang Yu
2018-12-07 10:16:38 -08:00
parent fb96918196
commit 121d554c20
63 changed files with 4834 additions and 560 deletions


@@ -70,6 +70,16 @@ class X509Cert {
// if an error occurs.
std::string GetSerialNumber() const;
// Gets the start of the validity period for the certificate in seconds
// since the epoch. |valid_start_seconds| must not be null. Returns true on
// success, false otherwise.
bool GetNotBeforeSeconds(int64_t* valid_start_seconds) const;
// Gets the end of the validity period for the certificate in seconds
// since the epoch. |valid_end_seconds| must not be null. Returns true on
// success, false otherwise.
bool GetNotAfterSeconds(int64_t* valid_end_seconds) const;
// Returns true if the certificate is a CA (root or intermediate) certificate.
bool IsCaCertificate() const;
@@ -81,6 +91,8 @@ class X509Cert {
private:
explicit X509Cert(X509* openssl_cert);
util::Status Asn1TimeToEpochSeconds(const ASN1_TIME* asn1_time,
int64_t* epoch_seconds) const;
X509* openssl_cert_;
std::string subject_name_;
@@ -107,6 +119,10 @@ class X509CertChain {
// container.
util::Status LoadPkcs7(const std::string& pk7_cert_chain);
// Writes the |cert_chain_| to a DER-encoded PKCS#7 X.509 cryptographic
// message. The final message does not include signed data.
std::string GetPkcs7();
// Returns the number of certificates in the chain.
size_t GetNumCerts() const { return cert_chain_.size(); }
@@ -138,6 +154,12 @@ class X509CA {
// used when constructing X509CA. This method is thread-safe.
util::Status VerifyCertChain(const X509CertChain& cert_chain);
// Does X.509 PKI validation of |cert| using the |cert_chain|
// certificates. This method allows |cert| to be an ICA. This method is
// thread-safe.
util::Status VerifyCertWithChain(const X509Cert& cert,
const X509CertChain& cert_chain);
private:
util::Status InitializeStore();
util::Status OpenSslX509Verify(const X509* cert, STACK_OF(X509) * stack);
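Review bot: The comment on `VerifyCertWithChain` in the last hunk does not say how |cert_chain| is trusted, which is the part of this API a caller most needs to know: the chain should only supply candidate intermediates, and the path should still have to terminate at the CA this X509CA was constructed with. The implementation is outside the hunk, so this is inferred from the `OpenSslX509Verify(cert, stack)` signature; if that is the behaviour, I would add `// |cert_chain| is used only as untrusted intermediates; the trust anchor is the CA given at construction.` The comment should also state what differs from `VerifyCertChain` when |cert| is an ICA. Separately, `GetPkcs7()` in the third hunk returns a bare std::string next to `LoadPkcs7`, which returns util::Status, so its comment should say what is returned on failure (presumably an empty string).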