Update includes and BUILD
This commit is contained in:
Lu Chen
@@ -80,6 +80,12 @@ class CertificateClientCert : public ClientCert {
|
||||
widevine::ClientIdentification::TokenType type() const override {
|
||||
return ClientIdentification::DRM_DEVICE_CERTIFICATE;
|
||||
}
|
||||
const std::string& encrypted_unique_id() const override {
|
||||
return device_cert_.rot_id().encrypted_unique_id();
|
||||
}
|
||||
const std::string& unique_id_hash() const override {
|
||||
return device_cert_.rot_id().unique_id_hash();
|
||||
}
|
||||
|
||||
private:
|
||||
std::unique_ptr<ClientCertAlgorithm> algorithm_;
|
||||
|
||||
@@ -68,6 +68,8 @@ class ClientCert {
|
||||
virtual bool signed_by_provisioner() const = 0;
|
||||
virtual uint32_t system_id() const = 0;
|
||||
virtual widevine::ClientIdentification::TokenType type() const = 0;
|
||||
virtual const std::string& encrypted_unique_id() const = 0;
|
||||
virtual const std::string& unique_id_hash() const = 0;
|
||||
};
|
||||
|
||||
} // namespace widevine
|
||||
|
||||
@@ -22,29 +22,50 @@ using oemcrypto_core_message::serialize::
|
||||
using oemcrypto_core_message::serialize::CreateCoreRenewalResponse;
|
||||
using widevine::Sha256_Hash;
|
||||
|
||||
// TODO(user): Check the Core*RequestFromMessage and
|
||||
// CreateCore*ResponseFromProto return value when b/148472911 is fixed.
|
||||
namespace widevine {
|
||||
namespace core_message_util {
|
||||
void GetCoreProvisioningResponse(const std::string& provisioning_response,
|
||||
std::string* core_message) {
|
||||
bool GetCoreProvisioningResponse(
|
||||
const std::string& serialized_provisioning_response,
|
||||
const std::string& request_core_message,
|
||||
std::string* response_core_message) {
|
||||
oemcrypto_core_message::ODK_ProvisioningRequest odk_provisioning_request;
|
||||
CoreProvisioningRequestFromMessage(*core_message, &odk_provisioning_request);
|
||||
CreateCoreProvisioningResponseFromProto(
|
||||
provisioning_response, odk_provisioning_request, core_message);
|
||||
CoreProvisioningRequestFromMessage(request_core_message,
|
||||
&odk_provisioning_request);
|
||||
CreateCoreProvisioningResponseFromProto(serialized_provisioning_response,
|
||||
odk_provisioning_request,
|
||||
response_core_message);
|
||||
return true;
|
||||
}
|
||||
|
||||
void GetCoreRenewalOrReleaseLicenseResponse(std::string* core_message) {
|
||||
bool GetCoreRenewalOrReleaseLicenseResponse(
|
||||
const std::string& request_core_message,
|
||||
std::string* response_core_message) {
|
||||
oemcrypto_core_message::ODK_RenewalRequest odk_renewal_request;
|
||||
CoreRenewalRequestFromMessage(*core_message, &odk_renewal_request);
|
||||
CreateCoreRenewalResponse(odk_renewal_request, core_message);
|
||||
CoreRenewalRequestFromMessage(request_core_message, &odk_renewal_request);
|
||||
// TODO(user): This function is going to need to know what the renewal
|
||||
// license is, and extract the renewal duration. This should be the sum of
|
||||
// renewal_delay_seconds + 2 * renewal_recovery_duration_seconds. Or if you
|
||||
// want, we could also create CreateCoreRenewalResponseFromProto -- is that
|
||||
// better?
|
||||
uint64_t renewal_duration_seconds = 3600; // I just made this up for now.
|
||||
CreateCoreRenewalResponse(odk_renewal_request, renewal_duration_seconds,
|
||||
response_core_message);
|
||||
return true;
|
||||
}
|
||||
|
||||
void GetCoreNewLicenseResponse(const std::string& license,
|
||||
std::string* core_message) {
|
||||
bool GetCoreNewLicenseResponse(const std::string& license,
|
||||
const std::string& request_core_message,
|
||||
const bool nonce_required,
|
||||
std::string* response_core_message) {
|
||||
oemcrypto_core_message::ODK_LicenseRequest odk_license_request;
|
||||
CoreLicenseRequestFromMessage(*core_message, &odk_license_request);
|
||||
std::string core_request_sha256 = Sha256_Hash(*core_message);
|
||||
CoreLicenseRequestFromMessage(request_core_message, &odk_license_request);
|
||||
std::string core_request_sha256 = Sha256_Hash(request_core_message);
|
||||
CreateCoreLicenseResponseFromProto(license, odk_license_request,
|
||||
core_request_sha256, core_message);
|
||||
core_request_sha256, nonce_required,
|
||||
response_core_message);
|
||||
return true;
|
||||
}
|
||||
|
||||
} // namespace core_message_util
|
||||
|
||||
@@ -13,20 +13,27 @@
|
||||
|
||||
namespace widevine {
|
||||
namespace core_message_util {
|
||||
// Gets the core message from |provisioning_response|. The output is held in
|
||||
// |core_message|. The provisioning response to be sent will be updated with
|
||||
// this |core_message|.
|
||||
void GetCoreProvisioningResponse(const std::string& provisioning_response,
|
||||
std::string* core_message);
|
||||
// Gets the |response_core_message| by parsing |request_core_message| and
|
||||
// |serialized_provisioning_response|. The output is held in
|
||||
// |response_core_message|.
|
||||
bool GetCoreProvisioningResponse(
|
||||
const std::string& serialized_provisioning_response,
|
||||
const std::string& request_core_message,
|
||||
std::string* response_core_message);
|
||||
|
||||
// Gets the core message for renewal or release license response. The output
|
||||
// is held in |core_message|.
|
||||
void GetCoreRenewalOrReleaseLicenseResponse(std::string* core_message);
|
||||
// Gets the |response_core_message| by parsing |request_core_message| for
|
||||
// release and renewal response. The output is held in |response_core_message|.
|
||||
bool GetCoreRenewalOrReleaseLicenseResponse(
|
||||
const std::string& request_core_message,
|
||||
std::string* response_core_message);
|
||||
|
||||
// Gets the core message from |license|. The output is held in |core_message|.
|
||||
// The license to be sent will be updated with this |core_message|.
|
||||
void GetCoreNewLicenseResponse(const std::string& license,
|
||||
std::string* core_message);
|
||||
// Gets the |response_core_message| by parsing |request_core_message| and
|
||||
// |license| for new license response. The output is held in
|
||||
// |response_core_message|.
|
||||
bool GetCoreNewLicenseResponse(const std::string& license,
|
||||
const std::string& request_core_message,
|
||||
const bool nonce_required,
|
||||
std::string* response_core_message);
|
||||
|
||||
} // namespace core_message_util
|
||||
} // namespace widevine
|
||||
|
||||
@@ -78,6 +78,8 @@ class MockClientCert : public ClientCert {
|
||||
MOCK_CONST_METHOD0(signer_serial_number, std::string &());
|
||||
MOCK_CONST_METHOD0(signer_creation_time_seconds, uint32_t());
|
||||
MOCK_CONST_METHOD0(type, ClientIdentification::TokenType());
|
||||
MOCK_CONST_METHOD0(encrypted_unique_id, const std::string &());
|
||||
MOCK_CONST_METHOD0(unique_id_hash, const std::string &());
|
||||
MOCK_CONST_METHOD0(signed_by_provisioner, bool());
|
||||
MOCK_CONST_METHOD3(VerifySignature, Status(const std::string &message,
|
||||
const std::string &signature,
|
||||
|
||||
@@ -43,6 +43,10 @@ class KeyboxClientCert : public ClientCert {
|
||||
widevine::ClientIdentification::TokenType type() const override {
|
||||
return ClientIdentification::KEYBOX;
|
||||
}
|
||||
const std::string& encrypted_unique_id() const override {
|
||||
return unimplemented_;
|
||||
}
|
||||
const std::string& unique_id_hash() const override { return unimplemented_; }
|
||||
|
||||
// Set the system-wide pre-provisioning keys; argument must be human-readable
|
||||
// hex digits.
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "common/rot_id_generator.h"
|
||||
|
||||
#include <memory>
|
||||
#include <vector>
|
||||
|
||||
#include "google/protobuf/util/message_differencer.h"
|
||||
#include "testing/gmock.h"
|
||||
@@ -109,9 +110,9 @@ TEST_F(RootOfTrustIdGeneratorTest, GenerateIdSuccess) {
|
||||
|
||||
// Verify hashed unique id matches.
|
||||
std::string unique_id_hash = generator.GenerateUniqueIdHash(kTestUniqueId);
|
||||
EXPECT_TRUE(IsRotIdRevoked(root_of_trust_id.encrypted_unique_id(),
|
||||
kTestSystemId, root_of_trust_id.unique_id_hash(),
|
||||
{unique_id_hash}));
|
||||
EXPECT_TRUE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
root_of_trust_id.encrypted_unique_id(), kTestSystemId,
|
||||
root_of_trust_id.unique_id_hash(), {unique_id_hash}));
|
||||
}
|
||||
|
||||
TEST_F(RootOfTrustIdGeneratorTest, GenerateIdUniqueSuccess) {
|
||||
@@ -156,7 +157,7 @@ TEST_F(RootOfTrustIdGeneratorTest, GenerateIdUniqueSuccess) {
|
||||
|
||||
// Verify hashed unique id matches.
|
||||
std::string unique_id_hash = generator.GenerateUniqueIdHash(kTestUniqueId);
|
||||
EXPECT_TRUE(IsRotIdRevoked(
|
||||
EXPECT_TRUE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
second_root_of_trust_id.encrypted_unique_id(), kTestSystemId,
|
||||
second_root_of_trust_id.unique_id_hash(), {unique_id_hash}));
|
||||
}
|
||||
|
||||
@@ -21,25 +21,6 @@
|
||||
|
||||
namespace widevine {
|
||||
|
||||
bool IsRotIdRevoked(const std::string& encrypted_unique_id, uint32_t system_id,
|
||||
const std::string& rot_id_hash,
|
||||
const std::vector<std::string>& revoked_ids) {
|
||||
// This could conceivably happen for legacy DRM certificates without a ROT id.
|
||||
// No need to match if there's nothing to match against.
|
||||
if (encrypted_unique_id.empty() || rot_id_hash.empty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (const auto& revoked_id : revoked_ids) {
|
||||
std::string revoked_hash =
|
||||
GenerateRotIdHash(encrypted_unique_id, system_id, revoked_id);
|
||||
if (rot_id_hash == revoked_hash) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
std::string GenerateRotIdHash(const std::string& salt, uint32_t system_id,
|
||||
const std::string& unique_id_hash) {
|
||||
if (salt.empty() || unique_id_hash.empty()) {
|
||||
|
||||
@@ -21,15 +21,6 @@
|
||||
|
||||
namespace widevine {
|
||||
|
||||
// Helper function that compares the |rot_id_hash| to a hash of each of the
|
||||
// |revoked_ids|. The |revoked_ids| are the unique id hash (aka inner hash)
|
||||
// values as defined in the spec at go/wv-kb-id. The |encrypted_unique_id| and
|
||||
// |system_id| are used to compute the hash of each of the |revoked_ids|.
|
||||
// Returns true if any of the revoked_ids match.
|
||||
bool IsRotIdRevoked(const std::string& encrypted_unique_id, uint32_t system_id,
|
||||
const std::string& rot_id_hash,
|
||||
const std::vector<std::string>& revoked_ids);
|
||||
|
||||
// Helper function that generates the hash for the ROT id from the
|
||||
// |unique_id_hash|, the |system_id| and the |salt|. |salt| is typically an
|
||||
// encrypted unique id. Since we use an ephemeral eliptic curve key as part of
|
||||
@@ -41,5 +32,28 @@ bool IsRotIdRevoked(const std::string& encrypted_unique_id, uint32_t system_id,
|
||||
std::string GenerateRotIdHash(const std::string& salt, uint32_t system_id,
|
||||
const std::string& unique_id_hash);
|
||||
|
||||
// Helper function that compares the |rot_id_hash| to a hash of each of the
|
||||
// |revoked_ids|. The |revoked_ids| are the unique id hash (aka inner hash)
|
||||
// values as defined in the spec at go/wv-kb-id. The |encrypted_unique_id| and
|
||||
// |system_id| are used to compute the hash of each of the |revoked_ids|.
|
||||
// Returns true if any of the revoked_ids match.
|
||||
template <typename V>
|
||||
bool IsRotIdRevoked(const std::string& encrypted_unique_id, uint32_t system_id,
|
||||
const std::string& rot_id_hash, const V& revoked_ids) {
|
||||
// This could conceivably happen for legacy DRM certificates without a ROT id.
|
||||
// No need to match if there's nothing to match against.
|
||||
if (encrypted_unique_id.empty() || rot_id_hash.empty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (const auto& revoked_id : revoked_ids) {
|
||||
if (GenerateRotIdHash(encrypted_unique_id, system_id, revoked_id) ==
|
||||
rot_id_hash) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
} // namespace widevine
|
||||
#endif // COMMON_ROT_ID_UTIL_H_
|
||||
|
||||
@@ -31,28 +31,28 @@ constexpr uint32_t kOtherFakeSystemId = 9876;
|
||||
namespace widevine {
|
||||
|
||||
TEST(RotIdUtilTest, IsRotIdRevokedMatches) {
|
||||
ASSERT_TRUE(IsRotIdRevoked(kFakeEncryptedId, kFakeSystemId,
|
||||
absl::HexStringToBytes(kRotIdHashHex),
|
||||
{"NO MATCH UNIQUE ID HASH 1", kFakeUniqueIdHash}));
|
||||
ASSERT_TRUE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
kFakeEncryptedId, kFakeSystemId, absl::HexStringToBytes(kRotIdHashHex),
|
||||
{"NO MATCH UNIQUE ID HASH 1", kFakeUniqueIdHash}));
|
||||
}
|
||||
|
||||
TEST(RotIdUtilTest, IsRotIdRevokedNoMatchSystemId) {
|
||||
ASSERT_FALSE(
|
||||
IsRotIdRevoked(kFakeEncryptedId, kOtherFakeSystemId,
|
||||
absl::HexStringToBytes(kRotIdHashHex),
|
||||
{"NO MATCH UNIQUE ID HASH 1", kFakeUniqueIdHash}));
|
||||
ASSERT_FALSE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
kFakeEncryptedId, kOtherFakeSystemId,
|
||||
absl::HexStringToBytes(kRotIdHashHex),
|
||||
{"NO MATCH UNIQUE ID HASH 1", kFakeUniqueIdHash}));
|
||||
}
|
||||
|
||||
TEST(RotIdUtilTest, IsRotIdRevokedNoMatch) {
|
||||
ASSERT_FALSE(IsRotIdRevoked(
|
||||
ASSERT_FALSE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
kFakeEncryptedId, kFakeSystemId, kFakeUniqueIdHash,
|
||||
{"NO MATCH UNIQUE ID HASH 1", "NO MATCH UNIQUE ID HASH 2"}));
|
||||
}
|
||||
|
||||
TEST(RotIdUtilTest, IsRotIdRevokedEmptyList) {
|
||||
ASSERT_FALSE(IsRotIdRevoked(kFakeEncryptedId, kFakeSystemId,
|
||||
kFakeUniqueIdHash,
|
||||
{/* Intentionally empty vector */}));
|
||||
ASSERT_FALSE(IsRotIdRevoked<std::vector<std::string>>(
|
||||
kFakeEncryptedId, kFakeSystemId, kFakeUniqueIdHash,
|
||||
{/* Intentionally empty vector */}));
|
||||
}
|
||||
|
||||
// This test really only ensures the stability of the implementation. If the
|
||||
|
||||
@@ -86,10 +86,10 @@ class SecurityProfileList {
|
||||
|
||||
mutable absl::Mutex mutex_;
|
||||
// Widevine security profiles
|
||||
std::vector<SecurityProfile> security_profiles_ GUARDED_BY(mutex_);
|
||||
std::vector<SecurityProfile> security_profiles_ ABSL_GUARDED_BY(mutex_);
|
||||
// Custom security profiles
|
||||
std::map<std::string, SecurityProfile> custom_security_profiles_
|
||||
GUARDED_BY(mutex_);
|
||||
ABSL_GUARDED_BY(mutex_);
|
||||
};
|
||||
|
||||
} // namespace widevine
|
||||
|
||||
Reference in New Issue
Block a user