Add AES-ECB as a supported encryption mode in ECMG

2021-09-07 18:08:13 -07:00
parent b3a5fff77d
commit c387750897
11 changed files with 48 additions and 10 deletions
--- a/common/BUILD
+++ b/common/BUILD
@@ -101,6 +101,7 @@ cc_library(
        ":error_space",
        ":hash_algorithm",
        ":hash_algorithm_util",
+        ":output_protection_util",
        ":rsa_key",
        ":status",
        "//base",
@@ -127,6 +128,7 @@ cc_test(
        ":error_space",
        ":hash_algorithm",
        ":hash_algorithm_util",
+        ":output_protection_util",
        ":rsa_key",
        ":rsa_test_keys",
        ":security_profile_list",
@@ -431,7 +433,6 @@ cc_library(
        ":rsa_util",
        ":sha_util",
        "//base",
-        "@abseil_repo//absl/base:core_headers",
        "//external:openssl",
    ],
 )
@@ -870,6 +871,7 @@ cc_library(
        ":drm_service_certificate",
        ":error_space",
        ":rsa_key",
+        ":rsa_util",
        ":status",
        ":x509_cert",
        "//base",
--- a/common/crypto_util.cc
+++ b/common/crypto_util.cc
@@ -95,7 +95,12 @@ std::string CreateSignatureHmac(const EVP_MD* hash_algorithm,
 bool VerifySignatureHmacSha256(absl::string_view key,
                               absl::string_view signature,
                               absl::string_view message) {
-  return CreateSignatureHmacSha256(key, message) == signature;
+  std::string actual_signature = CreateSignatureHmacSha256(key, message);
+  bool result = actual_signature == signature;
+  if (!result) {
+    VLOG(1) << "Invalid signature. actual signature: " << actual_signature;
+  }
+  return result;
 }

 // Compares the SHA-384 HMAC against the provided signature.
--- a/common/ec_key.h
+++ b/common/ec_key.h
@@ -145,13 +145,11 @@ class ECPublicKey {
  // Returns true on success and false on error.
  virtual bool GetRawPublicKey(std::string* raw_public_key) const;

- private:
-  friend class ECPrivateKey;
-
-  ECPublicKey& operator=(const ECPublicKey&) = delete;
-
  const EC_KEY* key() const { return key_.get(); }

+ private:
+  ECPublicKey& operator=(const ECPublicKey&) = delete;
+
  ScopedECKEY key_;
 };

--- a/common/rsa_key.cc
+++ b/common/rsa_key.cc
@@ -363,6 +363,18 @@ bool RsaPublicKey::MatchesPublicKey(const RsaPublicKey& public_key) const {

 uint32_t RsaPublicKey::KeySize() const { return RSA_size(key_); }

+bool RsaPublicKey::SerializedKey(std::string* serialized_key) const {
+  if (serialized_key == nullptr) {
+    return false;
+  }
+  std::string tmp_serialized_key;
+  if (!rsa_util::SerializeRsaPublicKey(key(), &tmp_serialized_key)) {
+    return false;
+  }
+  *serialized_key = tmp_serialized_key;
+  return true;
+}
+
 RsaKeyFactory::RsaKeyFactory() {}

 RsaKeyFactory::~RsaKeyFactory() {}
--- a/common/rsa_key.h
+++ b/common/rsa_key.h
@@ -125,6 +125,9 @@ class RsaPublicKey {
  // Returns the RSA key size (modulus) in bytes.
  virtual uint32_t KeySize() const;

+  // Returns true if the key is successfully serialized into |serialized_key|.
+  virtual bool SerializedKey(std::string* serialized_key) const;
+
 private:
  friend class RsaPrivateKey;
  friend class X509CertificateBuilder;  // TODO(user): Get rid of this.
--- a/common/security_profile_list.h
+++ b/common/security_profile_list.h
@@ -18,6 +18,7 @@

 #include "absl/synchronization/mutex.h"
 #include "common/hash_algorithm.h"
+#include "common/output_protection_util.h"
 #include "common/status.h"
 #include "protos/public/client_identification.pb.h"
 #include "protos/public/device_security_profile_data.pb.h"
@@ -26,6 +27,7 @@
 #include "protos/public/security_profile.pb.h"

 namespace widevine {
+
 using ClientCapabilities = ClientIdentification::ClientCapabilities;

 const char kDefaultProfileOwnerName[] = "Widevine";
@@ -56,13 +58,16 @@ class SecurityProfileList {
      const std::vector<std::string>& profiles_to_check,
      const std::string& owner, const ClientIdentification& client_id,
      const ProvisionedDeviceInfo& device_info,
+      PlatformVerificationStatus device_vmp_status,
      std::vector<std::string>* qualified_profiles) const;

  // Populates |profiles_to_allow| with a list of profiles that meet the
  // requirements for the this device. The number of profiles is returned.
  virtual int GetQualifiedProfiles(
      const ClientIdentification& client_id,
-      const ProvisionedDeviceInfo& device_info, const std::string& owner,
+      const ProvisionedDeviceInfo& device_info,
+      const PlatformVerificationStatus device_vmp_status,
+      const std::string& owner,
      std::vector<std::string>* qualified_profiles) const;

  // Return true if a profile exist matching the specified parameters {|name|,
@@ -121,6 +126,8 @@ class SecurityProfileList {
  void ClearAllProfiles();

 private:
+  friend class SecurityProfileListTest;
+
  // Add Widevine default profiles into profile_list. The number of added
  // default profiles will be returned.
  virtual int AddDefaultProfiles();
@@ -133,7 +140,8 @@ class SecurityProfileList {

  bool DoesProfileQualify(const SecurityProfile& profile,
                          const ClientIdentification& client_id,
-                          const ProvisionedDeviceInfo& device_info) const;
+                          const ProvisionedDeviceInfo& device_info,
+                          PlatformVerificationStatus device_vmp_status) const;

  int64_t GetCurrentTimeSeconds() const;

@@ -149,6 +157,10 @@ class SecurityProfileList {

  void ClearAllDefaultProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
  void ClearAllCustomProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
+
+  // Return true is the client is a Chrome browser.
+  virtual bool IsChromeBrowser(const std::string& device_model) const;
+
  mutable absl::Mutex mutex_;
  // Security profiles
  std::string profile_namespace_;