////////////////////////////////////////////////////////////////////////////////
// Copyright 2019 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
//   Helper methods for the Root of Trust Id.

#ifndef COMMON_ROT_ID_UTIL_H_
#define COMMON_ROT_ID_UTIL_H_

#include <memory>
#include <vector>

#include <cstdint>
#include "common/ec_key.h"
#include "common/local_ec_key_source.h"

namespace widevine {

// Helper function that generates the unique id hash from the |unique_id| and
// the |salt|. |salt| is an internal secret.
//
// Returns the hash value on success.
// If |salt| or |unique_id| are empty, this will return an empty string.
std::string GenerateUniqueIdHash(const std::string& unique_id,
                                 const std::string& salt);

// Helper function that generates the hash for the ROT id from the
// |unique_id_hash|, the |system_id| and the |salt|. |salt| is typically an
// encrypted unique id. Since we use an ephemeral eliptic curve key as part of
// the encrypted unique id, the value is effectively random can be used as a
// salt.
// Returns the hash value on success.
// If |salt| or |unique_id_hash| are empty, this will return an empty
// string.
std::string GenerateRotIdHash(const std::string& salt, uint32_t system_id,
                              const std::string& unique_id_hash);

// Helper function that compares the |rot_id_hash| to a hash of each of the
// |revoked_ids|. The |revoked_ids| are the unique id hash (aka inner hash)
// values as defined in the spec at go/wv-kb-id. The |encrypted_unique_id| and
// |system_id| are used to compute the hash of each of the |revoked_ids|.
// Returns true if any of the revoked_ids match.
template <typename V>
bool IsRotIdRevoked(const std::string& encrypted_unique_id, uint32_t system_id,
                    const std::string& rot_id_hash, const V& revoked_ids) {
  // This could conceivably happen for legacy DRM certificates without a ROT id.
  // No need to match if there's nothing to match against.
  if (encrypted_unique_id.empty() || rot_id_hash.empty()) {
    return false;
  }

  for (const auto& revoked_id : revoked_ids) {
    if (GenerateRotIdHash(encrypted_unique_id, system_id, revoked_id) ==
        rot_id_hash) {
      return true;
    }
  }
  return false;
}

}  // namespace widevine
#endif  // COMMON_ROT_ID_UTIL_H_