////////////////////////////////////////////////////////////////////////////////
// Copyright 2013 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
//   Service certificate holder used to decrypt encrypted client credentials.

#ifndef COMMON_DRM_SERVICE_CERTIFICATE_H_
#define COMMON_DRM_SERVICE_CERTIFICATE_H_

#include <map>
#include <memory>
#include <string>

#include <cstdint>
#include "base/macros.h"
#include "common/certificate_type.h"
#include "common/rsa_key.h"
#include "common/status.h"

namespace widevine {
class RequestInspectorTest;
}  // namespace widevine

namespace widevine {

class ClientIdentification;
class DrmRootCertificate;
class EncryptedClientIdentification;

// TODO(user): Add a DrmCertificateList class to provide the static method
// functionality.
class DrmServiceCertificate {
 public:
  // Create a new DrmServiceCertificate object and add it to the list of valid
  // service certificates. |drm_root_cert| is the root certificate for the type
  // of certifiate being added. |service_certificate| is a
  // Google-generated certificate used to authenticate the service provider for
  // purposes of device privacy, |service_private_key| is the encrypted PKCS#8
  // private RSA key corresponding to the service certificate,
  // |service_private_key_passphrase| is the password required to decrypt
  // |service_private_key|.
  // Returns status::OK if successful, or appropriate error code otherwise.
  // If the default service certificate is not set, this certificate will be
  // used as the default service certificate.
  // This method is thread-safe.
  static Status AddDrmServiceCertificate(
      const DrmRootCertificate* root_drm_cert,
      const std::string& service_certificate, const std::string& service_private_key,
      const std::string& service_private_key_passphrase);

  // Same as AddDrmServiceCertificate(), but will clear the default service
  // certificate if it's set.  This will result in this service certificate
  // being set as the default service certificate.
  static Status SetDefaultDrmServiceCertificate(
      const DrmRootCertificate* root_drm_cert,
      const std::string& service_certificate, const std::string& service_private_key,
      const std::string& service_private_key_passphrase);

  // Returns the default service certificate. Will return null if no default
  // Service Certificate is set. This method is thread-safe.
  static const DrmServiceCertificate* GetDefaultDrmServiceCertificate();

  // Returns the default service certificate. Will abort if no default Service
  // Certificate is set. This method is thread-safe.
  static const DrmServiceCertificate* GetDefaultDrmServiceCertificateOrDie();

  // Returns the service certificate with the given serial number if found, or
  // null otherwise.
  static const DrmServiceCertificate* GetDrmServiceCertificate(
      const std::string& cert_serial_number);

  // Decrypts the EncryptedClientIdentification message passed in
  // |encrypted_client_id| into |client_id| using the private key for the
  // certificate which was used to encrypt the information. |client_id| must
  // not be NULL. Returns status::OK if successful, or an appropriate error
  // otherwise. This method is thread-safe.
  static Status DecryptClientIdentification(
      const EncryptedClientIdentification& encrypted_client_id,
      ClientIdentification* client_id);

  const std::string& certificate() const { return certificate_; }
  const std::string& provider_id() const { return provider_id_; }
  const std::string& serial_number() const { return serial_number_; }
  const RsaPrivateKey* const private_key() const { return private_key_.get(); }
  const RsaPublicKey* const public_key() const { return public_key_.get(); }

  // Returns the validation result of drm service certificate. Returns
  // status::OK if successful, or  in case of error, contact
  // widevine-tam@google.com to get the next valid service certificate renewed
  // via get deviceCertificate StatusList.
  static Status ValidateDrmServiceCertificate();

 private:
  friend class DrmServiceCertificateTest;
  friend class widevine::RequestInspectorTest;

  static Status AddDrmServiceCertificate(
      const std::string& root_public_key, const std::string& service_certificate,
      const std::string& service_private_key,
      const std::string& service_private_key_passphrase);

  static Status SetDefaultDrmServiceCertificate(
      const std::string& root_public_key, const std::string& service_certificate,
      const std::string& service_private_key,
      const std::string& service_private_key_passphrase);

  DrmServiceCertificate(const std::string& service_certificate,
                        const std::string& provider_id, const std::string& serial_number,
                        const uint32_t creation_time_seconds,
                        std::unique_ptr<RsaPublicKey> public_key,
                        std::unique_ptr<RsaPrivateKey> private_key);

  static void ResetServiceCertificates();

  std::string certificate_;
  std::string provider_id_;
  std::string serial_number_;
  uint32_t creation_time_seconds_;
  std::unique_ptr<RsaPublicKey> public_key_;
  std::unique_ptr<RsaPrivateKey> private_key_;

  DISALLOW_IMPLICIT_CONSTRUCTORS(DrmServiceCertificate);
};

}  // namespace widevine

#endif  // COMMON_DRM_SERVICE_CERTIFICATE_H_