112 lines
4.3 KiB
C++
112 lines
4.3 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
// Copyright 2013 Google LLC.
|
|
//
|
|
// This software is licensed under the terms defined in the Widevine Master
|
|
// License Agreement. For a copy of this agreement, please contact
|
|
// widevine-licensing@google.com.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Description:
|
|
// Root device certificate holder class which deserializes, validates,
|
|
// and extracts the root certificate public key.
|
|
|
|
#ifndef COMMON_DRM_ROOT_CERTIFICATE_H_
|
|
#define COMMON_DRM_ROOT_CERTIFICATE_H_
|
|
|
|
// common_typos_disable. Successful / successfull.
|
|
|
|
#include <memory>
|
|
#include <string>
|
|
|
|
#include "common/certificate_type.h"
|
|
#include "common/signer_public_key.h"
|
|
#include "common/status.h"
|
|
#include "protos/public/drm_certificate.pb.h"
|
|
|
|
namespace widevine {
|
|
|
|
class DrmCertificate;
|
|
class RsaKeyFactory;
|
|
class RsaPublicKey;
|
|
class SignedDrmCertificate;
|
|
class VerifiedCertSignatureCache;
|
|
|
|
// Root certificate and certificate chain verifier with internal caching.
|
|
// This object is thread-safe.
|
|
class DrmRootCertificate {
|
|
public:
|
|
DrmRootCertificate(const DrmRootCertificate&) = delete;
|
|
DrmRootCertificate& operator=(const DrmRootCertificate&) = delete;
|
|
|
|
virtual ~DrmRootCertificate();
|
|
|
|
// Creates a DrmRootCertificate object given a certificate type.
|
|
// |cert| may not be nullptr, and it points to a
|
|
// std::unique_ptr<DrmRootCertificate> which will be used to return a newly
|
|
// created const DrmRootCertificate* if successful. The caller assumes
|
|
// ownership of the new DrmRootCertificate. This method returns
|
|
// Status::OK on success, or appropriate error status otherwise.
|
|
static Status CreateByType(CertificateType cert_type,
|
|
std::unique_ptr<DrmRootCertificate>* cert);
|
|
|
|
// Variant on the method above to make CLIF happy until b/110539622 is fixed.
|
|
static std::unique_ptr<DrmRootCertificate> CreateByType(
|
|
CertificateType cert_type, Status* status);
|
|
|
|
// Creates a DrmRootCertificate object given a certificate type std::string, which
|
|
// must be one of "prod", "qa", or "test".
|
|
// |cert| may not be nullptr, and it points to a
|
|
// std::unique_ptr<DrmRootCertificate> which will be used to return a newly
|
|
// created const DrmRootCertificate* if successful. The caller assumes
|
|
// ownership of the new DrmRootCertificate. This method returns
|
|
// Status::OK on success, or appropriate error status otherwise.
|
|
static Status CreateByTypeString(const std::string& cert_type_string,
|
|
std::unique_ptr<DrmRootCertificate>* cert);
|
|
|
|
// |certificate| will contgain the DRM certificate upon successful return.
|
|
// May be null.
|
|
// Returns Status::OK if successful, or an appropriate error code otherwise.
|
|
virtual Status VerifyCertificate(const std::string& serialized_certificate,
|
|
SignedDrmCertificate* signed_certificate,
|
|
DrmCertificate* certificate) const;
|
|
|
|
// Returns the hex-encoded SHA-256 digest for this certificate.
|
|
virtual std::string GetDigest() const;
|
|
|
|
const CertificateType type() const { return type_; }
|
|
|
|
virtual const std::string& public_key() const {
|
|
return root_cert_.public_key();
|
|
}
|
|
|
|
protected:
|
|
DrmRootCertificate(CertificateType cert_type,
|
|
const std::string& serialized_certificate,
|
|
const std::string& serial_number,
|
|
const std::string& public_key,
|
|
std::unique_ptr<RsaKeyFactory> key_factory);
|
|
|
|
private:
|
|
friend class DrmRootCertificateTest;
|
|
|
|
static Status Create(CertificateType cert_type,
|
|
std::unique_ptr<RsaKeyFactory> key_factory,
|
|
std::unique_ptr<DrmRootCertificate>* cert);
|
|
|
|
Status VerifySignatures(const SignedDrmCertificate& signed_cert,
|
|
const std::string& cert_serial_number, bool use_cache,
|
|
uint32_t* certs_in_chain) const;
|
|
|
|
CertificateType type_;
|
|
std::string serialized_certificate_;
|
|
DrmCertificate root_cert_;
|
|
// TODO(b/143309971): Either add an ec key_factory object, or drop the rsa
|
|
// |key_factory_|.
|
|
std::unique_ptr<RsaKeyFactory> key_factory_;
|
|
mutable std::unique_ptr<VerifiedCertSignatureCache> signature_cache_;
|
|
};
|
|
|
|
} // namespace widevine
|
|
|
|
#endif // COMMON_DRM_ROOT_CERTIFICATE_H_
|