Update to support OEMCrypto v16 with ODK
This commit is contained in:
KongQun Yang
@@ -13,10 +13,16 @@
|
||||
|
||||
#include <memory>
|
||||
|
||||
#include "glog/logging.h"
|
||||
#include "google/protobuf/util/message_differencer.h"
|
||||
#include "testing/gmock.h"
|
||||
#include "testing/gunit.h"
|
||||
#include "absl/memory/memory.h"
|
||||
#include "common/ec_key.h"
|
||||
#include "common/ec_test_keys.h"
|
||||
#include "common/error_space.h"
|
||||
#include "common/hash_algorithm.h"
|
||||
#include "common/hash_algorithm_util.h"
|
||||
#include "common/rsa_key.h"
|
||||
#include "common/rsa_test_keys.h"
|
||||
#include "common/test_drm_certificates.h"
|
||||
@@ -25,6 +31,7 @@
|
||||
#include "protos/public/signed_drm_certificate.pb.h"
|
||||
|
||||
using google::protobuf::util::MessageDifferencer;
|
||||
using ::testing::Values;
|
||||
|
||||
namespace widevine {
|
||||
|
||||
@@ -80,76 +87,222 @@ TEST(DrmRootCertificateTestCertificatesTest, Success) {
|
||||
->VerifyCertificate(test_certs.test_user_device_certificate(),
|
||||
nullptr, nullptr)
|
||||
.ok());
|
||||
EXPECT_TRUE(root_cert
|
||||
->VerifyCertificate(test_certs.test_service_certificate(),
|
||||
nullptr, nullptr)
|
||||
.ok());
|
||||
EXPECT_TRUE(
|
||||
root_cert
|
||||
->VerifyCertificate(test_certs.test_service_certificate_no_type(),
|
||||
nullptr, nullptr)
|
||||
.ok());
|
||||
}
|
||||
|
||||
class DrmRootCertificateTest : public testing::Test {
|
||||
TEST(DrmRootCertificateTestCertificatesTest, NonWidevineRootSigner) {
|
||||
// TODO(b/138929855): Add test to verify certificate chain is signed by
|
||||
// Widevine.
|
||||
}
|
||||
|
||||
class SignerPrivateKey {
|
||||
public:
|
||||
virtual ~SignerPrivateKey() {}
|
||||
virtual bool GenerateSignature(const std::string& message,
|
||||
HashAlgorithm hash_algorithm,
|
||||
std::string* signature) const = 0;
|
||||
virtual DrmCertificate::Algorithm algorithm() const = 0;
|
||||
static std::unique_ptr<SignerPrivateKey> Create(
|
||||
const std::string& private_key,
|
||||
widevine::DrmCertificate::Algorithm algorithm);
|
||||
|
||||
protected:
|
||||
DrmRootCertificateTest() {
|
||||
private_keys_.emplace_back(
|
||||
RsaPrivateKey::Create(test_keys_.private_test_key_1_3072_bits()));
|
||||
private_keys_.emplace_back(
|
||||
RsaPrivateKey::Create(test_keys_.private_test_key_2_2048_bits()));
|
||||
private_keys_.emplace_back(
|
||||
RsaPrivateKey::Create(test_keys_.private_test_key_3_2048_bits()));
|
||||
SignerPrivateKey() {}
|
||||
};
|
||||
|
||||
template <typename T>
|
||||
class SignerPrivateKeyImpl : public SignerPrivateKey {
|
||||
public:
|
||||
SignerPrivateKeyImpl(std::unique_ptr<T> private_key,
|
||||
DrmCertificate::Algorithm algorithm)
|
||||
: private_key_(std::move(private_key)), algorithm_(algorithm) {}
|
||||
~SignerPrivateKeyImpl() override {}
|
||||
bool GenerateSignature(const std::string& message,
|
||||
HashAlgorithm hash_algorithm,
|
||||
std::string* signature) const override {
|
||||
return private_key_->GenerateSignature(message, hash_algorithm, signature);
|
||||
}
|
||||
DrmCertificate::Algorithm algorithm() const override { return algorithm_; }
|
||||
|
||||
private:
|
||||
std::unique_ptr<T> private_key_;
|
||||
DrmCertificate::Algorithm algorithm_;
|
||||
};
|
||||
|
||||
std::unique_ptr<SignerPrivateKey> SignerPrivateKey::Create(
|
||||
const std::string& private_key,
|
||||
widevine::DrmCertificate::Algorithm algorithm) {
|
||||
DCHECK(algorithm != DrmCertificate::UNKNOWN_ALGORITHM);
|
||||
switch (algorithm) {
|
||||
case DrmCertificate::RSA: {
|
||||
auto rsa_key =
|
||||
std::unique_ptr<RsaPrivateKey>(RsaPrivateKey::Create(private_key));
|
||||
CHECK(rsa_key);
|
||||
std::unique_ptr<SignerPrivateKey> new_rsa_signer_private_key =
|
||||
absl::make_unique<SignerPrivateKeyImpl<RsaPrivateKey>>(
|
||||
std::move(rsa_key), algorithm);
|
||||
CHECK(new_rsa_signer_private_key);
|
||||
return new_rsa_signer_private_key;
|
||||
}
|
||||
case DrmCertificate::ECC_SECP256R1:
|
||||
case DrmCertificate::ECC_SECP384R1:
|
||||
case DrmCertificate::ECC_SECP521R1: {
|
||||
auto ec_key = ECPrivateKey::Create(private_key);
|
||||
CHECK(ec_key);
|
||||
std::unique_ptr<SignerPrivateKey> new_ec_signer_private_key =
|
||||
absl::make_unique<SignerPrivateKeyImpl<ECPrivateKey>>(
|
||||
std::move(ec_key), algorithm);
|
||||
CHECK(new_ec_signer_private_key);
|
||||
return new_ec_signer_private_key;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
static const int kDrmRootKey = 0;
|
||||
static const int kInterMediateKey = 1;
|
||||
static const int kClientKey = 2;
|
||||
|
||||
class DrmRootCertificateTest : public testing::TestWithParam<const char*> {
|
||||
protected:
|
||||
DrmRootCertificateTest() {}
|
||||
|
||||
void SetUp() override {
|
||||
drm_certificates_[0].set_serial_number("level 0");
|
||||
drm_certificates_[0].set_creation_time_seconds(0);
|
||||
drm_certificates_[0].set_public_key(
|
||||
test_keys_.public_test_key_1_3072_bits());
|
||||
drm_certificates_[1].set_serial_number("level 1");
|
||||
drm_certificates_[1].set_creation_time_seconds(1);
|
||||
drm_certificates_[1].set_public_key(
|
||||
test_keys_.public_test_key_2_2048_bits());
|
||||
drm_certificates_[2].set_serial_number("level 2");
|
||||
drm_certificates_[2].set_creation_time_seconds(2);
|
||||
drm_certificates_[2].set_public_key(
|
||||
test_keys_.public_test_key_3_2048_bits());
|
||||
bool algorithm_status = false;
|
||||
std::string algorithm(GetParam());
|
||||
if (algorithm == "RSA") {
|
||||
RsaTestSetup();
|
||||
algorithm_status = true;
|
||||
}
|
||||
if (algorithm == "ECC") {
|
||||
EcTestSetup();
|
||||
algorithm_status = true;
|
||||
}
|
||||
|
||||
CHECK(algorithm_status);
|
||||
|
||||
ASSERT_EQ(OkStatus(), DrmRootCertificate::CreateByType(
|
||||
kCertificateTypeTesting, &root_cert_));
|
||||
}
|
||||
|
||||
void GenerateSignedDrmCertificate() {
|
||||
SignedDrmCertificate* current_sc(&signed_drm_certificate_);
|
||||
ASSERT_TRUE(drm_certificates_[2].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[1]->GenerateSignature(
|
||||
current_sc->drm_certificate(), current_sc->mutable_signature()));
|
||||
void RsaTestSetup() {
|
||||
private_keys_.resize(3);
|
||||
private_keys_[kDrmRootKey] =
|
||||
SignerPrivateKey::Create(rsa_test_keys_.private_test_key_1_3072_bits(),
|
||||
widevine::DrmCertificate::RSA);
|
||||
drm_certificates_[kDrmRootKey].set_serial_number("level 0");
|
||||
drm_certificates_[kDrmRootKey].set_creation_time_seconds(0);
|
||||
drm_certificates_[kDrmRootKey].set_public_key(
|
||||
rsa_test_keys_.public_test_key_1_3072_bits());
|
||||
|
||||
current_sc = current_sc->mutable_signer();
|
||||
ASSERT_TRUE(drm_certificates_[1].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[0]->GenerateSignature(
|
||||
current_sc->drm_certificate(), current_sc->mutable_signature()));
|
||||
private_keys_[kInterMediateKey] =
|
||||
SignerPrivateKey::Create(rsa_test_keys_.private_test_key_2_2048_bits(),
|
||||
widevine::DrmCertificate::RSA);
|
||||
drm_certificates_[kInterMediateKey].set_serial_number("level 1");
|
||||
drm_certificates_[kInterMediateKey].set_creation_time_seconds(1);
|
||||
drm_certificates_[kInterMediateKey].set_public_key(
|
||||
rsa_test_keys_.public_test_key_2_2048_bits());
|
||||
|
||||
current_sc = current_sc->mutable_signer();
|
||||
ASSERT_TRUE(drm_certificates_[0].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[0]->GenerateSignature(
|
||||
current_sc->drm_certificate(), current_sc->mutable_signature()));
|
||||
private_keys_[kClientKey] =
|
||||
SignerPrivateKey::Create(rsa_test_keys_.private_test_key_1_3072_bits(),
|
||||
widevine::DrmCertificate::RSA);
|
||||
drm_certificates_[kClientKey].set_serial_number("level 2");
|
||||
drm_certificates_[kClientKey].set_creation_time_seconds(2);
|
||||
drm_certificates_[kClientKey].set_public_key(
|
||||
rsa_test_keys_.public_test_key_3_2048_bits());
|
||||
}
|
||||
|
||||
RsaTestKeys test_keys_;
|
||||
std::vector<std::unique_ptr<RsaPrivateKey>> private_keys_;
|
||||
void EcTestSetup() {
|
||||
private_keys_.resize(3);
|
||||
private_keys_[kDrmRootKey] =
|
||||
SignerPrivateKey::Create(rsa_test_keys_.private_test_key_1_3072_bits(),
|
||||
widevine::DrmCertificate::RSA);
|
||||
drm_certificates_[kDrmRootKey].set_serial_number("level 0");
|
||||
drm_certificates_[kDrmRootKey].set_creation_time_seconds(0);
|
||||
drm_certificates_[kDrmRootKey].set_public_key(
|
||||
rsa_test_keys_.public_test_key_1_3072_bits());
|
||||
|
||||
private_keys_[kInterMediateKey] =
|
||||
SignerPrivateKey::Create(ec_test_keys_.private_test_key_1_secp521r1(),
|
||||
DrmCertificate::ECC_SECP521R1);
|
||||
drm_certificates_[kInterMediateKey].set_serial_number("level 1");
|
||||
drm_certificates_[kInterMediateKey].set_creation_time_seconds(1);
|
||||
drm_certificates_[kInterMediateKey].set_public_key(
|
||||
ec_test_keys_.public_test_key_1_secp521r1());
|
||||
drm_certificates_[kInterMediateKey].set_algorithm(
|
||||
DrmCertificate::ECC_SECP521R1);
|
||||
|
||||
private_keys_[kClientKey] =
|
||||
SignerPrivateKey::Create(ec_test_keys_.private_test_key_1_secp256r1(),
|
||||
DrmCertificate::ECC_SECP256R1);
|
||||
drm_certificates_[kClientKey].set_serial_number("level 2");
|
||||
drm_certificates_[kClientKey].set_creation_time_seconds(2);
|
||||
drm_certificates_[kClientKey].set_public_key(
|
||||
ec_test_keys_.public_test_key_1_secp256r1());
|
||||
drm_certificates_[kClientKey].set_algorithm(DrmCertificate::ECC_SECP256R1);
|
||||
|
||||
// Client certificate.
|
||||
|
||||
// Intermediate certificate.
|
||||
}
|
||||
|
||||
void GenerateSignedDrmCertificate() {
|
||||
SignedDrmCertificate* current_sc(&signed_drm_certificate_);
|
||||
drm_certificates_[kClientKey].set_algorithm(
|
||||
private_keys_[kClientKey]->algorithm());
|
||||
ASSERT_TRUE(drm_certificates_[kClientKey].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[kInterMediateKey]->GenerateSignature(
|
||||
current_sc->drm_certificate(),
|
||||
HashAlgorithmProtoToEnum(current_sc->hash_algorithm()),
|
||||
current_sc->mutable_signature()));
|
||||
|
||||
current_sc = current_sc->mutable_signer();
|
||||
drm_certificates_[kInterMediateKey].set_algorithm(
|
||||
private_keys_[kInterMediateKey]->algorithm());
|
||||
ASSERT_TRUE(drm_certificates_[kInterMediateKey].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[kDrmRootKey]->GenerateSignature(
|
||||
current_sc->drm_certificate(),
|
||||
HashAlgorithmProtoToEnum(current_sc->hash_algorithm()),
|
||||
current_sc->mutable_signature()));
|
||||
|
||||
current_sc = current_sc->mutable_signer();
|
||||
drm_certificates_[kDrmRootKey].set_algorithm(
|
||||
private_keys_[kDrmRootKey]->algorithm());
|
||||
ASSERT_TRUE(drm_certificates_[kDrmRootKey].SerializeToString(
|
||||
current_sc->mutable_drm_certificate()));
|
||||
ASSERT_TRUE(private_keys_[kDrmRootKey]->GenerateSignature(
|
||||
current_sc->drm_certificate(),
|
||||
HashAlgorithmProtoToEnum(current_sc->hash_algorithm()),
|
||||
current_sc->mutable_signature()));
|
||||
}
|
||||
|
||||
RsaTestKeys rsa_test_keys_;
|
||||
ECTestKeys ec_test_keys_;
|
||||
std::vector<std::unique_ptr<SignerPrivateKey>> private_keys_;
|
||||
SignedDrmCertificate signed_drm_certificate_;
|
||||
DrmCertificate drm_certificates_[3];
|
||||
std::unique_ptr<DrmRootCertificate> root_cert_;
|
||||
};
|
||||
|
||||
TEST_F(DrmRootCertificateTest, SuccessNoOutput) {
|
||||
INSTANTIATE_TEST_SUITE_P(SuccessNoOutput, DrmRootCertificateTest,
|
||||
Values("RSA", "ECC"));
|
||||
|
||||
TEST_P(DrmRootCertificateTest, SuccessNoOutput) {
|
||||
GenerateSignedDrmCertificate();
|
||||
ASSERT_EQ(OkStatus(),
|
||||
root_cert_->VerifyCertificate(
|
||||
signed_drm_certificate_.SerializeAsString(), nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, SuccessWithOutput) {
|
||||
TEST_P(DrmRootCertificateTest, SuccessWithOutput) {
|
||||
GenerateSignedDrmCertificate();
|
||||
SignedDrmCertificate out_signed_cert;
|
||||
DrmCertificate out_cert;
|
||||
@@ -161,13 +314,13 @@ TEST_F(DrmRootCertificateTest, SuccessWithOutput) {
|
||||
EXPECT_TRUE(MessageDifferencer::Equals(out_cert, drm_certificates_[2]));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidSignedDrmCertificate) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidSignedDrmCertificate) {
|
||||
EXPECT_EQ(Status(error_space, INVALID_DRM_CERTIFICATE,
|
||||
"invalid-signed-drm-certificate"),
|
||||
root_cert_->VerifyCertificate("pure garbage", nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidSignerCertificate) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidSignerCertificate) {
|
||||
GenerateSignedDrmCertificate();
|
||||
signed_drm_certificate_.mutable_signer()->set_drm_certificate("more garbage");
|
||||
EXPECT_EQ(Status(error_space, INVALID_DRM_CERTIFICATE,
|
||||
@@ -176,7 +329,7 @@ TEST_F(DrmRootCertificateTest, InvalidSignerCertificate) {
|
||||
signed_drm_certificate_.SerializeAsString(), nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, MissingDrmCertificate) {
|
||||
TEST_P(DrmRootCertificateTest, MissingDrmCertificate) {
|
||||
GenerateSignedDrmCertificate();
|
||||
signed_drm_certificate_.clear_drm_certificate();
|
||||
EXPECT_EQ(
|
||||
@@ -185,7 +338,7 @@ TEST_F(DrmRootCertificateTest, MissingDrmCertificate) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidDrmCertificate) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidDrmCertificate) {
|
||||
GenerateSignedDrmCertificate();
|
||||
signed_drm_certificate_.set_drm_certificate("junk");
|
||||
EXPECT_EQ(
|
||||
@@ -194,7 +347,7 @@ TEST_F(DrmRootCertificateTest, InvalidDrmCertificate) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidPublicKey) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidPublicKey) {
|
||||
drm_certificates_[0].set_public_key("rubbish");
|
||||
GenerateSignedDrmCertificate();
|
||||
EXPECT_EQ(
|
||||
@@ -203,7 +356,7 @@ TEST_F(DrmRootCertificateTest, InvalidPublicKey) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, MissingPublicKey) {
|
||||
TEST_P(DrmRootCertificateTest, MissingPublicKey) {
|
||||
drm_certificates_[2].clear_public_key();
|
||||
GenerateSignedDrmCertificate();
|
||||
EXPECT_EQ(Status(error_space, INVALID_DRM_CERTIFICATE, "missing-public-key"),
|
||||
@@ -211,7 +364,7 @@ TEST_F(DrmRootCertificateTest, MissingPublicKey) {
|
||||
signed_drm_certificate_.SerializeAsString(), nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, MissingCreationTime) {
|
||||
TEST_P(DrmRootCertificateTest, MissingCreationTime) {
|
||||
drm_certificates_[2].clear_creation_time_seconds();
|
||||
GenerateSignedDrmCertificate();
|
||||
EXPECT_EQ(
|
||||
@@ -220,7 +373,7 @@ TEST_F(DrmRootCertificateTest, MissingCreationTime) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, MissingSerialNumber) {
|
||||
TEST_P(DrmRootCertificateTest, MissingSerialNumber) {
|
||||
drm_certificates_[2].set_serial_number("");
|
||||
GenerateSignedDrmCertificate();
|
||||
EXPECT_EQ(
|
||||
@@ -229,7 +382,7 @@ TEST_F(DrmRootCertificateTest, MissingSerialNumber) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidSignatureWithNoCache) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidSignatureWithNoCache) {
|
||||
GenerateSignedDrmCertificate();
|
||||
signed_drm_certificate_.mutable_signer()->set_signature(
|
||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
|
||||
@@ -239,7 +392,7 @@ TEST_F(DrmRootCertificateTest, InvalidSignatureWithNoCache) {
|
||||
nullptr, nullptr));
|
||||
}
|
||||
|
||||
TEST_F(DrmRootCertificateTest, InvalidSignatureWithCache) {
|
||||
TEST_P(DrmRootCertificateTest, InvalidSignatureWithCache) {
|
||||
GenerateSignedDrmCertificate();
|
||||
// Verify and cache.
|
||||
ASSERT_EQ(OkStatus(),
|
||||
|
||||
Reference in New Issue
Block a user