NewProvisioningSession expects pkcs8 private key and SHA race fix

-------------
Fix SHA hashing to remove race condition. This change
fixes the implementation by passing in the digest buffer.

-------------
The input to ProvisioningEngine::NewProvisioningSession should be a
PKCS#8 private key instead of a PKCS#1 private key.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=151273394

Change-Id: Ibcdff7757b2ac2878ee8b1b88365083964bfa10a
Kongqun Yang
2017-03-26 15:26:46 -07:00
parent 187d13a5c3
commit 84f66d2320
33 changed files with 620 additions and 310 deletions


@@ -77,10 +77,8 @@ bool VerifyAndExtractCertificate(const RsaPublicKey* public_key,
}
bool GenerateCertificate(DrmDeviceCertificate::CertificateType type,
uint32_t system_id,
const std::string& provider_id,
const std::string& serial_number,
const std::string& public_key,
uint32_t system_id, const std::string& provider_id,
const std::string& serial_number, const std::string& public_key,
const RsaPrivateKey& signing_key,
const SignedDrmDeviceCertificate& signer,
std::string* certificate) {
@@ -145,10 +143,10 @@ ProvisioningEngineImpl::~ProvisioningEngineImpl() {}
ProvisioningStatus ProvisioningEngineImpl::Initialize(
CertificateType certificate_type, const std::string& drm_service_certificate,
const std::string& service_private_key,
const std::string& service_private_key_phassphrase,
const std::string& service_private_key_passphrase,
const std::string& provisioning_drm_certificate,
const std::string& provisioning_private_key,
const std::string& provisioning_private_key_phassphrase,
const std::string& provisioning_private_key_passphrase,
const std::string& secret_spoid_sauce) {
if (!LoadDrmRootPublicKey(certificate_type)) return INVALID_CERTIFICATE_TYPE;
@@ -167,7 +165,7 @@ ProvisioningStatus ProvisioningEngineImpl::Initialize(
rsa_key_factory_->CreateFromPkcs1PublicKey(drm_cert.public_key());
if (!service_public_key_) return INVALID_SERVICE_DRM_CERTIFICATE;
service_private_key_ = rsa_key_factory_->CreateFromPkcs8PrivateKey(
service_private_key, service_private_key_phassphrase);
service_private_key, service_private_key_passphrase);
if (!service_private_key_) return INVALID_SERVICE_PRIVATE_KEY;
if (!service_public_key_->MatchesPrivateKey(*service_private_key_)) {
LOG(WARNING) << "Services public key and private key do not match.";
@@ -189,7 +187,7 @@ ProvisioningStatus ProvisioningEngineImpl::Initialize(
rsa_key_factory_->CreateFromPkcs1PublicKey(drm_cert.public_key());
if (!provisioning_public_key_) return INVALID_PROVISIONER_DRM_CERTIFICATE;
provisioning_private_key_ = rsa_key_factory_->CreateFromPkcs8PrivateKey(
provisioning_private_key, provisioning_private_key_phassphrase);
provisioning_private_key, provisioning_private_key_passphrase);
if (!provisioning_private_key_) return INVALID_PROVISIONER_PRIVATE_KEY;
if (!provisioning_public_key_->MatchesPrivateKey(
*provisioning_private_key_)) {


@@ -72,8 +72,7 @@ class ProvisioningEngineImpl {
// (creation_time_seconds). Zero means it will never expire.
// * Returns OK on success, or an appropriate error status code otherwise.
ProvisioningStatus SetCertificateStatusList(
const std::string& certificate_status_list,
uint32_t expiration_period_seconds);
const std::string& certificate_status_list, uint32_t expiration_period_seconds);
// Generate an intermediate DRM certificate.
// * |system_id| is the Widevine system ID for the type of device.
@@ -129,8 +128,7 @@ class ProvisioningEngineImpl {
const std::string& certificate_serial_number, std::string* certificate) const;
// Get the device info for the given |system_id|.
std::shared_ptr<ProvisionedDeviceInfo> GetDeviceInfo(
uint32_t system_id) const;
std::shared_ptr<ProvisionedDeviceInfo> GetDeviceInfo(uint32_t system_id) const;
// Returns the service private key.
const RsaPrivateKey* service_private_key() const {


@@ -18,11 +18,11 @@
#include "common/sha_util.h"
#include "provisioning_sdk/public/provisioning_status.h"
DEFINE_int32(provisioning_log_every_n, 1,
DEFINE_int32(prov_sdk_log_every_n, 1,
"parameter for LOG_EVERY_N to help abate log spamming.");
#define LOG_EVERY_N_WITH_PROTO(message, proto) \
LOG_EVERY_N(WARNING, FLAGS_provisioning_log_every_n) \
LOG_EVERY_N(WARNING, FLAGS_prov_sdk_log_every_n) \
<< (message) << " [proto: " << (proto).ShortDebugString() << "]"
namespace widevine {
@@ -42,8 +42,10 @@ ProvisioningStatus ProvisioningSessionImpl::Initialize(
auto rsa_public_key =
rsa_key_factory_->CreateFromPkcs1PublicKey(device_public_key);
if (!rsa_public_key) return INVALID_DEVICE_PUBLIC_KEY;
auto rsa_private_key =
rsa_key_factory_->CreateFromPkcs1PrivateKey(device_private_key);
// Use empty std::string to indicate the private key is not encrypted.
const std::string kClearPkcs8PrivateKeyPassphrase;
auto rsa_private_key = rsa_key_factory_->CreateFromPkcs8PrivateKey(
device_private_key, kClearPkcs8PrivateKeyPassphrase);
if (!rsa_private_key) return INVALID_DEVICE_PRIVATE_KEY;
if (!rsa_public_key->MatchesPrivateKey(*rsa_private_key)) {
LOG(WARNING) << "Device public key and private key do not match.";
@@ -141,7 +143,7 @@ bool ProvisioningSessionImpl::ValidateAndDeserializeRequest(
const std::string& message, SignedProvisioningMessage* signed_request,
ProvisioningRequest* request) const {
if (!signed_request->ParseFromString(message)) {
LOG_EVERY_N(WARNING, FLAGS_provisioning_log_every_n)
LOG_EVERY_N(WARNING, FLAGS_prov_sdk_log_every_n)
<< "Failed to parse SignedProvisioningMessage.";
return false;
}
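Review bot: The new CreateFromPkcs8PrivateKey call in ProvisioningSessionImpl::Initialize returns INVALID_DEVICE_PRIVATE_KEY without any diagnostic, while the key-mismatch branch directly below logs a warning; since callers that previously passed a PKCS#1 key (the format accepted before this change) will now fail at exactly this point, replace the bare `if (!rsa_private_key) return INVALID_DEVICE_PRIVATE_KEY;` with `if (!rsa_private_key) { LOG(WARNING) << "Device private key is not a valid unencrypted PKCS#8 key."; return INVALID_DEVICE_PRIVATE_KEY; }` (log the verdict only, never the key bytes). The hard-coded empty passphrase also means the device key can only be supplied in the clear, unlike the service and provisioning keys in ProvisioningEngineImpl::Initialize which take a passphrase argument; if that is intended, the NewProvisioningSession declaration (not on this page) should say that device_private_key must be an unencrypted PKCS#8 key, e.g. `// |device_private_key| must be an unencrypted PKCS#8 private key matching |device_public_key|.` Renaming the flag to prov_sdk_log_every_n silently breaks any deployment that sets --provisioning_log_every_n; if that flag was ever exposed, keep the old name as an alias or note the rename in the description. ProvisioningSessionImpl::Initialize begins before the hunk and continues past it.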


@@ -19,6 +19,7 @@
using ::testing::_;
using ::testing::ByMove;
using ::testing::DoAll;
using ::testing::IsEmpty;
using ::testing::Return;
using ::testing::SaveArg;
using ::testing::SetArgPointee;
@@ -113,7 +114,7 @@ TEST_F(ProvisioningSessionImplTest, InitializeWithInvalidPrivateKey) {
.WillOnce(
Return(ByMove(std::unique_ptr<RsaPublicKey>(new MockRsaPublicKey))));
EXPECT_CALL(*mock_rsa_key_factory_,
CreateFromPkcs1PrivateKey(kDevicePrivateKey))
CreateFromPkcs8PrivateKey(kDevicePrivateKey, IsEmpty()))
.WillOnce(Return(ByMove(nullptr)));
EXPECT_EQ(
INVALID_DEVICE_PRIVATE_KEY,
@@ -127,7 +128,7 @@ TEST_F(ProvisioningSessionImplTest, InitializeWithMismatchPublicPrivateKey) {
.WillOnce(
Return(ByMove(std::unique_ptr<RsaPublicKey>(mock_rsa_public_key))));
EXPECT_CALL(*mock_rsa_key_factory_,
CreateFromPkcs1PrivateKey(kDevicePrivateKey))
CreateFromPkcs8PrivateKey(kDevicePrivateKey, IsEmpty()))
.WillOnce(Return(
ByMove(std::unique_ptr<RsaPrivateKey>(new MockRsaPrivateKey))));
EXPECT_CALL(*mock_rsa_public_key, MatchesPrivateKey(_))
@@ -146,7 +147,7 @@ class ProvisioningSessionImplProcessTest : public ProvisioningSessionImplTest {
.WillOnce(
Return(ByMove(std::unique_ptr<RsaPublicKey>(mock_rsa_public_key))));
EXPECT_CALL(*mock_rsa_key_factory_,
CreateFromPkcs1PrivateKey(kDevicePrivateKey))
CreateFromPkcs8PrivateKey(kDevicePrivateKey, IsEmpty()))
.WillOnce(Return(
ByMove(std::unique_ptr<RsaPrivateKey>(new MockRsaPrivateKey))));
EXPECT_CALL(*mock_rsa_public_key, MatchesPrivateKey(_))