Export provisioning sdk

Change-Id: I4d47d80444c9507f84896767dc676112ca11e901
2017-01-24 20:06:25 -08:00
parent d2903a4951
commit 8d17e4549a
110 changed files with 10187 additions and 0 deletions
--- a/provisioning_sdk/public/provisioning_engine.h
+++ b/provisioning_sdk/public/provisioning_engine.h
@@ -0,0 +1,153 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_
+#define PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_
+
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "provisioning_sdk/public/certificate_type.h"
+#include "provisioning_sdk/public/provisioning_status.h"
+
+namespace widevine {
+
+class ProvisioningEngineImpl;
+class ProvisioningSession;
+
+// Class which is used to implement a Widevine DRM device provisioning engine.
+// There should be only one instance of ProvisioningEngine. The engine should
+// be "Initialized" before being used. ProvisioningEngine::Initialize is the
+// only method that is not thread-safe. After initializing the engine, it can
+// be safely used in different threads.
+class ProvisioningEngine {
+ public:
+  ProvisioningEngine();
+  ~ProvisioningEngine();
+
+  // Initializes the provisioning engine with required credentials.
+  // * |certificate_type| indicates which type of certificate chains will be
+  //   used for device provisioning via this engine.
+  // * |service_drm_certificate| is a Google-generated certificate used to
+  //   authenticate the service provider for purposes of user privacy.
+  // * |service_private_key| is the encrypted PKCS#8 private RSA key
+  //   corresponding to the service certificate.
+  // * |service_private_key_passphrase| is the password required to decrypt
+  //   |service_private_key|, if any.
+  // * |provisioning_drm_certificate| is a Google-generated certificate used to
+  //   sign intermediate DRM certificates.
+  // * |provisioning_private_key| is the encrypted PKCS#8 private RSA key
+  //   corresponding to the provisioning certificate.
+  // * |provisioning_private_key_passphrase| is the password required to
+  //   decrypt |provisioning_private_key|, if any.
+  // * |secret_spoid_sauce| is a stable secret used as a factor in the
+  //   derivation of Stable Per-Origin IDentifiers.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus Initialize(
+      CertificateType certificate_type,
+      const std::string& service_drm_certificate,
+      const std::string& service_private_key,
+      const std::string& service_private_key_passphrase,
+      const std::string& provisioning_drm_certificate,
+      const std::string& provisioning_private_key,
+      const std::string& provisioning_private_key_passphrase,
+      const std::string& secret_spoid_sauce);
+
+  // Set the certificate status list for this engine.
+  // * |certificate_status_list| is a certificate status list generated by the
+  //   Widevine Provisioning Service.
+  // * |expiration_period| is the number of seconds until the
+  //   |certificate_status_list| expires after its creation time
+  //   (creation_time_seconds). Zero means it will never expire.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus SetCertificateStatusList(
+      const std::string& certificate_status_list,
+      uint32_t expiration_period_seconds);
+
+  // Generate an intermediate DRM certificate.
+  // * |system_id| is the Widevine system ID for the type of device.
+  // * |public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which will
+  //   be embedded in the generated certificate.
+  // * |certificate| will contain the new intermediate certificate, upon
+  //   successful return.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  // NOTE: The generated certificate and associated private key should be stored
+  //       securely to be reused. They should also be propagated to all
+  //       engines, including this one, by invoking
+  //       |AddIntermediatedrmcertificate| on all active ProvisioningEngine(s).
+  ProvisioningStatus GenerateDrmIntermediateCertificate(
+      uint32_t system_id,
+      const std::string& public_key,
+      std::string* certificate) const;
+
+  // Add an intermediate DRM certificate to the provisioning engine. This is
+  // usually done once for each supported device type.
+  // * |intermediate_cert| is the intermediate DRM certificate to be added.
+  // * |cert_private_key| is a PKCS#8 private key corresponding to
+  //   |intermediate_cert|.
+  // * |cert_private_key_passphrase| is the passphrase for cert_private_key,
+  //   if any.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus AddDrmIntermediateCertificate(
+      const std::string& intermediate_cert,
+      const std::string& cert_private_key,
+      const std::string& cert_private_key_passphrase);
+
+  // Create a session to handle a provisioning exchange between a client device
+  // and the provisioning server.
+  // * |device_public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which
+  //   will used to create the DRM certificate to be provisioned onto the
+  //   device.
+  // * |device_private_key| is a DER-encoded PKCS#8 PrivateKeyInfo message
+  //   which contains the private key matching |device_public_key|.
+  // * |new_session| will point, on successful return, to the newly created
+  //   ProvisioningSession.
+  // * Returns OK if successful, or an appropriate error status code otherwise.
+  // The key pairs can be re-used if the created session failed to process the
+  // message.
+  // NOTE: All ProvisioningSession objects must be deleted before the
+  //       ProvisioningEngine which created them.
+  ProvisioningStatus NewProvisioningSession(
+      const std::string& device_public_key,
+      const std::string& device_private_key,
+      std::unique_ptr<ProvisioningSession>* new_session) const;
+
+  // Generate a new device DRM certificate to be provisioned by means other than
+  // the Widevine provisioning protocol.
+  // NOTE: This API should only be used to provision devices which were
+  //       manufactured without Widevine DRM support. It is meant to be used as
+  //       an exception, and not the norm. Most devices should be provisioned
+  //       by means of a ProvisioningSession.
+  // * |system_id| is the Widevine system ID for the type of device being
+  //   provisioned.
+  // * |public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which will
+  //   be embedded in the generated certificate.
+  // * |serial_number| is a binary std::string to be used as the generated DRM
+  //   certificate serial number.
+  // * |certificate| will contain, upon successful return the generated
+  //   certificate.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus GenerateDeviceDrmCertificate(
+      uint32_t system_id,
+      const std::string& public_key,
+      const std::string& serial_number,
+      std::string* certificate) const;
+
+ private:
+#ifndef SWIGPYTHON
+  ProvisioningEngine(const ProvisioningEngine&) = delete;
+  ProvisioningEngine& operator=(const ProvisioningEngine&) = delete;
+#endif
+
+  std::unique_ptr<ProvisioningEngineImpl> impl_;
+};
+
+}  // namespace widevine
+
+#endif  // PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_