95 lines
3.7 KiB
C++
95 lines
3.7 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
// Copyright 2013 Google LLC.
|
|
//
|
|
// This software is licensed under the terms defined in the Widevine Master
|
|
// License Agreement. For a copy of this agreement, please contact
|
|
// widevine-licensing@google.com.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Description:
|
|
// Functionality used to verifier ChromeOS remote attestation.
|
|
|
|
#ifndef COMMON_REMOTE_ATTESTATION_VERIFIER_H_
|
|
#define COMMON_REMOTE_ATTESTATION_VERIFIER_H_
|
|
|
|
#include <map>
|
|
#include <memory>
|
|
#include <string>
|
|
|
|
#include "absl/base/thread_annotations.h"
|
|
#include "absl/synchronization/mutex.h"
|
|
#include "common/status.h"
|
|
#include "common/x509_cert.h"
|
|
#include "protos/public/client_identification.pb.h"
|
|
#include "protos/public/remote_attestation.pb.h"
|
|
|
|
namespace widevine {
|
|
|
|
// Singleton class used to do remote attestation. Access singleton instance via
|
|
// the get() method.
|
|
// TODO(user): This class is tested as part of the Session unit tests, but
|
|
// finer unit tests should be implemented for the failure cases.
|
|
class RemoteAttestationVerifier {
|
|
public:
|
|
RemoteAttestationVerifier() : enable_test_certificates_(false) {}
|
|
|
|
RemoteAttestationVerifier(const RemoteAttestationVerifier&) = delete;
|
|
RemoteAttestationVerifier& operator=(const RemoteAttestationVerifier&) =
|
|
delete;
|
|
|
|
virtual ~RemoteAttestationVerifier() {}
|
|
|
|
// Singleton accessor.
|
|
static RemoteAttestationVerifier& get();
|
|
|
|
// Call to use the test (non-production) remote attestation root certificate.
|
|
// This method is thread-safe.
|
|
void EnableTestDrmCertificates(bool enable);
|
|
|
|
// Call to verify a RemoteAttestation challenge response, used in licensing
|
|
// protocol.
|
|
// |message| is the challenge message,
|
|
// |remote_attestation| is the remote attestation response to verify,
|
|
// |remote_attestation_cert_sn| is a pointer to a std::string which on successful
|
|
// return will contain the serial number for the client's remote attestation
|
|
// certificate.
|
|
// This method is thread-safe.
|
|
Status VerifyRemoteAttestation(const std::string& message,
|
|
const RemoteAttestation& remote_attestation,
|
|
std::string* remote_attestation_cert_sn);
|
|
|
|
// Call to verify a RemoteAttestation challenge response, used in certificate
|
|
// provisioning protocol.
|
|
// |message| is the challenge message,
|
|
// |remote_attestation| is the remote attestation response to verify,
|
|
// |privacy_key| is used to decrypt the EncryptedClientIdentification within
|
|
// the |remote_attestation| message.
|
|
// This method is thread-safe.
|
|
Status VerifyRemoteAttestation(const std::string& message,
|
|
const RemoteAttestation& remote_attestation,
|
|
const std::string& privacy_key);
|
|
|
|
private:
|
|
// Common subroutine to perform the verification.
|
|
// |message| is the challenge message,
|
|
// |remote_attestation| is the remote attestation response to verify,
|
|
// |client_id| is the decrypted client identification carrying the token,
|
|
// |remote_attestation_cert_sn| is a pointer to a std::string which on successful
|
|
// return will contain the serial number for the client's remote attestation
|
|
// certificate.
|
|
Status VerifyRemoteAttestation(const std::string& message,
|
|
const RemoteAttestation& remote_attestation,
|
|
const ClientIdentification& client_id,
|
|
std::string* remote_attestation_cert_sn);
|
|
|
|
Status LoadCa();
|
|
|
|
bool enable_test_certificates_;
|
|
absl::Mutex ca_mutex_;
|
|
std::unique_ptr<X509CA> ca_ ABSL_GUARDED_BY(ca_mutex_);
|
|
};
|
|
|
|
} // namespace widevine
|
|
|
|
#endif // COMMON_REMOTE_ATTESTATION_VERIFIER_H_
|