162 lines
6.8 KiB
C++
162 lines
6.8 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
// Copyright 2013 Google LLC.
|
|
//
|
|
// This software is licensed under the terms defined in the Widevine Master
|
|
// License Agreement. For a copy of this agreement, please contact
|
|
// widevine-licensing@google.com.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Description:
|
|
// Service certificate holder used to decrypt encrypted client credentials.
|
|
|
|
#ifndef COMMON_DRM_SERVICE_CERTIFICATE_H_
|
|
#define COMMON_DRM_SERVICE_CERTIFICATE_H_
|
|
|
|
#include <map>
|
|
#include <memory>
|
|
#include <string>
|
|
|
|
#include <cstdint>
|
|
#include "common/certificate_type.h"
|
|
#include "common/rsa_key.h"
|
|
#include "common/status.h"
|
|
#include "protos/public/external_license.pb.h"
|
|
|
|
namespace widevine {
|
|
class RequestInspectorTest;
|
|
} // namespace widevine
|
|
|
|
namespace widevine {
|
|
|
|
class ClientIdentification;
|
|
class DrmRootCertificate;
|
|
class EncryptedClientIdentification;
|
|
|
|
// TODO(user): Add a DrmCertificateList class to provide the static method
|
|
// functionality.
|
|
class DrmServiceCertificate {
|
|
public:
|
|
DrmServiceCertificate(const DrmServiceCertificate&) = delete;
|
|
DrmServiceCertificate& operator=(const DrmServiceCertificate&) = delete;
|
|
|
|
// Create a new DrmServiceCertificate object and add it to the list of valid
|
|
// service certificates. |drm_root_cert| is the root certificate for the type
|
|
// of certifiate being added. |service_certificate| is a
|
|
// Google-generated certificate used to authenticate the service provider for
|
|
// purposes of device privacy, |service_private_key| is the encrypted PKCS#8
|
|
// private RSA key corresponding to the service certificate,
|
|
// |service_private_key_passphrase| is the password required to decrypt
|
|
// |service_private_key|.
|
|
// Returns status::OK if successful, or appropriate error code otherwise.
|
|
// If the default service certificate is not set, this certificate will be
|
|
// used as the default service certificate.
|
|
// This method is thread-safe.
|
|
static Status AddDrmServiceCertificate(
|
|
const DrmRootCertificate* root_drm_cert,
|
|
const std::string& service_certificate,
|
|
const std::string& service_private_key,
|
|
const std::string& service_private_key_passphrase);
|
|
|
|
// Same as AddDrmServiceCertificate(), but will clear the default service
|
|
// certificate if it's set. This will result in this service certificate
|
|
// being set as the default service certificate.
|
|
static Status SetDefaultDrmServiceCertificate(
|
|
const DrmRootCertificate* root_drm_cert,
|
|
const std::string& service_certificate,
|
|
const std::string& service_private_key,
|
|
const std::string& service_private_key_passphrase);
|
|
|
|
// Returns the default service certificate. Will return null if no default
|
|
// Service Certificate is set. This method is thread-safe.
|
|
static const DrmServiceCertificate* GetDefaultDrmServiceCertificate();
|
|
|
|
// Returns the default service certificate. Will abort if no default Service
|
|
// Certificate is set. This method is thread-safe.
|
|
static const DrmServiceCertificate* GetDefaultDrmServiceCertificateOrDie();
|
|
|
|
// Returns the service certificate with the given |cert_serial_number|, or
|
|
// null otherwise.
|
|
static const DrmServiceCertificate* GetDrmServiceCertificateBySerialNumber(
|
|
const std::string& cert_serial_number);
|
|
|
|
// Returns the service certificate with the given |provider_id|, or
|
|
// null otherwise. If multple certificates exist for the provider, the
|
|
// newest certificate is returned.
|
|
static const DrmServiceCertificate* GetDrmServiceCertificateByProvider(
|
|
const std::string& provider_id);
|
|
|
|
// Decrypts the EncryptedClientIdentification message passed in
|
|
// |encrypted_client_id| into |client_id| using the private key for the
|
|
// certificate which was used to encrypt the information. |client_id| must
|
|
// not be NULL. Returns status::OK if successful, or an appropriate error
|
|
// otherwise. This method is thread-safe.
|
|
static Status DecryptClientIdentification(
|
|
const EncryptedClientIdentification& encrypted_client_id,
|
|
ClientIdentification* client_id);
|
|
|
|
const std::string& certificate() const { return certificate_; }
|
|
const std::string& provider_id() const { return provider_id_; }
|
|
const std::string& serial_number() const { return serial_number_; }
|
|
uint32_t creation_time_seconds() const { return creation_time_seconds_; }
|
|
const RsaPrivateKey* const private_key() const { return private_key_.get(); }
|
|
const RsaPublicKey* const public_key() const { return public_key_.get(); }
|
|
|
|
// Returns the validation result of drm service certificate. Returns
|
|
// status::OK if successful, or in case of error, contact
|
|
// widevine-tam@google.com to get the next valid service certificate renewed
|
|
// via get deviceCertificate StatusList.
|
|
static Status ValidateDrmServiceCertificate();
|
|
|
|
// Decrypts the EncryptedLicenseRequest message passed in
|
|
// |encrypted_license_request|. If successful, the decrypted license request
|
|
// is placed into |license_challenge|. The decryption is performed using the
|
|
// private key for the certificate which was used to encrypt the information.
|
|
// |license_challenge| must not be NULL. Returns status::OK if successful,
|
|
// or an appropriate error otherwise. This method is thread-safe.
|
|
static Status DecryptLicenseChallenge(
|
|
const EncryptedLicenseRequest& encrypted_license_request,
|
|
std::string* license_challenge);
|
|
|
|
private:
|
|
friend class DrmServiceCertificateTest;
|
|
friend class widevine::RequestInspectorTest;
|
|
|
|
static Status AddDrmServiceCertificate(
|
|
const std::string& root_public_key,
|
|
const std::string& service_certificate,
|
|
const std::string& service_private_key,
|
|
const std::string& service_private_key_passphrase);
|
|
|
|
static Status SetDefaultDrmServiceCertificate(
|
|
const std::string& root_public_key,
|
|
const std::string& service_certificate,
|
|
const std::string& service_private_key,
|
|
const std::string& service_private_key_passphrase);
|
|
|
|
static Status DecryptEncryptedPayload(
|
|
const std::string& service_certificate_serial_number,
|
|
const std::string& provider_id, const std::string& encrypted_payload,
|
|
const std::string& iv, const std::string& privacy_key,
|
|
std::string* payload);
|
|
|
|
DrmServiceCertificate(const std::string& service_certificate,
|
|
const std::string& provider_id,
|
|
const std::string& serial_number,
|
|
const uint32_t creation_time_seconds,
|
|
std::unique_ptr<RsaPublicKey> public_key,
|
|
std::unique_ptr<RsaPrivateKey> private_key);
|
|
|
|
static void ResetServiceCertificates();
|
|
|
|
std::string certificate_;
|
|
std::string provider_id_;
|
|
std::string serial_number_;
|
|
uint32_t creation_time_seconds_;
|
|
std::unique_ptr<RsaPublicKey> public_key_;
|
|
std::unique_ptr<RsaPrivateKey> private_key_;
|
|
};
|
|
|
|
} // namespace widevine
|
|
|
|
#endif // COMMON_DRM_SERVICE_CERTIFICATE_H_
|