WvPL License SDK release: 16.5.0

centos/common/certificate_type.h

@@ -0,0 +1,16 @@
+// Copyright 2017 Google LLC. All rights reserved.
+
+#ifndef VIDEO_WIDEVINE_EXPORT_COMMON_CERTIFICATE_TYPE_H_
+#define VIDEO_WIDEVINE_EXPORT_COMMON_CERTIFICATE_TYPE_H_
+
+namespace video_widevine {
+
+enum CertificateType {
+  kCertificateTypeTesting,
+  kCertificateTypeDevelopment,
+  kCertificateTypeProduction,
+};
+
+}  // namespace video_widevine
+
+#endif  // VIDEO_WIDEVINE_EXPORT_COMMON_CERTIFICATE_TYPE_H_

centos/common/hash_algorithm.h

@@ -0,0 +1,12 @@
+// Copyright 2020 Google LLC. All rights reserved.
+
+#ifndef VIDEO_WIDEVINE_EXPORT_COMMON_HASH_ALGORITHM_H_
+#define VIDEO_WIDEVINE_EXPORT_COMMON_HASH_ALGORITHM_H_
+
+namespace video_widevine {
+
+enum class HashAlgorithm { kUnspecified, kSha1, kSha256, kSha384 };
+
+}  // namespace video_widevine
+
+#endif  // VIDEO_WIDEVINE_EXPORT_COMMON_HASH_ALGORITHM_H_

centos/common/security_profile_list.h

@@ -0,0 +1,172 @@
+// Copyright 2020 Google LLC. All rights reserved.
+//
+// Description:
+//   Container of device security profiles.  Security profiles indicate rules
+//   to allow using the profile. The rules are based on DRM capabilities of a
+//   device.
+
+#ifndef VIDEO_WIDEVINE_EXPORT_COMMON_SECURITY_PROFILE_LIST_H_
+#define VIDEO_WIDEVINE_EXPORT_COMMON_SECURITY_PROFILE_LIST_H_
+
+#include <cstdint>
+
+#include "absl/synchronization/mutex.h"
+#include "common/hash_algorithm.h"
+#include "common/output_protection_util.h"
+#include "common/status.h"
+#include "protos/public/client_identification.pb.h"
+#include "protos/public/device_security_profile_data.pb.h"
+#include "protos/public/device_security_profile_list.pb.h"
+#include "protos/public/provisioned_device_info.pb.h"
+#include "protos/public/security_profile.pb.h"
+
+namespace video_widevine {
+
+using ClientCapabilities = ClientIdentification::ClientCapabilities;
+
+const char kDefaultProfileOwnerName[] = "Widevine";
+
+// The SecurityProfileList will hold all security profiles.  During license
+// acquisition, information from the client and information from the server are
+// combined to deternmine the device's security profile level.
+
+// TODO(169946984): Clean up the virtual/protected functions once subclass
+// default_device_security_profile_list gets removed.
+class SecurityProfileList {
+ public:
+  explicit SecurityProfileList(const std::string& profile_namespace);
+  virtual ~SecurityProfileList() {}
+
+  // Initialize the security profile list with Widevine default profiles. The
+  // size of the profile list is returned.
+  virtual int Init();
+
+  // Add the specified profile to the existing list of profiles.  Returns true
+  // if successfully inserted, false if unable to insert.
+  bool InsertProfile(const SecurityProfile& profile_to_insert);
+
+  // Populates |profiles_allow| with a list of profiles from the specified
+  // |profiles_to_check| list that meet the requirements for the this device.
+  // The number of profiles is returned.
+  virtual int GetQualifiedProfilesFromSpecifiedProfiles(
+      const std::vector<std::string>& profiles_to_check,
+      const std::string& owner, const ClientIdentification& client_id,
+      const ProvisionedDeviceInfo& device_info,
+      PlatformVerificationStatus device_vmp_status,
+      std::vector<std::string>* qualified_profiles) const;
+
+  // Populates |profiles_to_allow| with a list of profiles that meet the
+  // requirements for the this device. The number of profiles is returned.
+  virtual int GetQualifiedProfiles(
+      const ClientIdentification& client_id,
+      const ProvisionedDeviceInfo& device_info,
+      const PlatformVerificationStatus device_vmp_status,
+      const std::string& owner,
+      std::vector<std::string>* qualified_profiles) const;
+
+  // Return true if a profile exist matching the specified parameters {|name|,
+  // |owner|}. |security_profiles| is owned by the caller and is populated if
+  // one or more profile exist. For default DSP, the output profiles should
+  // contain single record. For custom DSP, it may contain multiple records
+  // since active dsp and inactive dsp could share the same dsp_name under the
+  // same owner.
+  virtual bool GetProfileByNameAndOwner(
+      const std::string& name, const std::string& owner,
+      std::vector<SecurityProfile>* security_profiles) const;
+
+  // Populates |security_profiles| owned by the content owner.
+  virtual int GetProfilesByOwner(
+      const std::string& owner,
+      std::vector<SecurityProfile>* security_profiles) const;
+
+  // Populates |owner_list| for security profiles. |is_default_dsp| boolean
+  // indicates the owner_list for default dsp or custom dsp.
+  virtual int GetProfilesOwnerList(const bool is_default_dsp,
+                                   std::vector<std::string>* owner_list) const;
+
+  // Return the device security capabilities.  |drm_info| is populated with
+  // data from |client_id| and |device_info|.  |drm_info| must not be null and
+  // is owned by the caller.
+  virtual bool GetDrmInfo(const ClientIdentification& client_id,
+                          const ProvisionedDeviceInfo& device_info,
+                          SecurityProfile::DrmInfo* drm_info) const;
+
+  // Return the number of profiles in the list.
+  int NumProfiles() const;
+
+  // Return a list of profile names.
+  virtual void GetProfileNames(std::vector<std::string>* profile_names) const;
+
+  // Deserialized SignedDeviceSecurityProfiles for custom DSPs.
+  static Status DeserializeSignedDeviceSecurityProfiles(
+      const std::string& serialized_signed_device_security_profiles,
+      std::string* serialized_device_security_profiles,
+      HashAlgorithm* hash_algorithm, std::string* signature);
+
+  // Validate signature and update security profile list for custom dsps.
+  Status ValidateAndUpdateProfileList(
+      const std::string& root_certificate_public_key,
+      const std::string& serialized_device_security_profiles,
+      HashAlgorithm hash_algorithm, const std::string& signature,
+      int* added_profile_num);
+
+  // Returns an instance of the Security profile list for default security
+  // profiles.  Default security profiles are owned by Widevine.
+  // TODO (b/187073516): This singleton can be moved to the "Environment" class
+  // as a non-static API.
+  static SecurityProfileList* GetInstanceForDefaultSecurityProfiles();
+
+ protected:
+  void ClearAllProfiles();
+
+ private:
+  friend class SecurityProfileListTest;
+
+  // Add Widevine default profiles into profile_list. The number of added
+  // default profiles will be returned.
+  virtual int AddDefaultProfiles();
+  // Add Widevine custom profiles into profile_list. The number of added custom
+  // profiles will be returned.
+  virtual int AddCustomProfiles(
+      const DeviceSecurityProfileList& device_security_profile_list);
+  virtual int GetDefaultProfileStrings(
+      std::vector<std::string>* default_profile_strings) const;
+
+  bool DoesProfileQualify(const SecurityProfile& profile,
+                          const ClientIdentification& client_id,
+                          const ProvisionedDeviceInfo& device_info,
+                          PlatformVerificationStatus device_vmp_status) const;
+  bool CheckAnalogOutputCapabilities(
+      ClientIdentification_ClientCapabilities_AnalogOutputCapabilities
+          client_output_capabilities,
+      ClientIdentification_ClientCapabilities_AnalogOutputCapabilities
+          profile_output_capabilities,
+      bool client_can_disable_analog_output) const;
+
+  int64_t GetCurrentTimeSeconds() const;
+
+  bool IsProfileActive(const SecurityProfile& profile,
+                       int64_t current_time_seconds) const;
+
+  bool InsertProfileLocked(const SecurityProfile& profile_to_insert)
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
+
+  // Return true if a profile already exists in the profile_list.
+  bool DoesProfileExistLocked(const SecurityProfile& profile) const
+      ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
+
+  void ClearAllDefaultProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
+  void ClearAllCustomProfilesLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mutex_);
+
+  // Return true is the client is a Chrome browser.
+  virtual bool IsChromeBrowser(const std::string& device_model) const;
+
+  mutable absl::Mutex mutex_;
+  // Security profiles
+  std::string profile_namespace_;
+  // TODO(huihli): Modify as Map<owner, DSPs>.
+  std::vector<SecurityProfile> security_profiles_ ABSL_GUARDED_BY(mutex_);
+};
+
+}  // namespace video_widevine
+#endif  // VIDEO_WIDEVINE_EXPORT_COMMON_SECURITY_PROFILE_LIST_H_

centos/common/status.h

@@ -0,0 +1,108 @@
+// Copyright 2017 Google LLC. All rights reserved.
+
+#ifndef VIDEO_WIDEVINE_EXPORT_COMMON_STATUS_H_
+#define VIDEO_WIDEVINE_EXPORT_COMMON_STATUS_H_
+
+#include <iosfwd>
+#include <string>
+
+#include "util/error_space.h"
+
+namespace video_widevine {
+namespace error {
+
+enum StatusCode {
+  // Success.
+  OK = 0,
+
+  // Client specified an invalid argument.
+  INVALID_ARGUMENT = 3,
+
+  // Some requested entity (e.g., file or directory) was not found.
+  NOT_FOUND = 5,
+
+  // Some entity that we attempted to create (e.g., file or directory)
+  // already exists.
+  ALREADY_EXISTS = 6,
+
+  // The caller does not have permission to execute the specified
+  // operation.  PERMISSION_DENIED must not be used for rejections
+  // caused by exhausting some resource (use RESOURCE_EXHAUSTED
+  // instead for those errors).
+  PERMISSION_DENIED = 7,
+
+  // The operation was rejected because the system is not in a state
+  // required for the operation's execution.  For example, the directory
+  // to be deleted is non-empty, an rmdir operation is applied to
+  // a non-directory, etc.
+  FAILED_PRECONDITION = 9,
+
+  // Operation is not implemented or not supported/enabled in this service.
+  UNIMPLEMENTED = 12,
+
+  // Internal errors.  Means some invariants expected by underlying
+  // system has been broken.  If you see one of these errors,
+  // something is very broken.
+  INTERNAL = 13,
+
+  // Operation is not implemented or not supported/enabled in this service.
+  UNAVAILABLE = 14,
+
+  // Number of generic (non license related) errors.
+  NUM_ERRORS,
+};
+
+}  // namespace error
+
+class Status {
+ public:
+
+  Status() = default;
+
+  ~Status() = default;
+
+  explicit Status(error::StatusCode c) : status_code_(c) {}
+
+  Status(error::StatusCode c, const std::string& error_message)
+      : status_code_(c), error_message_(error_message) {}
+
+  Status(const util::ErrorSpace* e, error::StatusCode c,
+         const std::string& error_message)
+      : error_space_(e), status_code_(c), error_message_(error_message) {}
+
+  Status(const util::ErrorSpace* e, int error,
+         const std::string& error_message)
+      : error_space_(e), status_code_(error), error_message_(error_message) {}
+
+  bool ok() const { return status_code_ == error::OK; }
+  const util::ErrorSpace* error_space() const { return error_space_; }
+  static const util::ErrorSpace* canonical_space();
+  std::string ToString() const;
+  std::string error_message() const { return error_message_; }
+  int error_code() const { return status_code_; }
+
+ private:
+  const util::ErrorSpace* error_space_ = canonical_space();
+  int status_code_ = error::OK;
+  std::string error_message_;
+};
+
+inline Status OkStatus() { return Status(); }
+
+inline bool operator==(const Status& s1, const Status& s2) {
+  return s1.error_space() == s2.error_space() &&
+         s1.error_code() == s2.error_code() &&
+         s1.error_message() == s2.error_message();
+}
+inline bool operator!=(const Status& s1, const Status& s2) {
+  return !(s1 == s2);
+}
+
+// Prints a human-readable representation of 'x' to 'os'.
+std::ostream& operator<<(std::ostream& os, const Status& x);
+
+#define CHECK_OK(expression) CHECK(expression.ok()) << expression.ToString()
+
+}  // namespace video_widevine
+
+#endif  // VIDEO_WIDEVINE_EXPORT_COMMON_STATUS_H_