248 lines
10 KiB
C++
248 lines
10 KiB
C++
// Copyright 2021 Google LLC. All rights reserved.
|
|
|
|
#ifndef VIDEO_WIDEVINE_EXPORT_SDK_INTERNAL_ENVIRONMENT_IMPL_H_
|
|
#define VIDEO_WIDEVINE_EXPORT_SDK_INTERNAL_ENVIRONMENT_IMPL_H_
|
|
|
|
#include <cstdint>
|
|
#include <list>
|
|
#include <map>
|
|
#include <memory>
|
|
#include <string>
|
|
|
|
#include <cstdint>
|
|
#include "base/macros.h"
|
|
#include "absl/strings/string_view.h"
|
|
#include "absl/synchronization/mutex.h"
|
|
#include "common/core_message_util.h"
|
|
#include "common/security_profile_list.h"
|
|
#include "common/status.h"
|
|
#include "sdk/internal/session_usage_report.h"
|
|
#include "common/crypto_util.h"
|
|
#include "protos/public/client_identification.pb.h"
|
|
#include "protos/public/device_certificate_status.pb.h"
|
|
#include "protos/public/license_protocol.pb.h"
|
|
#include "protos/public/license_server_sdk.pb.h"
|
|
#include "protos/public/oem_key_container.pb.h"
|
|
#include "protos/public/provider_key.pb.h"
|
|
#include "protos/public/provisioned_device_info.pb.h"
|
|
|
|
namespace video_widevine {
|
|
|
|
class ClientCert;
|
|
class ClientIdentification;
|
|
class DrmRootCertificate;
|
|
class Session;
|
|
class SessionInit;
|
|
class SessionImpl;
|
|
|
|
using oemcrypto_core_message::features::CoreMessageFeatures;
|
|
|
|
// Helper function to determine which provider client token to use.
|
|
std::string GetProviderClientToken(const SessionInit& session_init,
|
|
const ClientIdentification& client_id);
|
|
|
|
class EnvironmentImpl {
|
|
public:
|
|
explicit EnvironmentImpl(const DrmRootCertificate* root_cert);
|
|
// Set the custom device security profile list which is returned, from a call
|
|
// to Widevine PublishedDevicesService.
|
|
Status SetCustomDeviceSecurityProfiles(
|
|
absl::string_view serialized_signed_device_security_profiles);
|
|
|
|
// Set pre-provisioning keys system-wide. Map key is system_id, value.
|
|
// Value should be human-readable hex digits suitable for passing to
|
|
// absl::HexStringToBytes().
|
|
// Must be called before any other calls to this class. Calls are
|
|
// thread-safe, so the keys can be updated at any time.
|
|
void SetPreProvisioningKeys(const std::map<uint32_t, std::string>& keys);
|
|
void SetPreProvisioningKeys(const std::multimap<uint32_t, std::string>& keys);
|
|
|
|
Status AddDrmServiceCertificate(
|
|
absl::string_view service_certificate,
|
|
absl::string_view service_private_key,
|
|
absl::string_view service_private_key_passphrase);
|
|
|
|
// Returns true if service certificate is loaded.
|
|
bool is_service_certificate_loaded();
|
|
|
|
// Set the certificate status list system-wide.
|
|
// |expiration_period| is the number of seconds until the
|
|
// certificate_status_list expires after its creation time
|
|
// (creation_time_seconds). If |allow_unknown_devices| is false, an error is
|
|
// returned if the device does not appear in the certificate_status_list.
|
|
Status SetCertificateStatusList(absl::string_view certificate_status_list,
|
|
uint32_t expiration_period_seconds,
|
|
bool allow_unknown_devices);
|
|
|
|
// Enable delivery of licenses to client devices. This includes devices with
|
|
// TEST_ONLY status, and development platform verification certificates.
|
|
// Defaults to false.
|
|
void AllowDevelopmentClients(bool enable);
|
|
|
|
// Enable delivery of licenses to TEST_ONLY client devices.
|
|
// |device_list_make| is a comma separated list of devices to allow even
|
|
// if the device is in a TEST_ONLY state. This list wil be used only if
|
|
// AllowDevelopmentClient(false) is in use.
|
|
void AllowTestOnlyDevicesByMake(absl::string_view device_list_make);
|
|
|
|
// Enable delivery of licenses to TEST_ONLY client devices.
|
|
// |device_list_provider| is a comma separated list of providers to allow
|
|
// even if the device is in a TEST_ONLY state. This list wil be used only if
|
|
// AllowDevelopmentClient(false) is in use.
|
|
void AllowTestOnlyDevicesByProvider(absl::string_view device_list_provider);
|
|
|
|
// Enable delivery of licenses to revoked client devices. |system_id_list| is
|
|
// a comma separated list of systems Ids to allow even if the device is in the
|
|
// revoked state.
|
|
void AllowRevokedDevices(absl::string_view system_id_list);
|
|
|
|
// A comma separated list of DRM Certificate Serial Numbers that are revoked.
|
|
void RevokedDrmCertificateSerialNumbers(
|
|
absl::string_view drm_certificate_serial_numbers);
|
|
|
|
// Restriction on core message features. If this is an empty string, the
|
|
// default feature set is used. If it is an integer, that is the ODK version
|
|
// supported.
|
|
void SetCoreMessageFeatures(absl::string_view core_message_features);
|
|
|
|
// Generates a SignedMessage containing a message generated in response to
|
|
// an error condition. |status| is a previous error status returned by the
|
|
// Session or Status(error::UNAVAILABLE, ...) to indicate that the
|
|
// backend is unavailable, |signed_message| points to a std::string to contain the
|
|
// serialized SignedMessage, and may not be NULL. This method returns true if
|
|
// there is an error license to be sent to the client, or false otherwise.
|
|
// Example usage in the CreateSession() comments above.
|
|
bool GenerateErrorResponse(const Status& status,
|
|
std::string* signed_message_bytes);
|
|
|
|
// Generates a SignedMessage containing a service certifcate for the specified
|
|
// |provider|. Returns false if |provider| does not exist. Returns the
|
|
// default service certificate if |provider| is empty.
|
|
bool GenerateServiceCertificateResponse(absl::string_view provider,
|
|
std::string* signed_message_bytes);
|
|
|
|
// DeriveKey uses the NIST 800-108 KDF recommendation, using AES-CMAC PRF.
|
|
// NIST 800-108:
|
|
// http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
|
|
// AES-CMAC:
|
|
// http://tools.ietf.org/html/rfc4493
|
|
std::string DeriveKey(absl::string_view key, absl::string_view label,
|
|
absl::string_view context, const uint32_t size_bits);
|
|
|
|
// Returns a std::string containing the Widevine License Server SDK version in the
|
|
// form <major_version>.<minor_version>.<release> <build date> <build time> .
|
|
std::string GetSdkVersionString();
|
|
|
|
// Generate a signed request to be sent to Widevine Certificate Provisioning
|
|
// Server to retrieve 'DeviceCertificateStatusList'.
|
|
Status GenerateDeviceStatusListRequest(
|
|
std::string* signed_device_certificate_status_list_request);
|
|
|
|
// If set to true, adds SDK and server version information to the license
|
|
// response.
|
|
void SetIncludeVersionInfoInLicense(bool include_version_info);
|
|
|
|
// Sets the service version information which can be included with the license
|
|
// response. If SetIncludeVersionInfoInLicense() is set to true and the server
|
|
// version is not empty, then the server version will be included in the
|
|
// license response. The host_version must be <= 32 characters and limited to
|
|
// alphanumeric and '_', '-', ':', ';'and '.'.
|
|
bool SetHostServerVersion(absl::string_view host_version);
|
|
|
|
void SetDefaultDeviceSecurityProfileList(SecurityProfileList* profile_list);
|
|
|
|
// Return a list of the default profile names.
|
|
Status GetDefaultDeviceSecurityProfileNames(
|
|
std::vector<std::string>* profile_names) const;
|
|
|
|
// Return the default profile associated with |profile_name|.
|
|
Status GetDefaultDeviceSecurityProfile(
|
|
absl::string_view profile_name,
|
|
SecurityProfile* device_security_profile) const;
|
|
|
|
// Obtain the owner list for custom profiles.
|
|
Status GetCustomDeviceSecurityProfileOwners(
|
|
std::vector<std::string>* custom_profile_owners) const;
|
|
|
|
// Return a list of custom profile names associated with |owner_name|.
|
|
Status GetCustomDeviceSecurityProfileNames(
|
|
absl::string_view owner_name,
|
|
std::vector<std::string>* profile_names) const;
|
|
|
|
// Return the custom profiles associated with |owner_name|.
|
|
Status GetCustomDeviceSecurityProfiles(
|
|
absl::string_view owner_name,
|
|
std::vector<SecurityProfile>* custom_device_security_profiles) const;
|
|
|
|
// Return device security profile list pointer.
|
|
video_widevine::SecurityProfileList* device_security_profile_list() const;
|
|
|
|
// Specify a comma separated list of system Ids that can support having
|
|
// OEMCrypto version, as specified in the license request, reflected back in
|
|
// the Key Control Block which is used by partner. Otherwise, only 'kctl' or
|
|
// 'kc09' is returned in KCB.
|
|
void SetDevicesToHandleOEMCryptoVersionInKCB(
|
|
absl::string_view system_id_list);
|
|
|
|
// Return drm root certificate pointer.
|
|
const DrmRootCertificate* drm_root_certificate() const;
|
|
|
|
CoreMessageFeatures core_message_features() const;
|
|
|
|
bool include_version_info_in_license() const;
|
|
|
|
// If |auto_set_provider_session_token| is 'true', the provider session token
|
|
// may be automatically set,
|
|
// * if the provider session token has not been specified.
|
|
// * for OFFLINE requests
|
|
// * if Policy.can_persist is set to 'true'.
|
|
// * if Policy.can_renew is set to 'true'.
|
|
// * if OEMCryptoVersion of the client making the request is at least 16.
|
|
//
|
|
// The default setting for |auto_set_provider_session_token| is 'true'.
|
|
virtual void SetAutoSetProviderSessionToken(
|
|
bool auto_set_provider_session_token) {
|
|
auto_set_provider_session_token_ = auto_set_provider_session_token;
|
|
}
|
|
|
|
// Returns the setting as to whether the provider session token will be
|
|
// automatically set.
|
|
virtual bool GetAutoSetProviderSessionToken() const {
|
|
return auto_set_provider_session_token_;
|
|
}
|
|
|
|
// Set the provider key used for L3 CDM.
|
|
// |provider_key_config_bytes| is a serialized ProviderKeyConfig proto
|
|
// message. Return OK if parsing is successful, otherwise an error is
|
|
// returned.
|
|
virtual Status SetProviderKeyConfig(
|
|
absl::string_view provider_key_config_bytes);
|
|
|
|
// Returns the provider key config.
|
|
virtual const ProviderKeyConfig& GetProviderKeyConfig() const {
|
|
return provider_key_config_;
|
|
}
|
|
|
|
virtual ~EnvironmentImpl();
|
|
|
|
private:
|
|
// This function wrapper allows safe static creation of the version string.
|
|
std::string* GetHostVersionString();
|
|
|
|
bool include_version_info_in_license_ = true;
|
|
bool is_service_certificate_loaded_ = false;
|
|
CoreMessageFeatures core_message_features_ =
|
|
CoreMessageFeatures::kDefaultFeatures;
|
|
bool auto_set_provider_session_token_ = true;
|
|
|
|
// DRM root certificate used for verifying all other DRM certificates.
|
|
const DrmRootCertificate* drm_root_certificate_;
|
|
mutable absl::Mutex profile_mutex_;
|
|
SecurityProfileList* profile_list_ ABSL_GUARDED_BY(profile_mutex_);
|
|
// Provider key configuration assigned to a provider for use with L3 CDM.
|
|
ProviderKeyConfig provider_key_config_;
|
|
};
|
|
} // namespace video_widevine
|
|
|
|
#endif // VIDEO_WIDEVINE_EXPORT_SDK_INTERNAL_ENVIRONMENT_IMPL_H_
|