Add RSA signing support in WidevineEncryptorSource

Defines an abstract request signer class and two implementations of the
signer class, AesRequestSigner for AES-CBC signing and RsaRequestSigner
for RSA-PSS signing.

WidevineEncryptorSource now uses Signer for signature generation.

Change-Id: I4528409a9be998535bccde40fdadb412e4bbdaf3

media/base/request_signer.cc

@@ -0,0 +1,73 @@
+// Copyright (c) 2013 Google Inc. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "media/base/request_signer.h"
+
+#include "base/sha1.h"
+#include "base/strings/string_number_conversions.h"
+#include "media/base/aes_encryptor.h"
+#include "media/base/rsa_key.h"
+
+namespace media {
+
+RequestSigner::RequestSigner(const std::string& signer_name)
+    : signer_name_(signer_name) {}
+RequestSigner::~RequestSigner() {}
+
+AesRequestSigner::AesRequestSigner(const std::string& signer_name,
+                                   scoped_ptr<AesCbcEncryptor> encryptor)
+    : RequestSigner(signer_name), aes_cbc_encryptor_(encryptor.Pass()) {
+  DCHECK(aes_cbc_encryptor_);
+}
+AesRequestSigner::~AesRequestSigner() {}
+
+AesRequestSigner* AesRequestSigner::CreateSigner(const std::string& signer_name,
+                                                 const std::string& aes_key_hex,
+                                                 const std::string& iv_hex) {
+  std::vector<uint8> aes_key;
+  if (!base::HexStringToBytes(aes_key_hex, &aes_key)) {
+    LOG(ERROR) << "Failed to convert hex string to bytes: " << aes_key_hex;
+    return NULL;
+  }
+  std::vector<uint8> iv;
+  if (!base::HexStringToBytes(iv_hex, &iv)) {
+    LOG(ERROR) << "Failed to convert hex string to bytes: " << iv_hex;
+    return NULL;
+  }
+
+  scoped_ptr<AesCbcEncryptor> encryptor(new AesCbcEncryptor());
+  if (!encryptor->InitializeWithIv(aes_key, iv))
+    return NULL;
+  return new AesRequestSigner(signer_name, encryptor.Pass());
+}
+
+bool AesRequestSigner::GenerateSignature(const std::string& message,
+                                         std::string* signature) {
+  aes_cbc_encryptor_->Encrypt(base::SHA1HashString(message), signature);
+  return true;
+}
+
+RsaRequestSigner::RsaRequestSigner(const std::string& signer_name,
+                                   scoped_ptr<RsaPrivateKey> rsa_private_key)
+    : RequestSigner(signer_name), rsa_private_key_(rsa_private_key.Pass()) {
+  DCHECK(rsa_private_key_);
+}
+RsaRequestSigner::~RsaRequestSigner() {}
+
+RsaRequestSigner* RsaRequestSigner::CreateSigner(
+    const std::string& signer_name,
+    const std::string& pkcs1_rsa_key) {
+  scoped_ptr<RsaPrivateKey> rsa_private_key(
+      RsaPrivateKey::Create(pkcs1_rsa_key));
+  if (!rsa_private_key)
+    return NULL;
+  return new RsaRequestSigner(signer_name, rsa_private_key.Pass());
+}
+
+bool RsaRequestSigner::GenerateSignature(const std::string& message,
+                                         std::string* signature) {
+  return rsa_private_key_->GenerateSignature(message, signature);
+}
+
+}  // namespace media

media/base/request_signer.h

@@ -0,0 +1,86 @@
+// Copyright (c) 2013 Google Inc. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef MEDIA_BASE_REQUEST_SIGNER_H_
+#define MEDIA_BASE_REQUEST_SIGNER_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/memory/scoped_ptr.h"
+
+namespace media {
+
+class AesCbcEncryptor;
+class RsaPrivateKey;
+
+// Define an abstract signer class for signature generation.
+class RequestSigner {
+ public:
+  virtual ~RequestSigner();
+
+  // Generate signature for |message|. |signature| should not be NULL.
+  // Return true on success.
+  virtual bool GenerateSignature(const std::string& message,
+                                 std::string* signature) = 0;
+
+  const std::string& signer_name() const { return signer_name_; }
+
+ protected:
+  explicit RequestSigner(const std::string& signer_name);
+
+ private:
+  std::string signer_name_;
+
+  DISALLOW_COPY_AND_ASSIGN(RequestSigner);
+};
+
+// AesRequestSigner uses AES-CBC signing.
+class AesRequestSigner : public RequestSigner {
+ public:
+  virtual ~AesRequestSigner();
+
+  // Create an AesSigner object from key and iv in hex.
+  // Return NULL on failure.
+  static AesRequestSigner* CreateSigner(const std::string& signer_name,
+                                        const std::string& aes_key_hex,
+                                        const std::string& iv_hex);
+
+  virtual bool GenerateSignature(const std::string& message,
+                                 std::string* signature) OVERRIDE;
+
+ private:
+  AesRequestSigner(const std::string& signer_name,
+                   scoped_ptr<AesCbcEncryptor> encryptor);
+
+  scoped_ptr<AesCbcEncryptor> aes_cbc_encryptor_;
+
+  DISALLOW_COPY_AND_ASSIGN(AesRequestSigner);
+};
+
+// RsaRequestSigner uses RSA-PSS signing.
+class RsaRequestSigner : public RequestSigner {
+ public:
+  virtual ~RsaRequestSigner();
+
+  // Create an RsaSigner object using a DER encoded PKCS#1 RSAPrivateKey.
+  // Return NULL on failure.
+  static RsaRequestSigner* CreateSigner(const std::string& signer_name,
+                                        const std::string& pkcs1_rsa_key);
+
+  virtual bool GenerateSignature(const std::string& message,
+                                 std::string* signature) OVERRIDE;
+
+ private:
+  RsaRequestSigner(const std::string& signer_name,
+                   scoped_ptr<RsaPrivateKey> rsa_private_key);
+
+  scoped_ptr<RsaPrivateKey> rsa_private_key_;
+
+  DISALLOW_COPY_AND_ASSIGN(RsaRequestSigner);
+};
+
+}  // namespace media
+
+#endif  // MEDIA_BASE_REQUEST_SIGNER_H_

media/base/status.h

@@ -52,7 +52,11 @@ enum Code {
   // This track fragment is finalized.
   FRAGMENT_FINALIZED,
 
-  // TODO(kqyang): define packager specific error codes.
+  // Server errors. Receives malformed response from server.
+  SERVER_ERROR,
+
+  // Internal errors. Some invariants have been broken.
+  INTERNAL_ERROR,
 };
 
 }  // namespace error

media/base/widevine_encryptor_source.cc

@@ -7,11 +7,9 @@
 #include "base/base64.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
-#include "base/sha1.h"
-#include "base/strings/string_number_conversions.h"
 #include "base/values.h"
-#include "media/base/aes_encryptor.h"
 #include "media/base/httpfetcher.h"
+#include "media/base/request_signer.h"
 
 // TODO(kqyang): Move media/mp4/rcheck.h to media/base/.
 //               Remove this definition and use RCHECK in rcheck.h instead.
@@ -87,51 +85,16 @@ namespace media {
 
 WidevineEncryptorSource::WidevineEncryptorSource(const std::string& server_url,
                                                  const std::string& content_id,
-                                                 TrackType track_type)
+                                                 TrackType track_type,
+                                                 scoped_ptr<RequestSigner> signer)
     : server_url_(server_url),
       content_id_(content_id),
-      track_type_(track_type) {
+      track_type_(track_type),
-  DCHECK(!server_url.empty());
+      signer_(signer.Pass()) {
-  DCHECK(!content_id.empty());
+  DCHECK(signer_);
 }
 WidevineEncryptorSource::~WidevineEncryptorSource() {}
 
-bool WidevineEncryptorSource::SetAesSigningKey(const std::string& signer,
-                                               const std::string& aes_key_hex,
-                                               const std::string& iv_hex) {
-  DCHECK(!aes_cbc_encryptor_);
-  signer_ = signer;
-
-  std::vector<uint8> aes_key;
-  if (!base::HexStringToBytes(aes_key_hex, &aes_key)) {
-    LOG(ERROR) << "Failed to convert hex string to bytes: " << aes_key_hex;
-    return false;
-  }
-  std::vector<uint8> iv;
-  if (!base::HexStringToBytes(iv_hex, &iv)) {
-    LOG(ERROR) << "Failed to convert hex string to bytes: " << iv_hex;
-    return false;
-  }
-
-  scoped_ptr<AesCbcEncryptor> encryptor(new AesCbcEncryptor());
-  if (!encryptor->InitializeWithIv(aes_key, iv)) {
-    LOG(ERROR) << "Failed to initialize encryptor with key: " << aes_key_hex
-               << " iv:" << iv_hex;
-    return false;
-  }
-  aes_cbc_encryptor_ = encryptor.Pass();
-  return true;
-}
-
-bool WidevineEncryptorSource::SetRsaSigningKey(
-    const std::string& signer,
-    const std::string& pkcs8_rsa_key) {
-  DCHECK(!aes_cbc_encryptor_);
-  // TODO(kqyang): Implement it.
-  NOTIMPLEMENTED();
-  return false;
-}
-
 Status WidevineEncryptorSource::Initialize() {
   std::string request;
   FillRequest(content_id_, &request);
@@ -169,13 +132,17 @@ Status WidevineEncryptorSource::Initialize() {
   return Status::OK;
 }
 
-void WidevineEncryptorSource::GenerateSignature(const std::string& message,
+WidevineEncryptorSource::TrackType
-                                                std::string* signature) {
+WidevineEncryptorSource::GetTrackTypeFromString(
-  DCHECK(signature);
+    const std::string& track_type_string) {
-  if (aes_cbc_encryptor_)
+  if (track_type_string == "SD")
-    aes_cbc_encryptor_->Encrypt(base::SHA1HashString(message), signature);
+    return TRACK_TYPE_SD;
-  else
+  if (track_type_string == "HD")
-    NOTIMPLEMENTED() << "Rsa signing is not implemented yet.";
+    return TRACK_TYPE_HD;
+  if (track_type_string == "AUDIO")
+    return TRACK_TYPE_AUDIO;
+  LOG(WARNING) << "Unexpected track type: " << track_type_string;
+  return TRACK_TYPE_UNKNOWN;
 }
 
 void WidevineEncryptorSource::FillRequest(const std::string& content_id,
@@ -219,7 +186,8 @@ Status WidevineEncryptorSource::SignRequest(const std::string& request,
 
   // Sign the request.
   std::string signature;
-  GenerateSignature(request, &signature);
+  if (!signer_->GenerateSignature(request, &signature))
+    return Status(error::INTERNAL_ERROR, "Signature generation failed.");
 
   // Encode request and signature using Base64 encoding.
   std::string request_base64_string;
@@ -231,7 +199,7 @@ Status WidevineEncryptorSource::SignRequest(const std::string& request,
   base::DictionaryValue signed_request_dict;
   signed_request_dict.SetString("request", request_base64_string);
   signed_request_dict.SetString("signature", signature_base64_string);
-  signed_request_dict.SetString("signer", signer_);
+  signed_request_dict.SetString("signer", signer_->signer_name());
 
   base::JSONWriter::Write(&signed_request_dict, signed_request);
   return Status::OK;
@@ -258,17 +226,7 @@ bool WidevineEncryptorSource::DecodeResponse(const std::string& raw_response,
 
 bool WidevineEncryptorSource::IsExpectedTrackType(
     const std::string& track_type_string) {
-  switch (track_type_) {
+  return track_type_ == GetTrackTypeFromString(track_type_string);
-    case TRACK_TYPE_SD:
-      return track_type_string == "SD";
-    case TRACK_TYPE_HD:
-      return track_type_string == "HD";
-    case TRACK_TYPE_AUDIO:
-      return track_type_string == "AUDIO";
-    default:
-      NOTREACHED() << "Unexpected track type " << track_type_;
-      return false;
-  }
 }
 
 bool WidevineEncryptorSource::ExtractEncryptionKey(const std::string& response,

media/base/widevine_encryptor_source.h

@@ -5,10 +5,13 @@
 #ifndef MEDIA_BASE_WIDEVINE_ENCRYPTOR_SOURCE_H_
 #define MEDIA_BASE_WIDEVINE_ENCRYPTOR_SOURCE_H_
 
+#include "base/basictypes.h"
 #include "media/base/encryptor_source.h"
 
 namespace media {
 
+class RequestSigner;
+
 // Defines an encryptor source which talks to Widevine encryption server.
 class WidevineEncryptorSource : public EncryptorSource {
  public:
@@ -19,29 +22,20 @@ class WidevineEncryptorSource : public EncryptorSource {
     TRACK_TYPE_AUDIO
   };
 
+  // Caller transfers the ownership of |signer|, which should not be NULL.
   WidevineEncryptorSource(const std::string& server_url,
                           const std::string& content_id,
-                          TrackType track_type);
+                          TrackType track_type,
-  ~WidevineEncryptorSource();
+                          scoped_ptr<RequestSigner> signer);
-
+  virtual ~WidevineEncryptorSource();
-  // Set AES Signing Key. Use AES-CBC signing for the encryption request.
-  bool SetAesSigningKey(const std::string& signer,
-                        const std::string& aes_key_hex,
-                        const std::string& iv_hex);
-
-  // Set RSA Signing Key. Use RSA-PSS signing for the encryption request.
-  bool SetRsaSigningKey(const std::string& signer,
-                        const std::string& pkcs8_rsa_key);
 
   // EncryptorSource implementation.
-  // Note: SetAesSigningKey or SetRsaSigningKey (exclusive) must be called
-  //       before calling Initialize.
   virtual Status Initialize() OVERRIDE;
 
+  static WidevineEncryptorSource::TrackType GetTrackTypeFromString(
+      const std::string& track_type_string);
+
  private:
-  // Generate signature using AES-CBC or RSA-PSS.
-  // |signature| should not be NULL.
-  void GenerateSignature(const std::string& message, std::string* signature);
   // Fill |request| with necessary fields for Widevine encryption request.
   // |request| should not be NULL.
   void FillRequest(const std::string& content_id, std::string* request);
@@ -63,9 +57,7 @@ class WidevineEncryptorSource : public EncryptorSource {
   std::string server_url_;
   std::string content_id_;
   TrackType track_type_;
-
+  scoped_ptr<RequestSigner> signer_;
-  std::string signer_;
-  scoped_ptr<AesCbcEncryptor> aes_cbc_encryptor_;
 
   DISALLOW_COPY_AND_ASSIGN(WidevineEncryptorSource);
 };

packager.gyp

@@ -9,6 +9,41 @@
     ],
   },
   'targets': [
+    {
+      'target_name': 'httpfetcher',
+      'type': 'static_library',
+      'sources': [
+        'media/base/httpfetcher.cc',
+        'media/base/httpfetcher.h',
+        'media/base/status.cc',
+      ],
+      'cflags!': [ '-fno-exceptions' ],
+      'cflags_cc!': [ '-fno-exceptions' ],
+      'conditions': [
+        ['OS=="mac"', {
+          'xcode_settings': {
+            'GCC_ENABLE_CPP_EXCEPTIONS': 'YES'
+          }
+        }]
+      ],
+      'dependencies': [
+        'third_party/happyhttp/happyhttp.gyp:happyhttp_lib',
+      ],
+    },
+    {
+      # Note that this test performs real http requests to a http server.
+      'target_name': 'httpfetcher_unittest',
+      'type': 'executable',
+      'sources': [
+        'media/base/httpfetcher_unittest.cc',
+      ],
+      'dependencies': [
+        'base/base.gyp:base',
+        'httpfetcher',
+        'testing/gtest.gyp:gtest',
+        'testing/gtest.gyp:gtest_main',
+      ],
+    },
     {
       'target_name': 'media_base',
       'type': 'static_library',
@@ -49,6 +84,8 @@
         'media/base/muxer.h',
         'media/base/muxer_options.cc',
         'media/base/muxer_options.h',
+        'media/base/request_signer.cc',
+        'media/base/request_signer.h',
         'media/base/rsa_key.cc',
         'media/base/rsa_key.h',
         'media/base/status.cc',
@@ -58,9 +95,12 @@
         'media/base/text_track.h',
         'media/base/video_stream_info.cc',
         'media/base/video_stream_info.h',
+        'media/base/widevine_encryptor_source.cc',
+        'media/base/widevine_encryptor_source.h',
       ],
       'dependencies': [
         'base/base.gyp:base',
+        'httpfetcher',
         'third_party/openssl/openssl.gyp:openssl',
       ],
     },
@@ -110,7 +150,7 @@
         'media/mp4/aac_audio_specific_config.h',
         'media/mp4/box.cc',
         'media/mp4/box.h',
-        'media/mp4/box_buffer_interface.h',
+        'media/mp4/box_buffer.h',
         'media/mp4/box_definitions.cc',
         'media/mp4/box_definitions.h',
         'media/mp4/box_reader.cc',