media/cdm/json_web_key.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "media/cdm/json_web_key.h"
   6
   7 #include "base/base64.h"
   8 #include "base/json/json_reader.h"
   9 #include "base/json/json_string_value_serializer.h"
  10 #include "base/json/string_escape.h"
  11 #include "base/logging.h"
  12 #include "base/memory/scoped_ptr.h"
  13 #include "base/strings/string_number_conversions.h"
  14 #include "base/strings/string_util.h"
  15 #include "base/values.h"
  16
  17 namespace media {
  18
  19 const char kKeysTag[] = "keys";
  20 const char kKeyTypeTag[] = "kty";
  21 const char kKeyTypeOct[] = "oct";  // Octet sequence.
  22 const char kAlgTag[] = "alg";
  23 const char kAlgA128KW[] = "A128KW";  // AES key wrap using a 128-bit key.
  24 const char kKeyTag[] = "k";
  25 const char kKeyIdTag[] = "kid";
  26 const char kKeyIdsTag[] = "kids";
  27 const char kBase64Padding = '=';
  28 const char kBase64Plus[] = "+";
  29 const char kBase64UrlPlusReplacement[] = "-";
  30 const char kBase64Slash[] = "/";
  31 const char kBase64UrlSlashReplacement[] = "_";
  32 const char kBase64UrlInvalid[] = "+/=";
  33 const char kTypeTag[] = "type";
  34 const char kTemporarySession[] = "temporary";
  35 const char kPersistentLicenseSession[] = "persistent-license";
  36 const char kPersistentReleaseMessageSession[] = "persistent-release-message";
  37
  38 // Encodes |input| into a base64url string without padding.
  39 static std::string EncodeBase64Url(const uint8* input, int input_length) {
  40   std::string encoded_text;
  41   base::Base64Encode(
  42       std::string(reinterpret_cast<const char*>(input), input_length),
  43       &encoded_text);
  44
  45   // Remove any padding characters added by Base64Encode().
  46   size_t found = encoded_text.find_last_not_of(kBase64Padding);
  47   if (found != std::string::npos)
  48     encoded_text.erase(found + 1);
  49
  50   // base64url encoding means the characters '-' and '_' must be used
  51   // instead of '+' and '/', respectively.
  52   base::ReplaceChars(encoded_text, kBase64Plus, kBase64UrlPlusReplacement,
  53                      &encoded_text);
  54   base::ReplaceChars(encoded_text, kBase64Slash, kBase64UrlSlashReplacement,
  55                      &encoded_text);
  56
  57   return encoded_text;
  58 }
  59
  60 // Decodes a base64url string. Returns empty string on error.
  61 static std::string DecodeBase64Url(const std::string& encoded_text) {
  62   // EME spec doesn't allow '+', '/', or padding characters.
  63   if (encoded_text.find_first_of(kBase64UrlInvalid) != std::string::npos) {
  64     DVLOG(1) << "Invalid base64url format: " << encoded_text;
  65     return std::string();
  66   }
  67
  68   // Since base::Base64Decode() requires padding characters, add them so length
  69   // of |encoded_text| is exactly a multiple of 4.
  70   size_t num_last_grouping_chars = encoded_text.length() % 4;
  71   std::string modified_text = encoded_text;
  72   if (num_last_grouping_chars > 0)
  73     modified_text.append(4 - num_last_grouping_chars, kBase64Padding);
  74
  75   // base64url encoding means the characters '-' and '_' must be used
  76   // instead of '+' and '/', respectively, so replace them before calling
  77   // base::Base64Decode().
  78   base::ReplaceChars(modified_text, kBase64UrlPlusReplacement, kBase64Plus,
  79                      &modified_text);
  80   base::ReplaceChars(modified_text, kBase64UrlSlashReplacement, kBase64Slash,
  81                      &modified_text);
  82
  83   std::string decoded_text;
  84   if (!base::Base64Decode(modified_text, &decoded_text)) {
  85     DVLOG(1) << "Base64 decoding failed on: " << modified_text;
  86     return std::string();
  87   }
  88
  89   return decoded_text;
  90 }
  91
  92 static std::string ShortenTo64Characters(const std::string& input) {
  93   // Convert |input| into a string with escaped characters replacing any
  94   // non-ASCII characters. Limiting |input| to the first 65 characters so
  95   // we don't waste time converting a potentially long string and then
  96   // throwing away the excess.
  97   std::string escaped_str =
  98       base::EscapeBytesAsInvalidJSONString(input.substr(0, 65), false);
  99   if (escaped_str.length() <= 64u)
 100     return escaped_str;
 101
 102   // This may end up truncating an escaped character, but the first part of
 103   // the string should provide enough information.
 104   return escaped_str.substr(0, 61).append("...");
 105 }
 106
 107 std::string GenerateJWKSet(const uint8* key, int key_length,
 108                            const uint8* key_id, int key_id_length) {
 109   // Both |key| and |key_id| need to be base64 encoded strings in the JWK.
 110   std::string key_base64 = EncodeBase64Url(key, key_length);
 111   std::string key_id_base64 = EncodeBase64Url(key_id, key_id_length);
 112
 113   // Create the JWK, and wrap it into a JWK Set.
 114   scoped_ptr<base::DictionaryValue> jwk(new base::DictionaryValue());
 115   jwk->SetString(kKeyTypeTag, kKeyTypeOct);
 116   jwk->SetString(kAlgTag, kAlgA128KW);
 117   jwk->SetString(kKeyTag, key_base64);
 118   jwk->SetString(kKeyIdTag, key_id_base64);
 119   scoped_ptr<base::ListValue> list(new base::ListValue());
 120   list->Append(jwk.release());
 121   base::DictionaryValue jwk_set;
 122   jwk_set.Set(kKeysTag, list.release());
 123
 124   // Finally serialize |jwk_set| into a string and return it.
 125   std::string serialized_jwk;
 126   JSONStringValueSerializer serializer(&serialized_jwk);
 127   serializer.Serialize(jwk_set);
 128   return serialized_jwk;
 129 }
 130
 131 // Processes a JSON Web Key to extract the key id and key value. Sets |jwk_key|
 132 // to the id/value pair and returns true on success.
 133 static bool ConvertJwkToKeyPair(const base::DictionaryValue& jwk,
 134                                 KeyIdAndKeyPair* jwk_key) {
 135   std::string type;
 136   if (!jwk.GetString(kKeyTypeTag, &type) || type != kKeyTypeOct) {
 137     DVLOG(1) << "Missing or invalid '" << kKeyTypeTag << "': " << type;
 138     return false;
 139   }
 140
 141   std::string alg;
 142   if (!jwk.GetString(kAlgTag, &alg) || alg != kAlgA128KW) {
 143     DVLOG(1) << "Missing or invalid '" << kAlgTag << "': " << alg;
 144     return false;
 145   }
 146
 147   // Get the key id and actual key parameters.
 148   std::string encoded_key_id;
 149   std::string encoded_key;
 150   if (!jwk.GetString(kKeyIdTag, &encoded_key_id)) {
 151     DVLOG(1) << "Missing '" << kKeyIdTag << "' parameter";
 152     return false;
 153   }
 154   if (!jwk.GetString(kKeyTag, &encoded_key)) {
 155     DVLOG(1) << "Missing '" << kKeyTag << "' parameter";
 156     return false;
 157   }
 158
 159   // Key ID and key are base64-encoded strings, so decode them.
 160   std::string raw_key_id = DecodeBase64Url(encoded_key_id);
 161   if (raw_key_id.empty()) {
 162     DVLOG(1) << "Invalid '" << kKeyIdTag << "' value: " << encoded_key_id;
 163     return false;
 164   }
 165
 166   std::string raw_key = DecodeBase64Url(encoded_key);
 167   if (raw_key.empty()) {
 168     DVLOG(1) << "Invalid '" << kKeyTag << "' value: " << encoded_key;
 169     return false;
 170   }
 171
 172   // Add the decoded key ID and the decoded key to the list.
 173   *jwk_key = std::make_pair(raw_key_id, raw_key);
 174   return true;
 175 }
 176
 177 bool ExtractKeysFromJWKSet(const std::string& jwk_set,
 178                            KeyIdAndKeyPairs* keys,
 179                            MediaKeys::SessionType* session_type) {
 180   if (!base::IsStringASCII(jwk_set)) {
 181     DVLOG(1) << "Non ASCII JWK Set: " << jwk_set;
 182     return false;
 183   }
 184
 185   scoped_ptr<base::Value> root(base::JSONReader().ReadToValue(jwk_set));
 186   if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) {
 187     DVLOG(1) << "Not valid JSON: " << jwk_set << ", root: " << root.get();
 188     return false;
 189   }
 190
 191   // Locate the set from the dictionary.
 192   base::DictionaryValue* dictionary =
 193       static_cast<base::DictionaryValue*>(root.get());
 194   base::ListValue* list_val = NULL;
 195   if (!dictionary->GetList(kKeysTag, &list_val)) {
 196     DVLOG(1) << "Missing '" << kKeysTag
 197              << "' parameter or not a list in JWK Set";
 198     return false;
 199   }
 200
 201   // Create a local list of keys, so that |jwk_keys| only gets updated on
 202   // success.
 203   KeyIdAndKeyPairs local_keys;
 204   for (size_t i = 0; i < list_val->GetSize(); ++i) {
 205     base::DictionaryValue* jwk = NULL;
 206     if (!list_val->GetDictionary(i, &jwk)) {
 207       DVLOG(1) << "Unable to access '" << kKeysTag << "'[" << i
 208                << "] in JWK Set";
 209       return false;
 210     }
 211     KeyIdAndKeyPair key_pair;
 212     if (!ConvertJwkToKeyPair(*jwk, &key_pair)) {
 213       DVLOG(1) << "Error from '" << kKeysTag << "'[" << i << "]";
 214       return false;
 215     }
 216     local_keys.push_back(key_pair);
 217   }
 218
 219   // Successfully processed all JWKs in the set. Now check if "type" is
 220   // specified.
 221   base::Value* value = NULL;
 222   std::string session_type_id;
 223   if (!dictionary->Get(kTypeTag, &value)) {
 224     // Not specified, so use the default type.
 225     *session_type = MediaKeys::TEMPORARY_SESSION;
 226   } else if (!value->GetAsString(&session_type_id)) {
 227     DVLOG(1) << "Invalid '" << kTypeTag << "' value";
 228     return false;
 229   } else if (session_type_id == kTemporarySession) {
 230     *session_type = MediaKeys::TEMPORARY_SESSION;
 231   } else if (session_type_id == kPersistentLicenseSession) {
 232     *session_type = MediaKeys::PERSISTENT_LICENSE_SESSION;
 233   } else if (session_type_id == kPersistentReleaseMessageSession) {
 234     *session_type = MediaKeys::PERSISTENT_RELEASE_MESSAGE_SESSION;
 235   } else {
 236     DVLOG(1) << "Invalid '" << kTypeTag << "' value: " << session_type_id;
 237     return false;
 238   }
 239
 240   // All done.
 241   keys->swap(local_keys);
 242   return true;
 243 }
 244
 245 bool ExtractKeyIdsFromKeyIdsInitData(const std::string& input,
 246                                      KeyIdList* key_ids,
 247                                      std::string* error_message) {
 248   if (!base::IsStringASCII(input)) {
 249     error_message->assign("Non ASCII: ");
 250     error_message->append(ShortenTo64Characters(input));
 251     return false;
 252   }
 253
 254   scoped_ptr<base::Value> root(base::JSONReader().ReadToValue(input));
 255   if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) {
 256     error_message->assign("Not valid JSON: ");
 257     error_message->append(ShortenTo64Characters(input));
 258     return false;
 259   }
 260
 261   // Locate the set from the dictionary.
 262   base::DictionaryValue* dictionary =
 263       static_cast<base::DictionaryValue*>(root.get());
 264   base::ListValue* list_val = NULL;
 265   if (!dictionary->GetList(kKeyIdsTag, &list_val)) {
 266     error_message->assign("Missing '");
 267     error_message->append(kKeyIdsTag);
 268     error_message->append("' parameter or not a list");
 269     return false;
 270   }
 271
 272   // Create a local list of key ids, so that |key_ids| only gets updated on
 273   // success.
 274   KeyIdList local_key_ids;
 275   for (size_t i = 0; i < list_val->GetSize(); ++i) {
 276     std::string encoded_key_id;
 277     if (!list_val->GetString(i, &encoded_key_id)) {
 278       error_message->assign("'");
 279       error_message->append(kKeyIdsTag);
 280       error_message->append("'[");
 281       error_message->append(base::UintToString(i));
 282       error_message->append("] is not string.");
 283       return false;
 284     }
 285
 286     // Key ID is a base64-encoded string, so decode it.
 287     std::string raw_key_id = DecodeBase64Url(encoded_key_id);
 288     if (raw_key_id.empty()) {
 289       error_message->assign("'");
 290       error_message->append(kKeyIdsTag);
 291       error_message->append("'[");
 292       error_message->append(base::UintToString(i));
 293       error_message->append("] is not valid base64url encoded. Value: ");
 294       error_message->append(ShortenTo64Characters(encoded_key_id));
 295       return false;
 296     }
 297
 298     // Add the decoded key ID to the list.
 299     local_key_ids.push_back(std::vector<uint8>(
 300         raw_key_id.data(), raw_key_id.data() + raw_key_id.length()));
 301   }
 302
 303   // All done.
 304   key_ids->swap(local_key_ids);
 305   error_message->clear();
 306   return true;
 307 }
 308
 309 void CreateLicenseRequest(const KeyIdList& key_ids,
 310                           MediaKeys::SessionType session_type,
 311                           std::vector<uint8>* license) {
 312   // Create the license request.
 313   scoped_ptr<base::DictionaryValue> request(new base::DictionaryValue());
 314   scoped_ptr<base::ListValue> list(new base::ListValue());
 315   for (const auto& key_id : key_ids)
 316     list->AppendString(EncodeBase64Url(&key_id[0], key_id.size()));
 317   request->Set(kKeyIdsTag, list.release());
 318
 319   switch (session_type) {
 320     case MediaKeys::TEMPORARY_SESSION:
 321       request->SetString(kTypeTag, kTemporarySession);
 322       break;
 323     case MediaKeys::PERSISTENT_LICENSE_SESSION:
 324       request->SetString(kTypeTag, kPersistentLicenseSession);
 325       break;
 326     case MediaKeys::PERSISTENT_RELEASE_MESSAGE_SESSION:
 327       request->SetString(kTypeTag, kPersistentReleaseMessageSession);
 328       break;
 329   }
 330
 331   // Serialize the license request as a string.
 332   std::string json;
 333   JSONStringValueSerializer serializer(&json);
 334   serializer.Serialize(*request);
 335
 336   // Convert the serialized license request into std::vector and return it.
 337   std::vector<uint8> result(json.begin(), json.end());
 338   license->swap(result);
 339 }
 340
 341 bool ExtractFirstKeyIdFromLicenseRequest(const std::vector<uint8>& license,
 342                                          std::vector<uint8>* first_key) {
 343   const std::string license_as_str(
 344       reinterpret_cast<const char*>(!license.empty() ? &license[0] : NULL),
 345       license.size());
 346   if (!base::IsStringASCII(license_as_str)) {
 347     DVLOG(1) << "Non ASCII license: " << license_as_str;
 348     return false;
 349   }
 350
 351   scoped_ptr<base::Value> root(base::JSONReader().ReadToValue(license_as_str));
 352   if (!root.get() || root->GetType() != base::Value::TYPE_DICTIONARY) {
 353     DVLOG(1) << "Not valid JSON: " << license_as_str;
 354     return false;
 355   }
 356
 357   // Locate the set from the dictionary.
 358   base::DictionaryValue* dictionary =
 359       static_cast<base::DictionaryValue*>(root.get());
 360   base::ListValue* list_val = NULL;
 361   if (!dictionary->GetList(kKeyIdsTag, &list_val)) {
 362     DVLOG(1) << "Missing '" << kKeyIdsTag << "' parameter or not a list";
 363     return false;
 364   }
 365
 366   // Get the first key.
 367   if (list_val->GetSize() < 1) {
 368     DVLOG(1) << "Empty '" << kKeyIdsTag << "' list";
 369     return false;
 370   }
 371
 372   std::string encoded_key;
 373   if (!list_val->GetString(0, &encoded_key)) {
 374     DVLOG(1) << "First entry in '" << kKeyIdsTag << "' not a string";
 375     return false;
 376   }
 377
 378   std::string decoded_string = DecodeBase64Url(encoded_key);
 379   if (decoded_string.empty()) {
 380     DVLOG(1) << "Invalid '" << kKeyIdsTag << "' value: " << encoded_key;
 381     return false;
 382   }
 383
 384   std::vector<uint8> result(decoded_string.begin(), decoded_string.end());
 385   first_key->swap(result);
 386   return true;
 387 }
 388
 389 }  // namespace media