Updated to SecApi version 2.3.2.25

.gitignore

@@ -8,3 +8,4 @@ config.status
 configure
 Makefile
 Makefile.in
+.idea

CMakeLists.txt

@@ -0,0 +1,107 @@
+# If not stated otherwise in this file or this component's Licenses.txt file the
+# following copyright and licenses apply:
+#
+# Copyright 2022 RDK Management
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+cmake_minimum_required(VERSION 3.16)
+project(sec_api C CXX)
+
+set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
+set(CMAKE_C_STANDARD 99)
+set(CMAKE_CXX_STANDARD 11)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+# Set OPENSSL_ROOT_DIR if not found
+find_package(OpenSSL REQUIRED)
+# Set YAJL_ROOT if not found
+find_package(YAJL REQUIRED)
+
+enable_testing()
+
+include_directories(
+        ${OPENSSL_INCLUDE_DIR}
+        ${YAJL_INCLUDE_DIR}
+        src/headers
+        src
+)
+
+add_compile_options(-DSEC_TARGET_LOCAL
+        -Wall
+        -Werror
+        -Wfatal-errors
+        -Wno-unused-result
+        -Wno-unused-but-set-variable
+        -Wno-unused-value
+        -fPIC
+        -fdata-sections
+        -ffunction-sections
+        -pthread
+        -Os
+        -DSEC_PLATFORM_OPENSSL
+        -DYAJL_V2)
+
+add_library(sec_api STATIC
+        src/headers/sec_security.h
+        src/headers/sec_security_comcastids.h
+        src/headers/sec_security_common.h
+        src/headers/sec_security_datatype.h
+        src/outprot.cpp
+        src/outprot.h
+        src/outprot_mock.cpp
+        src/sec_pubops.h
+        src/sec_pubops_openssl.c
+        src/sec_security_asn1kc.c
+        src/sec_security_asn1kc.h
+        src/sec_security_buffer.c
+        src/sec_security_common.c
+        src/sec_security_endian.c
+        src/sec_security_engine.c
+        src/sec_security_json.h
+        src/sec_security_json_yajl.c
+        src/sec_security_jtype.c
+        src/sec_security_jtype.h
+        src/sec_security_logger.c
+        src/sec_security_mutex.c
+        src/sec_security_mutex.h
+        src/sec_security_openssl.c
+        src/sec_security_openssl.h
+        src/sec_security_outprot.c
+        src/sec_security_outprot.h
+        src/sec_security_shm.c
+        src/sec_security_shm.h
+        src/sec_security_store.c
+        src/sec_security_store.h
+        src/sec_security_strptime.c
+        src/sec_security_utils.c
+        src/sec_security_utils.h
+        src/sec_security_utils_b64.c
+        src/sec_security_utils_time.c
+        src/sec_version.h
+        )
+
+target_link_libraries(sec_api
+        PRIVATE
+        ${OPENSSL_CRYPTO_LIBRARY}
+        )
+
+# 'make install' to the correct locations (provided by GNUInstallDirs).
+install(TARGETS sec_api
+        ARCHIVE DESTINATION lib
+        LIBRARY DESTINATION lib
+        RUNTIME DESTINATION bin
+        )
+
+install(DIRECTORY headers/ DESTINATION include)

NOTICE

@@ -1,2 +1,8 @@
-Copyright 2019 RDK Management
-Licensed under the Apache License, Version 2.0
+This component contains software that is Copyright (c) 2019 RDK Management.
+The component is licensed to you under the Apache License, Version 2.0 (the "License").
+You may not use the component except in compliance with the License.
+
+The component may include material which is licensed under other licenses / copyrights as
+listed below. Your use of this material within the component is also subject to the terms and
+conditions of these licenses. The LICENSE file contains the text of all the licenses which apply
+within this component.

README.md

@@ -0,0 +1,54 @@
+# RDKCryptoAPI
+
+## Summary
+
+RDKCryptoAPI contains cryptographic APIs used in the RDK Software Stack and an OpenSSL reference implementation.
+
+## Building
+
+### Generate Build Files
+
+To build RDKCryptoAPI, first run cmake to generate build files.
+
+The build assumes that the following packages have already been installed:
+YAJL - include -DYAJL_ROOT=<directory> if not found
+OPENSSL - include -DOPENSSL_ROOT_DIR=<directory> if not found
+Add -DCMAKE_INSTALL_PREFIX=<directory> to install to a non-standard install directory.
+
+```
+cmake -S . -B cmake-build
+```
+
+### Build
+
+To build RDKCryptoAPI, run a cmake build
+
+```
+cmake --build cmake-build
+```
+
+This creates a library, libsec_api.(so/dll/dylib) containing the RDKCryptoAPI code (the extension .so/.dll/.dylib
+created depends on which platform you are building on). It also creates a test application, sec_api_test, to
+test the library.
+
+Run unit test suite
+
+```
+cmake-build/sec_api_test
+```
+
+### Install
+
+To install RDKCryptoAPI, run a cmake install
+
+```
+cmake --install cmake-build
+```
+
+This copies the include files, the library, libsec_api.(so/dll/dylib) containing the RDKCryptoAPI reference code (the
+extension .so/.dll/.dylib created depends on which platform you are building on), and the test application,
+sec_api_test, to their appropriate locations on the system.
+
+## Dependencies
+
+RDKCryptoAPI depends on OpenSSL 1.0.2 or 1.1.1 and YAJL version 1 or 2.

cmake/FindYAJL.cmake

@@ -0,0 +1,36 @@
+#
+# Copyright 2020-2022 Comcast Cable Communications Management, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Find libyajl
+
+FIND_PATH(YAJL_INCLUDE_DIR yajl/yajl_common.h)
+
+SET(YAJL_NAMES ${YAJL_NAMES} yajl libyajl)
+FIND_LIBRARY(YAJL_LIBRARY NAMES ${YAJL_NAMES} PATH)
+
+IF(YAJL_INCLUDE_DIR AND YAJL_LIBRARY)
+    SET(YAJL_FOUND TRUE)
+ENDIF(YAJL_INCLUDE_DIR AND YAJL_LIBRARY)
+
+IF(YAJL_FOUND)
+    IF(NOT Yajl_FIND_QUIETLY)
+        MESSAGE(STATUS "Found Yajl: ${YAJL_LIBRARY}")
+    ENDIF (NOT Yajl_FIND_QUIETLY)
+ELSE(YAJL_FOUND)
+    IF(Yajl_FIND_REQUIRED)
+        MESSAGE(FATAL_ERROR "Could not find yajl")
+    ENDIF(Yajl_FIND_REQUIRED)
+ENDIF(YAJL_FOUND)

src/headers/sec_security_comcastids.h

@@ -98,6 +98,7 @@ extern "C"
 
 #define SEC_OBJECTID_PLAYREADY_MODELCERT 0x0631000006310001ULL
 #define SEC_OBJECTID_PLAYREADY_MODELKEY 0x0331000003310001ULL
+#define SEC_OBJECTID_PLAYREADY_3K_MODELKEY 0x0331000003310003ULL
 
 #define SEC_OBJECTID_WV_KEY 0x0351000003510001ULL
 #define SEC_OBJECTID_WV_CERTBUNDLE 0x0651000006510001ULL

src/sec_pubops_openssl.c

@@ -414,6 +414,11 @@ Sec_Result _Pubops_VerifyWithPubRsa(Sec_RSARawPublicKey *pub_key, Sec_SignatureA
 Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureAlgorithm alg, SEC_BYTE *digest, SEC_SIZE digest_len, SEC_BYTE *sig, SEC_SIZE sig_len) {
 	EC_KEY *ec_key = _SecUtils_ECCFromPubBinary(pub_key);
 	Sec_Result res = SEC_RESULT_FAILURE;
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    ECDSA_SIG* esig = NULL;
+    BIGNUM* esigr = NULL;
+    BIGNUM* esigs = NULL;
+#endif
 
 	if (NULL == ec_key)
 	{
@@ -426,6 +431,37 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA
 		goto done;
 	}
 
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    esig = ECDSA_SIG_new();
+    if (esig == NULL) {
+        SEC_LOG_ERROR("ECDSA_SIG_new failed");
+        goto done;
+    }
+
+    esigr = BN_new();
+    if (esigr == NULL) {
+        SEC_LOG_ERROR("BN_new failed");
+        goto done;
+    }
+
+    esigs = BN_new();
+    if (esigs == NULL) {
+        SEC_LOG_ERROR("BN_new failed");
+        goto done;
+    }
+
+    BN_bin2bn(&sig[0], SEC_ECC_NISTP256_KEY_LEN, esigr);
+    BN_bin2bn(&sig[SEC_ECC_NISTP256_KEY_LEN], SEC_ECC_NISTP256_KEY_LEN, esigs);
+
+    if (!ECDSA_SIG_set0(esig, esigr, esigs)) {
+        SEC_LOG_ERROR("ECDSA_SIG_set0 failed");
+        goto done;
+    }
+    esigr = NULL;
+    esigs = NULL;
+
+    int openssl_res = ECDSA_do_verify(digest, digest_len, esig, ec_key);
+#else
     ECDSA_SIG esig;
     esig.r = BN_new();
     esig.s = BN_new();
@@ -435,6 +471,7 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA
     int openssl_res = ECDSA_do_verify(digest, digest_len, &esig, ec_key);
     BN_free(esig.r);
     BN_free(esig.s);
+#endif
 
     if (1 != openssl_res)
     {
@@ -450,6 +487,11 @@ Sec_Result _Pubops_VerifyWithPubEcc(Sec_ECCRawPublicKey *pub_key, Sec_SignatureA
 	res = SEC_RESULT_SUCCESS;
 
 done:
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    BN_free(esigr);
+    BN_free(esigs);
+    ECDSA_SIG_free(esig);
+#endif
     SEC_ECC_FREE(ec_key);
 
     return res;
@@ -636,8 +678,16 @@ Sec_Result _Pubops_ExtractRSAPubFromX509Der(SEC_BYTE *cert, SEC_SIZE cert_len, S
     }
 
     Sec_Uint32ToBEBytes(RSA_size(rsa), pub->modulus_len_be);
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    const BIGNUM* n;
+    const BIGNUM* e;
+    RSA_get0_key(rsa, &n, &e, NULL);
+    _SecUtils_BigNumToBuffer(n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be));
+    _SecUtils_BigNumToBuffer(e, pub->e, 4);
+#else
     _SecUtils_BigNumToBuffer(rsa->n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be));
     _SecUtils_BigNumToBuffer(rsa->e, pub->e, 4);
+#endif
 
     res = SEC_RESULT_SUCCESS;
 done:
@@ -814,8 +864,16 @@ Sec_Result _Pubops_ExtractRSAPubFromPUBKEYDer(SEC_BYTE *cert, SEC_SIZE cert_len,
 	}
 
     Sec_Uint32ToBEBytes(RSA_size(rsa), pub->modulus_len_be);
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+    const BIGNUM* n;
+    const BIGNUM* e;
+    RSA_get0_key(rsa, &n, &e, NULL);
+    _SecUtils_BigNumToBuffer(n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be));
+    _SecUtils_BigNumToBuffer(e, pub->e, 4);
+#else
     _SecUtils_BigNumToBuffer(rsa->n, pub->n, Sec_BEBytesToUint32(pub->modulus_len_be));
     _SecUtils_BigNumToBuffer(rsa->e, pub->e, 4);
+#endif
 
     res = SEC_RESULT_SUCCESS;
 
@@ -886,7 +944,7 @@ Sec_Result _Pubops_Random(SEC_BYTE* out, SEC_SIZE out_len) {
 }
 
 Sec_Result _Pubops_RandomPrng(SEC_BYTE* out, SEC_SIZE out_len) {
-	if (1 != RAND_pseudo_bytes(out, out_len)) {
+	if (1 != RAND_bytes(out, out_len)) {
 		SEC_LOG_ERROR();
 		return SEC_RESULT_FAILURE;
 	}