Detect when unable to meet policy requirements

[ Merge of http://go/wvgerrit/25781 ]

The security level (software/hardware, decryption/decode)
in the policy that specified how the key was to be used was
not being respected for L3. Playback would either continue or
a vendor specific error would be thrown.

If the device cannot use the key as permitted by the policy
CryptoException#ERROR_INSUFFICIENT_OUTPUT_PROTECTION will be thrown.

Test: Verified by WV unit+integration tests.
      Verified by WidevineDashPolicyTests
      Verified by WidevineDashPolicyTests#testL3SoftwareSecureDecoderRequired,
      testL3HardwareSecureCryptoRequired, testL3HardwareSecureDecodeRequired,
      testL3SecureVideoPathRequired.

b/31913737
b/31913439

Change-Id: Ibfc7f3dd6fc7264e8cf9b0d33f6f8d619eed6c00

libwvdrmengine/cdm/core/src/policy_engine.cpp

@@ -283,6 +283,32 @@ CdmResponseType PolicyEngine::QueryKeyAllowedUsage(
   return KEY_NOT_FOUND_1;
 }
 
+bool PolicyEngine::CanUseKey(
+    const KeyId& key_id,
+    CdmSecurityLevel security_level) {
+
+  if (security_level == kSecurityLevelL1) return true;
+
+  CdmKeyAllowedUsage key_usage;
+  CdmResponseType status = QueryKeyAllowedUsage(key_id, &key_usage);
+
+  if (status != NO_ERROR) return false;
+
+  // L1 has already been addressed so verify that L2/3 are allowed
+  switch (key_usage.key_security_level_) {
+    case kKeySecurityLevelUnset:
+      return true;
+    case kSoftwareSecureCrypto:
+      return security_level == kSecurityLevelL2 ||
+          security_level == kSecurityLevelL3;
+    case kSoftwareSecureDecode:
+    case kHardwareSecureCrypto:
+      return security_level == kSecurityLevelL2;
+    default:
+      return false;
+  }
+}
+
 bool PolicyEngine::GetSecondsSinceStarted(int64_t* seconds_since_started) {
   if (playback_start_time_ == 0) return false;