From d92d3a884df60544bd900bed1981d1c7de4fea2e Mon Sep 17 00:00:00 2001
From: Cong Lin <conglin@google.com>
Date: Mon, 9 Sep 2024 11:43:00 -0700
Subject: [PATCH] Add "bootCertificateChainSignature" to Drm plugin
 getPropertyByteArray()

This allows Widevine RKP HAL to query BCC signature via DRM interface
during BCC extraction for remote provisioning phase 3. The query returns
the "additional_signature" field from
OEMCrypto_GetBootCertificateChain().

Test: Manual BCC extraction on Pixel 9
Bug: 355160637
Change-Id: I1a310a80c0cfef82ee3697f06c1293d5c1c3896a
---
 .../cdm/core/include/wv_cdm_constants.h       |  2 ++
 libwvdrmengine/cdm/core/src/cdm_engine.cpp    | 20 +++++++++++++++++++
 .../cdm/test/request_license_test.cpp         |  6 ++++++
 libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp   | 12 +++++++++++
 libwvdrmengine/src/WVDrmFactory.cpp           |  2 ++
 5 files changed, 42 insertions(+)

diff --git a/libwvdrmengine/cdm/core/include/wv_cdm_constants.h b/libwvdrmengine/cdm/core/include/wv_cdm_constants.h
index c35236aa..8c73a4aa 100644
--- a/libwvdrmengine/cdm/core/include/wv_cdm_constants.h
+++ b/libwvdrmengine/cdm/core/include/wv_cdm_constants.h
@@ -124,6 +124,8 @@ static const std::string QUERY_KEY_PRODUCTION_READY = "ProductionReady";
 // Internal query key.  Should not be exposed to Android apps.
 static const std::string QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN =
     "DebugBootCertificateChain";
+static const std::string QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE =
+    "DebugBootCertificateChainSignature";
 static const std::string QUERY_KEY_DEVICE_INFORMATION = "DeviceInformation";
 
 static const std::string QUERY_VALUE_TRUE = "True";
diff --git a/libwvdrmengine/cdm/core/src/cdm_engine.cpp b/libwvdrmengine/cdm/core/src/cdm_engine.cpp
index d0e26d61..424e5755 100644
--- a/libwvdrmengine/cdm/core/src/cdm_engine.cpp
+++ b/libwvdrmengine/cdm/core/src/cdm_engine.cpp
@@ -903,6 +903,26 @@ CdmResponseType CdmEngine::QueryStatus(RequestedSecurityLevel security_level,
     LOGE("Failed to extract BCC: status = %d", status.ToInt());
     return status;
   }
+  if (query_token == QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE) {
+    std::string bcc_unused;
+    std::string signature;
+    const CdmResponseType status = crypto_session->GetBootCertificateChain(
+        security_level, &bcc_unused, &signature);
+    if (status == NO_ERROR) {
+      LOGV("BCC signature length: %zu", signature.size());
+      *query_response = std::move(signature);
+      return CdmResponseType(NO_ERROR);
+    }
+    if (status == NOT_IMPLEMENTED_ERROR ||
+        status == PROVISIONING_TYPE_IS_NOT_BOOT_CERTIFICATE_CHAIN_ERROR) {
+      LOGD("BCC signature not available: %s", status.ToString().c_str());
+      *query_response = QUERY_VALUE_NONE;
+      return CdmResponseType(NO_ERROR);
+    }
+    LOGE("Failed to extract BCC signature: status = %s",
+         status.ToString().c_str());
+    return status;
+  }
   if (query_token == QUERY_KEY_DEVICE_INFORMATION) {
     std::string device_info;
     const CdmResponseType status =
diff --git a/libwvdrmengine/cdm/test/request_license_test.cpp b/libwvdrmengine/cdm/test/request_license_test.cpp
index 6de975d1..b8048085 100644
--- a/libwvdrmengine/cdm/test/request_license_test.cpp
+++ b/libwvdrmengine/cdm/test/request_license_test.cpp
@@ -5388,6 +5388,12 @@ TEST_F(WvCdmRequestLicenseTest, QueryStatus) {
     // actual value.
     EXPECT_FALSE(value.empty()) << "BCC is empty";
     EXPECT_NE(value, wvcdm::QUERY_VALUE_NONE) << "BCC is none";
+    // BCC signature is optional. Do not validate the actual value.
+    EXPECT_EQ(
+        wvcdm::NO_ERROR,
+        decryptor_->QueryStatus(
+            kLevelDefault,
+            wvcdm::QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE, &value));
   } else {
     EXPECT_EQ(value, wvcdm::QUERY_VALUE_NONE);
   }
diff --git a/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp b/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
index 32d705e7..5ad1bc7b 100644
--- a/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
+++ b/libwvdrmengine/mediadrm/src/WVDrmPlugin.cpp
@@ -1296,6 +1296,18 @@ static WvStatus getDeviceSignedCsrPayload(
     } else {
       value = StrToVector(boot_certificate_chain);
     }
+  } else if (name == "bootCertificateChainSignature" && isCsrAccessAllowed()) {
+    std::string boot_certificate_chain_signature;
+    const CdmResponseType res = mCDM->QueryStatus(wvcdm::kLevelDefault,
+        wvcdm::QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE,
+        &boot_certificate_chain_signature);
+    if (res != wvcdm::NO_ERROR) {
+      ALOGE("Error querying CDM boot certificate chain signature: %d",
+            static_cast<int>(res));
+      status = mapCdmResponseType(res);
+    } else {
+      value = StrToVector(boot_certificate_chain_signature);
+    }
   } else if (name == "verifiedDeviceInfo" && isCsrAccessAllowed()) {
     std::string verified_device_info;
     CdmResponseType res = mCDM->QueryStatus(wvcdm::kLevelDefault,
diff --git a/libwvdrmengine/src/WVDrmFactory.cpp b/libwvdrmengine/src/WVDrmFactory.cpp
index b33c8442..17caffc2 100644
--- a/libwvdrmengine/src/WVDrmFactory.cpp
+++ b/libwvdrmengine/src/WVDrmFactory.cpp
@@ -346,6 +346,8 @@ void WVDrmFactory::printCdmProperties(int fd) {
       // Debug properties.  Not exposed to app.
       {"boot_certificate_chain",
        wvcdm::QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN},
+      {"boot_certificate_chain_signature",
+       wvcdm::QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE},
       {"device_information", wvcdm::QUERY_KEY_DEVICE_INFORMATION},
   };