Correct stability issues for SPOIDs for provisioning 4.0

[ Merge of http://go/wvgerrit/183472 ] For provisioning 4.0 devices, the DRM certificate serial number was changing on a reprovisioning attempt or factory reset. The app parameters sent up in the client identification name-value pair field were being filtered out in provisioning requests. This has been corrected for provisioning 4.0 stage 2 (DRM certificate request). There is no need to include them for stage 1 (OEM certificate request). The test case WvCdmRequestLicenseTest.ProvisioningSpoidTest was created earlier to ensure that SPOIDs and DRM certificates are stable. Unfortunately due to another bug b/250099615, the RKP service was holding a connection to the Widevine TA for provisioning 4.0 devices. When native tests ran as their own process, L1 would fail to load due to a connection failure and the test would run as L3. The tests passed for provisioning 4.0 devices Pixel 7 and 8 when they should have failed. This gave us a false sense of confidence that the SPOIDs were stable. For now a workaround is to run a shell command to kill the widevine TA before running native tests. $ adb shell pkill -f -9 widevine New tests have been introduced to provide integration coverage WVPluginTest at the WV plugin level and CoreIntegrationTest for core. GTS tests are also being written in b/295538002. Bug: 294451432 Bug: 293950895 Test: WVPluginTest.ProvisioningStableSpoidTestL1, WVTS tests Change-Id: Ib9ace4387866ea38bb1840feb69cea78d2d2c09c
2023-08-24 02:00:56 -07:00
parent be8b64a4e6
commit 2f83cd0e49
11 changed files with 669 additions and 24 deletions
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -150,7 +150,12 @@ CdmResponseType CertificateProvisioning::SetSpoidParameter(
      return status;
    }
    request->set_stable_id(device_unique_id + origin);
-  }  // No else clause, by design. It is valid to do nothing.
+  } else {
+    // It is valid to do nothing for legacy devices. For most recently
+    // launched devices this is an error. For now, we will log
+    // but not return an error.
+    LOGE("No spoid/provider id/stable id set");
+  }
  return CdmResponseType(NO_ERROR);
 }

@@ -378,9 +383,8 @@ CdmResponseType CertificateProvisioning::GetProvisioning40RequestInternal(

    // Since |stored_oem_cert| is empty, the client identification token will be
    // retrieved from OEMCrypto, which is the BCC in this case.
-    status = FillEncryptedClientIdWithAdditionalParameter(
-        stored_oem_cert, additional_parameter, provisioning_request,
-        wv_service_cert);
+    status = FillEncryptedClientId(stored_oem_cert, provisioning_request,
+                                   wv_service_cert);
    if (status != NO_ERROR) return status;
  } else {
    // This is the second stage provisioning.
--- a/libwvdrmengine/cdm/core/src/client_identification.cpp
+++ b/libwvdrmengine/cdm/core/src/client_identification.cpp
@@ -150,7 +150,8 @@ CdmResponseType ClientIdentification::Prepare(
  }

  ClientIdentification_NameValue* client_info;
-  if (is_license_request_) {
+  // Include app parameters for license and provisioning requests
+  if (!is_okp_request_) {
    CdmAppParameterMap::const_iterator iter;
    for (iter = app_parameters.begin(); iter != app_parameters.end(); ++iter) {
      if (IsPropertyKeyReserved(iter->first)) {