Merges to android Pi release (part 2)

These are a set of CLs merged from the wv cdm repo to the android repo.

* Update service certificate.

  Author: Gene Morgan <gmorgan@google.com>

  [ Merge of http://go/wvgerrit/28065 ]

  The updated service certificate fixes a number of failing tests.
  There are still some that fail, apparently due to mismatches
  with key set IDs and usage tables.

  Also updated QA server URL to point to QA proxy (although neither
  can be used by this client).

  Also fixed segfault in CdmTest.ListUsageRecords.

* Add CDM APIs for Handling Service Certificates.

  Author: Gene Morgan <gmorgan@google.com>

  [ Merge of http://go/wvgerrit/28064 ]

  The responsibility for managing Service Certificates has been moved
  out of the CDM. Instead, provide CDM and CdmEngine methods to generate
  a service certificate request message, and handle a service certificate
  response. The API client can use these calls if it needs to get the
  service certificate from the License Server.

  These functions assume the request and response are base64 (web-safe)
  encoded (see b/37481392). Not all servers are operating this way yet.
  Any adaptations for non-compliant servers is handled outside the CDM.
  See test WvCdmEnginePreProvTest::ServiceCertificateRequestResponse in
  cdm_engine_test.cpp for an example of this.

  These changes also eliminate the stored init_data and deferred
  license type which were used to perform a service certificate request
  during a license request.

* Fix and rename ClosesSessionWithoutReturningError test.

  Author: Edwin Wong <edwinwong@google.com>

  [ Merge of http://go/wvgerrit/27880 ]

  ClosesSessionWithoutReturningError should not check for
  Status::OK since it is expecting an error code back.
  The test is renamed to ClosesSessionWithError.

  Test: libwvdrmdrmplugin_hidl_test

  BUG: 62205215

* Get rid of default service certificate.

  Author: Gene Morgan <gmorgan@google.com>

  [ Merge of http://go/wvgerrit/27981 ]

  Instead, we need at least two service certs - one for the QA/Test
  servers, and one for UAT (and prod?)

  There are still some issues around the signature verififcation
  of the service cert, and in license_unittest.cpp, the use
  of the default service cert has been commented out.  I don't know
  why this test needs a service cert.  If it really does, then the
  same mechanism that is used elsewhere for selecting a specific
  server type will be needed here.

BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
      commit in the chain.

Change-Id: Ieab815fb202c809ad5714cd0364c4bdfa068f77d

libwvdrmengine/cdm/core/include/cdm_engine.h

@@ -45,6 +45,20 @@ class CdmEngine {
   virtual CdmResponseType SetServiceCertificate(
       const std::string& certificate);
 
+  // Report whether the service certificate has been set.
+  virtual bool HasServiceCertificate();
+
+  // Generate and return a Service Certificate Request message.
+  // This message can be sent to the License Server to get a service
+  // certificate.
+  virtual bool GetServiceCertificateRequest(CdmKeyMessage* request);
+
+  // Parse the message returned by the License Server in response to a
+  // Service Certificate Request message. Return the service certificate
+  // from the parsed response.
+  virtual CdmResponseType ParseServiceCertificateResponse(
+      const std::string& response, std::string* certificate);
+
   // Session related methods
   virtual CdmResponseType OpenSession(
       const CdmKeySystem& key_system, CdmClientPropertySet* property_set,

libwvdrmengine/cdm/core/include/device_files.h

@@ -53,7 +53,9 @@ class DeviceFiles {
   virtual bool StoreCertificate(const std::string& certificate,
                                 const std::string& wrapped_private_key);
   virtual bool RetrieveCertificate(std::string* certificate,
-                                   std::string* wrapped_private_key);
+                                   std::string* wrapped_private_key,
+                                   std::string* serial_number,
+                                   uint32_t* system_id);
   virtual bool HasCertificate();
   virtual bool RemoveCertificate();
 
@@ -152,6 +154,11 @@ class DeviceFiles {
       std::vector<UsageEntryInfo>* usage_entry_info);
 
  private:
+  // Extract serial number and system ID from DRM Device certificate
+  bool ExtractDeviceInfo(const std::string& device_certificate,
+                         std::string* serial_number,
+                         uint32_t* system_id);
+
   // Helpers that wrap the File interface and automatically handle hashing, as
   // well as adding the device files base path to to the file name.
   bool StoreFileWithHash(const std::string& name,
@@ -175,7 +182,7 @@ class DeviceFiles {
 #if defined(UNIT_TEST)
   FRIEND_TEST(DeviceFilesSecurityLevelTest, SecurityLevel);
   FRIEND_TEST(DeviceCertificateStoreTest, StoreCertificate);
-  FRIEND_TEST(DeviceCertificateTest, ReadCertificate);
+  FRIEND_TEST(DeviceCertificateTest, DISABLED_ReadCertificate);
   FRIEND_TEST(DeviceCertificateTest, HasCertificate);
   FRIEND_TEST(DeviceFilesStoreTest, StoreLicense);
   FRIEND_TEST(DeviceFilesHlsAttributesTest, Delete);

libwvdrmengine/cdm/core/include/license.h

@@ -29,8 +29,8 @@ class CdmLicense {
 
   virtual bool Init(
       ServiceCertificate* service_certificate, const std::string& client_token,
-      CdmClientTokenType client_token_type, CryptoSession* session,
-      PolicyEngine* policy_engine);
+      CdmClientTokenType client_token_type, const std::string& device_id,
+      CryptoSession* session, PolicyEngine* policy_engine);
 
   virtual CdmResponseType PrepareKeyRequest(
       const InitializationData& init_data, CdmLicenseType license_type,
@@ -52,7 +52,6 @@ class CdmLicense {
       int64_t grace_period_end_time);
   virtual bool RestoreLicenseForRelease(const CdmKeyMessage& license_request,
                                         const CdmKeyResponse& license_response);
-  virtual bool HasInitData() { return stored_init_data_.get(); }
   virtual bool IsKeyLoaded(const KeyId& key_id);
 
   virtual std::string provider_session_token() {
@@ -89,8 +88,8 @@ class CdmLicense {
   std::string server_url_;
   std::string client_token_;
   CdmClientTokenType client_token_type_;
+  std::string device_id_;
   const CdmSessionId session_id_;
-  scoped_ptr<InitializationData> stored_init_data_;
   bool initialized_;
   std::set<KeyId> loaded_keys_;
   std::string provider_session_token_;

libwvdrmengine/cdm/core/include/service_certificate.h

@@ -11,13 +11,11 @@
 // Certificate Request to the target server to get one. Once the Service
 // Certificate is established for the session, it should not change.
 
-#include "license_protocol.pb.h"
-#include "wv_cdm_types.h"
+#include <memory>
 
-namespace video_widevine {
-class SignedMessage;
-class LicenseRequest;
-}  // namespace video_widevine
+#include "license_protocol.pb.h"
+#include "privacy_crypto.h"
+#include "wv_cdm_types.h"
 
 namespace wvcdm {
 
@@ -25,23 +23,16 @@ class CryptoSession;
 
 class ServiceCertificate {
  public:
-  ServiceCertificate() {}
+  ServiceCertificate() : has_certificate_(false) {}
   virtual ~ServiceCertificate() {}
 
   // Set up a new service certificate.
   // Accept a serialized video_widevine::SignedDrmDeviceCertificate message.
   virtual CdmResponseType Init(const std::string& signed_certificate);
 
-  // Initialize the service certificate.
-  // Set the certificate with no certificate and provider ID.
-  virtual void Clear();
-
-  // Current state of certificate.
-  // If !HasCertificate() and privacy mode is enabled, then should call
-  // PrepareRequest() and pass the request to the license server.
-  virtual bool HasCertificate() { return !certificate_.empty(); }
-  virtual bool HasProviderId() { return !provider_id_.empty(); }
-  virtual const std::string& provider_id() { return provider_id_; }
+  bool has_certificate() const { return has_certificate_; }
+  const std::string certificate() const { return certificate_; }
+  const std::string& provider_id() const { return provider_id_; }
 
   // Verify the signature for a message.
   virtual CdmResponseType VerifySignedMessage(const std::string& message,
@@ -58,29 +49,23 @@ class ServiceCertificate {
       const video_widevine::ClientIdentification* clear_client_id,
       video_widevine::EncryptedClientIdentification* encrypted_client_id);
 
-  // Construct service certificate request.
-  virtual bool PrepareRequest(CdmKeyMessage* signed_request);
-
-  // Parse service certificate response and make it usable.
-  virtual CdmResponseType HandleResponse(
-      const std::string& signed_respnse);
-
  private:
-  // Verify the signature on the signed service certificate.
-  // Extract and save the certificate and provider_id.
-  // Expected format: serialized video_widevine::SignedDrmDeviceCertificate.
-  virtual CdmResponseType VerifyAndExtract(
-      const std::string& raw_certificate);
 
-  // True while waiting for response to service certificate request.
-  bool fetch_in_progress_;
+  // Track whether object holds valid certificate
+  bool has_certificate_;
 
   // Certificate, verified and extracted from signed message.
   std::string certificate_;
 
+  // Certificate serial number.
+  std::string serial_number_;
+
   // Provider ID, extracted from certificate message.
   std::string provider_id_;
 
+  // Public key.
+  std::unique_ptr<RsaPublicKey> public_key_;
+
   CORE_DISALLOW_COPY_AND_ASSIGN(ServiceCertificate);
 };
 

libwvdrmengine/cdm/core/include/wv_cdm_types.h

@@ -179,9 +179,10 @@ enum CdmResponseType {
   UNPROVISION_ERROR_4,
   UNSUPPORTED_INIT_DATA,
   USAGE_INFO_NOT_FOUND,
-  LICENSE_RENEWAL_SERVICE_CERTIFICATE_GENERATION_ERROR, /* 140 */
+  UNUSED_8, /* 140 */
+  /* UNUSED_8 previously LICENSE_RENEWAL_SERVICE_CERTIFICATE_GENERATION_ERROR */
   PARSE_SERVICE_CERTIFICATE_ERROR,
-  SERVICE_CERTIFICATE_TYPE_ERROR,
+  UNUSED_10, /* previously SERVICE_CERTIFICATE_TYPE_ERROR */
   CLIENT_ID_GENERATE_RANDOM_ERROR,
   CLIENT_ID_AES_INIT_ERROR,
   CLIENT_ID_AES_ENCRYPT_ERROR, /* 145 */
@@ -196,7 +197,8 @@ enum CdmResponseType {
   UNUSED_2,  /* previously INVALID_PARAMETERS_LIC_5 */
   INVALID_PARAMETERS_LIC_6,
   INVALID_PARAMETERS_LIC_7, /* 155 */
-  LICENSE_REQUEST_SERVICE_CERTIFICATE_GENERATION_ERROR,
+  UNUSED_9,
+  /* UNUSED_9 previously LICENSE_REQUEST_SERVICE_CERTIFICATE_GENERATION_ERROR */
   CENC_INIT_DATA_UNAVAILABLE,
   PREPARE_CENC_CONTENT_ID_FAILED,
   WEBM_INIT_DATA_UNAVAILABLE,
@@ -303,6 +305,15 @@ enum CdmResponseType {
   DELETE_USAGE_ERROR_1, /* 260 */
   DELETE_USAGE_ERROR_2,
   DELETE_USAGE_ERROR_3,
+  PRIVACY_MODE_ERROR_1,
+  PRIVACY_MODE_ERROR_2,
+  PRIVACY_MODE_ERROR_3, /* 265 */
+  EMPTY_RESPONSE_ERROR_1,
+  INVALID_PARAMETERS_ENG_24,
+  PARSE_RESPONSE_ERROR_1,
+  PARSE_RESPONSE_ERROR_2,
+  PARSE_RESPONSE_ERROR_3, /* 270 */
+  PARSE_RESPONSE_ERROR_4,
 };
 
 enum CdmKeyStatus {
@@ -322,9 +333,6 @@ enum CdmLicenseType {
   kLicenseTypeOffline,
   kLicenseTypeStreaming,
   kLicenseTypeRelease,
-  // If the original request was saved to make a service certificate request,
-  // use Deferred for the license type in the subsequent request.
-  kLicenseTypeDeferred,
   // Like Streaming, but stricter.  Does not permit storage of any kind.
   // Named after the 'temporary' session type in EME, which has this behavior.
   kLicenseTypeTemporary,