Added an OTA keybox provisioner.

[ Merge of http://go/wvgerrit/133729 ]
[ Cherry pick of http://ag/15836224 ]

The OtaKeyboxProvisioner is a system-wide provisioner for sharing the
provisioning workflow between CDM engines.

Bug: 189232882
Test: GtsMediaTestCases
Change-Id: I873af3087cc05e1831bdd1d2c14fb002b73e6902

Added keybox provisioning proto fields.

[ Merge of http://go/wvgerrit/133730 and http://go/ag/15113032 ]

This CL copies over the required license_protocol.proto changes that
are required for OTA keybox provisioning.  These fields are defined in
the server-side certificate_provisioning.proto, defined in
http://cl/377533774.

Note, changes are slightly different from server proto due to the RVC
version of license_protocol.proto being out of date with SC and newer
changes.

Bug: 189232882
Test: run_x86_64_tests
Change-Id: I55fcf6a7ac2ba4b6026b9acc63e822ff33c431d9

Added OTA keybox provisioning device files.

[ Merge of http://go/wvgerrit/133743 and http://go/ag/15421141 ]

This change adds a new set of proto messages/fields the CDM's device
files for recording device and engine information around OTA keybox
provisioning (OKP).

To make cleanup and thread protection possible, there is a single file
which will contain all the information for the device as a whole and
each CDM engine tied to an app/origin.

Bug: 189232882
Test: Linux unit tests
Change-Id: Iaf80cd6342f32657e04416750d9b278d935821a5

Client ID for OKP requests.

[ Merge of http://go/wvgerrit/133744 and http://go/ag/15645331 ]

Extended the CDM ClientIdentification class to support a subset of
client info used for OKP requests.

Bug: 189232882
Test: Android unit tests
Change-Id: I6aafb4f2164efe69bc733ece0a912f0e91893b91

libwvdrmengine/cdm/core/src/certificate_provisioning.cpp

@@ -118,6 +118,16 @@ using video_widevine::SignedProvisioningMessage;
 using video_widevine::
     SignedProvisioningMessage_ProvisioningProtocolVersion_VERSION_1_1;
 
+// static
+void CertificateProvisioning::GetProvisioningServerUrl(
+    std::string* default_url) {
+  if (default_url == nullptr) {
+    LOGE("Output |default_url| is null");
+    return;
+  }
+  default_url->assign(kProvisioningServerUrl);
+}
+
 CdmResponseType CertificateProvisioning::Init(
     const std::string& service_certificate) {
   std::string certificate = service_certificate.empty()
@@ -221,7 +231,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequestInternal(
   ProvisioningRequest provisioning_request;
 
   wvcdm::ClientIdentification id;
-  status = id.Init(crypto_session_.get());
+  status = id.InitForProvisioning(crypto_session_.get());
   if (status != NO_ERROR) return status;
 
   video_widevine::ClientIdentification client_id;

libwvdrmengine/cdm/core/src/client_identification.cpp

@@ -66,35 +66,44 @@ using video_widevine::ProvisioningRequest;
 using video_widevine::ProvisioningResponse;
 using video_widevine::SignedProvisioningMessage;
 
-CdmResponseType ClientIdentification::Init(CryptoSession* crypto_session) {
+CdmResponseType ClientIdentification::InitForProvisioning(
+    CryptoSession* crypto_session) {
   if (crypto_session == nullptr) {
     LOGE("Crypto session not provided");
     return PARAMETER_NULL;
   }
-
   is_license_request_ = false;
   crypto_session_ = crypto_session;
   return NO_ERROR;
 }
 
-CdmResponseType ClientIdentification::Init(const std::string& client_token,
-                                           CryptoSession* crypto_session) {
+CdmResponseType ClientIdentification::InitForLicenseRequest(
+    const std::string& client_token, CryptoSession* crypto_session) {
   if (crypto_session == nullptr) {
     LOGE("Crypto session not provided");
     return PARAMETER_NULL;
   }
-
   if (client_token.empty()) {
     LOGE("Client token is empty");
     return PARAMETER_NULL;
   }
-
   is_license_request_ = true;
   client_token_ = client_token;
   crypto_session_ = crypto_session;
   return NO_ERROR;
 }
 
+CdmResponseType ClientIdentification::InitForOtaKeyboxProvisioning(
+    CryptoSession* crypto_session) {
+  if (crypto_session == nullptr) {
+    LOGE("Crypto session not provided");
+    return PARAMETER_NULL;
+  }
+  is_okp_request_ = true;
+  crypto_session_ = crypto_session;
+  return NO_ERROR;
+}
+
 /*
  * Return the ClientIdentification message token type for provisioning request.
  * NOTE: a DRM Cert should never be presented to the provisioning server.
@@ -107,7 +116,7 @@ CdmResponseType ClientIdentification::Prepare(
     client_id->set_type(
         video_widevine::ClientIdentification::DRM_DEVICE_CERTIFICATE);
     client_id->set_token(client_token_);
-  } else {
+  } else if (!is_okp_request_) {
     video_widevine::ClientIdentification::TokenType token_type;
     if (!GetProvisioningTokenType(&token_type)) {
       LOGE("Failed to get provisioning token type");
@@ -189,6 +198,11 @@ CdmResponseType ClientIdentification::Prepare(
     client_id->set_provider_client_token(provider_client_token);
   }
 
+  if (is_okp_request_) {
+    // Capabilities is not important for OTA keybox provisionining.
+    return NO_ERROR;
+  }
+
   ClientCapabilities* client_capabilities =
       client_id->mutable_client_capabilities();
 

libwvdrmengine/cdm/core/src/crypto_session.cpp

@@ -20,6 +20,7 @@
 #include "crypto_key.h"
 #include "entitlement_key_session.h"
 #include "log.h"
+#include "ota_keybox_provisioner.h"
 #include "platform.h"
 #include "privacy_crypto.h"
 #include "properties.h"
@@ -178,6 +179,7 @@ std::unique_ptr<UsageTableHeader> CryptoSession::usage_table_header_l1_;
 std::unique_ptr<UsageTableHeader> CryptoSession::usage_table_header_l3_;
 std::recursive_mutex CryptoSession::usage_table_mutex_;
 std::atomic<uint64_t> CryptoSession::request_id_index_source_(0);
+std::unique_ptr<OtaKeyboxProvisioner> CryptoSession::ota_keybox_provisioner_l1_;
 
 size_t GetOffset(std::string message, std::string field) {
   size_t pos = message.find(field);
@@ -360,8 +362,15 @@ void CryptoSession::Init() {
     LOGD("OEMCrypto version (L3 security level): %s.%s", api_version.c_str(),
          api_minor_version.c_str());
     if (needs_keybox_provisioning_) {
-      LOGE("OEMCrypto needs provisioning");
-      // TODO(fredgc,sigquit,rfrias): handle provisioning.
+      WithStaticFieldWriteLock("OtaKeyboxProvisioner", [&] {
+        if (!ota_keybox_provisioner_l1_) {
+          LOGD("OEMCrypto needs keybox provisioning");
+          // Only create once.  Possible that OEMCrypto is initialized
+          // and terminated many times over the life cycle of the OTA
+          // keybox provisioning process.
+          ota_keybox_provisioner_l1_ = OtaKeyboxProvisioner::Create();
+        }
+      });
     }
   }
 }
@@ -3011,11 +3020,20 @@ OEMCryptoResult CryptoSession::LegacyDecryptInChunks(
     remaining_input_data -= chunk_size;
     AdvanceDestBuffer(&fake_sample.buffers.output_descriptor, chunk_size);
   }
-
   return sts;
 }
 
-// TODO(sigquit): include rest of http://go/wvgerrit/126004
+OtaKeyboxProvisioner* CryptoSession::GetOtaKeyboxProvisioner() {
+  const auto getter = [&]() -> OtaKeyboxProvisioner* {
+    // If not set, then OTA keybox provisioning is not supported or
+    // not needed.
+    if (!ota_keybox_provisioner_l1_) return nullptr;
+    // May have already been initialized.
+    if (ota_keybox_provisioner_l1_->IsProvisioned()) return nullptr;
+    return ota_keybox_provisioner_l1_.get();
+  };
+  return WithStaticFieldReadLock("GetOtaKeyboxProvisioner", getter);
+}
 
 CdmResponseType CryptoSession::PrepareOtaProvisioningRequest(
     bool use_test_key, std::string* request) {
@@ -3026,17 +3044,25 @@ CdmResponseType CryptoSession::PrepareOtaProvisioningRequest(
   if (status != OEMCrypto_ERROR_SHORT_BUFFER)
     return MapOEMCryptoResult(status, UNKNOWN_ERROR,
                               "PrepareOtaProvisioningRequest");
-  std::string temp_buffer(buffer_length, '\0');
-  uint8_t* buf = reinterpret_cast<uint8_t*>(&temp_buffer[0]);
+  if (buffer_length == 0) {
+    LOGE("OTA request size is zero");
+    return UNKNOWN_ERROR;
+  }
+  request->resize(buffer_length);
+  uint8_t* buf = reinterpret_cast<uint8_t*>(&request->front());
   status = OEMCrypto_GenerateOTARequest(buf, &buffer_length, use_test_key);
-  if (OEMCrypto_SUCCESS == status) request->assign(temp_buffer);
+  if (OEMCrypto_SUCCESS != status) {
+    request->clear();
+  } else if (buffer_length != request->size()) {
+    request->resize(buffer_length);
+  }
   return MapOEMCryptoResult(status, UNKNOWN_ERROR,
                             "PrepareOtaProvisioningRequest");
 }
 
 CdmResponseType CryptoSession::LoadOtaProvisioning(
     bool use_test_key, const std::string& response) {
-  OEMCryptoResult status = OEMCrypto_ProcessOTAKeybox(
+  const OEMCryptoResult status = OEMCrypto_ProcessOTAKeybox(
       reinterpret_cast<const uint8_t*>(response.data()), response.size(),
       use_test_key);
   return MapOEMCryptoResult(status, UNKNOWN_ERROR, "LoadOtaProvisioning");

libwvdrmengine/cdm/core/src/device_files.proto

@@ -125,6 +125,71 @@ message UsageTableInfo {
   optional bool use_lru = 3 [default = false];
 }
 
+// Stores information related to a device's experience with OTA Keybox
+// Provisioning (OKP).  Only devices which both support OKP and require
+// OKP should create this file.  Otherwise, this information is not
+// needed.
+message OtaKeyboxProvisioningInfo {
+  // Engine-specific information about OKP.
+  message OkpEngineInfo {
+    // Engine identifier.
+    optional bytes app_id = 1;
+    optional bytes origin = 2;
+    reserved 3 to 5;  // Reserved for future engine composite keys.
+    // Counters for engine-specific OKP events.
+    // These counters are reset after a certain amount of time
+    // (OKP period) since the last event.
+    // Number of calls to openSession() where it is recommended
+    // to the app to try keybox provisioning.
+    optional uint32 try_okp_counter = 6;
+    // Number of calls to getProvisionRequest().
+    optional uint32 generate_request_counter = 7;
+    // Number of failed calls to provideProvisionRequest().
+    optional uint32 failed_response_counter = 8;
+
+    // The value of |last_event_time| and |backoff_start_time| are set
+    // using the system's wall-clock in epoch seconds.  A value of
+    // zero indicates it's not set.
+
+    // Time of the last engine OKP event (change of the above counters;
+    // the beginning of the current OKP period).
+    // Zero indicates no event has yet occurred.
+    optional int64 last_event_time = 9;
+    // Beginning of an app/origin backoff period.
+    // Zero indicates that engine is not in a backoff state.
+    optional int64 backoff_start_time = 10;
+    // Intended length of “backoff period”.  This will be assigned a
+    // random duration initially, then double each time an engine
+    // enters a backoff state.  This is base on Google's recommended
+    // exponential backoff rules.
+    // Value of 0 indicates that backoff has not yet occurred.
+    optional int64 backoff_duration = 11;
+  }
+
+  enum OkpDeviceState {
+    // Not yet checked for provisioning state.  This should be a
+    // transitory state only.  Device which do not need OTA Keybox
+    // Provisioning should simply not store this file.
+    OKP_UNKNOWN = 0;
+    // OEMCrypto has reported that keybox provisioning is required and
+    // that the device supports OKP.  Device may or may not be in the
+    // process of performing provisioning.
+    OKP_NEEDS_PROVISIONING = 1;
+    // The device has successfully provisioned its keybox.
+    OKP_PROVISIONED = 2;
+  }
+  // Device-wide OKP state.
+  optional OkpDeviceState state = 1;
+  // Time when the CDM service first discovers that it needs to
+  // provision the L1 keybox.
+  optional int64 first_checked_time = 2;
+  // System time of when a successful provisioning request has been
+  // received.  Only relevant if |state| is OKP_PROVISIONED.
+  optional int64 provisioning_time = 3;
+  // A list of all records for each identifiable engine.
+  repeated OkpEngineInfo engine_infos = 4;
+}
+
 message File {
   enum FileType {
     DEVICE_CERTIFICATE = 1;
@@ -132,6 +197,7 @@ message File {
     USAGE_INFO = 3;
     HLS_ATTRIBUTES = 4;
     USAGE_TABLE_INFO = 5;
+    OKP_INFO = 6;
   }
 
   enum FileVersion { VERSION_1 = 1; }
@@ -143,6 +209,7 @@ message File {
   optional UsageInfo usage_info = 5;
   optional HlsAttributes hls_attributes = 6;
   optional UsageTableInfo usage_table_info = 7;
+  optional OtaKeyboxProvisioningInfo okp_info = 8;
 }
 
 message HashedFile {

libwvdrmengine/cdm/core/src/license.cpp

@@ -1046,7 +1046,8 @@ CdmResponseType CdmLicense::PrepareClientId(
     return CLIENT_TOKEN_NOT_SET;
   }
 
-  CdmResponseType status = id.Init(client_token_, crypto_session_);
+  CdmResponseType status =
+      id.InitForLicenseRequest(client_token_, crypto_session_);
   if (status != NO_ERROR) return status;
 
   video_widevine::ClientIdentification* client_id =

libwvdrmengine/cdm/core/src/license_protocol.proto

@@ -532,6 +532,14 @@ message ProvisioningRequest {
     // Serialized, encrypted session keys.  Required.
     optional bytes encrypted_session_keys = 2;
   }
+  // This message contains the custom serialized message for OTA provisioning
+  // using Android Attestation and a device id as authentication.
+  message AndroidAttestationOtaKeyboxRequest {
+    // The request contains custom serialized and signed data for the
+    // Android Attestation OTA request.
+    optional bytes ota_request = 1;
+  }
+
   oneof clear_or_encrypted_client_id {
     // Device root of trust and other client identification. Required.
     ClientIdentification client_id = 1;
@@ -555,6 +563,8 @@ message ProvisioningRequest {
   // SessionKeys encrypted using a service cert public key.
   // Required for keybox provisioning.
   optional EncryptedSessionKeys encrypted_session_keys = 8;
+  // The custom request for Android Attestation OTA.
+  optional AndroidAttestationOtaKeyboxRequest android_ota_keybox_request = 9;
 }
 
 // Provisioning response sent by the provisioning server to client devices.
@@ -579,6 +589,14 @@ message ProvisioningResponse {
     // Devices in this series have been revoked. Provisioning is not possible.
     REVOKED_DEVICE_SERIES = 2;
   }
+  // This message contains the custom response for Android Attestation OTA
+  // provisioning which uses the Android Attestation keybox and a device id
+  // from the chip set.
+  message AndroidAttestationOtaKeyboxResponse {
+    // The response contains custom serialized and signed data for the
+    // Android Attestation OTA keybox provisioning.
+    optional bytes ota_response = 1;
+  }
 
   // AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
   // Required. For X.509 certificates, the private RSA key may also include
@@ -603,6 +621,9 @@ message ProvisioningResponse {
   // than |status| may be empty and should be ignored if the |status|
   // is present and not NO_ERROR
   optional ProvisioningStatus status = 7;
+  // The Android Attestation OTA response. Only populated if the request
+  // was an Android Attestation OTA request.
+  optional AndroidAttestationOtaKeyboxResponse android_ota_keybox_response = 8;
 }
 
 // Protocol-specific context data used to hold the state of the server in
@@ -654,6 +675,8 @@ message SignedProvisioningMessage {
     PROVISIONING_20 = 2;              // Keybox factory-provisioned devices.
     PROVISIONING_30 = 3;     // OEM certificate factory-provisioned devices.
     ARCPP_PROVISIONING = 4;  // ChromeOS/Arc++ devices.
+    // Android-Attestation-based OTA keyboxes.
+    ANDROID_ATTESTATION_KEYBOX_OTA = 6;
     INTEL_SIGMA_101 = 101;   // Intel Sigma 1.0.1 protocol.
   }
 

libwvdrmengine/cdm/core/src/ota_keybox_provisioner.cpp

@@ -0,0 +1,83 @@
+// Copyright 2021 Google LLC. All Rights Reserved. This file and proprietary
+// source code may only be used and distributed under the Widevine License
+// Agreement.
+#include "ota_keybox_provisioner.h"
+
+#include <utility>
+
+#include "crypto_session.h"
+#include "log.h"
+#include "string_conversions.h"
+
+namespace wvcdm {
+using UniqueLock = std::unique_lock<std::mutex>;
+namespace {
+// Indicates not to use the test keybox for OTA provisioning.
+constexpr bool kProductionKeybox = false;
+}  // namespace
+
+// static
+std::unique_ptr<OtaKeyboxProvisioner> OtaKeyboxProvisioner::Create() {
+  return std::unique_ptr<OtaKeyboxProvisioner>(new OtaKeyboxProvisioner());
+}
+
+OtaKeyboxProvisioner::OtaKeyboxProvisioner() : mutex_() {}
+
+OtaKeyboxProvisioner::~OtaKeyboxProvisioner() {}
+
+CdmResponseType OtaKeyboxProvisioner::GenerateProvisioningRequest(
+    CryptoSession* crypto_session, std::string* request) {
+  if (crypto_session == nullptr) {
+    LOGE("Input |crypto_session| is null");
+    return PARAMETER_NULL;
+  }
+  if (request == nullptr) {
+    LOGE("Output |request| is null");
+    return PARAMETER_NULL;
+  }
+  UniqueLock lock(mutex_);
+  // Do not generate new requests if already provisioned.
+  if (IsProvisioned()) {
+    LOGW("Already provisioned");
+    // TODO(sigquit): Use a response code that will indicate to the
+    // caller that the system is already provisioned.
+    return UNKNOWN_ERROR;
+  }
+  const CdmResponseType result =
+      crypto_session->PrepareOtaProvisioningRequest(kProductionKeybox, request);
+  if (result != NO_ERROR) {
+    return result;
+  }
+  LOGV("OTA request generated: request = %s", b2a_hex(*request).c_str());
+  request_count_++;
+  return NO_ERROR;
+}
+
+CdmResponseType OtaKeyboxProvisioner::HandleProvisioningResponse(
+    CryptoSession* crypto_session, const std::string& response) {
+  if (crypto_session == nullptr) {
+    LOGE("Input |crypto_session| is null");
+    return PARAMETER_NULL;
+  }
+  if (response.empty()) {
+    LOGE("OTA provisioning response is empty");
+    return EMPTY_PROVISIONING_RESPONSE;
+  }
+  UniqueLock lock(mutex_);
+  if (IsProvisioned()) {
+    // Response already received, silently dropping.
+    response_count_++;
+    return NO_ERROR;
+  }
+  const CdmResponseType result =
+      crypto_session->LoadOtaProvisioning(kProductionKeybox, response);
+  if (result != NO_ERROR) {
+    return result;
+  }
+  LOGD("OTA response successfully processed: response = %s",
+       b2a_hex(response).c_str());
+  is_provisioned_ = true;
+  response_count_ = 1;
+  return NO_ERROR;
+}
+}  // namespace wvcdm