Use InstallRootKeyCertificate for keybox and cert

Merge from Widevine repo of http://go/wvgerrit/55461

This CL allows provisioning 3.0 devices to install their OEM certs
from an initialization partition.  This method is already used for
keyboxes on Android -- we are just adding the ability to use it for
OEM certs, also.

Also, for v15, we require OEMCrypto to report a valid certificate in
the unit tests.

bug: 111725154
test: unit tests
Change-Id: I142c84a1a67bdb4cee943cfd12a632421901eb24

libwvdrmengine/cdm/core/include/oemcrypto_adapter.h

@@ -20,7 +20,7 @@ OEMCryptoResult OEMCrypto_CopyBuffer(
 OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
                                         size_t keyBoxLength,
                                         SecurityLevel level);
-OEMCryptoResult OEMCrypto_IsKeyboxValid(SecurityLevel level);
+OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(SecurityLevel level);
 OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* deviceID, size_t* idLength,
                                       SecurityLevel level);
 OEMCryptoResult OEMCrypto_GetKeyData(uint8_t* keyData, size_t* keyDataLength,

libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp

@@ -131,12 +131,12 @@ typedef OEMCryptoResult (*L1_WrapKeybox_t)(const uint8_t* keybox,
                                            size_t* wrappedKeyBoxLength,
                                            const uint8_t* transportKey,
                                            size_t transportKeyLength);
-typedef OEMCryptoResult (*L1_InstallKeybox_t)(const uint8_t* keybox,
+typedef OEMCryptoResult (*L1_InstallKeyboxOrOEMCert_t)(const uint8_t* keybox,
                                               size_t keyBoxLength);
 typedef OEMCryptoResult (*L1_LoadTestKeybox_t)(const uint8_t *buffer,
                                                size_t length);
 typedef OEMCryptoResult (*L1_LoadTestKeybox_V13_t)();
-typedef OEMCryptoResult (*L1_IsKeyboxValid_t)();
+typedef OEMCryptoResult (*L1_IsKeyboxOrOEMCertValid_t)();
 typedef OEMCryptoResult (*L1_GetDeviceID_t)(uint8_t* deviceID,
                                             size_t* idLength);
 typedef OEMCryptoResult (*L1_GetKeyData_t)(uint8_t* keyData,
@@ -282,9 +282,9 @@ struct FunctionPointers {
   L1_DecryptCENC_t DecryptCENC;
   L1_CopyBuffer_t CopyBuffer;
   L1_WrapKeybox_t WrapKeybox;
-  L1_InstallKeybox_t InstallKeybox;
+  L1_InstallKeyboxOrOEMCert_t InstallKeyboxOrOEMCert;
   L1_LoadTestKeybox_t LoadTestKeybox;
-  L1_IsKeyboxValid_t IsKeyboxValid;
+  L1_IsKeyboxOrOEMCertValid_t IsKeyboxOrOEMCertValid;
   L1_GetDeviceID_t GetDeviceID;
   L1_GetKeyData_t GetKeyData;
   L1_GetRandom_t GetRandom;
@@ -671,9 +671,9 @@ class Adapter {
     LOOKUP_ALL(12, GetOEMPublicCertificate,    OEMCrypto_GetOEMPublicCertificate);
     LOOKUP_ALL(12, GetProvisioningMethod,      OEMCrypto_GetProvisioningMethod);
     LOOKUP_ALL( 8, GetRandom,                  OEMCrypto_GetRandom);
-    LOOKUP_ALL( 8, InstallKeybox,            OEMCrypto_InstallKeybox);
+    LOOKUP_ALL( 8, InstallKeyboxOrOEMCert,  OEMCrypto_InstallKeyboxOrOEMCert);
     LOOKUP_ALL(10, IsAntiRollbackHwPresent,    OEMCrypto_IsAntiRollbackHwPresent);
-    LOOKUP_ALL( 8, IsKeyboxValid,            OEMCrypto_IsKeyboxValid);
+    LOOKUP_ALL( 8, IsKeyboxOrOEMCertValid,  OEMCrypto_IsKeyboxOrOEMCertValid);
     LOOKUP_ALL(13, IsSRMUpdateSupported,       OEMCrypto_IsSRMUpdateSupported);
     LOOKUP_ALL( 8, LoadDeviceRSAKey,           OEMCrypto_LoadDeviceRSAKey);
     LOOKUP( 8,  8, LoadKeys_V8,                OEMCrypto_LoadKeys_V8);
@@ -708,36 +708,23 @@ class Adapter {
     LOOKUP_ALL( 8, WrapKeybox,                 OEMCrypto_WrapKeybox);
     // clang-format on
 
-    // If we have a valid keybox, initialization is done. We're good.
+    // If the keybox or oem certificate is valid, we are done.
-    if (OEMCrypto_SUCCESS == level1_.IsKeyboxValid()) {
+    OEMCryptoResult root_valid = level1_.IsKeyboxOrOEMCertValid();
+    OEMCrypto_ProvisioningMethod provisioning_method =
+        level1_.GetProvisioningMethod();
+    if (root_valid == OEMCrypto_SUCCESS) {
       metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
-          wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_KEYBOX);
+          (provisioning_method == OEMCrypto_Keybox)
-      return true;
+              ? wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_KEYBOX
-    }
+              : wvcdm::metrics::
-    // If we use provisioning 3.0, initialization is done.  We may not
+                    OEMCrypto_INITIALIZED_USING_L1_WITH_PROVISIONING_3_0);
-    // be good, but there's no reason to try loading a keybox.  Any errors
-    // will have to be caught in the future when provisioning fails.
-    if (level1_.version > 11 &&
-        (level1_.GetProvisioningMethod() == OEMCrypto_OEMCertificate)) {
-      metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
-          wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_PROVISIONING_3_0);
-      return true;
-    }
-    uint8_t buffer[1];
-    size_t buffer_size = 0;
-    if (OEMCrypto_ERROR_NOT_IMPLEMENTED == level1_.GetKeyData(buffer,
-                                                              &buffer_size)){
-      // If GetKeyData is not implemented, then the device should only use a
-      // baked in certificate as identification.  We will assume that a device
-      // with a bad keybox returns a different error code.
-      metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
-          wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_CERTIFICATE);
       return true;
     }
+
     wvcdm::FileSystem file_system;
     std::string filename;
     if (!wvcdm::Properties::GetFactoryKeyboxPath(&filename)) {
-      LOGW("Bad Level 1 Keybox. Falling Back to L3.");
+      LOGW("Bad Level 1 Root of Trust. Falling Back to L3.");
       level1_.Terminate();
       metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
           wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L3_BAD_KEYBOX);
@@ -761,11 +748,12 @@ class Adapter {
               OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_OPEN_FACTORY_KEYBOX);
       return false;
     }
-    std::vector<uint8_t> keybox(size);
+    std::vector<uint8_t> root_key(size);
-    ssize_t size_read = file->Read(reinterpret_cast<char*>(&keybox[0]), size);
+    ssize_t size_read = file->Read(reinterpret_cast<char*>(&root_key[0]), size);
     file->Close();
-    if (level1_.InstallKeybox(&keybox[0], size_read) != OEMCrypto_SUCCESS) {
+    if (level1_.InstallKeyboxOrOEMCert(&root_key[0], size_read) !=
-      LOGE("Could NOT install keybox from %s. Falling Back to L3.",
+        OEMCrypto_SUCCESS) {
+      LOGE("Could NOT install root key from %s. Falling Back to L3.",
            filename.c_str());
       level1_.Terminate();
       metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
@@ -773,7 +761,16 @@ class Adapter {
               OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_INSTALL_KEYBOX);
       return false;
     }
-    LOGI("Installed keybox from %s", filename.c_str());
+    if (level1_.IsKeyboxOrOEMCertValid() != OEMCrypto_SUCCESS) {
+      LOGE("Installed bad key from %s. Falling Back to L3.",
+           filename.c_str());
+      level1_.Terminate();
+      metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
+          wvcdm::metrics::
+              OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_INSTALL_KEYBOX);
+      return false;
+    }
+    LOGI("Installed root key from %s", filename.c_str());
     metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
         wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_INSTALLED_KEYBOX);
     return true;
@@ -795,9 +792,9 @@ class Adapter {
     level3_.DecryptCENC                = Level3_DecryptCENC;
     level3_.CopyBuffer                 = Level3_CopyBuffer;
     level3_.WrapKeybox                 = Level3_WrapKeybox;
-    level3_.InstallKeybox            = Level3_InstallKeybox;
+    level3_.InstallKeyboxOrOEMCert     = Level3_InstallKeybox;
     level3_.LoadTestKeybox             = Level3_LoadTestKeybox;
-    level3_.IsKeyboxValid            = Level3_IsKeyboxValid;
+    level3_.IsKeyboxOrOEMCertValid     = Level3_IsKeyboxValid;
     level3_.GetDeviceID                = Level3_GetDeviceID;
     level3_.GetKeyData                 = Level3_GetKeyData;
     level3_.GetRandom                  = Level3_GetRandom;
@@ -954,14 +951,15 @@ OEMCryptoResult OEMCrypto_CopyBuffer(
   return fcn->CopyBuffer(data_addr, data_length, out_buffer, subsample_flags);
 }
 
-OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
+OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox,
                                         size_t keyBoxLength,
                                         SecurityLevel level) {
   if (!kAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   const FunctionPointers* fcn = kAdapter->get(level);
   if (!fcn) return OEMCrypto_ERROR_INVALID_SESSION;
-  if (fcn->InstallKeybox == NULL) return OEMCrypto_ERROR_NOT_IMPLEMENTED;
+  if (fcn->InstallKeyboxOrOEMCert == NULL)
-  return fcn->InstallKeybox(keybox, keyBoxLength);
+    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
+  return fcn->InstallKeyboxOrOEMCert(keybox, keyBoxLength);
 }
 
 OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod(
@@ -974,12 +972,13 @@ OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod(
   return fcn->GetProvisioningMethod();
 }
 
-OEMCryptoResult OEMCrypto_IsKeyboxValid(SecurityLevel level) {
+OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(SecurityLevel level) {
   if (!kAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   const FunctionPointers* fcn = kAdapter->get(level);
   if (!fcn) return OEMCrypto_ERROR_INVALID_SESSION;
-  if (fcn->IsKeyboxValid == NULL) return OEMCrypto_ERROR_NOT_IMPLEMENTED;
+  if (fcn->IsKeyboxOrOEMCertValid == NULL)
-  return fcn->IsKeyboxValid();
+    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
+  return fcn->IsKeyboxOrOEMCertValid();
 }
 
 OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* deviceID, size_t* idLength,
@@ -1501,9 +1500,9 @@ extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
                          wrappedKeyBoxLength, transportKey, transportKeyLength);
 }
 
-extern "C" OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
+extern "C" OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox,
                                                    size_t keyBoxLength) {
-  return OEMCrypto_InstallKeybox(keybox, keyBoxLength, kLevelDefault);
+  return OEMCrypto_InstallKeyboxOrOEMCert(keybox, keyBoxLength, kLevelDefault);
 }
 
 extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
@@ -1520,8 +1519,8 @@ extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
   return fcn->LoadTestKeybox(buffer, length);
 }
 
-extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid() {
+extern "C" OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid() {
-  return OEMCrypto_IsKeyboxValid(kLevelDefault);
+  return OEMCrypto_IsKeyboxOrOEMCertValid(kLevelDefault);
 }
 
 extern "C" OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod() {

libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h

@@ -373,14 +373,20 @@ typedef enum OEMCrypto_ProvisioningMethod {
 #define OEMCrypto_Initialize                 _oecc01
 #define OEMCrypto_Terminate                  _oecc02
 #define OEMCrypto_InstallKeybox              _oecc03
+// Rename InstallKeybox to InstallKeyboxOrOEMCert.
 #define OEMCrypto_InstallRootKeyCertificate  _oecc03
+#define OEMCrypto_InstallKeyboxOrOEMCert     _oecc03
 #define OEMCrypto_GetKeyData                 _oecc04
 #define OEMCrypto_IsKeyboxValid              _oecc05
+// Rename IsKeyboxValid to IsKeyboxOrOEMCertValid.
 #define OEMCrypto_IsRootKeyCertificateValid  _oecc05
+#define OEMCrypto_IsKeyboxOrOEMCertValid     _oecc05
 #define OEMCrypto_GetRandom                  _oecc06
 #define OEMCrypto_GetDeviceID                _oecc07
 #define OEMCrypto_WrapKeybox                 _oecc08
+// Rename WrapKeybox to WrapKeyboxOrOEMCert
 #define OEMCrypto_WrapRootKeyCertificate     _oecc08
+#define OEMCrypto_WrapKeyboxOrOEMCert        _oecc08
 #define OEMCrypto_OpenSession                _oecc09
 #define OEMCrypto_CloseSession               _oecc10
 #define OEMCrypto_DecryptCTR_V10             _oecc11
@@ -1498,7 +1504,7 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
                                      uint8_t subsample_flags);
 
 /*
- * OEMCrypto_WrapRootKeyCertificate
+ * OEMCrypto_WrapKeyboxOrOEMCert
  *
  * Description:
  *
@@ -1507,13 +1513,13 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
  *   manufacturing, the root of trust should be encrypted with the OEM root key
  *   and stored on the file system in a region that will not be erased during
  *   factory reset.  This function may be used by legacy systems that use the
- *   two-step WrapRootKeyCertificate/InstallRootKeyCertificate approach.  When
+ *   two-step WrapKeyboxOrOEMCert/InstallKeyboxOrOEMCert approach.  When
  *   the Widevine DRM plugin initializes, it will look for a wrapped root of
  *   trust in the file /factory/wv.keys and install it into the security
- *   processor by calling OEMCrypto_InstallRootKeyCertificate().
+ *   processor by calling OEMCrypto_InstallKeyboxOrOEMCert().
  *
- *   OEMCrypto_WrapRootKeyCertificate() is used to generate an OEM-encrypted
+ *   OEMCrypto_WrapKeyboxOrOEMCert() is used to generate an OEM-encrypted
- *   root of trust that may be passed to OEMCrypto_InstallRootKeyCertificate()
+ *   root of trust that may be passed to OEMCrypto_InstallKeyboxOrOEMCert()
  *   for provisioning.  The root of trust may be either passed in the clear or
  *   previously encrypted with a transport key.  If a transport key is supplied,
  *   the keybox is first decrypted with the transport key before being wrapped
@@ -1548,14 +1554,14 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
  * Version:
  *   This method is supported by all API versions.
  */
-OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotLength,
+OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert(const uint8_t* rot, size_t rotLength,
                                                  uint8_t* wrappedRot,
                                                  size_t* wrappedRotLength,
                                                  const uint8_t* transportKey,
                                                  size_t transportKeyLength);
 
 /*
- * OEMCrypto_InstallRootKeyCertificate
+ * OEMCrypto_InstallKeyboxOrOEMCert
  *
  * Description:
  *
@@ -1564,7 +1570,7 @@ OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotL
  *   function is called from the Widevine DRM plugin at initialization time if
  *   there is no valid root of trust installed.  It looks for wrapped data in
  *   the file /factory/wv.keys and if it is present, will read the file and call
- *   OEMCrypto_InstallRootKeyCertificate() with the contents of the file.  This
+ *   OEMCrypto_InstallKeyboxOrOEMCert() with the contents of the file.  This
  *   function is only needed if the factory provisioning method involves saving
  *   the keybox to the file system.
  *
@@ -1585,7 +1591,7 @@ OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotL
  * Version:
  *   This method is supported in all API versions.
  */
-OEMCryptoResult OEMCrypto_InstallRootKeyCertificate(const uint8_t* rot,
+OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* rot,
                                                     size_t rotLength);
 
 /*
@@ -1681,7 +1687,7 @@ OEMCryptoResult OEMCrypto_GetOEMPublicCertificate(OEMCrypto_SESSION session,
 OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t *buffer, size_t length);
 
 /*
- * OEMCrypto_IsRootKeyCertificateValid
+ * OEMCrypto_IsKeyboxOrOEMCertValid
  *
  * Description:
  *
@@ -1713,7 +1719,7 @@ OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t *buffer, size_t length);
  * Version:
  *   This method is supported by all API versions.
  */
-OEMCryptoResult OEMCrypto_IsRootKeyCertificateValid(void);
+OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void);
 
 /*
  * OEMCrypto_GetDeviceID

libwvdrmengine/oemcrypto/ref/src/oemcrypto_ref.cpp

@@ -548,11 +548,9 @@ extern "C" OEMCryptoResult OEMCrypto_CopyBuffer(
   return crypto_engine->PushDestination(out_buffer, subsample_flags);
 }
 
-extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
+extern "C" OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert(
-                                                size_t keyBoxLength,
+    const uint8_t* keybox, size_t keyBoxLength, uint8_t* wrappedKeybox,
-                                                uint8_t* wrappedKeybox,
+    size_t* wrappedKeyBoxLength, const uint8_t* transportKey,
-                                                size_t* wrappedKeyBoxLength,
-                                                const uint8_t* transportKey,
     size_t transportKeyLength) {
   if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
     return OEMCrypto_ERROR_NOT_IMPLEMENTED;
@@ -567,10 +565,10 @@ extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
   return OEMCrypto_SUCCESS;
 }
 
-extern "C" OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
+extern "C" OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(
-                                                   size_t keyBoxLength) {
+    const uint8_t* keybox, size_t keyBoxLength) {
   if (!crypto_engine) {
-    LOGE("OEMCrypto_InstallKeybox: OEMCrypto Not Initialized.");
+    LOGE("OEMCrypto_InstallKeyboxOrOEMCert: OEMCrypto Not Initialized.");
     return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   }
   if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
@@ -595,14 +593,15 @@ extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
   return OEMCrypto_SUCCESS;
 }
 
-extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid(void) {
+extern "C" OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void) {
   if (!crypto_engine) {
-    LOGE("OEMCrypto_IsKeyboxValid: OEMCrypto Not Initialized.");
+    LOGE("OEMCrypto_IsKeyboxOrOEMCertValid: OEMCrypto Not Initialized.");
     return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   }
-  if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
+  switch (crypto_engine->config_provisioning_method()) {
-    return OEMCrypto_ERROR_NOT_IMPLEMENTED;
+    case OEMCrypto_DrmCertificate:
-  }
+      return OEMCrypto_SUCCESS;
+    case OEMCrypto_Keybox:
       switch (crypto_engine->ValidateKeybox()) {
         case NO_ERROR:
           return OEMCrypto_SUCCESS;
@@ -614,6 +613,16 @@ extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid(void) {
         case OTHER_ERROR:
           return OEMCrypto_ERROR_UNKNOWN_FAILURE;
       }
+      break;
+    case OEMCrypto_OEMCertificate:
+      // TODO(fredgc): verify that the certificate exists and is valid.
+      return OEMCrypto_SUCCESS;
+      break;
+    default:
+      LOGE("Invalid provisioning method: %d.",
+           crypto_engine->config_provisioning_method());
+      return OEMCrypto_ERROR_UNKNOWN_FAILURE;
+  }
 }
 
 extern "C" OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod() {

libwvdrmengine/oemcrypto/test/oec_device_features.cpp

@@ -143,6 +143,7 @@ std::string DeviceFeatures::RestrictFilter(const std::string& initial_filter) {
   if (api_version < 12)               FilterOut(&filter, "*API12*");
   if (api_version < 13)               FilterOut(&filter, "*API13*");
   if (api_version < 14)               FilterOut(&filter, "*API14*");
+  if (api_version < 15)               FilterOut(&filter, "*API15*");
   // Some tests may require root access. If user is not root, filter these tests
   // out.
   if (getuid()) {

libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp

@@ -538,6 +538,11 @@ TEST_F(OEMCryptoProv30Test, DeviceClaimsOEMCertificate) {
   ASSERT_EQ(OEMCrypto_OEMCertificate, OEMCrypto_GetProvisioningMethod());
 }
 
+// The OEM certificate must be valid.
+TEST_F(OEMCryptoProv30Test, CertValidAPI15) {
+  ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_IsKeyboxOrOEMCertValid());
+}
+
 TEST_F(OEMCryptoProv30Test, OEMCertValid) {
   Session s;
   ASSERT_NO_FATAL_FAILURE(s.open());