Use InstallRootKeyCertificate for keybox and cert
Merge from Widevine repo of http://go/wvgerrit/55461 This CL allows provisioning 3.0 devices to install their OEM certs from an initialization partition. This method is already used for keyboxes on Android -- we are just adding the ability to use it for OEM certs, also. Also, for v15, we require OEMCrypto to report a valid certificate in the unit tests. bug: 111725154 test: unit tests Change-Id: I142c84a1a67bdb4cee943cfd12a632421901eb24
This commit is contained in:
Fred Gylys-Colwell
@@ -20,7 +20,7 @@ OEMCryptoResult OEMCrypto_CopyBuffer(
|
||||
OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
|
||||
size_t keyBoxLength,
|
||||
SecurityLevel level);
|
||||
OEMCryptoResult OEMCrypto_IsKeyboxValid(SecurityLevel level);
|
||||
OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(SecurityLevel level);
|
||||
OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* deviceID, size_t* idLength,
|
||||
SecurityLevel level);
|
||||
OEMCryptoResult OEMCrypto_GetKeyData(uint8_t* keyData, size_t* keyDataLength,
|
||||
|
||||
@@ -131,12 +131,12 @@ typedef OEMCryptoResult (*L1_WrapKeybox_t)(const uint8_t* keybox,
|
||||
size_t* wrappedKeyBoxLength,
|
||||
const uint8_t* transportKey,
|
||||
size_t transportKeyLength);
|
||||
typedef OEMCryptoResult (*L1_InstallKeybox_t)(const uint8_t* keybox,
|
||||
typedef OEMCryptoResult (*L1_InstallKeyboxOrOEMCert_t)(const uint8_t* keybox,
|
||||
size_t keyBoxLength);
|
||||
typedef OEMCryptoResult (*L1_LoadTestKeybox_t)(const uint8_t *buffer,
|
||||
size_t length);
|
||||
typedef OEMCryptoResult (*L1_LoadTestKeybox_V13_t)();
|
||||
typedef OEMCryptoResult (*L1_IsKeyboxValid_t)();
|
||||
typedef OEMCryptoResult (*L1_IsKeyboxOrOEMCertValid_t)();
|
||||
typedef OEMCryptoResult (*L1_GetDeviceID_t)(uint8_t* deviceID,
|
||||
size_t* idLength);
|
||||
typedef OEMCryptoResult (*L1_GetKeyData_t)(uint8_t* keyData,
|
||||
@@ -282,9 +282,9 @@ struct FunctionPointers {
|
||||
L1_DecryptCENC_t DecryptCENC;
|
||||
L1_CopyBuffer_t CopyBuffer;
|
||||
L1_WrapKeybox_t WrapKeybox;
|
||||
L1_InstallKeybox_t InstallKeybox;
|
||||
L1_InstallKeyboxOrOEMCert_t InstallKeyboxOrOEMCert;
|
||||
L1_LoadTestKeybox_t LoadTestKeybox;
|
||||
L1_IsKeyboxValid_t IsKeyboxValid;
|
||||
L1_IsKeyboxOrOEMCertValid_t IsKeyboxOrOEMCertValid;
|
||||
L1_GetDeviceID_t GetDeviceID;
|
||||
L1_GetKeyData_t GetKeyData;
|
||||
L1_GetRandom_t GetRandom;
|
||||
@@ -671,9 +671,9 @@ class Adapter {
|
||||
LOOKUP_ALL(12, GetOEMPublicCertificate, OEMCrypto_GetOEMPublicCertificate);
|
||||
LOOKUP_ALL(12, GetProvisioningMethod, OEMCrypto_GetProvisioningMethod);
|
||||
LOOKUP_ALL( 8, GetRandom, OEMCrypto_GetRandom);
|
||||
LOOKUP_ALL( 8, InstallKeybox, OEMCrypto_InstallKeybox);
|
||||
LOOKUP_ALL( 8, InstallKeyboxOrOEMCert, OEMCrypto_InstallKeyboxOrOEMCert);
|
||||
LOOKUP_ALL(10, IsAntiRollbackHwPresent, OEMCrypto_IsAntiRollbackHwPresent);
|
||||
LOOKUP_ALL( 8, IsKeyboxValid, OEMCrypto_IsKeyboxValid);
|
||||
LOOKUP_ALL( 8, IsKeyboxOrOEMCertValid, OEMCrypto_IsKeyboxOrOEMCertValid);
|
||||
LOOKUP_ALL(13, IsSRMUpdateSupported, OEMCrypto_IsSRMUpdateSupported);
|
||||
LOOKUP_ALL( 8, LoadDeviceRSAKey, OEMCrypto_LoadDeviceRSAKey);
|
||||
LOOKUP( 8, 8, LoadKeys_V8, OEMCrypto_LoadKeys_V8);
|
||||
@@ -708,36 +708,23 @@ class Adapter {
|
||||
LOOKUP_ALL( 8, WrapKeybox, OEMCrypto_WrapKeybox);
|
||||
// clang-format on
|
||||
|
||||
// If we have a valid keybox, initialization is done. We're good.
|
||||
if (OEMCrypto_SUCCESS == level1_.IsKeyboxValid()) {
|
||||
// If the keybox or oem certificate is valid, we are done.
|
||||
OEMCryptoResult root_valid = level1_.IsKeyboxOrOEMCertValid();
|
||||
OEMCrypto_ProvisioningMethod provisioning_method =
|
||||
level1_.GetProvisioningMethod();
|
||||
if (root_valid == OEMCrypto_SUCCESS) {
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_KEYBOX);
|
||||
return true;
|
||||
}
|
||||
// If we use provisioning 3.0, initialization is done. We may not
|
||||
// be good, but there's no reason to try loading a keybox. Any errors
|
||||
// will have to be caught in the future when provisioning fails.
|
||||
if (level1_.version > 11 &&
|
||||
(level1_.GetProvisioningMethod() == OEMCrypto_OEMCertificate)) {
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_PROVISIONING_3_0);
|
||||
return true;
|
||||
}
|
||||
uint8_t buffer[1];
|
||||
size_t buffer_size = 0;
|
||||
if (OEMCrypto_ERROR_NOT_IMPLEMENTED == level1_.GetKeyData(buffer,
|
||||
&buffer_size)){
|
||||
// If GetKeyData is not implemented, then the device should only use a
|
||||
// baked in certificate as identification. We will assume that a device
|
||||
// with a bad keybox returns a different error code.
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_CERTIFICATE);
|
||||
(provisioning_method == OEMCrypto_Keybox)
|
||||
? wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_WITH_KEYBOX
|
||||
: wvcdm::metrics::
|
||||
OEMCrypto_INITIALIZED_USING_L1_WITH_PROVISIONING_3_0);
|
||||
return true;
|
||||
}
|
||||
|
||||
wvcdm::FileSystem file_system;
|
||||
std::string filename;
|
||||
if (!wvcdm::Properties::GetFactoryKeyboxPath(&filename)) {
|
||||
LOGW("Bad Level 1 Keybox. Falling Back to L3.");
|
||||
LOGW("Bad Level 1 Root of Trust. Falling Back to L3.");
|
||||
level1_.Terminate();
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L3_BAD_KEYBOX);
|
||||
@@ -761,11 +748,12 @@ class Adapter {
|
||||
OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_OPEN_FACTORY_KEYBOX);
|
||||
return false;
|
||||
}
|
||||
std::vector<uint8_t> keybox(size);
|
||||
ssize_t size_read = file->Read(reinterpret_cast<char*>(&keybox[0]), size);
|
||||
std::vector<uint8_t> root_key(size);
|
||||
ssize_t size_read = file->Read(reinterpret_cast<char*>(&root_key[0]), size);
|
||||
file->Close();
|
||||
if (level1_.InstallKeybox(&keybox[0], size_read) != OEMCrypto_SUCCESS) {
|
||||
LOGE("Could NOT install keybox from %s. Falling Back to L3.",
|
||||
if (level1_.InstallKeyboxOrOEMCert(&root_key[0], size_read) !=
|
||||
OEMCrypto_SUCCESS) {
|
||||
LOGE("Could NOT install root key from %s. Falling Back to L3.",
|
||||
filename.c_str());
|
||||
level1_.Terminate();
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
@@ -773,7 +761,16 @@ class Adapter {
|
||||
OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_INSTALL_KEYBOX);
|
||||
return false;
|
||||
}
|
||||
LOGI("Installed keybox from %s", filename.c_str());
|
||||
if (level1_.IsKeyboxOrOEMCertValid() != OEMCrypto_SUCCESS) {
|
||||
LOGE("Installed bad key from %s. Falling Back to L3.",
|
||||
filename.c_str());
|
||||
level1_.Terminate();
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::
|
||||
OEMCrypto_INITIALIZED_USING_L3_COULD_NOT_INSTALL_KEYBOX);
|
||||
return false;
|
||||
}
|
||||
LOGI("Installed root key from %s", filename.c_str());
|
||||
metrics->OemCryptoDynamicAdapterMetrics::SetInitializationMode(
|
||||
wvcdm::metrics::OEMCrypto_INITIALIZED_USING_L1_INSTALLED_KEYBOX);
|
||||
return true;
|
||||
@@ -795,9 +792,9 @@ class Adapter {
|
||||
level3_.DecryptCENC = Level3_DecryptCENC;
|
||||
level3_.CopyBuffer = Level3_CopyBuffer;
|
||||
level3_.WrapKeybox = Level3_WrapKeybox;
|
||||
level3_.InstallKeybox = Level3_InstallKeybox;
|
||||
level3_.InstallKeyboxOrOEMCert = Level3_InstallKeybox;
|
||||
level3_.LoadTestKeybox = Level3_LoadTestKeybox;
|
||||
level3_.IsKeyboxValid = Level3_IsKeyboxValid;
|
||||
level3_.IsKeyboxOrOEMCertValid = Level3_IsKeyboxValid;
|
||||
level3_.GetDeviceID = Level3_GetDeviceID;
|
||||
level3_.GetKeyData = Level3_GetKeyData;
|
||||
level3_.GetRandom = Level3_GetRandom;
|
||||
@@ -954,14 +951,15 @@ OEMCryptoResult OEMCrypto_CopyBuffer(
|
||||
return fcn->CopyBuffer(data_addr, data_length, out_buffer, subsample_flags);
|
||||
}
|
||||
|
||||
OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
|
||||
OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox,
|
||||
size_t keyBoxLength,
|
||||
SecurityLevel level) {
|
||||
if (!kAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
const FunctionPointers* fcn = kAdapter->get(level);
|
||||
if (!fcn) return OEMCrypto_ERROR_INVALID_SESSION;
|
||||
if (fcn->InstallKeybox == NULL) return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
return fcn->InstallKeybox(keybox, keyBoxLength);
|
||||
if (fcn->InstallKeyboxOrOEMCert == NULL)
|
||||
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
return fcn->InstallKeyboxOrOEMCert(keybox, keyBoxLength);
|
||||
}
|
||||
|
||||
OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod(
|
||||
@@ -974,12 +972,13 @@ OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod(
|
||||
return fcn->GetProvisioningMethod();
|
||||
}
|
||||
|
||||
OEMCryptoResult OEMCrypto_IsKeyboxValid(SecurityLevel level) {
|
||||
OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(SecurityLevel level) {
|
||||
if (!kAdapter) return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
const FunctionPointers* fcn = kAdapter->get(level);
|
||||
if (!fcn) return OEMCrypto_ERROR_INVALID_SESSION;
|
||||
if (fcn->IsKeyboxValid == NULL) return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
return fcn->IsKeyboxValid();
|
||||
if (fcn->IsKeyboxOrOEMCertValid == NULL)
|
||||
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
return fcn->IsKeyboxOrOEMCertValid();
|
||||
}
|
||||
|
||||
OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* deviceID, size_t* idLength,
|
||||
@@ -1501,9 +1500,9 @@ extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
|
||||
wrappedKeyBoxLength, transportKey, transportKeyLength);
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
|
||||
extern "C" OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox,
|
||||
size_t keyBoxLength) {
|
||||
return OEMCrypto_InstallKeybox(keybox, keyBoxLength, kLevelDefault);
|
||||
return OEMCrypto_InstallKeyboxOrOEMCert(keybox, keyBoxLength, kLevelDefault);
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
|
||||
@@ -1520,8 +1519,8 @@ extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
|
||||
return fcn->LoadTestKeybox(buffer, length);
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid() {
|
||||
return OEMCrypto_IsKeyboxValid(kLevelDefault);
|
||||
extern "C" OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid() {
|
||||
return OEMCrypto_IsKeyboxOrOEMCertValid(kLevelDefault);
|
||||
}
|
||||
|
||||
extern "C" OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod() {
|
||||
|
||||
@@ -373,14 +373,20 @@ typedef enum OEMCrypto_ProvisioningMethod {
|
||||
#define OEMCrypto_Initialize _oecc01
|
||||
#define OEMCrypto_Terminate _oecc02
|
||||
#define OEMCrypto_InstallKeybox _oecc03
|
||||
// Rename InstallKeybox to InstallKeyboxOrOEMCert.
|
||||
#define OEMCrypto_InstallRootKeyCertificate _oecc03
|
||||
#define OEMCrypto_InstallKeyboxOrOEMCert _oecc03
|
||||
#define OEMCrypto_GetKeyData _oecc04
|
||||
#define OEMCrypto_IsKeyboxValid _oecc05
|
||||
// Rename IsKeyboxValid to IsKeyboxOrOEMCertValid.
|
||||
#define OEMCrypto_IsRootKeyCertificateValid _oecc05
|
||||
#define OEMCrypto_IsKeyboxOrOEMCertValid _oecc05
|
||||
#define OEMCrypto_GetRandom _oecc06
|
||||
#define OEMCrypto_GetDeviceID _oecc07
|
||||
#define OEMCrypto_WrapKeybox _oecc08
|
||||
// Rename WrapKeybox to WrapKeyboxOrOEMCert
|
||||
#define OEMCrypto_WrapRootKeyCertificate _oecc08
|
||||
#define OEMCrypto_WrapKeyboxOrOEMCert _oecc08
|
||||
#define OEMCrypto_OpenSession _oecc09
|
||||
#define OEMCrypto_CloseSession _oecc10
|
||||
#define OEMCrypto_DecryptCTR_V10 _oecc11
|
||||
@@ -1498,7 +1504,7 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
|
||||
uint8_t subsample_flags);
|
||||
|
||||
/*
|
||||
* OEMCrypto_WrapRootKeyCertificate
|
||||
* OEMCrypto_WrapKeyboxOrOEMCert
|
||||
*
|
||||
* Description:
|
||||
*
|
||||
@@ -1507,13 +1513,13 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
|
||||
* manufacturing, the root of trust should be encrypted with the OEM root key
|
||||
* and stored on the file system in a region that will not be erased during
|
||||
* factory reset. This function may be used by legacy systems that use the
|
||||
* two-step WrapRootKeyCertificate/InstallRootKeyCertificate approach. When
|
||||
* two-step WrapKeyboxOrOEMCert/InstallKeyboxOrOEMCert approach. When
|
||||
* the Widevine DRM plugin initializes, it will look for a wrapped root of
|
||||
* trust in the file /factory/wv.keys and install it into the security
|
||||
* processor by calling OEMCrypto_InstallRootKeyCertificate().
|
||||
* processor by calling OEMCrypto_InstallKeyboxOrOEMCert().
|
||||
*
|
||||
* OEMCrypto_WrapRootKeyCertificate() is used to generate an OEM-encrypted
|
||||
* root of trust that may be passed to OEMCrypto_InstallRootKeyCertificate()
|
||||
* OEMCrypto_WrapKeyboxOrOEMCert() is used to generate an OEM-encrypted
|
||||
* root of trust that may be passed to OEMCrypto_InstallKeyboxOrOEMCert()
|
||||
* for provisioning. The root of trust may be either passed in the clear or
|
||||
* previously encrypted with a transport key. If a transport key is supplied,
|
||||
* the keybox is first decrypted with the transport key before being wrapped
|
||||
@@ -1548,14 +1554,14 @@ OEMCryptoResult OEMCrypto_CopyBuffer(const uint8_t* data_addr,
|
||||
* Version:
|
||||
* This method is supported by all API versions.
|
||||
*/
|
||||
OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotLength,
|
||||
OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert(const uint8_t* rot, size_t rotLength,
|
||||
uint8_t* wrappedRot,
|
||||
size_t* wrappedRotLength,
|
||||
const uint8_t* transportKey,
|
||||
size_t transportKeyLength);
|
||||
|
||||
/*
|
||||
* OEMCrypto_InstallRootKeyCertificate
|
||||
* OEMCrypto_InstallKeyboxOrOEMCert
|
||||
*
|
||||
* Description:
|
||||
*
|
||||
@@ -1564,7 +1570,7 @@ OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotL
|
||||
* function is called from the Widevine DRM plugin at initialization time if
|
||||
* there is no valid root of trust installed. It looks for wrapped data in
|
||||
* the file /factory/wv.keys and if it is present, will read the file and call
|
||||
* OEMCrypto_InstallRootKeyCertificate() with the contents of the file. This
|
||||
* OEMCrypto_InstallKeyboxOrOEMCert() with the contents of the file. This
|
||||
* function is only needed if the factory provisioning method involves saving
|
||||
* the keybox to the file system.
|
||||
*
|
||||
@@ -1585,7 +1591,7 @@ OEMCryptoResult OEMCrypto_WrapRootKeyCertificate(const uint8_t* rot, size_t rotL
|
||||
* Version:
|
||||
* This method is supported in all API versions.
|
||||
*/
|
||||
OEMCryptoResult OEMCrypto_InstallRootKeyCertificate(const uint8_t* rot,
|
||||
OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* rot,
|
||||
size_t rotLength);
|
||||
|
||||
/*
|
||||
@@ -1681,7 +1687,7 @@ OEMCryptoResult OEMCrypto_GetOEMPublicCertificate(OEMCrypto_SESSION session,
|
||||
OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t *buffer, size_t length);
|
||||
|
||||
/*
|
||||
* OEMCrypto_IsRootKeyCertificateValid
|
||||
* OEMCrypto_IsKeyboxOrOEMCertValid
|
||||
*
|
||||
* Description:
|
||||
*
|
||||
@@ -1713,7 +1719,7 @@ OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t *buffer, size_t length);
|
||||
* Version:
|
||||
* This method is supported by all API versions.
|
||||
*/
|
||||
OEMCryptoResult OEMCrypto_IsRootKeyCertificateValid(void);
|
||||
OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void);
|
||||
|
||||
/*
|
||||
* OEMCrypto_GetDeviceID
|
||||
|
||||
@@ -548,11 +548,9 @@ extern "C" OEMCryptoResult OEMCrypto_CopyBuffer(
|
||||
return crypto_engine->PushDestination(out_buffer, subsample_flags);
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
|
||||
size_t keyBoxLength,
|
||||
uint8_t* wrappedKeybox,
|
||||
size_t* wrappedKeyBoxLength,
|
||||
const uint8_t* transportKey,
|
||||
extern "C" OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert(
|
||||
const uint8_t* keybox, size_t keyBoxLength, uint8_t* wrappedKeybox,
|
||||
size_t* wrappedKeyBoxLength, const uint8_t* transportKey,
|
||||
size_t transportKeyLength) {
|
||||
if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
|
||||
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
@@ -567,10 +565,10 @@ extern "C" OEMCryptoResult OEMCrypto_WrapKeybox(const uint8_t* keybox,
|
||||
return OEMCrypto_SUCCESS;
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_InstallKeybox(const uint8_t* keybox,
|
||||
size_t keyBoxLength) {
|
||||
extern "C" OEMCryptoResult OEMCrypto_InstallKeyboxOrOEMCert(
|
||||
const uint8_t* keybox, size_t keyBoxLength) {
|
||||
if (!crypto_engine) {
|
||||
LOGE("OEMCrypto_InstallKeybox: OEMCrypto Not Initialized.");
|
||||
LOGE("OEMCrypto_InstallKeyboxOrOEMCert: OEMCrypto Not Initialized.");
|
||||
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
}
|
||||
if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
|
||||
@@ -595,14 +593,15 @@ extern "C" OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer,
|
||||
return OEMCrypto_SUCCESS;
|
||||
}
|
||||
|
||||
extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid(void) {
|
||||
extern "C" OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void) {
|
||||
if (!crypto_engine) {
|
||||
LOGE("OEMCrypto_IsKeyboxValid: OEMCrypto Not Initialized.");
|
||||
LOGE("OEMCrypto_IsKeyboxOrOEMCertValid: OEMCrypto Not Initialized.");
|
||||
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
}
|
||||
if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) {
|
||||
return OEMCrypto_ERROR_NOT_IMPLEMENTED;
|
||||
}
|
||||
switch (crypto_engine->config_provisioning_method()) {
|
||||
case OEMCrypto_DrmCertificate:
|
||||
return OEMCrypto_SUCCESS;
|
||||
case OEMCrypto_Keybox:
|
||||
switch (crypto_engine->ValidateKeybox()) {
|
||||
case NO_ERROR:
|
||||
return OEMCrypto_SUCCESS;
|
||||
@@ -614,6 +613,16 @@ extern "C" OEMCryptoResult OEMCrypto_IsKeyboxValid(void) {
|
||||
case OTHER_ERROR:
|
||||
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
}
|
||||
break;
|
||||
case OEMCrypto_OEMCertificate:
|
||||
// TODO(fredgc): verify that the certificate exists and is valid.
|
||||
return OEMCrypto_SUCCESS;
|
||||
break;
|
||||
default:
|
||||
LOGE("Invalid provisioning method: %d.",
|
||||
crypto_engine->config_provisioning_method());
|
||||
return OEMCrypto_ERROR_UNKNOWN_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
extern "C" OEMCrypto_ProvisioningMethod OEMCrypto_GetProvisioningMethod() {
|
||||
|
||||
@@ -143,6 +143,7 @@ std::string DeviceFeatures::RestrictFilter(const std::string& initial_filter) {
|
||||
if (api_version < 12) FilterOut(&filter, "*API12*");
|
||||
if (api_version < 13) FilterOut(&filter, "*API13*");
|
||||
if (api_version < 14) FilterOut(&filter, "*API14*");
|
||||
if (api_version < 15) FilterOut(&filter, "*API15*");
|
||||
// Some tests may require root access. If user is not root, filter these tests
|
||||
// out.
|
||||
if (getuid()) {
|
||||
|
||||
@@ -538,6 +538,11 @@ TEST_F(OEMCryptoProv30Test, DeviceClaimsOEMCertificate) {
|
||||
ASSERT_EQ(OEMCrypto_OEMCertificate, OEMCrypto_GetProvisioningMethod());
|
||||
}
|
||||
|
||||
// The OEM certificate must be valid.
|
||||
TEST_F(OEMCryptoProv30Test, CertValidAPI15) {
|
||||
ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_IsKeyboxOrOEMCertValid());
|
||||
}
|
||||
|
||||
TEST_F(OEMCryptoProv30Test, OEMCertValid) {
|
||||
Session s;
|
||||
ASSERT_NO_FATAL_FAILURE(s.open());
|
||||
|
||||
Reference in New Issue
Block a user