Use license.widevine.com cert for provisioning server

Merge from Widevine repo of http://go/wvgerrit/44505

This CL changes the certificate provisioning code to verify the
provisioning message using a cert from license.widevine.com instead of
the staging certificate.

It also adjusts the certificates in config_test_env.cpp because the
license and provisioning servers are different and may probably have
different certs.

bug: 73031756
test: unit tests with mock oemcrypto, and read oemcrypto on sailfish
Change-Id: I4b457a369a49ef07bda9e5632ab59e5f621ec966

libwvdrmengine/cdm/core/src/certificate_provisioning.cpp

@@ -21,32 +21,29 @@ const std::string kProvisioningServerUrl =
     "certificateprovisioning/v1/devicecertificates/create"
     "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
 
-// NOTE: Provider ID = staging.google.com
+// TODO(b/69133499): update to new default cert.
+// NOTE: Provider ID = license.widevine.com
 const std::string kCpProductionServiceCertificate = wvcdm::a2bs_hex(
-    "0ABF020803121028703454C008F63618ADE7443DB6C4C8188BE7F9900522"
-    "8E023082010A0282010100B52112B8D05D023FCC5D95E2C251C1C649B417"
-    "7CD8D2BEEF355BB06743DE661E3D2ABC3182B79946D55FDC08DFE9540781"
-    "5E9A6274B322A2C7F5E067BB5F0AC07A89D45AEA94B2516F075B66EF811D"
-    "0D26E1B9A6B894F2B9857962AA171C4F66630D3E4C602718897F5E1EF9B6"
-    "AAF5AD4DBA2A7E14176DF134A1D3185B5A218AC05A4C41F081EFFF80A3A0"
-    "40C50B09BBC740EEDCD8F14D675A91980F92CA7DDC646A06ADAD5101F74A"
-    "0E498CC01F00532BAC217850BD905E90923656B7DFEFEF42486767F33EF6"
-    "283D4F4254AB72589390BEE55808F1D668080D45D893C2BCA2F74D60A0C0"
-    "D0A0993CEF01604703334C3638139486BC9DAF24FD67A07F9AD943020301"
-    "00013A1273746167696E672E676F6F676C652E636F6D128003983E303526"
-    "75F40BA715FC249BDAE5D4AC7249A2666521E43655739529721FF880E0AA"
-    "EFC5E27BC980DAEADABF3FC386D084A02C82537848CC753FF497B011A7DA"
-    "97788A00E2AA6B84CD7D71C07A48EBF61602CCA5A3F32030A7295C30DA91"
-    "5B91DC18B9BC9593B8DE8BB50F0DEDC12938B8E9E039CDDE18FA82E81BB0"
-    "32630FE955D85A566CE154300BF6D4C1BD126966356B287D657B18CE63D0"
-    "EFD45FC5269E97EAB11CB563E55643B26FF49F109C2101AFCAF35B832F28"
-    "8F0D9D45960E259E85FB5D24DBD2CF82764C5DD9BF727EFBE9C861F86932"
-    "1F6ADE18905F4D92F9A6DA6536DB8475871D168E870BB2303CF70C6E9784"
-    "C93D2DE845AD8262BE7E0D4E2E4A0759CEF82D109D2592C72429F8C01742"
-    "BAE2B3DECADBC33C3E5F4BAF5E16ECB74EADBAFCB7C6705F7A9E3B6F3940"
-    "383F9C5116D202A20C9229EE969C2519718303B50D0130C3352E06B014D8"
-    "38540F8A0C227C0011E0F5B38E4E298ED2CB301EB4564965F55C5D79757A"
-    "250A4EB9C84AB3E6539F6B6FDF56899EA29914");
+    "0ac102080312101705b917cc1204868b06333a2f772a8c1882b4829205228e023082010a02"
+    "8201010099ed5b3b327dab5e24efc3b62a95b598520ad5bccb37503e0645b814d876b8df40"
+    "510441ad8ce3adb11bb88c4e725a5e4a9e0795291d58584023a7e1af0e38a9127939300861"
+    "0b6f158c878c7e21bffbfeea77e1019e1e5781e8a45f46263d14e60e8058a8607adce04fac"
+    "8457b137a8d67ccdeb33705d983a21fb4eecbd4a10ca47490ca47eaa5d438218ddbaf1cade"
+    "3392f13d6ffb6442fd31e1bf40b0c604d1c4ba4c9520a4bf97eebd60929afceef55bbaf564"
+    "e2d0e76cd7c55c73a082b996120b8359edce24707082680d6f67c6d82c4ac5f3134490a74e"
+    "ec37af4b2f010c59e82843e2582f0b6b9f5db0fc5e6edf64fbd308b4711bcf1250019c9f5a"
+    "0902030100013a146c6963656e73652e7769646576696e652e636f6d128003ae347314b5a8"
+    "35297f271388fb7bb8cb5277d249823cddd1da30b93339511eb3ccbdea04b944b927c12134"
+    "6efdbdeac9d413917e6ec176a10438460a503bc1952b9ba4e4ce0fc4bfc20a9808aaaf4bfc"
+    "d19c1dcfcdf574ccac28d1b410416cf9de8804301cbdb334cafcd0d40978423a642e54613d"
+    "f0afcf96ca4a9249d855e42b3a703ef1767f6a9bd36d6bf82be76bbf0cba4fde59d2abcc76"
+    "feb64247b85c431fbca52266b619fc36979543fca9cbbdbbfafa0e1a55e755a3c7bce655f9"
+    "646f582ab9cf70aa08b979f867f63a0b2b7fdb362c5bc4ecd555d85bcaa9c593c383c857d4"
+    "9daab77e40b7851ddfd24998808e35b258e75d78eac0ca16f7047304c20d93ede4e8ff1c6f"
+    "17e6243e3f3da8fc1709870ec45fba823a263f0cefa1f7093b1909928326333705043a29bd"
+    "a6f9b4342cc8df543cb1a1182f7c5fff33f10490faca5b25360b76015e9c5a06ab8ee02f00"
+    "d2e8d5986104aacc4dd475fd96ee9ce4e326f21b83c7058577b38732cddabc6a6bed13fb0d"
+    "49d38a45eb87a5f4");
 
 /*
  * Provisioning response is a base64-encoded protobuf, optionally within a
@@ -356,6 +353,7 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
   if (crypto_session_.GetPreProvisionTokenType() == kClientTokenOemCert) {
     if (service_certificate_->VerifySignedMessage(signed_message, signature)
         != NO_ERROR) {
+      // TODO(b/69562876): if the cert is bad, request a new one.
       LOGE("HandleProvisioningResponse: message not properly signed");
       return CERT_PROVISIONING_RESPONSE_ERROR_6;
     }

libwvdrmengine/cdm/core/src/service_certificate.cpp

@@ -11,7 +11,9 @@
 #include "wv_cdm_constants.h"
 
 namespace {
-// Service certificate for Google/Widevine Provisioning and License servers.
+// Root certificate for all Google/Widevine certificates.  I.e. all service
+// certificates and DRM certificates are signed by this cert, or have this cert
+// as the root of a signing chain.
 static const unsigned char kRootCertForProd[] = {
   0x0a, 0x9c, 0x03, 0x08, 0x00, 0x12, 0x01, 0x00,
   0x18, 0xdd, 0x94, 0x88, 0x8b, 0x05, 0x22, 0x8e,

libwvdrmengine/cdm/core/test/cdm_engine_test.cpp

@@ -213,14 +213,15 @@ class WvCdmEnginePreProvTest : public testing::Test {
     url_request.PostCertRequestInQueryString(prov_request);
     std::string http_message;
     bool ok = url_request.GetResponse(&http_message);
-    EXPECT_TRUE(ok);
+    EXPECT_TRUE(ok) << http_message;
 
     LOGV("WvCdmEnginePreProvTest::Provision: http_message: \n%s\n",
          http_message.c_str());
 
     ASSERT_EQ(NO_ERROR,
               cdm_engine_.HandleProvisioningResponse(http_message,
-                                                     &cert, &wrapped_key));
+                                                     &cert, &wrapped_key))
+        << "message = " << http_message;
   }
 
   FileSystem file_system_;

libwvdrmengine/cdm/core/test/config_test_env.cpp

@@ -15,13 +15,78 @@ namespace {
 
 const std::string kWidevineKeySystem = "com.widevine.alpha";
 
-// Content Protection license server (Production) data
-const std::string kCpProductionLicenseServer =
-    "https://widevine-proxy.appspot.com/proxy";
+// -----------------------------------------------------------------------------
+// Below are two choices for provisioning servers: production and staging.
+// -----------------------------------------------------------------------------
+
+// Production Provisioning Server
 const std::string kCpProductionProvisioningServerUrl =
     "https://www.googleapis.com/"
     "certificateprovisioning/v1/devicecertificates/create"
     "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+// TODO(b/69133499): update to new default cert.
+// NOTE: Provider ID = license.widevine.com
+const std::string kCpProductionProvisioningServiceCertificate =
+    "0ac102080312101705b917cc1204868b06333a2f772a8c1882b4829205228e023082010a02"
+    "8201010099ed5b3b327dab5e24efc3b62a95b598520ad5bccb37503e0645b814d876b8df40"
+    "510441ad8ce3adb11bb88c4e725a5e4a9e0795291d58584023a7e1af0e38a9127939300861"
+    "0b6f158c878c7e21bffbfeea77e1019e1e5781e8a45f46263d14e60e8058a8607adce04fac"
+    "8457b137a8d67ccdeb33705d983a21fb4eecbd4a10ca47490ca47eaa5d438218ddbaf1cade"
+    "3392f13d6ffb6442fd31e1bf40b0c604d1c4ba4c9520a4bf97eebd60929afceef55bbaf564"
+    "e2d0e76cd7c55c73a082b996120b8359edce24707082680d6f67c6d82c4ac5f3134490a74e"
+    "ec37af4b2f010c59e82843e2582f0b6b9f5db0fc5e6edf64fbd308b4711bcf1250019c9f5a"
+    "0902030100013a146c6963656e73652e7769646576696e652e636f6d128003ae347314b5a8"
+    "35297f271388fb7bb8cb5277d249823cddd1da30b93339511eb3ccbdea04b944b927c12134"
+    "6efdbdeac9d413917e6ec176a10438460a503bc1952b9ba4e4ce0fc4bfc20a9808aaaf4bfc"
+    "d19c1dcfcdf574ccac28d1b410416cf9de8804301cbdb334cafcd0d40978423a642e54613d"
+    "f0afcf96ca4a9249d855e42b3a703ef1767f6a9bd36d6bf82be76bbf0cba4fde59d2abcc76"
+    "feb64247b85c431fbca52266b619fc36979543fca9cbbdbbfafa0e1a55e755a3c7bce655f9"
+    "646f582ab9cf70aa08b979f867f63a0b2b7fdb362c5bc4ecd555d85bcaa9c593c383c857d4"
+    "9daab77e40b7851ddfd24998808e35b258e75d78eac0ca16f7047304c20d93ede4e8ff1c6f"
+    "17e6243e3f3da8fc1709870ec45fba823a263f0cefa1f7093b1909928326333705043a29bd"
+    "a6f9b4342cc8df543cb1a1182f7c5fff33f10490faca5b25360b76015e9c5a06ab8ee02f00"
+    "d2e8d5986104aacc4dd475fd96ee9ce4e326f21b83c7058577b38732cddabc6a6bed13fb0d"
+    "49d38a45eb87a5f4";
+
+// Staging Provisioning Server
+const std::string kCpStagingProvisioningServerUrl =
+      "https://staging-www.sandbox.googleapis.com/"
+      "certificateprovisioning/v1/devicecertificates/create"
+      "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+// TODO(b/69133499): update to new default cert.
+// NOTE: This is currently the same as the Production Service Cert.
+// NOTE: Provider ID = license.widevine.com
+const std::string kCpStagingProvisioningServiceCertificate =
+    "0ac102080312101705b917cc1204868b06333a2f772a8c1882b4829205228e023082010a02"
+    "8201010099ed5b3b327dab5e24efc3b62a95b598520ad5bccb37503e0645b814d876b8df40"
+    "510441ad8ce3adb11bb88c4e725a5e4a9e0795291d58584023a7e1af0e38a9127939300861"
+    "0b6f158c878c7e21bffbfeea77e1019e1e5781e8a45f46263d14e60e8058a8607adce04fac"
+    "8457b137a8d67ccdeb33705d983a21fb4eecbd4a10ca47490ca47eaa5d438218ddbaf1cade"
+    "3392f13d6ffb6442fd31e1bf40b0c604d1c4ba4c9520a4bf97eebd60929afceef55bbaf564"
+    "e2d0e76cd7c55c73a082b996120b8359edce24707082680d6f67c6d82c4ac5f3134490a74e"
+    "ec37af4b2f010c59e82843e2582f0b6b9f5db0fc5e6edf64fbd308b4711bcf1250019c9f5a"
+    "0902030100013a146c6963656e73652e7769646576696e652e636f6d128003ae347314b5a8"
+    "35297f271388fb7bb8cb5277d249823cddd1da30b93339511eb3ccbdea04b944b927c12134"
+    "6efdbdeac9d413917e6ec176a10438460a503bc1952b9ba4e4ce0fc4bfc20a9808aaaf4bfc"
+    "d19c1dcfcdf574ccac28d1b410416cf9de8804301cbdb334cafcd0d40978423a642e54613d"
+    "f0afcf96ca4a9249d855e42b3a703ef1767f6a9bd36d6bf82be76bbf0cba4fde59d2abcc76"
+    "feb64247b85c431fbca52266b619fc36979543fca9cbbdbbfafa0e1a55e755a3c7bce655f9"
+    "646f582ab9cf70aa08b979f867f63a0b2b7fdb362c5bc4ecd555d85bcaa9c593c383c857d4"
+    "9daab77e40b7851ddfd24998808e35b258e75d78eac0ca16f7047304c20d93ede4e8ff1c6f"
+    "17e6243e3f3da8fc1709870ec45fba823a263f0cefa1f7093b1909928326333705043a29bd"
+    "a6f9b4342cc8df543cb1a1182f7c5fff33f10490faca5b25360b76015e9c5a06ab8ee02f00"
+    "d2e8d5986104aacc4dd475fd96ee9ce4e326f21b83c7058577b38732cddabc6a6bed13fb0d"
+    "49d38a45eb87a5f4";
+
+// -----------------------------------------------------------------------------
+// Below are several choices for licenseing servers: production, UAT, staging
+// and staging and maybe Google Play.  We haven't tested with Google Play in a
+// long time.
+// -----------------------------------------------------------------------------
+
+// Content Protection license server (Production) data
+const std::string kCpProductionLicenseServer =
+    "https://widevine-proxy.appspot.com/proxy";
 // NOTE: Provider ID = staging.google.com
 const std::string kCpProductionServiceCertificate =
     "0ABF020803121028703454C008F63618ADE7443DB6C4C8188BE7F9900522"
@@ -52,11 +117,6 @@ const std::string kCpProductionServiceCertificate =
 // Content Protection license server (UAT) data
 const std::string kCpUatLicenseServer =
     "https://proxy.uat.widevine.com/proxy";
-// TODO(rfrias): replace when b62880305 is addressed. For now use production URL
-const std::string kCpUatProvisioningServerUrl =
-    "https://www.googleapis.com/"
-    "certificateprovisioning/v1/devicecertificates/create"
-    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
 // NOTE: Provider ID = staging.google.com
 const std::string kCpUatServiceCertificate =
     "0ABF020803121028703454C008F63618ADE7443DB6C4C8188BE7F9900522"
@@ -83,6 +143,10 @@ const std::string kCpUatServiceCertificate =
     "383F9C5116D202A20C9229EE969C2519718303B50D0130C3352E06B014D8"
     "38540F8A0C227C0011E0F5B38E4E298ED2CB301EB4564965F55C5D79757A"
     "250A4EB9C84AB3E6539F6B6FDF56899EA29914";
+const std::string kCpUatProvisioningServerUrl =
+    kCpProductionProvisioningServerUrl;
+const std::string kCpUatProvisioningServiceCertificate =
+    kCpProductionServiceCertificate;
 const std::string kCpClientAuth = "";
 const std::string kCpKeyId =
     "00000042"                          // blob size
@@ -107,10 +171,6 @@ const std::string kCpOfflineKeyId =
 // Content Protection license server (staging) data
 const std::string kCpStagingLicenseServer =
     "https://proxy.staging.widevine.com/proxy";
-const std::string kCpStagingProvisioningServerUrl =
-    "https://staging-www.sandbox.googleapis.com/"
-    "certificateprovisioning/v1/devicecertificates/create"
-    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
 // NOTE: Provider ID = license.widevine.com
 const std::string kCpStagingServiceCertificate =
     "0ac102080312101705b917cc1204868b06333a2f772a8c1882b482920522"
@@ -197,17 +257,19 @@ const std::string kWrongKeyId =
 
 const ConfigTestEnv::LicenseServerConfiguration license_servers[] = {
     {kGooglePlayServer, kGpLicenseServer, "", kGpClientAuth, kGpKeyId,
-        kGpOfflineKeyId, kCpProductionProvisioningServerUrl, ""},
+     kGpOfflineKeyId, kCpProductionProvisioningServerUrl, ""},
     {kContentProtectionUatServer, kCpUatLicenseServer, kCpUatServiceCertificate,
-        kCpClientAuth, kCpKeyId, kCpOfflineKeyId, kCpUatProvisioningServerUrl,
-        kCpUatServiceCertificate},
+     kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
+     // TODO(rfrias): replace when b/62880305 is addressed. For now use production
+     kCpProductionProvisioningServerUrl,
+     kCpProductionProvisioningServiceCertificate},
     {kContentProtectionStagingServer, kCpStagingLicenseServer,
-        kCpStagingServiceCertificate, kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
-        kCpStagingProvisioningServerUrl, kCpStagingServiceCertificate},
+     kCpStagingServiceCertificate, kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
+     kCpStagingProvisioningServerUrl, kCpStagingProvisioningServiceCertificate},
     {kContentProtectionProductionServer, kCpProductionLicenseServer,
-          kCpProductionServiceCertificate, kCpClientAuth, kCpKeyId,
-          kCpOfflineKeyId, kCpProductionProvisioningServerUrl,
-          kCpProductionServiceCertificate},
+     kCpProductionServiceCertificate, kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
+     kCpProductionProvisioningServerUrl,
+     kCpProductionProvisioningServiceCertificate},
 };
 
 }  // namespace

libwvdrmengine/cdm/core/test/http_socket.cpp

@@ -8,6 +8,7 @@
 #include <netdb.h>
 #include <netinet/in.h>
 #include <stdlib.h>
+#include <string.h>
 #include <sys/socket.h>
 #include <unistd.h>
 
@@ -323,7 +324,7 @@ int HttpSocket::Read(char* data, int len, int timeout_in_ms) {
       // The connection has been closed.  No more data.
       break;
     } else {
-      LOGE("recv returned %d, errno = %d", read, errno);
+      LOGE("recv returned %d, errno = %d = %s", read, errno, strerror(errno));
       return -1;
     }
   }

libwvdrmengine/cdm/core/test/url_request.cpp

@@ -112,7 +112,7 @@ bool UrlRequest::GetResponse(std::string* message) {
   }
 
   ConcatenateChunkedResponse(response, message);
-  LOGV("HTTP response: (%d): %s", message->size(), b2a_hex(*message).c_str());
+  LOGV("HTTP response: (%d): %s", message->size(), message->c_str());
   return true;
 }
 

libwvdrmengine/mediadrm/include_hidl/WVDrmPlugin.h

@@ -267,6 +267,7 @@ struct WVDrmPlugin : public IDrmPlugin, IDrmPluginListener,
     virtual void set_device_provisioning_service_certificate(
         const std::string& ) {
       // Ignore. Android does not support service certificates for provisioning
+      // TODO(b/69562876): Android SHOULD support service cert for provisioning
     }
 
     virtual bool is_session_sharing_enabled() const {