Throw DeniedByServerException when provisioning detects a revoked device

[ Merge of http://go/wvgerrit/117267 ]

The client will now advertise the ability to handle provisioning errors
by a minor version update to the provisioning protocol version.
The provisioning service may indicate that the individual device
is revoked or that all devices with the same make/model have been revoked.

If the provisioning service has not been upgraded, the protocol version
field in the request will be ignored. The provisioning service/SDK
will respond with an HTTP 400 error to a provisioning request from
a revoked device.

Bug: 174174765
Test: WvCdmRequestLicenseTest.ProvisioningRevocationTest,
      WV unit/integration tests
Change-Id: I5ff61496685f310de6704a90452b8b76b3505cbb
Rahul Frias
2021-02-18 03:27:27 -08:00
parent 41ecde78cc
commit 64d5b38ff5
7 changed files with 149 additions and 1 deletions


@@ -118,6 +118,7 @@ using video_widevine::ProvisioningRequest;
using video_widevine::ProvisioningResponse;
using video_widevine::SignedDrmDeviceCertificate;
using video_widevine::SignedProvisioningMessage;
using video_widevine::SignedProvisioningMessage_ProvisioningProtocolVersion_VERSION_1_1;
CdmResponseType CertificateProvisioning::Init(
const std::string& service_certificate) {
@@ -298,6 +299,8 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
} else {
signed_provisioning_msg.set_oemcrypto_core_message(core_message);
}
signed_provisioning_msg.set_protocol_version(
SignedProvisioningMessage_ProvisioningProtocolVersion_VERSION_1_1);
std::string serialized_request;
signed_provisioning_msg.SerializeToString(&serialized_request);
@@ -393,6 +396,22 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
return CERT_PROVISIONING_RESPONSE_ERROR_4;
}
if (provisioning_response.has_status()) {
if (provisioning_response.status() != ProvisioningResponse::NO_ERROR) {
LOGE("Provisioning Response status: %d", provisioning_response.status());
}
switch (provisioning_response.status()) {
case ProvisioningResponse::NO_ERROR:
break;
case ProvisioningResponse::REVOKED_DEVICE_CREDENTIALS:
case ProvisioningResponse::REVOKED_DEVICE_SERIES:
return DEVICE_REVOKED;
default:
return CERT_PROVISIONING_RESPONSE_ERROR_10;
}
}
CryptoWrappedKey private_key;
const CdmResponseType status = crypto_session_->LoadProvisioning(
signed_message, core_message, signature, &private_key.key());
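Review bot: In the third hunk, the new `switch` on `provisioning_response.status()` returns `DEVICE_REVOKED` before the `crypto_session_->LoadProvisioning(signed_message, core_message, signature, ...)` call. Judging by its arguments, that call looks like the first point where the response signature is checked, so the revocation verdict appears to rest on a field that is not yet authenticated. If that reading is correct, a response altered in transit could make a healthy device surface as revoked, which matters most if any caller caches or persists the result. I would either move the status check behind a signature check or document the limitation with a comment above the `switch`, such as `// status is read before the response signature is verified; treat DEVICE_REVOKED as unauthenticated and do not persist it`. The body of `HandleProvisioningResponse` starts and ends outside this hunk, so an earlier verification step may exist that is not visible here.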