From 7bb0b06c03cb6287cd64672bf2e3ffe6fa4ca594 Mon Sep 17 00:00:00 2001 From: Fred Gylys-Colwell Date: Mon, 21 Aug 2023 21:35:05 -0700 Subject: [PATCH] Refactor provisioning unit tests There was some confusion about which tests loaded a cert and which ones just used a cert. This distinction is important when testing devices with a baked-in-cert. Merged from https://widevine-internal-review.googlesource.com/183333 Change-Id: I3c2b119c3355b3a9190799637ff0860b6153b35b --- .../oemcrypto/test/oemcrypto_cast_test.cpp | 8 +- .../oemcrypto/test/oemcrypto_cast_test.h | 30 --- .../oemcrypto/test/oemcrypto_license_test.cpp | 9 +- .../oemcrypto/test/oemcrypto_license_test.h | 4 +- .../test/oemcrypto_provisioning_test.cpp | 67 +++--- .../test/oemcrypto_provisioning_test.h | 193 +++++++++++------- 6 files changed, 151 insertions(+), 160 deletions(-) diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.cpp index 4c397b6b..e430061f 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.cpp +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.cpp @@ -22,7 +22,7 @@ TEST_F(OEMCryptoLoadsCertificateAlternates, DisallowForbiddenPaddingAPI09) { } LoadWithAllowedSchemes(kSign_RSASSA_PSS, true); // Use default padding scheme - DisallowForbiddenPadding(kSign_PKCS1_Block1, 50); + DisallowForbiddenPaddingDRMKey(kSign_PKCS1_Block1, 50); } // The alternate padding is only required for cast receivers, but if a device @@ -46,7 +46,7 @@ TEST_F(OEMCryptoLoadsCertificateAlternates, TestSignaturePKCS1) { // for forbidden padding schemes. if (key_loaded_) { // The other padding scheme should fail. - DisallowForbiddenPadding(kSign_RSASSA_PSS, 83); + DisallowForbiddenPaddingDRMKey(kSign_RSASSA_PSS, 83); DisallowDeriveKeys(); if (global_features.cast_receiver) { // A signature with a valid size should succeed. @@ -54,7 +54,7 @@ TEST_F(OEMCryptoLoadsCertificateAlternates, TestSignaturePKCS1) { TestSignature(kSign_PKCS1_Block1, 50); } // A signature with padding that is too big should fail. - DisallowForbiddenPadding(kSign_PKCS1_Block1, 84); // too big. + DisallowForbiddenPaddingDRMKey(kSign_PKCS1_Block1, 84); // too big. } } @@ -986,4 +986,4 @@ TEST_P(OEMCryptoSessionTestLoadCasKeysWithHDCP, CasOnlyLoadCasKeysAPI17) { } INSTANTIATE_TEST_SUITE_P(TestHDCP, OEMCryptoSessionTestLoadCasKeysWithHDCP, Range(1, 6)); -} // namespace wvoec \ No newline at end of file +} // namespace wvoec diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.h b/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.h index b6e2116c..fe18672d 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.h +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_cast_test.h @@ -25,36 +25,6 @@ std::string MaybeHex(const std::vector& data); // This test attempts to use alternate algorithms for loaded device certs. class OEMCryptoLoadsCertificateAlternates : public OEMCryptoLoadsCertificate { protected: - void DisallowForbiddenPadding(RSA_Padding_Scheme scheme, size_t size) { - OEMCryptoResult sts; - Session s; - ASSERT_NO_FATAL_FAILURE(s.open()); - ASSERT_NO_FATAL_FAILURE(s.LoadWrappedRsaDrmKey(wrapped_drm_key_)); - - // Sign a Message - vector licenseRequest(size); - GetRandBytes(licenseRequest.data(), licenseRequest.size()); - size_t signature_length = 256; - vector signature(signature_length); - sts = OEMCrypto_GenerateRSASignature( - s.session_id(), licenseRequest.data(), licenseRequest.size(), - signature.data(), &signature_length, scheme); - // Allow OEMCrypto to request a full buffer. - if (sts == OEMCrypto_ERROR_SHORT_BUFFER) { - ASSERT_NE(static_cast(0), signature_length); - signature.assign(signature_length, 0); - sts = OEMCrypto_GenerateRSASignature( - s.session_id(), licenseRequest.data(), licenseRequest.size(), - signature.data(), &signature_length, scheme); - } - - EXPECT_NE(OEMCrypto_SUCCESS, sts) - << "Signed with forbidden padding scheme=" << (int)scheme - << ", size=" << (int)size; - const vector zero(signature.size(), 0); - ASSERT_EQ(zero, signature); // signature should not be computed. - } - void TestSignature(RSA_Padding_Scheme scheme, size_t size) { Session s; ASSERT_NO_FATAL_FAILURE(s.open()); diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.cpp index 9ff2f649..93065b22 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.cpp +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.cpp @@ -84,13 +84,6 @@ void TestMaxKeys(SessionUtil* util, size_t num_keys_per_session) { } } -TEST_F(OEMCryptoSessionTestKeyboxTest, TestKeyboxIsValid) { - if (global_features.provisioning_method != OEMCrypto_Keybox) { - GTEST_SKIP() << "Test for Prov 2.0 devices only."; - } - ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_IsKeyboxValid()); -} - TEST_F(OEMCryptoSessionTests, OEMCryptoMemoryPrepareLicenseRequestForHugeRequestMessageLength) { TestPrepareLicenseRequestForHugeBufferLengths( @@ -970,4 +963,4 @@ INSTANTIATE_TEST_SUITE_P(TestAPI16, OEMCryptoRefreshTestAPI16, Range(kCoreMessagesAPI, kCurrentAPI + 1)); /// @} -} // namespace wvoec \ No newline at end of file +} // namespace wvoec diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.h b/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.h index 66ef2cbf..8d7339b2 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.h +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_license_test.h @@ -96,8 +96,6 @@ class OEMCryptoSessionTests : public OEMCryptoClientTest { } }; -class OEMCryptoSessionTestKeyboxTest : public OEMCryptoSessionTests {}; - // This class is for testing a single license with the default API version // of 16. class OEMCryptoLicenseTestAPI16 : public OEMCryptoSessionTests { @@ -411,4 +409,4 @@ class OEMCryptoRefreshTestAPI16 : public OEMCryptoRefreshTest {}; } // namespace wvoec -#endif // CDM_OEMCRYPTO_LICENSE_TEST_ \ No newline at end of file +#endif // CDM_OEMCRYPTO_LICENSE_TEST_ diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.cpp index 2486f9ff..2763c3c2 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.cpp +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.cpp @@ -539,7 +539,7 @@ TEST_F(OEMCryptoProv40Test, InstallOemPrivateKeyCanBeUsed) { * cert. */ TEST_F(OEMCryptoProv40Test, OEMPrivateKeyCannotBeDRMKey) { - // Create an OEM Cert and save it for alter. + // Create an OEM Cert and save it for later. Session s1; ASSERT_NO_FATAL_FAILURE(s1.open()); ASSERT_NO_FATAL_FAILURE(CreateProv4OEMKey(&s1)); @@ -657,8 +657,7 @@ INSTANTIATE_TEST_SUITE_P(Prov4CastProvisioningBasic, OEMCryptoProv40CastTest, TEST_F(OEMCryptoLoadsCertificate, PrepAndSignLicenseRequestCounterAPI18) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey()); @@ -683,8 +682,7 @@ TEST_F(OEMCryptoLoadsCertificate, PrepAndSignLicenseRequestCounterAPI18) { TEST_F(OEMCryptoLoadsCertificate, LoadRSASessionKey) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey()); @@ -696,8 +694,7 @@ TEST_F(OEMCryptoLoadsCertificate, LoadRSASessionKey) { TEST_F(OEMCryptoLoadsCertificate, SignProvisioningRequest) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -716,8 +713,7 @@ TEST_F(OEMCryptoLoadsCertificate, SignProvisioningRequest) { TEST_F(OEMCryptoLoadsCertificate, SignLargeProvisioningRequestAPI16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -740,8 +736,7 @@ TEST_F(OEMCryptoLoadsCertificate, SignLargeProvisioningRequestAPI16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvision) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -762,8 +757,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvision) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange1_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -785,8 +779,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange1_API16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange2_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -808,8 +801,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange2_API16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange3_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -833,8 +825,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange3_API16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange4_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -858,8 +849,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange4_API16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange5Prov30_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } if (global_features.provisioning_method != OEMCrypto_OEMCertificate) { @@ -890,8 +880,7 @@ TEST_F(OEMCryptoLoadsCertificate, } // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } if (global_features.provisioning_method != OEMCrypto_Keybox) { @@ -913,8 +902,7 @@ TEST_F(OEMCryptoLoadsCertificate, TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadNonce_API16) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -933,8 +921,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadNonce_API16) { TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRSAKey) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -960,8 +947,7 @@ TEST_F(OEMCryptoLoadsCertificate, } // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -985,8 +971,7 @@ TEST_F(OEMCryptoLoadsCertificate, TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionLargeBuffer) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } Session s; @@ -1008,8 +993,7 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionLargeBuffer) { TEST_F(OEMCryptoLoadsCertificate, LoadWrappedRSAKey) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey()); @@ -1024,8 +1008,7 @@ class OEMCryptoLoadsCertVariousKeys : public OEMCryptoLoadsCertificate { OEMCryptoLoadsCertificate::SetUp(); // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } } @@ -1107,8 +1090,7 @@ TEST_F(OEMCryptoLoadsCertVariousKeys, TestEulerZeroNormalDer) { TEST_F(OEMCryptoLoadsCertificate, TestMultipleRSAKeys) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey()); @@ -1149,8 +1131,7 @@ TEST_F(OEMCryptoLoadsCertificate, TestMultipleRSAKeys) { TEST_F(OEMCryptoLoadsCertificate, TestMaxDRMKeys) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } const size_t max_total_keys = GetResourceValue(kMaxTotalDRMPrivateKeys); @@ -1222,8 +1203,7 @@ TEST_F(OEMCryptoLoadsCertificate, TestMaxDRMKeys) { TEST_F(OEMCryptoLoadsCertificate, SupportsCertificatesAPI13) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } ASSERT_NE(0u, @@ -1236,8 +1216,7 @@ TEST_F(OEMCryptoLoadsCertificate, SupportsCertificatesAPI13) { TEST_F(OEMCryptoLoadsCertificate, RSAPerformance) { // TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for // provisioning 4. Disabled here temporarily. - if (!global_features.loads_certificate || - global_features.provisioning_method == OEMCrypto_BootCertificateChain) { + if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) { GTEST_SKIP() << "Test for non Prov 4.0 devices only."; } const std::chrono::milliseconds kTestDuration(5000); @@ -1369,4 +1348,4 @@ TEST_F(OEMCryptoUsesCertificate, GenerateDerivedKeysLargeBuffer) { enc_context.data(), enc_context.size())); } -} // namespace wvoec \ No newline at end of file +} // namespace wvoec diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.h b/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.h index 18634036..8877b175 100644 --- a/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.h +++ b/libwvdrmengine/oemcrypto/test/oemcrypto_provisioning_test.h @@ -17,65 +17,84 @@ namespace wvoec { -// Tests using this class are only used for devices with a keybox. They are not -// run for devices with an OEM Certificate. -class OEMCryptoKeyboxTest : public OEMCryptoClientTest { - void SetUp() override { - OEMCryptoClientTest::SetUp(); - if (global_features.provisioning_method != OEMCrypto_Keybox) { - GTEST_SKIP() << "Test for Prov 2.0 devices only."; - } - OEMCryptoResult sts = OEMCrypto_IsKeyboxValid(); - // If the production keybox is valid, use it for these tests. Most of the - // other tests will use a test keybox anyway, but it's nice to check the - // device ID for the real keybox if we can. - if (sts == OEMCrypto_SUCCESS) return; - printf("Production keybox is NOT valid. All tests use test keybox.\n"); - ASSERT_EQ( - OEMCrypto_SUCCESS, - OEMCrypto_LoadTestKeybox(reinterpret_cast(&kTestKeybox), - sizeof(kTestKeybox))); - } -}; - -// This class is for tests that have an OEM Certificate instead of a keybox. -class OEMCryptoProv30Test : public OEMCryptoClientTest { - void SetUp() override { - OEMCryptoClientTest::SetUp(); - if (global_features.provisioning_method != OEMCrypto_OEMCertificate) { - GTEST_SKIP() << "Test for Prov 3.0 devices only."; - } - } -}; - -// This class is for tests that have boot certificate chain instead of a keybox. -class OEMCryptoProv40Test : public OEMCryptoClientTest { - void SetUp() override { - OEMCryptoClientTest::SetUp(); - if (global_features.provisioning_method != OEMCrypto_BootCertificateChain) { - GTEST_SKIP() << "Test for Prov 4.0 devices only."; - } - } -}; - -class OEMCryptoProv40CastTest : public OEMCryptoClientTest, - public testing::WithParamInterface { - void SetUp() override { - OEMCryptoClientTest::SetUp(); - if (!global_features.cast_receiver) { - GTEST_SKIP() << "Test for cast devices only."; - } - if (global_features.provisioning_method != OEMCrypto_BootCertificateChain) { - GTEST_SKIP() << "Test for Prov 4.0 devices only."; - } - } -}; - // // Certificate Root of Trust Tests // -class OEMCryptoLoadsCertificate : public OEMCryptoSessionTestKeyboxTest { +// These tests are run by all L1 devices that load and use certificates. It is +// also run by a few L3 devices that use a baked in certificate, but cannot load +// a certificate. +class OEMCryptoUsesCertificate : public OEMCryptoSessionTests { protected: + void SetUp() override { + OEMCryptoSessionTests::SetUp(); + ASSERT_NO_FATAL_FAILURE(session_.open()); + if (global_features.derive_key_method == + DeviceFeatures::LOAD_TEST_RSA_KEY) { + ASSERT_NO_FATAL_FAILURE(session_.SetRsaPublicKeyFromPrivateKeyInfo( + encoded_rsa_key_.data(), encoded_rsa_key_.size())); + } else { + InstallTestDrmKey(&session_); + } + } + + void TearDown() override { + ASSERT_NO_FATAL_FAILURE(session_.close()); + OEMCryptoSessionTests::TearDown(); + } + + Session session_; +}; + +/** These tests cover all systems that can load a DRM Certificate. That includes + * Provisioning 2, 3 and 4. */ +class OEMCryptoLoadsCertificate : public OEMCryptoUsesCertificate { + protected: + void SetUp() override { + OEMCryptoUsesCertificate::SetUp(); + if (!global_features.loads_certificate) { + GTEST_SKIP() << "Test for devices that load a DRM certificate only."; + } + } + + /** Verify that the specified padding scheme does not work with the DRM + * key and the function OEMCrypto_GenerateRSASignature. */ + void DisallowForbiddenPaddingDRMKey(RSA_Padding_Scheme scheme, size_t size) { + Session s; + ASSERT_NO_FATAL_FAILURE(s.open()); + ASSERT_NO_FATAL_FAILURE(s.LoadWrappedRsaDrmKey(wrapped_drm_key_)); + DisallowForbiddenPadding(s.session_id(), scheme, size); + } + + /** Verify that the specified padding scheme does not work with whichever key + * is currently loaded into the specified session and the function + * OEMCrypto_GenerateRSASignature. */ + void DisallowForbiddenPadding(OEMCrypto_SESSION session, + RSA_Padding_Scheme scheme, size_t size) { + OEMCryptoResult sts; + // Sign a Message + vector message(size); + GetRandBytes(message.data(), message.size()); + size_t signature_length = 256; + vector signature(signature_length); + sts = OEMCrypto_GenerateRSASignature(session, message.data(), + message.size(), signature.data(), + &signature_length, scheme); + // Allow OEMCrypto to request a full buffer. + if (sts == OEMCrypto_ERROR_SHORT_BUFFER) { + ASSERT_NE(static_cast(0), signature_length); + signature.assign(signature_length, 0); + sts = OEMCrypto_GenerateRSASignature(session, message.data(), + message.size(), signature.data(), + &signature_length, scheme); + } + + EXPECT_NE(OEMCrypto_SUCCESS, sts) + << "Signed with forbidden padding scheme=" << (int)scheme + << ", size=" << (int)size; + const vector zero(signature.size(), 0); + ASSERT_EQ(zero, signature); // signature should not be computed. + } + void TestPrepareProvisioningRequestForHugeBufferLengths( const std::function f, bool check_status) { @@ -142,31 +161,63 @@ class OEMCryptoLoadsCertificate : public OEMCryptoSessionTestKeyboxTest { } }; -// These tests are run by all L1 devices that load and use certificates. It is -// also run by a few L3 devices that use a baked in certificate, but cannot load -// a certificate. -class OEMCryptoUsesCertificate : public OEMCryptoLoadsCertificate { +// Tests using this class are only used for devices with a keybox. They are not +// run for devices with an OEM Certificate. +class OEMCryptoKeyboxTest : public OEMCryptoLoadsCertificate { protected: void SetUp() override { OEMCryptoLoadsCertificate::SetUp(); - ASSERT_NO_FATAL_FAILURE(session_.open()); - if (global_features.derive_key_method == - DeviceFeatures::LOAD_TEST_RSA_KEY) { - ASSERT_NO_FATAL_FAILURE(session_.SetRsaPublicKeyFromPrivateKeyInfo( - encoded_rsa_key_.data(), encoded_rsa_key_.size())); - } else { - InstallTestDrmKey(&session_); + if (global_features.provisioning_method != OEMCrypto_Keybox) { + GTEST_SKIP() << "Test for Prov 2.0 devices only."; + } + OEMCryptoResult sts = OEMCrypto_IsKeyboxValid(); + // If the production keybox is valid, use it for these tests. Most of the + // other tests will use a test keybox anyway, but it's nice to check the + // device ID for the real keybox if we can. + if (sts == OEMCrypto_SUCCESS) return; + printf("Production keybox is NOT valid. All tests use test keybox.\n"); + ASSERT_EQ( + OEMCrypto_SUCCESS, + OEMCrypto_LoadTestKeybox(reinterpret_cast(&kTestKeybox), + sizeof(kTestKeybox))); + ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_IsKeyboxValid()) + << "After loading Test keybox, the keybox was still not valid."; + } +}; + +// This class is for tests that have an OEM Certificate instead of a keybox. +class OEMCryptoProv30Test : public OEMCryptoLoadsCertificate { + protected: + void SetUp() override { + OEMCryptoLoadsCertificate::SetUp(); + if (global_features.provisioning_method != OEMCrypto_OEMCertificate) { + GTEST_SKIP() << "Test for Prov 3.0 devices only."; } } +}; - void TearDown() override { - ASSERT_NO_FATAL_FAILURE(session_.close()); - OEMCryptoLoadsCertificate::TearDown(); +// This class is for tests that have boot certificate chain instead of a keybox. +class OEMCryptoProv40Test : public OEMCryptoLoadsCertificate { + protected: + void SetUp() override { + OEMCryptoLoadsCertificate::SetUp(); + if (global_features.provisioning_method != OEMCrypto_BootCertificateChain) { + GTEST_SKIP() << "Test for Prov 4.0 devices only."; + } } +}; - Session session_; +class OEMCryptoProv40CastTest : public OEMCryptoProv40Test, + public testing::WithParamInterface { + protected: + void SetUp() override { + OEMCryptoProv40Test::SetUp(); + if (!global_features.cast_receiver) { + GTEST_SKIP() << "Test for cast devices only."; + } + } }; } // namespace wvoec -#endif // CDM_OEMCRYPTO_PROVISIONING_TEST_ \ No newline at end of file +#endif // CDM_OEMCRYPTO_PROVISIONING_TEST_