Support provisioning 3.0

[ Merge of http://go/wvgerrit/29004 ] Enable support for provisioning with OEM certificates as root of trust. b/62972441 Test: WV unit/intgration test and cdm_feature_test Change-Id: I30576fc0bb68a873eeaaca03f6b9c89fa6a14327
2017-07-17 02:40:50 -07:00
parent f90e8e0027
commit 7e2e90841e
13 changed files with 506 additions and 61 deletions
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -55,7 +55,8 @@ void CertificateProvisioning::ComposeJsonRequestAsQueryString(
 */
 bool CertificateProvisioning::GetProvisioningTokenType(
    ClientIdentification::TokenType* token_type) {
-  switch (crypto_session_.GetPreProvisionTokenType()) {
+  CdmClientTokenType token = crypto_session_.GetPreProvisionTokenType();
+  switch (token) {
    case kClientTokenKeybox:
      *token_type = ClientIdentification::KEYBOX;
      return true;
@@ -65,22 +66,23 @@ bool CertificateProvisioning::GetProvisioningTokenType(
    case kClientTokenDrmCert:
    default:
      // shouldn't happen
+      LOGE("CertificateProvisioning::GetProvisioningTokenType: unexpected "
+           "provisioning type: %d", token);
      return false;
  }
 }

 /*
- * Fill in the appropriate field relating to stable IDs in the provisioning
- * request, no more than one of |stable_id|, |provider_id|, and |spoid|. It is
- * also valid (though deprecated) to fill in none of these in order to leave the
- * stable ID behavior up to the provisioning server.
+ * Fill in the appropriate SPOID (Stable Per-Origin IDentifier) option.
+ * One of spoid, provider_id or stable_id will be passed to the provisioning
+ * server for determining a unique per origin ID for the device.
+ * It is also valid (though deprecated) to leave the settings unset.
 */
-bool CertificateProvisioning::FillStableIdField(
-    const std::string& origin,
-    const std::string& spoid,
+bool CertificateProvisioning::SetSpoidParameter(
+    const std::string& origin, const std::string& spoid,
    ProvisioningRequest* request) {
  if (!request) {
-    LOGE("CertificateProvisioning::FillStableIdField : No request buffer "
+    LOGE("CertificateProvisioning::SetSpoidParameter: No request buffer "
         "passed to method.");
    return false;
  }
@@ -160,21 +162,6 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
  client_id->set_token(token);
  client_id->set_type(token_type);

-#if 0  // TODO(gmorgan) in progress - encrypt ClientIdentification.
-  if (encrypt) {
-    EncryptedClientIdentification* encrypted_client_id =
-        provisioning_request->mutable_encrypted_client_id();
-    CdmResponseType sts;
-    sts = EncryptClientId(client_id, encrypted_client_id, certificate);
-    if (NO_ERROR == sts) {
-      provisioning_request->clear_client_id();
-    } else {
-      provisioning_request->clear_encrypted_client_id();
-    }
-    return sts;
-  }
-#endif
-
  uint32_t nonce;
  if (!crypto_session_.GenerateNonce(&nonce)) {
    LOGE("GetProvisioningRequest: fails to generate a nonce");
@@ -204,7 +191,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
  cert_type_ = cert_type;
  options->set_certificate_authority(cert_authority);

-  if (!FillStableIdField(origin, spoid, &provisioning_request)) {
+  if (!SetSpoidParameter(origin, spoid, &provisioning_request)) {
    return CERT_PROVISIONING_GET_KEYBOX_ERROR_2;
  }

@@ -326,11 +313,13 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
  const std::string& enc_rsa_key = provisioning_response.device_rsa_key();
  const std::string& nonce = provisioning_response.nonce();
  const std::string& rsa_key_iv = provisioning_response.device_rsa_key_iv();
+  const std::string& wrapping_key = (provisioning_response.has_wrapping_key()) ?
+            provisioning_response.wrapping_key() : std::string();
  const std::string& signature = signed_response.signature();
  std::string wrapped_rsa_key;
-  if (!crypto_session_.RewrapDeviceRSAKey(signed_message, signature, nonce,
-                                          enc_rsa_key, rsa_key_iv,
-                                          &wrapped_rsa_key)) {
+  if (!crypto_session_.RewrapCertificate(signed_message, signature, nonce,
+                                         enc_rsa_key, rsa_key_iv, wrapping_key,
+                                         &wrapped_rsa_key)) {
    LOGE("HandleProvisioningResponse: RewrapDeviceRSAKey fails");
    return CERT_PROVISIONING_RESPONSE_ERROR_6;
  }