widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changed Prov4.0 handler to accept only recent requests.

Browse Source 
[ Cherry-pick of v19 http://go/wvgerrit/219291 ]
[ Merge of http://go/wvgerrit/219432 ]

If the same app/origin generates multiple provisioning 4.0
requests it is possible that a mismatch between the OEM/DRM
certificate and the wrapped OEM/DRM private key occurs.  The CDM
would use the OEM/DRM certificate of the first response one
received, and the wrapped private key of the last request generated.

To avoid this issue, the public key from the most recent request
is cached and checked against the responses received.  If the
keys match, that response is accepted; if the keys don't match
than the response is assumed "stale" and the response is dropped.

In an attempt to maintain existing behavior of the CDM, "stale"
responses will return NO_ERROR to the app.

Note: This was tested using both RSA and ECC cert key types.

VIC-specific: Needed to add implementation of StringContains() and
StringEndsWith().

Bug: 391469176
Test: run_prov40_tests
Change-Id: Id45d40d9af355c46a61c3cc2c19c252cf17c7489
This commit is contained in:
Alex Dale
2025-04-21 17:04:07 -07:00
parent daf291955f
commit a2cdce4296
7 changed files with 795 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libwvdrmengine/include/mapErrors-inl.h
View File

@@ -270,6 +270,8 @@ static inline WvStatus mapCdmResponseType(wvcdm::CdmResponseType res) {
case wvcdm::USAGE_INVALID_PARAMETERS_2:
case wvcdm::USAGE_STORE_ENTRY_RETRIEVE_INVALID_STORAGE_TYPE:
case wvcdm::CLIENT_TOKEN_NOT_SET:
// Stale responses should have been caught by the CDM engine.
case wvcdm::PROVISIONING_4_STALE_RESPONSE:
err = Status::GENERAL_PLUGIN_ERROR;
break;
case wvcdm::CLIENT_ID_GENERATE_RANDOM_ERROR:
@@ -403,6 +405,9 @@ static inline WvStatus mapCdmResponseType(wvcdm::CdmResponseType res) {
case wvcdm::CERT_PROVISIONING_RESPONSE_ERROR_4:
case wvcdm::CERT_PROVISIONING_RESPONSE_ERROR_9:
case wvcdm::LOAD_PROVISIONING_ERROR:
// Failure to verify provisioning cert key is always
// due to a malformed response.
case wvcdm::PROVISIONING_4_FAILED_TO_VERIFY_CERT_KEY:
err = Status::PROVISIONING_PARSE_ERROR;
break;
case wvcdm::CERT_PROVISIONING_RESPONSE_ERROR_10: