Provisioning 3.0: Changes to Provisioning and Service Certs.
[ Merge of http://go/wvgerrit/23360 ] Service Certificates are used in two places, provisioning and licensing. The service certificate code depended on a session_id to get and set the service certificate properties, but the session_id was not available in the provisioning path. This patch pulls out the property lookup by session_id dependency, and passes the CdmImpl's property_set into the provisioning code, so the service certificate can be read and written there. Bug: 62972441 Test: WV unit/integration tests. This introduces three test failures * WvCdmRequestLicenseTest.PrivacyModeWithServiceCertificateTest * Cdm/WvCdmStreamingLicenseRenewalTest.WithClientId/4 * Cdm/WvCdmOfflineLicenseReleaseTest.WithClientId/3 Change-Id: I6e9d4e23a9e7e81a63a994db8ec0b443893449a6
This commit is contained in:
Rahul Frias
@@ -5,12 +5,11 @@
|
||||
|
||||
// Service Certificates are used to encrypt the ClientIdentification message
|
||||
// that is part of Device Provisioning, License, Renewal, and Release requests.
|
||||
// They may be supplied by the application, or a default certificate may be
|
||||
// configured into the CDM, or the CDM may send a Service Certificate Request
|
||||
// to the target server to get one. Separate certificates are maintained for
|
||||
// the License and Provisioning Servers (the default service certificates
|
||||
// are currently identical for both servers). Once the Service Certificates are
|
||||
// established for the session, they should not change.
|
||||
// It also supplies a provider_id setting used in device provisioning.
|
||||
// Service Certificates are typically supplied by the application. If one
|
||||
// is not supplied and privacy mode is enabled, the CDM will send a Service
|
||||
// Certificate Request to the target server to get one. Once the Service
|
||||
// Certificate is established for the session, it should not change.
|
||||
|
||||
#include "license_protocol.pb.h"
|
||||
#include "wv_cdm_types.h"
|
||||
@@ -26,51 +25,56 @@ class CryptoSession;
|
||||
|
||||
class ServiceCertificate {
|
||||
public:
|
||||
ServiceCertificate();
|
||||
virtual ~ServiceCertificate();
|
||||
ServiceCertificate() {}
|
||||
virtual ~ServiceCertificate() {}
|
||||
|
||||
virtual bool Init(const CdmSessionId& session_id, CryptoSession* session);
|
||||
// Set up a new service certificate.
|
||||
// Accept a serialized video_widevine::SignedDrmDeviceCertificate message.
|
||||
virtual CdmResponseType Init(const std::string& signed_certificate);
|
||||
|
||||
virtual bool IsRequired();
|
||||
virtual bool IsAvailable();
|
||||
virtual bool PrepareServiceCertificateRequest(CdmKeyMessage* signed_request);
|
||||
// Initialize the service certificate.
|
||||
// Set the certificate with no certificate and provider ID.
|
||||
virtual void Clear();
|
||||
|
||||
virtual CdmResponseType VerifyAndSet(
|
||||
const std::string& signed_service_certificate);
|
||||
// Current state of certificate.
|
||||
// If !HasCertificate() and privacy mode is enabled, then should call
|
||||
// PrepareRequest() and pass the request to the license server.
|
||||
virtual bool HasCertificate() { return !certificate_.empty(); }
|
||||
virtual bool HasProviderId() { return !provider_id_.empty(); }
|
||||
virtual const std::string& provider_id() { return provider_id_; }
|
||||
|
||||
// Encrypt the ClientIdentification message for a provisioning or
|
||||
// licensing request. Encryption is performed using the current
|
||||
// service certificate. Return a failure if the service certificate is
|
||||
// not present, not valid, or if some other error occurs.
|
||||
// The routine should not be called if privacy mode is off or if the
|
||||
// certificate is empty.
|
||||
virtual CdmResponseType EncryptClientId(
|
||||
CryptoSession* crypto_session,
|
||||
const video_widevine::ClientIdentification* clear_client_id,
|
||||
video_widevine::EncryptedClientIdentification* encrypted_client_id);
|
||||
|
||||
static CdmResponseType VerifySignedServiceCertificate(
|
||||
const std::string& signed_certificate) {
|
||||
bool has_provider_id;
|
||||
return VerifyAndExtractFromSignedCertificate(signed_certificate, NULL,
|
||||
&has_provider_id, NULL);
|
||||
}
|
||||
// Construct service certificate request.
|
||||
virtual bool PrepareRequest(CdmKeyMessage* signed_request);
|
||||
|
||||
// Parse service certificate response and make it usable.
|
||||
virtual CdmResponseType HandleResponse(
|
||||
const std::string& signed_respnse);
|
||||
|
||||
private:
|
||||
// Take a signed certificate, parse it, and verify it.
|
||||
// If a pointer to a string object is passed in, the certificate
|
||||
// will be copied to it.
|
||||
static CdmResponseType VerifyAndExtractFromSignedCertificate(
|
||||
const std::string& signed_service_certificate,
|
||||
std::string* service_certificate, bool* has_provider_id,
|
||||
std::string* provider_id);
|
||||
// Verify the signature on the signed service certificate.
|
||||
// Extract and save the certificate and provider_id.
|
||||
// Expected format: serialized video_widevine::SignedDrmDeviceCertificate.
|
||||
virtual CdmResponseType VerifyAndExtract(
|
||||
const std::string& raw_certificate);
|
||||
|
||||
virtual bool SetupServiceCertificate();
|
||||
|
||||
CryptoSession* crypto_session_;
|
||||
CdmSessionId session_id_;
|
||||
bool privacy_mode_enabled_;
|
||||
bool valid_;
|
||||
bool initialized_;
|
||||
// True while waiting for response to service certificate request.
|
||||
bool fetch_in_progress_;
|
||||
|
||||
// Certificate, verified and extracted from signed message.
|
||||
std::string certificate_;
|
||||
|
||||
// Provider ID, extracted from certificate message.
|
||||
bool has_provider_id_;
|
||||
std::string provider_id_;
|
||||
|
||||
CORE_DISALLOW_COPY_AND_ASSIGN(ServiceCertificate);
|
||||
|
||||
Reference in New Issue
Block a user