widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topic "entitlement_license"

Browse Source 
* changes:
  Fix some unit tests
  Add basic handling for entitlement keys in a license.
  Refactor key sessions to move them out of crypto session.
  Fix entitlement keys encryption and content key loading.
This commit is contained in:
Fred Gylys-Colwell
2018-01-30 20:17:32 +00:00
committed by Android (Google) Code Review
parent f6c12c465c 8230484de2
commit c45384bf00
29 changed files with 1456 additions and 993 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
libwvdrmengine/cdm/core/include/content_key_session.h Normal file
View File

@@ -0,0 +1,63 @@
#ifndef WVCDM_CORE_CONTENT_KEY_SESSSION_H_
#define WVCDM_CORE_CONTENT_KEY_SESSSION_H_
#include "key_session.h"
#include "timer_metric.h"
namespace wvcdm {
class ContentKeySession : public KeySession {
public:
ContentKeySession(CryptoSessionId oec_session_id,
metrics::CryptoMetrics* metrics)
: KeySession(metrics), oec_session_id_(oec_session_id) {}
virtual ~ContentKeySession() {}
KeySessionType Type() { return kDefault; }
// Generate Derived Keys for ContentKeySession
bool GenerateDerivedKeys(const std::string& message);
// Generate Derived Keys (from session key) for ContentKeySession
bool GenerateDerivedKeys(const std::string& message,
const std::string& session_key);
// Load Keys for ContentKeySession
OEMCryptoResult LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement);
OEMCryptoResult LoadEntitledContentKeys(const std::vector<CryptoKey>& keys) {
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
// Select Key for ContentKeySession
OEMCryptoResult SelectKey(const std::string& key_id,
CdmCipherMode cipher_mode);
// Decrypt for ContentKeySession
OEMCryptoResult Decrypt(const CdmDecryptionParameters& params,
OEMCrypto_DestBufferDesc& buffer_descriptor,
OEMCrypto_CENCEncryptPatternDesc& pattern_descriptor);
protected:
OEMCryptoResult LoadKeys(
const std::string& message, const std::string& signature,
const std::string& mac_key_iv, const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token, CdmCipherMode* cipher_mode,
const std::string& srm_requirement, OEMCrypto_LicenseType license_type);
CryptoSessionId oec_session_id_;
private:
KeyId cached_key_id_;
};
} // namespace wvcdm
#endif // WVCDM_CORE_CONTENT_KEY_SESSSION_H_

5
libwvdrmengine/cdm/core/include/crypto_key.h
View File

@@ -19,6 +19,7 @@ class CryptoKey {
const std::string& key_control_iv() const { return key_control_iv_; }
const std::string& sub_session_key_id() const {return sub_session_key_id_;}
const std::string& sub_session_key() const {return sub_session_key_;}
const std::string& entitlement_key_id() const {return entitlement_key_id_;}
const std::string& track_label() const { return track_label_; }
CdmCipherMode cipher_mode() const { return cipher_mode_; }
void set_key_id(const std::string& key_id) { key_id_ = key_id; }
@@ -40,6 +41,9 @@ class CryptoKey {
void set_track_label(const std::string& track_label) {
track_label_ = track_label;
}
void set_entitlement_key_id(const std::string& entitlement_key_id) {
entitlement_key_id_ = entitlement_key_id;
}
bool HasKeyControl() const { return key_control_.size() >= 16; }
@@ -52,6 +56,7 @@ class CryptoKey {
std::string sub_session_key_id_;
std::string track_label_;
std::string sub_session_key_;
std::string entitlement_key_id_;
CdmCipherMode cipher_mode_;
};

92
libwvdrmengine/cdm/core/include/crypto_session.h
View File

@@ -8,10 +8,10 @@
#include <vector>
#include "OEMCryptoCENC.h"
#include "key_session.h"
#include "lock.h"
#include "metrics_collections.h"
#include "oemcrypto_adapter.h"
#include "OEMCryptoCENC.h"
#include "scoped_ptr.h"
#include "timer_metric.h"
#include "wv_cdm_types.h"
@@ -22,37 +22,13 @@ class CryptoKey;
class UsageTableHeader;
typedef std::map<std::string, CryptoKey*> CryptoKeyMap;
typedef std::map<std::string, CryptoSessionId> SubLicenseSessionMap;
class KeySession {
protected:
KeySession(metrics::CryptoMetrics* metrics) : metrics_(metrics) {}
public:
typedef enum { kDefault, kSubLicense } KeySessionType;
virtual ~KeySession() {}
virtual KeySessionType Type() = 0;
virtual bool GenerateDerivedKeys(const std::string& message) = 0;
virtual bool GenerateDerivedKeys(const std::string& message,
const std::string& session_key) = 0;
virtual OEMCryptoResult LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement) = 0;
virtual OEMCryptoResult SelectKey(const std::string& key_id,
CdmCipherMode cipher_mode) = 0;
virtual OEMCryptoResult Decrypt(
const CdmDecryptionParameters& params,
OEMCrypto_DestBufferDesc& buffer_descriptor,
OEMCrypto_CENCEncryptPatternDesc& pattern_descriptor) = 0;
protected:
metrics::CryptoMetrics* metrics_;
};
// Crypto session utility functions used by KeySession implementations.
void GenerateMacContext(const std::string& input_context,
std::string* deriv_context);
void GenerateEncryptContext(const std::string& input_context,
std::string* deriv_context);
size_t GetOffset(std::string message, std::string field);
class CryptoSession {
public:
@@ -100,13 +76,15 @@ class CryptoSession {
bool is_provisioning, std::string* signature);
virtual bool PrepareRenewalRequest(const std::string& message,
std::string* signature);
virtual CdmResponseType LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& key_array,
const std::string& provider_session_token,
const std::string& srm_requirement);
virtual CdmResponseType LoadKeys(
const std::string& message, const std::string& signature,
const std::string& mac_key_iv, const std::string& mac_key,
const std::vector<CryptoKey>& key_array,
const std::string& provider_session_token,
const std::string& srm_requirement,
CdmLicenseKeyType key_type);
virtual CdmResponseType LoadEntitledContentKeys(
const std::vector<CryptoKey>& key_array);
virtual bool LoadCertificatePrivateKey(std::string& wrapped_key);
virtual bool RefreshKeys(const std::string& message,
const std::string& signature, int num_keys,
@@ -192,19 +170,17 @@ class CryptoSession {
virtual CdmResponseType LoadUsageEntry(uint32_t entry_number,
const CdmUsageEntry& usage_entry);
virtual CdmResponseType UpdateUsageEntry(
CdmUsageTableHeader* usage_table_header,
CdmUsageEntry* usage_entry);
CdmUsageTableHeader* usage_table_header, CdmUsageEntry* usage_entry);
virtual CdmResponseType ShrinkUsageTableHeader(
uint32_t new_entry_count, CdmUsageTableHeader* usage_table_header);
virtual CdmResponseType MoveUsageEntry(uint32_t new_entry_number);
virtual bool CreateOldUsageEntry(
uint64_t time_since_license_received,
uint64_t time_since_first_decrypt,
uint64_t time_since_last_decrypt,
UsageDurationStatus status,
const std::string& server_mac_key,
const std::string& client_mac_key,
const std::string& provider_session_token);
virtual bool CreateOldUsageEntry(uint64_t time_since_license_received,
uint64_t time_since_first_decrypt,
uint64_t time_since_last_decrypt,
UsageDurationStatus status,
const std::string& server_mac_key,
const std::string& client_mac_key,
const std::string& provider_session_token);
virtual CdmResponseType CopyOldUsageEntry(
const std::string& provider_session_token);
virtual bool GetAnalogOutputCapabilities(bool* can_support_output,
@@ -235,15 +211,19 @@ class CryptoSession {
bool SetDestinationBufferType();
bool RewrapDeviceRSAKey(
const std::string& message, const std::string& signature,
const std::string& nonce, const std::string& enc_rsa_key,
const std::string& rsa_key_iv, std::string* wrapped_rsa_key);
bool RewrapDeviceRSAKey(const std::string& message,
const std::string& signature,
const std::string& nonce,
const std::string& enc_rsa_key,
const std::string& rsa_key_iv,
std::string* wrapped_rsa_key);
bool RewrapDeviceRSAKey30(
const std::string& message, const std::string& nonce,
const std::string& private_key, const std::string& iv,
const std::string& wrapping_key, std::string* wrapped_private_key);
bool RewrapDeviceRSAKey30(const std::string& message,
const std::string& nonce,
const std::string& private_key,
const std::string& iv,
const std::string& wrapping_key,
std::string* wrapped_private_key);
CdmResponseType SelectKey(const std::string& key_id,
CdmCipherMode cipher_mode);

34
libwvdrmengine/cdm/core/include/entitlement_key_session.h Normal file
View File

@@ -0,0 +1,34 @@
#ifndef WVCDM_CORE_ENTITLEMENT_KEY_SESSSION_H_
#define WVCDM_CORE_ENTITLEMENT_KEY_SESSSION_H_
#include "content_key_session.h"
#include "key_session.h"
namespace wvcdm {
class EntitlementKeySession : public ContentKeySession {
public:
EntitlementKeySession(CryptoSessionId oec_session_id,
metrics::CryptoMetrics* metrics);
virtual ~EntitlementKeySession() {}
KeySessionType Type() { return kEntitlement; }
// Load Keys for ContentKeySession
OEMCryptoResult LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement);
OEMCryptoResult LoadEntitledContentKeys(const std::vector<CryptoKey>& keys);
private:
std::vector<CryptoKey> keys_;
};
} // namespace wvcdm
#endif // WVCDM_CORE_ENTITLEMENT_KEY_SESSSION_H_

6
libwvdrmengine/cdm/core/include/initialization_data.h
View File

@@ -28,8 +28,10 @@ class InitializationData {
const CdmInitData& data() const { return data_; }
std::vector<uint8_t> hls_iv() const { return hls_iv_; }
CdmHlsMethod hls_method() const { return hls_method_; }
std::vector<video_widevine::SubLicense> ExtractEmbeddedKeys() const;
const std::string ExtractGroupMasterKeyId() const;
// TODO(jfore): Perhaps this should be a generic structure with the ids for
// any type of licensing?
std::vector<video_widevine::SubLicense> ExtractSublicenseKeys() const;
std::vector<video_widevine::WrappedKey> ExtractWrappedKeys() const;
private:
// Parse a blob of multiple concatenated PSSH atoms to extract the first

46
libwvdrmengine/cdm/core/include/key_session.h Normal file
View File

@@ -0,0 +1,46 @@
#ifndef WVCDM_CORE_KEY_SESSSION_H_
#define WVCDM_CORE_KEY_SESSSION_H_
#include "metrics_collections.h"
namespace wvcdm {
class CryptoKey;
class KeySession {
protected:
KeySession(metrics::CryptoMetrics* metrics) : metrics_(metrics) {}
public:
typedef enum { kDefault, kSubLicense, kEntitlement } KeySessionType;
virtual ~KeySession() {}
virtual KeySessionType Type() = 0;
virtual bool GenerateDerivedKeys(const std::string& message) = 0;
virtual bool GenerateDerivedKeys(const std::string& message,
const std::string& session_key) = 0;
virtual OEMCryptoResult LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement) = 0;
virtual OEMCryptoResult LoadEntitledContentKeys(
const std::vector<CryptoKey>& keys) = 0;
virtual OEMCryptoResult SelectKey(const std::string& key_id,
CdmCipherMode cipher_mode) = 0;
virtual OEMCryptoResult Decrypt(
const CdmDecryptionParameters& params,
OEMCrypto_DestBufferDesc& buffer_descriptor,
OEMCrypto_CENCEncryptPatternDesc& pattern_descriptor) = 0;
protected:
metrics::CryptoMetrics* metrics_;
};
typedef std::map<std::string, CryptoSessionId> SubLicenseSessionMap;
} // namespace wvcdm
#endif // WVCDM_CORE_KEY_SESSSION_H_

40
libwvdrmengine/cdm/core/include/license.h
View File

@@ -29,11 +29,11 @@ class CdmLicense {
CdmLicense(const CdmSessionId& session_id);
virtual ~CdmLicense();
virtual bool Init(
const std::string& client_token, CdmClientTokenType client_token_type,
const std::string& device_id, bool use_privacy_mode,
const std::string& signed_service_certificate, CryptoSession* session,
PolicyEngine* policy_engine);
virtual bool Init(const std::string& client_token,
CdmClientTokenType client_token_type,
const std::string& device_id, bool use_privacy_mode,
const std::string& signed_service_certificate,
CryptoSession* session, PolicyEngine* policy_engine);
virtual CdmResponseType PrepareKeyRequest(
const InitializationData& init_data, CdmLicenseType license_type,
@@ -64,16 +64,13 @@ class CdmLicense {
return provider_session_token_;
}
virtual bool is_offline() {
return is_offline_;
}
virtual bool is_offline() { return is_offline_; }
static bool ExtractProviderSessionToken(
const CdmKeyResponse& license_response,
std::string* provider_session_token);
private:
CdmResponseType HandleKeyErrorResponse(
const video_widevine::SignedMessage& signed_message);
@@ -86,9 +83,24 @@ class CdmLicense {
const std::string& request_id,
video_widevine::LicenseRequest* license_request);
CdmResponseType HandleContentKeyResponse(
const std::string& msg, const std::string& signature,
const std::string& mac_key_iv, const std::string& mac_key,
const std::vector<CryptoKey>& key_array,
const video_widevine::License& license);
// HandleEntitlementKeyResponse loads the entitlement keys in |key_array| into
// the crypto session. In addition, it also extracts content keys from
// |wrapped_keys_| and loads them for use.
CdmResponseType HandleEntitlementKeyResponse(
const std::string& msg, const std::string& signature,
const std::string& mac_key_iv, const std::string& mac_key,
const std::vector<CryptoKey>& key_array,
const video_widevine::License& license);
template <typename T>
bool SetTypeAndId(CdmLicenseType license_type,
const std::string& request_id, T* content_id);
bool SetTypeAndId(CdmLicenseType license_type, const std::string& request_id,
T* content_id);
CryptoSession* crypto_session_;
PolicyEngine* policy_engine_;
@@ -121,6 +133,12 @@ class CdmLicense {
// sub session keys we may have received in a license response. These keys
// may be used to support key rotation.
std::vector<CryptoKey> sub_session_key_array_;
// For entitlement key licensing. This holds the keys from the init_data.
// These keys are extracted from the pssh when we generate a license request.
// It is used to load content keys after we have received a license and
// entitelement keys. It is also used in updating the key status info.
std::vector<video_widevine::WrappedKey> wrapped_keys_;
#if defined(UNIT_TEST)
friend class CdmLicenseTest;
#endif

95
libwvdrmengine/cdm/core/include/sublicense_key_session.h Normal file
View File

@@ -0,0 +1,95 @@
#ifndef WVCDM_CORE_SUBLICENSE_KEY_SESSSION_H_
#define WVCDM_CORE_SUBLICENSE_KEY_SESSSION_H_
#include "crypto_key.h"
#include "key_session.h"
namespace wvcdm {
class SubLicenseKeySession : public KeySession {
typedef enum {
kInitializing,
kInitialLicenseLoaded,
kInitialLicenseFailed,
} SubLicenseState;
public:
SubLicenseKeySession(SubLicenseSessionMap& sub_license_oec_sessions,
metrics::CryptoMetrics* metrics,
const std::string& wrapped_private_device_key,
SecurityLevel requested_security_level,
const std::string& group_id);
virtual ~SubLicenseKeySession();
KeySessionType Type() { return kSubLicense; }
// This version of GenerateDerivedKeys is for devices using keyboxes. It is
// not supported using sub licenses.
bool GenerateDerivedKeys(const std::string&) { return false; }
// GenerateDerivedKeys is called for each open oemcrypto session and is only
// called once.
bool GenerateDerivedKeys(const std::string& message,
const std::string& session_key);
// Load the keys in |keys|. The initial keys are saved for key rotation.
OEMCryptoResult LoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement);
OEMCryptoResult LoadEntitledContentKeys(const std::vector<CryptoKey>& keys) {
return OEMCrypto_ERROR_INVALID_CONTEXT;
}
// Each oemcrypto session contains a single key. Find the right sub session
// and save it's id as the selected oemcrypto session.
OEMCryptoResult SelectKey(const std::string& key_id,
CdmCipherMode cipher_mode);
// Decrypt performs the decryption using the selected oemcrypto session.
// TODO(jfore): Support DecryptInChunks.
OEMCryptoResult Decrypt(const CdmDecryptionParameters& params,
OEMCrypto_DestBufferDesc& buffer_descriptor,
OEMCrypto_CENCEncryptPatternDesc& pattern_descriptor);
private:
// Destroy each open oemcrypto session and relace them with new ones.
OEMCryptoResult ResetCryptoSessions();
// DoLoadKeys loads a single key into each oemcrypto session.
OEMCryptoResult DoLoadKeys(const std::string& message,
const std::string& signature,
const std::string& mac_key_iv,
const std::string& mac_key,
const std::vector<CryptoKey>& keys,
const std::string& provider_session_token,
CdmCipherMode* cipher_mode,
const std::string& srm_requirement);
// DoLoadKeys loads a single key into each oemcrypto session.
OEMCryptoResult DoSubLicenseLoadKeys(
const std::string& message, const std::string& signature,
const std::string& mac_key_iv, const std::string& mac_key,
const CryptoKey& key, const std::string& provider_session_token,
CdmCipherMode*, const std::string& srm_requirement);
SubLicenseState state_;
std::string cached_sub_session_key_id_;
std::string wrapped_private_device_key_;
std::string message_;
std::string session_key_;
std::vector<CryptoKey> keys_;
SubLicenseSessionMap& sub_license_oec_sessions_;
SecurityLevel requested_security_level_;
KeyId group_id_;
};
} // namespace wvcdm
#endif // WVCDM_CORE_SUBLICENSE_KEY_SESSSION_H_

5
libwvdrmengine/cdm/core/include/wv_cdm_types.h
View File

@@ -345,6 +345,11 @@ enum CdmLicenseType {
kLicenseTypeSubSession
};
enum CdmLicenseKeyType {
kLicenseKeyTypeContent,
kLicenseKeyTypeEntitlement
};
enum SecurityLevel {
kLevelDefault,
kLevel3