Detect when unable to meet policy requirements

[ Merged of http://go/wvgerrit/39766 ] The security level (software/hardware, decryption/decode) in the policy that specified how the key was to be used was not being respected for L3. Playback would either continue or a vendor specific error would be thrown. If the device cannot use the key as permitted by the policy CryptoException#ERROR_INSUFFICIENT_OUTPUT_PROTECTION will be thrown. Bug: 31913737 Bug: 31913439 Test: WV unit/integration tests Test: Playback using playmovies and netflix. Cast playback using playmovies. Change-Id: If25735ab0f789108431115623cb236687c5ef818
2018-02-05 23:26:19 -08:00
parent 91efb844a1
commit c78ce178d4
10 changed files with 167 additions and 20 deletions
--- a/libwvdrmengine/cdm/core/src/policy_engine.cpp
+++ b/libwvdrmengine/cdm/core/src/policy_engine.cpp
@@ -309,6 +309,32 @@ CdmResponseType PolicyEngine::QueryKeyAllowedUsage(
  return KEY_NOT_FOUND_1;
 }

+bool PolicyEngine::CanUseKey(
+    const KeyId& key_id,
+    CdmSecurityLevel security_level) {
+
+  if (security_level == kSecurityLevelL1) return true;
+
+  CdmKeyAllowedUsage key_usage;
+  CdmResponseType status = QueryKeyAllowedUsage(key_id, &key_usage);
+
+  if (status != NO_ERROR) return false;
+
+  // L1 has already been addressed so verify that L2/3 are allowed
+  switch (key_usage.key_security_level_) {
+    case kKeySecurityLevelUnset:
+      return true;
+    case kSoftwareSecureCrypto:
+    case kSoftwareSecureDecode:
+      return security_level == kSecurityLevelL2 ||
+          security_level == kSecurityLevelL3;
+    case kHardwareSecureCrypto:
+      return security_level == kSecurityLevelL2;
+    default:
+      return false;
+  }
+}
+
 bool PolicyEngine::GetSecondsSinceStarted(int64_t* seconds_since_started) {
  if (playback_start_time_ == 0) return false;