Merge changes from topics "presubmit-am-0d92e9728c2d40da892bd450843310cb", "presubmit-am-11f8881adcb544ca8682231293b0f1c7", "presubmit-am-30bc14671b7b4b309e57b8600f46b32b", "presubmit-am-35012549d66140dd9d446b5eedf6e274", "presubmit-am-374672395de04b7b8f697a54e16be928", "presubmit-am-48d77602d3694ced89dd6e82a89fa646", "presubmit-am-4f8d5681247e4064a298d1e5263c41be", "presubmit-am-89930436636343d5a779bc06ccc307dc", "presubmit-am-904492a27e4449e78cf21dd9f4ab8ff0", "presubmit-am-90646715a3284730bf356bb6f4634729", "presubmit-am-a1ae313a0fde4696b7fb8c4390d3a94c", "presubmit-am-ae051fae1d06485ca7f12bcf265e8328", "presubmit-am-b4e6ace5be72409aab8e328c6f2a0288", "presubmit-am-dd16b680e0454031b2213179b22df7d7", "presubmit-am-e249264532da4839841f4cab3675fa61", "presubmit-am-e3a2f43ba2f84f429536270e16d0d251", "presubmit-am-e5f2e7a319d04b89950c63471d7f2458", "presubmit-am-ea47ff378925466c8c92e2ed9b58c461", "presubmit-am-f582c497c3274c7e84606cf3da4b09df" into tm-dev

* changes:
  Change the signature format requirement of OEMCrypto_GenerateCertificateKeyPair
  Fix EnsureProvisioned for double provisioning
  Update fuzz tests to match output desriptor struct
  Use default url to inform app of prov40 stages
  Fix key_control_iv in OEMCrypto tests
  Fix jenkins/opk_optee after v17 merge
  Remove old test license holder
  Generic crypto tests: use license holder
  Reboot tests: verify offline license is valid after reboot
  Policy integration tests: use license holder
  Integration tests: add license holder
  Reboot test: Initialize fake clock
  Reboot test: save large files
  Test max number of DRM private keys
  Merge oemcrypto-v17 to master
  Update cipher mode elsewhere
  Fix 1 ClangTidyBuild finding:
  Add out of bounds testing for LoadKeys()
  Separate invalid session test for ReuseUsageEntry

libwvdrmengine/oemcrypto/include/OEMCryptoCENC.h

@@ -2116,7 +2116,7 @@ OEMCryptoResult OEMCrypto_QueryKeyControl(OEMCrypto_SESSION session,
  * 256 bits it will be used for OEMCrypto_Generic_Sign() or
  * OEMCrypto_Generic_Verify() as specified in the key control block. If the key
  * will be used for OEMCrypto_Generic_Encrypt() or OEMCrypto_Generic_Decrypt()
- * then the cipher mode will always be OEMCrypto_CipherMode_CBC. Continue to
+ * then the cipher mode will always be OEMCrypto_CipherMode_CBCS. Continue to
  * use this key for this session until OEMCrypto_SelectKey() is called again,
  * or until OEMCrypto_CloseSession() is called.
  *
@@ -2292,15 +2292,15 @@ OEMCryptoResult OEMCrypto_SelectKey(OEMCrypto_SESSION session,
  * 'cbcs'. Starting with v16, OEMCrypto only supports 'cenc' and 'cbcs'. The
  * schemes 'cens' and 'cbc1' are not supported.
  *
- * The decryption mode, either OEMCrypto_CipherMode_CTR or
- * OEMCrypto_CipherMode_CBC, was already specified in the call to
+ * The decryption mode, either OEMCrypto_CipherMode_CENC or
+ * OEMCrypto_CipherMode_CBCS, was already specified in the call to
  * OEMCrypto_SelectKey(). The encryption pattern is specified by the fields in
  * the parameter pattern. A description of partial encryption patterns for
  * 'cbcs' can be found in the ISO-CENC standard, section 10.4.
  *
  * 'cenc' SCHEME:
  *
- * The 'cenc' scheme is OEMCrypto_CipherMode_CTR without an encryption
+ * The 'cenc' scheme is OEMCrypto_CipherMode_CENC without an encryption
  * pattern. All the bytes in the encrypted portion of each subsample are
  * encrypted. In the pattern parameter, both the encrypt and skip fields will
  * be zero.
@@ -2323,7 +2323,7 @@ OEMCryptoResult OEMCrypto_SelectKey(OEMCrypto_SESSION session,
  *
  * 'cbcs' SCHEME:
  *
- * The 'cbcs' scheme is OEMCrypto_CipherMode_CBC with an encryption pattern.
+ * The 'cbcs' scheme is OEMCrypto_CipherMode_CBCS with an encryption pattern.
  * Only some of the bytes in the encrypted portion of each subsample are
  * encrypted. In the pattern parameter, the encrypt and skip fields will
  * usually be non-zero. This mode allows devices to decrypt FMP4 HLS content,
@@ -4811,9 +4811,11 @@ OEMCryptoResult OEMCrypto_GetBootCertificateChain(
  * @param[in,out] public_key_size: on input, size of the caller's public_key
  *    buffer. On output, the number of bytes written into the buffer.
  * @param[out] public_key_signature: pointer to the buffer that receives the
- *    signature of the public key. If an OEM private key is unavailable, it is
- *    signed by the device private key; otherwise is signed by the OEM private
- *    key.
+ *    signature of the public key.
+ *    If an OEM private key is unavailable: it is signed by the device private
+ *    key. The signature must be in COSE_SIGN1 format as specified in RFC 8152.
+ *    If an OEM private key is available: it is signed by the OEM private key.
+ *    The signature must be raw signature bytes.
  * @param[in,out] public_key_signature_size: on input, size of the caller's
  *    public_key_signature buffer. On output, the number of bytes written into
  *    the buffer.

libwvdrmengine/oemcrypto/include/OEMCryptoCENCCommon.h

@@ -1 +1 @@
-../odk/include/OEMCryptoCENCCommon.h
+../../oemcrypto/odk/include/OEMCryptoCENCCommon.h

libwvdrmengine/oemcrypto/odk/include/core_message_features.h

@@ -30,13 +30,13 @@ struct CoreMessageFeatures {
   uint32_t maximum_major_version = 17;
   uint32_t maximum_minor_version = 0;
 
-  bool operator==(const CoreMessageFeatures &other) const;
-  bool operator!=(const CoreMessageFeatures &other) const {
+  bool operator==(const CoreMessageFeatures& other) const;
+  bool operator!=(const CoreMessageFeatures& other) const {
     return !(*this == other);
   }
 };
 
-std::ostream &operator<<(std::ostream &os, const CoreMessageFeatures &features);
+std::ostream& operator<<(std::ostream& os, const CoreMessageFeatures& features);
 
 }  // namespace features
 }  // namespace oemcrypto_core_message

libwvdrmengine/oemcrypto/odk/include/odk_message.h

@@ -35,10 +35,10 @@ extern "C" {
  */
 
 #if defined(__GNUC__) || defined(__clang__)
-#define ALIGNED __attribute__((aligned))
+#  define ALIGNED __attribute__((aligned))
 #else
-#define ALIGNED
-#error ODK_Message must be aligned to the maximum useful alignment of the \
+#  define ALIGNED
+#  error ODK_Message must be aligned to the maximum useful alignment of the \
   machine you are compiling for. Define the ALIGNED macro accordingly.
 #endif
 

libwvdrmengine/oemcrypto/odk/include/odk_structs.h

@@ -19,7 +19,7 @@ extern "C" {
 #define ODK_MINOR_VERSION 0
 
 /* ODK Version string. Date changed automatically on each release. */
-#define ODK_RELEASE_DATE "ODK v17.0 2022-01-24"
+#define ODK_RELEASE_DATE "ODK v17.0 2022-02-15"
 
 /* The lowest version number for an ODK message. */
 #define ODK_FIRST_VERSION 16

libwvdrmengine/oemcrypto/odk/src/core_message_features.cpp

@@ -8,7 +8,7 @@ namespace oemcrypto_core_message {
 namespace features {
 const CoreMessageFeatures CoreMessageFeatures::kDefaultFeatures;
 
-bool CoreMessageFeatures::operator==(const CoreMessageFeatures &other) const {
+bool CoreMessageFeatures::operator==(const CoreMessageFeatures& other) const {
   return maximum_major_version == other.maximum_major_version &&
          maximum_minor_version == other.maximum_minor_version;
 }
@@ -31,8 +31,8 @@ CoreMessageFeatures CoreMessageFeatures::DefaultFeatures(
   return features;
 }
 
-std::ostream &operator<<(std::ostream &os,
-                         const CoreMessageFeatures &features) {
+std::ostream& operator<<(std::ostream& os,
+                         const CoreMessageFeatures& features) {
   return os << "v" << features.maximum_major_version << "."
             << features.maximum_minor_version;
 }

libwvdrmengine/oemcrypto/odk/test/fuzzing/odk_fuzz_helper.cpp

@@ -3,6 +3,8 @@
 // License Agreement.
 #include "fuzzing/odk_fuzz_helper.h"
 
+#include <string>
+
 #include "odk.h"
 
 namespace oemcrypto_core_message {

libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_copy_buffer_fuzz.cc

@@ -14,7 +14,7 @@ void FreeOutputBuffers(OEMCrypto_SESSION session_id,
                        int* secure_fd) {
   switch (output_descriptor.type) {
     case OEMCrypto_BufferType_Clear: {
-      delete[] output_descriptor.buffer.clear.address;
+      delete[] output_descriptor.buffer.clear.clear_buffer;
       break;
     }
     case OEMCrypto_BufferType_Secure: {
@@ -32,7 +32,7 @@ bool InitializeOutputBuffers(OEMCrypto_SESSION session_id,
                              int* secure_fd, size_t input_buffer_size) {
   switch (output_descriptor.type) {
     case OEMCrypto_BufferType_Clear: {
-      output_descriptor.buffer.clear.address =
+      output_descriptor.buffer.clear.clear_buffer =
           new OEMCrypto_SharedMemory[input_buffer_size];
       return true;
     }

libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc

@@ -42,7 +42,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   license_api_fuzz.LoadLicense();
   OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
                       session->license().keys[0].key_id_length,
-                      OEMCrypto_CipherMode_CTR);
+                      OEMCrypto_CipherMode_CENC);
   // Calculate signature for in buffer.
   size_t signature_length = 0;
   OEMCrypto_Generic_Sign(session->session_id(), in_buffer.data(),

libwvdrmengine/oemcrypto/test/oec_session_util.cpp

@@ -749,9 +749,15 @@ void LicenseRoundTrip::FillCoreResponseSubstrings() {
     core_response_.key_array[i].key_data =
         FindSubstring(response_data_.keys[i].key_data,
                       response_data_.keys[i].key_data_length);
-    core_response_.key_array[i].key_control_iv =
-        FindSubstring(response_data_.keys[i].control_iv,
-                      sizeof(response_data_.keys[i].control_iv));
+    if (core_request().api_major_version < kClearControlBlockAPIMajor ||
+        (core_request().api_major_version == kClearControlBlockAPIMajor &&
+         core_request().api_minor_version < kClearControlBlockAPIMinor)) {
+      core_response_.key_array[i].key_control_iv =
+          FindSubstring(response_data_.keys[i].control_iv,
+                        sizeof(response_data_.keys[i].control_iv));
+    } else {
+      core_response_.key_array[i].key_control_iv = FindSubstring(nullptr, 0);
+    }
     core_response_.key_array[i].key_control =
         FindSubstring(&response_data_.keys[i].control,
                       sizeof(response_data_.keys[i].control));

libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp

@@ -172,6 +172,7 @@ const size_t kMaxConcurrentSession[] = {  10,      20,      30,     40};
 const size_t kMaxKeysPerSession[] = {      4,      20,      20,     30};
 const size_t kMaxTotalKeys[] = {          16,      40,      80,     90};
 const size_t kLargeMessageSize[] = {   8*KiB,   8*KiB,  16*KiB, 32*KiB};
+const size_t kMaxTotalDRMPrivateKeys[] = { 2,       4,       6,      8};
 // Note: Frame rate and simultaneous playback are specified by resource rating,
 // but are tested at the system level, so there are no unit tests for frame
 // rate. Similarly, number of subsamples for AV1
@@ -265,7 +266,7 @@ TEST_F(OEMCryptoClientTest, FreeUnallocatedSecureBufferNoFailure) {
  */
 TEST_F(OEMCryptoClientTest, VersionNumber) {
   const std::string log_message =
-      "OEMCrypto unit tests for API 17.0. Tests last updated 2021-12-03";
+      "OEMCrypto unit tests for API 17.0. Tests last updated 2022-02-18";
   cout << "             " << log_message << "\n";
   cout << "             "
        << "These tests are part of Android T."
@@ -1569,59 +1570,6 @@ class OEMCryptoSessionTests : public OEMCryptoClientTest {
     license_messages.EncryptAndSignResponse();
     return license_messages.LoadResponse();
   }
-
-  void TestLoadLicenseForHugeBufferLengths(
-      const std::function<void(size_t, LicenseRoundTrip*)> f, bool check_status,
-      bool update_core_message_substring_values) {
-    auto oemcrypto_function = [&](size_t message_length) {
-      Session s;
-      LicenseRoundTrip license_messages(&s);
-      s.open();
-      InstallTestRSAKey(&s);
-      bool verify_keys_loaded = true;
-      license_messages.SignAndVerifyRequest();
-      license_messages.CreateDefaultResponse();
-      if (update_core_message_substring_values) {
-        // Make the license message big enough so that updated core message
-        // substring offset and length values from tests are still able to read
-        // data from license_message buffer rather than reading some garbage
-        // data.
-        license_messages.set_message_size(
-            sizeof(license_messages.response_data()) + message_length);
-      }
-      f(message_length, &license_messages);
-      if (update_core_message_substring_values) {
-        // We will be updating offset for these tests, which will cause verify
-        // keys to fail with an assertion. Hence skipping verification.
-        verify_keys_loaded = false;
-      }
-      license_messages.EncryptAndSignResponse();
-      OEMCryptoResult result =
-          license_messages.LoadResponse(&s, verify_keys_loaded);
-      s.close();
-      return result;
-    };
-    TestHugeLengthDoesNotCrashAPI(oemcrypto_function, check_status);
-  }
-
-  void TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
-      const std::function<void(size_t, LicenseRoundTrip*)> f) {
-    Session s;
-    LicenseRoundTrip license_messages(&s);
-    s.open();
-    InstallTestRSAKey(&s);
-    license_messages.SignAndVerifyRequest();
-    license_messages.CreateDefaultResponse();
-    size_t message_length = sizeof(license_messages.response_data());
-    f(message_length, &license_messages);
-    license_messages.EncryptAndSignResponse();
-    OEMCryptoResult result = license_messages.LoadResponse();
-    s.close();
-    // Verifying error is not due to signature failure which can be caused due
-    // to test code.
-    ASSERT_NE(OEMCrypto_ERROR_SIGNATURE_FAILURE, result);
-    ASSERT_NE(OEMCrypto_SUCCESS, result);
-  }
 };
 
 TEST_F(OEMCryptoSessionTests,
@@ -1695,6 +1643,77 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus);
 }
 
+class OEMCryptoLicenseOverflowTest : public OEMCryptoSessionTests,
+                                     public WithParamInterface<uint32_t> {
+ public:
+  OEMCryptoLicenseOverflowTest() : license_api_version_(kCurrentAPI) {}
+
+  void SetUp() override {
+    OEMCryptoSessionTests::SetUp();
+    license_api_version_ = GetParam();
+  }
+
+  void TearDown() override { OEMCryptoSessionTests::TearDown(); }
+
+  void TestLoadLicenseForHugeBufferLengths(
+      const std::function<void(size_t, LicenseRoundTrip*)> f, bool check_status,
+      bool update_core_message_substring_values) {
+    auto oemcrypto_function = [&](size_t message_length) {
+      Session s;
+      LicenseRoundTrip license_messages(&s);
+      license_messages.set_api_version(license_api_version_);
+      s.open();
+      InstallTestRSAKey(&s);
+      bool verify_keys_loaded = true;
+      license_messages.SignAndVerifyRequest();
+      license_messages.CreateDefaultResponse();
+      if (update_core_message_substring_values) {
+        // Make the license message big enough so that updated core message
+        // substring offset and length values from tests are still able to read
+        // data from license_message buffer rather than reading some garbage
+        // data.
+        license_messages.set_message_size(
+            sizeof(license_messages.response_data()) + message_length);
+      }
+      f(message_length, &license_messages);
+      if (update_core_message_substring_values) {
+        // We will be updating offset for these tests, which will cause verify
+        // keys to fail with an assertion. Hence skipping verification.
+        verify_keys_loaded = false;
+      }
+      license_messages.EncryptAndSignResponse();
+      OEMCryptoResult result =
+          license_messages.LoadResponse(&s, verify_keys_loaded);
+      s.close();
+      return result;
+    };
+    TestHugeLengthDoesNotCrashAPI(oemcrypto_function, check_status);
+  }
+
+  void TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
+      const std::function<void(size_t, LicenseRoundTrip*)> f) {
+    Session s;
+    LicenseRoundTrip license_messages(&s);
+    license_messages.set_api_version(license_api_version_);
+    s.open();
+    InstallTestRSAKey(&s);
+    license_messages.SignAndVerifyRequest();
+    license_messages.CreateDefaultResponse();
+    size_t message_length = sizeof(license_messages.response_data());
+    OEMCryptoResult result = license_messages.LoadResponse();
+    f(message_length, &license_messages);
+    license_messages.EncryptAndSignResponse();
+    s.close();
+    // Verifying error is not due to signature failure which can be caused due
+    // to test code.
+    ASSERT_NE(OEMCrypto_ERROR_SIGNATURE_FAILURE, result);
+    ASSERT_NE(OEMCrypto_SUCCESS, result);
+  }
+
+ protected:
+  uint32_t license_api_version_;
+};
+
 // This class is for testing a single license with the default API version
 // of 16. Used for buffer overflow tests.
 class OEMCryptoMemoryLicenseTest : public OEMCryptoLicenseTestAPI16 {
@@ -3424,7 +3443,7 @@ TEST_F(OEMCryptoSessionTests,
   TestHugeLengthDoesNotCrashAPI(oemcrypto_function, !kCheckStatus);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyIdLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3434,7 +3453,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyIdOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3443,7 +3462,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyIdLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3452,7 +3471,7 @@ TEST_F(OEMCryptoSessionTests,
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyIdOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3461,7 +3480,7 @@ TEST_F(OEMCryptoSessionTests,
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyDataIvLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3471,7 +3490,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyDataIvOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3481,8 +3500,8 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyDataIvLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3492,8 +3511,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyDataIvOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3503,7 +3522,7 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyDataLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3513,7 +3532,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyDataOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3522,8 +3541,8 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyDataLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3533,8 +3552,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyDataOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3544,8 +3563,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyControlIvLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3555,8 +3574,8 @@ TEST_F(
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyControlIvOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3566,8 +3585,8 @@ TEST_F(
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlIvLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3578,8 +3597,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlIvOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3590,7 +3609,7 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyControlLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3600,7 +3619,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringKeyControlOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3610,8 +3629,8 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3621,8 +3640,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringKeyControlOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3632,7 +3651,7 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringEncMacKeyIvLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3641,7 +3660,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringEncMacKeyIvOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3650,8 +3669,8 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringEncMacKeyIvLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3662,8 +3681,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringEncMacKeyIvOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3674,7 +3693,7 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringEncMacKeyLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3683,7 +3702,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringEncMacKeyOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3692,8 +3711,8 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringEncMacKeyLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3702,8 +3721,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringEncMacKeyOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3712,7 +3731,7 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringPstLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3721,7 +3740,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringPstOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3730,7 +3749,7 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringPstLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3739,7 +3758,7 @@ TEST_F(OEMCryptoSessionTests,
       });
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringPstOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3748,8 +3767,8 @@ TEST_F(OEMCryptoSessionTests,
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringSrmRestrictionDataLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t length, LicenseRoundTrip* license_messages) {
@@ -3758,8 +3777,8 @@ TEST_F(
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForHugeCoreMessageSubstringSrmRestrictionDataOffset) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t offset, LicenseRoundTrip* license_messages) {
@@ -3768,8 +3787,8 @@ TEST_F(
       !kCheckStatus, kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringSrmRestrictionDataLength) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3780,8 +3799,8 @@ TEST_F(
       });
 }
 
-TEST_F(
-    OEMCryptoSessionTests,
+TEST_P(
+    OEMCryptoLicenseOverflowTest,
     OEMCryptoMemoryLoadLicenseForOutOfRangeCoreMessageSubstringSrmRestrictionDataOffset) {
   TestLoadLicenseForOutOfRangeSubStringOffSetAndLengths(
       [](size_t response_message_length, LicenseRoundTrip* license_messages) {
@@ -3792,7 +3811,8 @@ TEST_F(
       });
 }
 
-TEST_F(OEMCryptoSessionTests, OEMCryptoMemoryLoadLicenseForHugeResponseLength) {
+TEST_P(OEMCryptoLicenseOverflowTest,
+       OEMCryptoMemoryLoadLicenseForHugeResponseLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t message_size, LicenseRoundTrip* license_messages) {
         license_messages->set_message_size(message_size);
@@ -3800,7 +3820,7 @@ TEST_F(OEMCryptoSessionTests, OEMCryptoMemoryLoadLicenseForHugeResponseLength) {
       !kCheckStatus, !kUpdateCoreMessageSubstringValues);
 }
 
-TEST_F(OEMCryptoSessionTests,
+TEST_P(OEMCryptoLicenseOverflowTest,
        OEMCryptoMemoryLoadLicenseForHugeCoreMessageLength) {
   TestLoadLicenseForHugeBufferLengths(
       [](size_t message_size, LicenseRoundTrip* license_messages) {
@@ -3809,6 +3829,9 @@ TEST_F(OEMCryptoSessionTests,
       !kCheckStatus, !kUpdateCoreMessageSubstringValues);
 }
 
+INSTANTIATE_TEST_SUITE_P(TestAll, OEMCryptoLicenseOverflowTest,
+                         Range<uint32_t>(kCurrentAPI - 1, kCurrentAPI + 1));
+
 TEST_F(OEMCryptoSessionTests, OEMCryptoMemoryLoadRenewalForHugeResponseLength) {
   auto oemcrypto_function = [&](size_t message_size) {
     Session s;
@@ -5880,6 +5903,55 @@ TEST_F(OEMCryptoLoadsCertificate, TestMultipleRSAKeys) {
   ASSERT_NO_FATAL_FAILURE(s1.TestDecryptCTR());
 }
 
+// This tests the maximum number of DRM private keys that OEMCrypto can load
+TEST_F(OEMCryptoLoadsCertificate, TestMaxDRMKeys) {
+  const size_t max_total_keys = GetResourceValue(kMaxTotalDRMPrivateKeys);
+  std::vector<std::unique_ptr<Session>> sessions;
+  std::vector<std::unique_ptr<LicenseRoundTrip>> licenses;
+
+  // It should be able to load up to kMaxTotalDRMPrivateKeys keys
+  for (size_t i = 0; i < max_total_keys; i++) {
+    sessions.push_back(std::unique_ptr<Session>(new Session()));
+    licenses.push_back(std::unique_ptr<LicenseRoundTrip>(
+        new LicenseRoundTrip(sessions[i].get())));
+    const size_t key_index = i % kTestRSAPKCS8PrivateKeys_2048.size();
+    encoded_rsa_key_.assign(kTestRSAPKCS8PrivateKeys_2048[key_index].begin(),
+                            kTestRSAPKCS8PrivateKeys_2048[key_index].end());
+    ASSERT_NO_FATAL_FAILURE(CreateWrappedRSAKey());
+    ASSERT_NO_FATAL_FAILURE(sessions[i]->open());
+    ASSERT_NO_FATAL_FAILURE(sessions[i]->PreparePublicKey(
+        encoded_rsa_key_.data(), encoded_rsa_key_.size()));
+    ASSERT_NO_FATAL_FAILURE(
+        sessions[i]->InstallRSASessionTestKey(wrapped_rsa_key_));
+  }
+
+  // Attempts to load one more key than the kMaxTotalDRMPrivateKeys
+  Session s;
+  encoded_rsa_key_.assign(kTestRSAPKCS8PrivateKeyInfo3_3072,
+                          kTestRSAPKCS8PrivateKeyInfo3_3072 +
+                              sizeof(kTestRSAPKCS8PrivateKeyInfo3_3072));
+  Session ps;
+  ProvisioningRoundTrip provisioning_messages(&ps, encoded_rsa_key_);
+  provisioning_messages.PrepareSession(keybox_);
+  ASSERT_NO_FATAL_FAILURE(provisioning_messages.SignAndVerifyRequest());
+  ASSERT_NO_FATAL_FAILURE(provisioning_messages.CreateDefaultResponse());
+  ASSERT_NO_FATAL_FAILURE(provisioning_messages.EncryptAndSignResponse());
+  OEMCryptoResult result = provisioning_messages.LoadResponse();
+  // Key loading is allowed to fail due to resource restriction
+  if (result != OEMCrypto_SUCCESS) {
+    ASSERT_TRUE(result == OEMCrypto_ERROR_INSUFFICIENT_RESOURCES ||
+                result == OEMCrypto_ERROR_TOO_MANY_KEYS);
+  }
+  // Verifies that the DRM keys which are already loaded should still function
+  for (size_t i = 0; i < licenses.size(); i++) {
+    ASSERT_NO_FATAL_FAILURE(licenses[i]->SignAndVerifyRequest());
+    ASSERT_NO_FATAL_FAILURE(licenses[i]->CreateDefaultResponse());
+    ASSERT_NO_FATAL_FAILURE(licenses[i]->EncryptAndSignResponse());
+    ASSERT_EQ(OEMCrypto_SUCCESS, licenses[i]->LoadResponse());
+    ASSERT_NO_FATAL_FAILURE(sessions[i]->TestDecryptCTR());
+  }
+}
+
 // Devices that load certificates, should at least support RSA 2048 keys.
 TEST_F(OEMCryptoLoadsCertificate, SupportsCertificatesAPI13) {
   ASSERT_NE(0u,
@@ -10030,7 +10102,7 @@ TEST_P(OEMCryptoUsageTableTest, PSTLargeBuffer) {
 }
 
 // Verify that a usage entry with an invalid session cannot be used.
-TEST_P(OEMCryptoUsageTableTest, UsageEntryWithInvalidSessionAPI17) {
+TEST_P(OEMCryptoUsageTableTest, UsageEntryWithInvalidSession) {
   std::string pst("pst");
   LicenseWithUsageEntry entry;
   entry.license_messages().set_pst(pst);
@@ -10048,6 +10120,13 @@ TEST_P(OEMCryptoUsageTableTest, UsageEntryWithInvalidSessionAPI17) {
   entry.session().close();
   ASSERT_EQ(OEMCrypto_ERROR_INVALID_SESSION,
             OEMCrypto_MoveEntry(entry.session().session_id(), 0));
+}
+
+// Verify that a usage entry with an invalid session cannot be used.
+TEST_P(OEMCryptoUsageTableTest, ReuseUsageEntryWithInvalidSessionAPI17) {
+  std::string pst("pst");
+  LicenseWithUsageEntry entry;
+  entry.license_messages().set_pst(pst);
 
   entry.session().open();
   ASSERT_NO_FATAL_FAILURE(entry.session().CreateNewUsageEntry());