widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Force a reprovisioning on device renewal

Browse Source 
[ Merge of http://go/wvgerrit/169374 ]

Device renewals used to require that OEMs remove provisioning
certificates as part of the OTA update process. Instead, a change
in system ID is relied upon to indicate a change in root of trust.
If a change in System ID is detected, reprovisioning will be forced.

This is not enabled for ATSC devices or L3 devices. For the latter a
change in system ID may occurs without a change in RoT.

Bug: 258361396
Test: GtsMediaTestCases
Change-Id: I6e8b0b2149fc2ed5362a32bb6e869826f5fa8ef7
This commit is contained in:
Rahul Frias
2023-03-30 10:57:05 -07:00
parent 0ab8f029a0
commit d31a4dec56
3 changed files with 196 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
libwvdrmengine/cdm/core/test/cdm_session_unittest.cpp
View File

@@ -15,6 +15,7 @@
#include "properties.h"
#include "service_certificate.h"
#include "string_conversions.h"
#include "system_id_extractor.h"
#include "test_base.h"
#include "test_printers.h"
#include "wv_cdm_constants.h"
@@ -36,6 +37,8 @@ namespace wvcdm {
namespace {
const std::string kEmptyString;
const uint32_t kSystemId = 1234;
const uint32_t kUpdatedSystemId = 5678;
const std::string kToken = wvutil::a2bs_hex(
"0AAE02080212107E0A892DEEB021E7AF696B938BB1D5B1188B85AD9D05228E023082010A02"
@@ -121,6 +124,7 @@ class MockDeviceFiles : public DeviceFiles {
(bool, std::string*, CryptoWrappedKey*, std::string*, uint32_t*),
(override));
MOCK_METHOD(bool, HasCertificate, (bool), (override));
MOCK_METHOD(bool, RemoveCertificate, (), (override));
};
class MockCdmUsageTable : public CdmUsageTable {
@@ -159,6 +163,27 @@ class MockCryptoSession : public TestCryptoSession {
}
};
class TestCdmClientPropertySet : public CdmClientPropertySet {
public:
TestCdmClientPropertySet(bool atsc_mode) : atsc_mode_(atsc_mode) {}
~TestCdmClientPropertySet() override {}
const std::string& security_level() const override { return kEmptyString; }
bool use_privacy_mode() const override { return false; }
const std::string& service_certificate() const override {
return kEmptyString;
}
void set_service_certificate(const std::string& /* cert */) override {}
bool is_session_sharing_enabled() const override { return false; }
uint32_t session_sharing_id() const override { return 1; }
void set_session_sharing_id(uint32_t /* id */) override {}
const std::string& app_id() const override { return kEmptyString; }
bool use_atsc_mode() const override { return atsc_mode_; }
private:
bool atsc_mode_;
};
class MockPolicyEngine : public PolicyEngine {
public:
MockPolicyEngine(CryptoSession* crypto_session)
@@ -177,6 +202,14 @@ class MockCdmLicense : public CdmLicense {
MOCK_METHOD(std::string, provider_session_token, (), (override));
};
class MockSystemIdExtractor : public SystemIdExtractor {
public:
MockSystemIdExtractor(CryptoSession* crypto_session, wvutil::FileSystem* fs)
: SystemIdExtractor(kLevelDefault, crypto_session, fs) {}
MOCK_METHOD(bool, ExtractSystemId, (uint32_t*), (override));
};
} // namespace
class CdmSessionTest : public WvCdmTestBase {
@@ -194,6 +227,9 @@ class CdmSessionTest : public WvCdmTestBase {
cdm_session_->set_policy_engine(policy_engine_);
file_handle_ = new MockDeviceFiles();
cdm_session_->set_file_handle(file_handle_);
system_id_extractor_ =
new MockSystemIdExtractor(crypto_session_, &global_file_system_);
cdm_session_->set_system_id_extractor(system_id_extractor_);
}
void TearDown() override {
@@ -210,24 +246,32 @@ class CdmSessionTest : public WvCdmTestBase {
MockPolicyEngine* policy_engine_;
MockDeviceFiles* file_handle_;
MockCdmUsageTable usage_table_;
MockSystemIdExtractor* system_id_extractor_;
wvutil::FileSystem global_file_system_;
};
TEST_F(CdmSessionTest, InitWithBuiltInCertificate) {
Sequence crypto_session_seq;
CdmSecurityLevel level = kSecurityLevelL1;
EXPECT_CALL(*crypto_session_, Open(Eq(kLevelDefault)))
.InSequence(crypto_session_seq)
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.InSequence(crypto_session_seq)
.WillOnce(Return(level));
.WillRepeatedly(Return(level));
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(true), Return(true)));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RetrieveCertificate(false, NotNull(), _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(kSystemId),
Return(DeviceFiles::kCertificateValid)));
EXPECT_CALL(*file_handle_, RemoveCertificate()).Times(0);
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
EXPECT_CALL(*license_parser_, provider_session_token())
.WillRepeatedly(Return("Mock provider session token"));
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(kSystemId), Return(true)));
ASSERT_EQ(NO_ERROR, cdm_session_->Init(nullptr));
}
@@ -236,13 +280,20 @@ TEST_F(CdmSessionTest, InitWithCertificate) {
Sequence crypto_session_seq;
CdmSecurityLevel level = kSecurityLevelL1;
EXPECT_CALL(*crypto_session_, Open(Eq(kLevelDefault)))
.InSequence(crypto_session_seq)
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.InSequence(crypto_session_seq)
.WillOnce(Return(level));
.WillRepeatedly(Return(level));
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(true), Return(true)));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RetrieveCertificate(false, NotNull(), _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(kSystemId),
Return(DeviceFiles::kCertificateValid)));
EXPECT_CALL(*file_handle_, RemoveCertificate()).Times(0);
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(kSystemId), Return(true)));
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
@@ -260,14 +311,19 @@ TEST_F(CdmSessionTest, ReInitFail) {
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.InSequence(crypto_session_seq)
.WillOnce(Return(level));
.WillRepeatedly(Return(level));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RetrieveCertificate(false, NotNull(), _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(kSystemId),
Return(DeviceFiles::kCertificateValid)));
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
EXPECT_CALL(*license_parser_, provider_session_token())
.WillRepeatedly(Return("Mock provider session token"));
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(kSystemId), Return(true)));
ASSERT_EQ(NO_ERROR, cdm_session_->Init(nullptr));
ASSERT_NE(NO_ERROR, cdm_session_->Init(nullptr));
@@ -282,6 +338,77 @@ TEST_F(CdmSessionTest, InitFailCryptoError) {
ASSERT_EQ(UNKNOWN_ERROR, cdm_session_->Init(nullptr));
}
TEST_F(CdmSessionTest, Init_SystemIdChanged_NeedsProvisioning) {
Sequence crypto_session_seq;
CdmSecurityLevel level = kSecurityLevelL1;
EXPECT_CALL(*crypto_session_, Open(Eq(kLevelDefault)))
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.WillRepeatedly(Return(level));
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(true), Return(true)));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RetrieveCertificate(false, NotNull(), _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(kSystemId),
Return(DeviceFiles::kCertificateValid)));
EXPECT_CALL(*file_handle_, RemoveCertificate()).WillOnce(Return(true));
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(kUpdatedSystemId), Return(true)));
EXPECT_CALL(*license_parser_, provider_session_token())
.WillRepeatedly(Return("Mock provider session token"));
ASSERT_EQ(NEED_PROVISIONING, cdm_session_->Init(nullptr));
}
TEST_F(CdmSessionTest, Init_AtscSystemIdChanged_NoReProvisionNeeded) {
Sequence crypto_session_seq;
CdmSecurityLevel level = kSecurityLevelL3;
EXPECT_CALL(*crypto_session_, Open(Eq(kLevelDefault)))
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.WillRepeatedly(Return(level));
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(true), Return(true)));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(true)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RemoveCertificate()).Times(0);
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull())).Times(0);
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
EXPECT_CALL(*license_parser_, provider_session_token())
.WillRepeatedly(Return("Mock provider session token"));
TestCdmClientPropertySet atsc_property_set(true);
ASSERT_EQ(NO_ERROR, cdm_session_->Init(&atsc_property_set));
}
TEST_F(CdmSessionTest, Init_L3SystemIdChanged_NoReProvisionNeeded) {
Sequence crypto_session_seq;
CdmSecurityLevel level = kSecurityLevelL3;
EXPECT_CALL(*crypto_session_, Open(Eq(kLevelDefault)))
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.WillRepeatedly(Return(level));
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(true), Return(true)));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RemoveCertificate()).Times(0);
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull())).Times(0);
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
EXPECT_CALL(*license_parser_, provider_session_token())
.WillRepeatedly(Return("Mock provider session token"));
ASSERT_EQ(NO_ERROR, cdm_session_->Init(nullptr));
}
TEST_F(CdmSessionTest, UpdateUsageEntry) {
// Setup common expectations for initializing the CdmSession object.
Sequence crypto_session_seq;
@@ -291,14 +418,19 @@ TEST_F(CdmSessionTest, UpdateUsageEntry) {
.WillOnce(Return(CdmResponseType(NO_ERROR)));
EXPECT_CALL(*crypto_session_, GetSecurityLevel())
.InSequence(crypto_session_seq)
.WillOnce(Return(level));
.WillRepeatedly(Return(level));
EXPECT_CALL(*file_handle_, Init(Eq(level))).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, HasCertificate(false)).WillOnce(Return(true));
EXPECT_CALL(*file_handle_, RetrieveCertificate(false, NotNull(), _, _, _))
.WillOnce(DoAll(SetArgPointee<4>(kSystemId),
Return(DeviceFiles::kCertificateValid)));
EXPECT_CALL(*crypto_session_, GetUsageTable())
.WillOnce(Return(&usage_table_));
EXPECT_CALL(*license_parser_, Init(false, Eq(kEmptyString),
Eq(crypto_session_), Eq(policy_engine_)))
.WillOnce(Return(true));
EXPECT_CALL(*system_id_extractor_, ExtractSystemId(NotNull()))
.WillOnce(DoAll(SetArgPointee<0>(kSystemId), Return(false)));
// Set up mocks and expectations for the UpdateUsageEntryInformation call.
EXPECT_CALL(*crypto_session_, HasUsageTableSupport(_))