Merge "Enable encryption of client ID for provisioning" into pi-dev
am: d873f40d80
Change-Id: I4f2e613570b16e97141b9e4b8843f78e6123d92c
This commit is contained in:
Rahul Frias
@@ -52,6 +52,9 @@ class CertificateProvisioning {
|
|||||||
video_widevine::SignedProvisioningMessage::ProtocolVersion
|
video_widevine::SignedProvisioningMessage::ProtocolVersion
|
||||||
GetProtocolVersion();
|
GetProtocolVersion();
|
||||||
|
|
||||||
|
bool GetProvisioningTokenType(
|
||||||
|
video_widevine::ClientIdentification::TokenType* token_type);
|
||||||
|
|
||||||
CryptoSession crypto_session_;
|
CryptoSession crypto_session_;
|
||||||
CdmCertificateType cert_type_;
|
CdmCertificateType cert_type_;
|
||||||
scoped_ptr<ServiceCertificate> service_certificate_;
|
scoped_ptr<ServiceCertificate> service_certificate_;
|
||||||
|
|||||||
@@ -192,32 +192,51 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
|
|||||||
// Prepare device provisioning request.
|
// Prepare device provisioning request.
|
||||||
ProvisioningRequest provisioning_request;
|
ProvisioningRequest provisioning_request;
|
||||||
|
|
||||||
|
video_widevine::ClientIdentification::TokenType token_type;
|
||||||
|
if (!GetProvisioningTokenType(&token_type)) {
|
||||||
|
LOGE("GetProvisioningRequest: failure getting provisioning token type");
|
||||||
|
return CLIENT_IDENTIFICATION_TOKEN_ERROR_1;
|
||||||
|
}
|
||||||
|
|
||||||
wvcdm::ClientIdentification id;
|
wvcdm::ClientIdentification id;
|
||||||
status = id.Init(&crypto_session_);
|
status = id.Init(&crypto_session_);
|
||||||
if (status != NO_ERROR) return status;
|
if (status != NO_ERROR) return status;
|
||||||
|
|
||||||
video_widevine::ClientIdentification* client_id =
|
video_widevine::ClientIdentification* client_id =
|
||||||
provisioning_request.mutable_client_id();
|
provisioning_request.mutable_client_id();
|
||||||
CdmAppParameterMap app_parameter;
|
|
||||||
status = id.Prepare(app_parameter, client_id);
|
|
||||||
if (status != NO_ERROR) return status;
|
|
||||||
|
|
||||||
if (!service_certificate_->has_certificate()) {
|
if (token_type == video_widevine::ClientIdentification::KEYBOX) {
|
||||||
LOGE("CertificateProvisioning::GetProvisioningRequest: Service Certificate "
|
CdmAppParameterMap app_parameter;
|
||||||
"not staged");
|
status = id.Prepare(app_parameter, client_id);
|
||||||
return CERT_PROVISIONING_EMPTY_SERVICE_CERTIFICATE;
|
if (status != NO_ERROR) return status;
|
||||||
|
|
||||||
|
if (!service_certificate_->has_certificate()) {
|
||||||
|
LOGE("CertificateProvisioning::GetProvisioningRequest: Service "
|
||||||
|
"Certificate not staged");
|
||||||
|
return CERT_PROVISIONING_EMPTY_SERVICE_CERTIFICATE;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt client identification
|
||||||
|
EncryptedClientIdentification* encrypted_client_id =
|
||||||
|
provisioning_request.mutable_encrypted_client_id();
|
||||||
|
status = service_certificate_->EncryptClientId(&crypto_session_, client_id,
|
||||||
|
encrypted_client_id);
|
||||||
|
provisioning_request.clear_client_id();
|
||||||
|
} else {
|
||||||
|
// TODO(rfrias,juce,b/78303730) provide encrypted client identification
|
||||||
|
// for devices whose root of trust is OEM_DEVICE_CERTIFICATES.
|
||||||
|
// Prerequisite is that apps need to transition to sending the
|
||||||
|
// provisioning request in the HTTP POST body.
|
||||||
|
client_id->set_type(token_type);
|
||||||
|
|
||||||
|
std::string token;
|
||||||
|
if (!crypto_session_.GetProvisioningToken(&token)) {
|
||||||
|
LOGE("GetProvisioningRequest: failure getting provisioning token");
|
||||||
|
return CLIENT_IDENTIFICATION_TOKEN_ERROR_2;
|
||||||
|
}
|
||||||
|
client_id->set_token(token);
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO(rfrias): Uncomment when b/69427217 is addressed
|
|
||||||
/*
|
|
||||||
EncryptedClientIdentification* encrypted_client_id =
|
|
||||||
provisioning_request->mutable_encrypted_client_id();
|
|
||||||
CdmResponseType status =
|
|
||||||
service_certificate_->EncryptClientId(&crypto_session_, client_id,
|
|
||||||
encrypted_client_id);
|
|
||||||
provisioning_request->clear_client_id();
|
|
||||||
*/
|
|
||||||
|
|
||||||
uint32_t nonce;
|
uint32_t nonce;
|
||||||
if (!crypto_session_.GenerateNonce(&nonce)) {
|
if (!crypto_session_.GenerateNonce(&nonce)) {
|
||||||
LOGE("GetProvisioningRequest: fails to generate a nonce");
|
LOGE("GetProvisioningRequest: fails to generate a nonce");
|
||||||
@@ -405,4 +424,24 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
|
|||||||
return NO_ERROR;
|
return NO_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool CertificateProvisioning::GetProvisioningTokenType(
|
||||||
|
video_widevine::ClientIdentification::TokenType* token_type) {
|
||||||
|
CdmClientTokenType token = crypto_session_.GetPreProvisionTokenType();
|
||||||
|
switch (token) {
|
||||||
|
case kClientTokenKeybox:
|
||||||
|
*token_type = video_widevine::ClientIdentification::KEYBOX;
|
||||||
|
return true;
|
||||||
|
case kClientTokenOemCert:
|
||||||
|
*token_type =
|
||||||
|
video_widevine::ClientIdentification::OEM_DEVICE_CERTIFICATE;
|
||||||
|
return true;
|
||||||
|
case kClientTokenDrmCert:
|
||||||
|
default:
|
||||||
|
// shouldn't happen
|
||||||
|
LOGE("CertificateProvisioning::GetProvisioningTokenType: unexpected "
|
||||||
|
"provisioning type: %d", token);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
} // namespace wvcdm
|
} // namespace wvcdm
|
||||||
|
|||||||
Reference in New Issue
Block a user