Support provisioning 3.0

[ Merge of http://go/wvgerrit/29004 ] Enable support for provisioning with OEM certificates as root of trust. b/62972441 Test: WV unit/intgration test, cdm_feature_test and GTSMediaTestCases Change-Id: I30576fc0bb68a873eeaaca03f6b9c89fa6a14327
2017-07-17 02:40:50 -07:00
parent a81caa5bf1
commit e61259e075
13 changed files with 506 additions and 61 deletions
--- a/libwvdrmengine/cdm/core/include/certificate_provisioning.h
+++ b/libwvdrmengine/cdm/core/include/certificate_provisioning.h
@@ -42,7 +42,7 @@ class CertificateProvisioning {
  bool GetProvisioningTokenType(
      video_widevine::ClientIdentification::TokenType* token_type);

-  bool FillStableIdField(const std::string& origin, const std::string& spoid,
+  bool SetSpoidParameter(const std::string& origin, const std::string& spoid,
                         video_widevine::ProvisioningRequest* request);

  video_widevine::SignedProvisioningMessage::ProtocolVersion
--- a/libwvdrmengine/cdm/core/include/crypto_session.h
+++ b/libwvdrmengine/cdm/core/include/crypto_session.h
@@ -83,12 +83,13 @@ class CryptoSession {
  virtual bool GenerateDerivedKeys(const std::string& message);
  virtual bool GenerateDerivedKeys(const std::string& message,
                                   const std::string& session_key);
-  virtual bool RewrapDeviceRSAKey(const std::string& message,
-                                  const std::string& signature,
-                                  const std::string& nonce,
-                                  const std::string& enc_rsa_key,
-                                  const std::string& rsa_key_iv,
-                                  std::string* wrapped_rsa_key);
+  virtual bool RewrapCertificate(const std::string& signed_message,
+                                 const std::string& signature,
+                                 const std::string& nonce,
+                                 const std::string& private_key,
+                                 const std::string& iv,
+                                 const std::string& wrapping_key,
+                                 std::string* wrapped_private_key);

  // Media data path
  virtual CdmResponseType Decrypt(const CdmDecryptionParameters& parameters);
@@ -181,6 +182,17 @@ class CryptoSession {
  bool GenerateRsaSignature(const std::string& message, std::string* signature);
  size_t GetOffset(std::string message, std::string field);
  bool SetDestinationBufferType();
+
+  bool RewrapDeviceRSAKey(
+      const std::string& message, const std::string& signature,
+      const std::string& nonce, const std::string& enc_rsa_key,
+      const std::string& rsa_key_iv, std::string* wrapped_rsa_key);
+
+  bool RewrapDeviceRSAKey30(
+      const std::string& message, const std::string& nonce,
+      const std::string& private_key, const std::string& iv,
+      const std::string& wrapping_key, std::string* wrapped_private_key);
+
  CdmResponseType SelectKey(const std::string& key_id);

  static const OEMCrypto_Algorithm kInvalidAlgorithm =
@@ -214,6 +226,7 @@ class CryptoSession {

  bool open_;
  CdmClientTokenType pre_provision_token_type_;
+  std::string oem_token_;  // Cached OEMCrypto Public Key
  bool update_usage_table_after_close_session_;
  CryptoSessionId oec_session_id_;

--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -55,7 +55,8 @@ void CertificateProvisioning::ComposeJsonRequestAsQueryString(
 */
 bool CertificateProvisioning::GetProvisioningTokenType(
    ClientIdentification::TokenType* token_type) {
-  switch (crypto_session_.GetPreProvisionTokenType()) {
+  CdmClientTokenType token = crypto_session_.GetPreProvisionTokenType();
+  switch (token) {
    case kClientTokenKeybox:
      *token_type = ClientIdentification::KEYBOX;
      return true;
@@ -65,22 +66,23 @@ bool CertificateProvisioning::GetProvisioningTokenType(
    case kClientTokenDrmCert:
    default:
      // shouldn't happen
+      LOGE("CertificateProvisioning::GetProvisioningTokenType: unexpected "
+           "provisioning type: %d", token);
      return false;
  }
 }

 /*
- * Fill in the appropriate field relating to stable IDs in the provisioning
- * request, no more than one of |stable_id|, |provider_id|, and |spoid|. It is
- * also valid (though deprecated) to fill in none of these in order to leave the
- * stable ID behavior up to the provisioning server.
+ * Fill in the appropriate SPOID (Stable Per-Origin IDentifier) option.
+ * One of spoid, provider_id or stable_id will be passed to the provisioning
+ * server for determining a unique per origin ID for the device.
+ * It is also valid (though deprecated) to leave the settings unset.
 */
-bool CertificateProvisioning::FillStableIdField(
-    const std::string& origin,
-    const std::string& spoid,
+bool CertificateProvisioning::SetSpoidParameter(
+    const std::string& origin, const std::string& spoid,
    ProvisioningRequest* request) {
  if (!request) {
-    LOGE("CertificateProvisioning::FillStableIdField : No request buffer "
+    LOGE("CertificateProvisioning::SetSpoidParameter: No request buffer "
         "passed to method.");
    return false;
  }
@@ -160,21 +162,6 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
  client_id->set_token(token);
  client_id->set_type(token_type);

-#if 0  // TODO(gmorgan) in progress - encrypt ClientIdentification.
-  if (encrypt) {
-    EncryptedClientIdentification* encrypted_client_id =
-        provisioning_request->mutable_encrypted_client_id();
-    CdmResponseType sts;
-    sts = EncryptClientId(client_id, encrypted_client_id, certificate);
-    if (NO_ERROR == sts) {
-      provisioning_request->clear_client_id();
-    } else {
-      provisioning_request->clear_encrypted_client_id();
-    }
-    return sts;
-  }
-#endif
-
  uint32_t nonce;
  if (!crypto_session_.GenerateNonce(&nonce)) {
    LOGE("GetProvisioningRequest: fails to generate a nonce");
@@ -204,7 +191,7 @@ CdmResponseType CertificateProvisioning::GetProvisioningRequest(
  cert_type_ = cert_type;
  options->set_certificate_authority(cert_authority);

-  if (!FillStableIdField(origin, spoid, &provisioning_request)) {
+  if (!SetSpoidParameter(origin, spoid, &provisioning_request)) {
    return CERT_PROVISIONING_GET_KEYBOX_ERROR_2;
  }

@@ -326,11 +313,13 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
  const std::string& enc_rsa_key = provisioning_response.device_rsa_key();
  const std::string& nonce = provisioning_response.nonce();
  const std::string& rsa_key_iv = provisioning_response.device_rsa_key_iv();
+  const std::string& wrapping_key = (provisioning_response.has_wrapping_key()) ?
+            provisioning_response.wrapping_key() : std::string();
  const std::string& signature = signed_response.signature();
  std::string wrapped_rsa_key;
-  if (!crypto_session_.RewrapDeviceRSAKey(signed_message, signature, nonce,
-                                          enc_rsa_key, rsa_key_iv,
-                                          &wrapped_rsa_key)) {
+  if (!crypto_session_.RewrapCertificate(signed_message, signature, nonce,
+                                         enc_rsa_key, rsa_key_iv, wrapping_key,
+                                         &wrapped_rsa_key)) {
    LOGE("HandleProvisioningResponse: RewrapDeviceRSAKey fails");
    return CERT_PROVISIONING_RESPONSE_ERROR_6;
  }
--- a/libwvdrmengine/cdm/core/src/crypto_session.cpp
+++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp
@@ -162,7 +162,15 @@ bool CryptoSession::GetTokenFromKeybox(std::string* token) {
 }

 bool CryptoSession::GetTokenFromOemCert(std::string* token) {
+  if (token == NULL) {
+    LOGE("CryptoSession::GetTokenFromOemCert: token not provided ");
+    return false;
+  }
  OEMCryptoResult status;
+  if (!oem_token_.empty()) {
+    token->assign(oem_token_);
+    return true;
+  }
  std::string temp_buffer(CERTIFICATE_DATA_SIZE, '\0');
  // lock is held by caller
  bool retrying = false;
@@ -171,7 +179,9 @@ bool CryptoSession::GetTokenFromOemCert(std::string* token) {
    uint8_t* buf = reinterpret_cast<uint8_t*>(&temp_buffer[0]);
    status = OEMCrypto_GetOEMPublicCertificate(oec_session_id_, buf, &buf_size);
    if (OEMCrypto_SUCCESS == status) {
-      token->swap(temp_buffer);
+      temp_buffer.resize(buf_size);
+      oem_token_.assign(temp_buffer);
+      token->assign(temp_buffer);
      return true;
    }
    if (OEMCrypto_ERROR_SHORT_BUFFER && !retrying) {
@@ -568,8 +578,8 @@ bool CryptoSession::PrepareRequest(const std::string& message,
    return false;
  }

-  // TODO(gmorgan): rework this for OEM certs.
-  if (!Properties::use_certificates_as_identification() || is_provisioning) {
+  if (!Properties::use_certificates_as_identification() ||
+      (is_provisioning && (pre_provision_token_type_ == kClientTokenKeybox))) {
    if (!GenerateDerivedKeys(message)) return false;

    if (!GenerateSignature(message, signature)) return false;
@@ -739,8 +749,15 @@ bool CryptoSession::LoadCertificatePrivateKey(std::string& wrapped_key) {
  LOGV("CryptoSession::LoadCertificatePrivateKey: Lock");
  AutoLock auto_lock(crypto_lock_);

+  // Call OEMCrypto_GetOEMPublicCertificate before OEMCrypto_LoadDeviceRSAKey
+  // so it caches the OEMCrypto Public Key and then throw away result
+  std::string temp_buffer(CERTIFICATE_DATA_SIZE, '\0');
+  size_t buf_size = temp_buffer.size();
+  uint8_t* buf = reinterpret_cast<uint8_t*>(&temp_buffer[0]);
+  OEMCryptoResult sts =
+    OEMCrypto_GetOEMPublicCertificate(oec_session_id_, buf, &buf_size);
+
  LOGV("LoadDeviceRSAKey: id=%ld", (uint32_t)oec_session_id_);
-  OEMCryptoResult sts;
  M_TIME(
      sts = OEMCrypto_LoadDeviceRSAKey(
          oec_session_id_,
@@ -1458,6 +1475,34 @@ bool CryptoSession::SetDestinationBufferType() {
  return true;
 }

+bool CryptoSession::RewrapCertificate(const std::string& signed_message,
+                                      const std::string& signature,
+                                      const std::string& nonce,
+                                      const std::string& private_key,
+                                      const std::string& iv,
+                                      const std::string& wrapping_key,
+                                      std::string* wrapped_private_key) {
+  LOGV("CryptoSession::RewrapCertificate, session id=%ld",
+       static_cast<uint32_t>(oec_session_id_));
+
+  if (pre_provision_token_type_ == kClientTokenKeybox) {
+
+    return RewrapDeviceRSAKey(signed_message, signature, nonce, private_key,
+                              iv, wrapped_private_key);
+
+  } else if (pre_provision_token_type_ == kClientTokenOemCert) {
+
+    return RewrapDeviceRSAKey30(signed_message, nonce, private_key, iv,
+                                wrapping_key, wrapped_private_key);
+
+  } else {
+    LOGE("CryptoSession::RewrapCertificate, Bad pre-provision type=%d: "
+         "session id=%ld", pre_provision_token_type_,
+         static_cast<uint32_t>(oec_session_id_));
+    return false;
+  }
+}
+
 bool CryptoSession::RewrapDeviceRSAKey(const std::string& message,
                                       const std::string& signature,
                                       const std::string& nonce,
@@ -1531,6 +1576,57 @@ bool CryptoSession::RewrapDeviceRSAKey(const std::string& message,
  return true;
 }

+bool CryptoSession::RewrapDeviceRSAKey30(const std::string& message,
+                                         const std::string& nonce,
+                                         const std::string& private_key,
+                                         const std::string& iv,
+                                         const std::string& wrapping_key,
+                                         std::string* wrapped_private_key) {
+  LOGV("CryptoSession::RewrapDeviceRSAKey30, session id=%ld",
+       static_cast<uint32_t>(oec_session_id_));
+
+  const uint8_t* signed_msg = reinterpret_cast<const uint8_t*>(message.data());
+  const uint8_t* msg_private_key = NULL;
+  const uint8_t* msg_iv = NULL;
+  const uint32_t* msg_nonce = NULL;
+  const uint8_t* msg_wrapping_key = NULL;
+  if (private_key.size() >= MAC_KEY_SIZE && iv.size() >= KEY_IV_SIZE) {
+    msg_private_key = signed_msg + GetOffset(message, private_key);
+    msg_iv = signed_msg + GetOffset(message, iv);
+    msg_nonce = reinterpret_cast<const uint32_t*>(signed_msg +
+                                                  GetOffset(message, nonce));
+    msg_wrapping_key = signed_msg + GetOffset(message, wrapping_key);
+  }
+
+  // Gets wrapped_rsa_key_length by passing NULL as uint8_t* wrapped_rsa_key
+  // and 0 as wrapped_rsa_key_length.
+  size_t wrapped_private_key_length = 0;
+  OEMCryptoResult status = OEMCrypto_RewrapDeviceRSAKey30(
+      oec_session_id_, msg_nonce, msg_wrapping_key, wrapping_key.size(),
+      msg_private_key, private_key.size(), msg_iv, NULL,
+      &wrapped_private_key_length);
+
+  if (status != OEMCrypto_ERROR_SHORT_BUFFER) {
+    LOGE("OEMCrypto_RewrapDeviceRSAKey30 failed getting wrapped key length");
+    return false;
+  }
+
+  wrapped_private_key->resize(wrapped_private_key_length);
+  status = OEMCrypto_RewrapDeviceRSAKey30(
+      oec_session_id_, msg_nonce, msg_wrapping_key, wrapping_key.size(),
+      msg_private_key, private_key.size(), msg_iv,
+      reinterpret_cast<uint8_t*>(&(*wrapped_private_key)[0]),
+      &wrapped_private_key_length);
+
+  wrapped_private_key->resize(wrapped_private_key_length);
+
+  if (OEMCrypto_SUCCESS != status) {
+    LOGE("OEMCrypto_RewrapDeviceRSAKey fails with %d", status);
+    return false;
+  }
+  return true;
+}
+
 bool CryptoSession::GetHdcpCapabilities(HdcpCapability* current,
                                        HdcpCapability* max) {
  LOGV("GetHdcpCapabilities: id=%ld", (uint32_t)oec_session_id_);
--- a/libwvdrmengine/cdm/core/test/cdm_engine_test.cpp
+++ b/libwvdrmengine/cdm/core/test/cdm_engine_test.cpp
@@ -51,7 +51,7 @@ class WvCdmEngineTest : public testing::Test {
    g_client_auth.assign(config.client_auth());
    g_key_system.assign(config.key_system());
    g_wrong_key_id.assign(config.wrong_key_id());
-    g_license_server.assign(config.license_server());
+    g_license_server.assign(config.license_server_url());
    g_key_id_pssh.assign(a2bs_hex(config.key_id()));

    // Extract the key ID from the PSSH box.
--- a/libwvdrmengine/cdm/core/test/config_test_env.cpp
+++ b/libwvdrmengine/cdm/core/test/config_test_env.cpp
@@ -11,6 +11,10 @@ const std::string kWidevineKeySystem = "com.widevine.alpha";
 // Content Protection license server (UAT) data
 const std::string kCpUatLicenseServer =
    "http://widevine-proxy.appspot.com/proxy";
+const std::string kUatProvisioningServerUrl =
+    "https://staging-www.sandbox.googleapis.com/"
+    "certificateprovisioning/v1/devicecertificates/create"
+    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
 const std::string kCpClientAuth = "";
 const std::string kCpKeyId =
    "00000042"                          // blob size
@@ -53,9 +57,46 @@ const std::string kCpUatServiceCertificate =
    "7C0011E0F5B38E4E298ED2CB301EB4564965F55C5D79757A250A4EB9C84AB3E6539F6B6FDF"
    "56899EA29914";

+const std::string kCpProductionLicenseServer =
+        "https://widevine-proxy.appspot.com/proxy";
+const std::string kProductionProvisioningServerUrl =
+    "https://www.googleapis.com/"
+    "certificateprovisioning/v1/devicecertificates/create"
+    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
+// NOTE: Provider ID = staging.google.com
+const std::string kCpProductionServiceCertificate =
+    "0ABF020803121028703454C008F63618ADE7443DB6C4C8188BE7F9900522"
+    "8E023082010A0282010100B52112B8D05D023FCC5D95E2C251C1C649B417"
+    "7CD8D2BEEF355BB06743DE661E3D2ABC3182B79946D55FDC08DFE9540781"
+    "5E9A6274B322A2C7F5E067BB5F0AC07A89D45AEA94B2516F075B66EF811D"
+    "0D26E1B9A6B894F2B9857962AA171C4F66630D3E4C602718897F5E1EF9B6"
+    "AAF5AD4DBA2A7E14176DF134A1D3185B5A218AC05A4C41F081EFFF80A3A0"
+    "40C50B09BBC740EEDCD8F14D675A91980F92CA7DDC646A06ADAD5101F74A"
+    "0E498CC01F00532BAC217850BD905E90923656B7DFEFEF42486767F33EF6"
+    "283D4F4254AB72589390BEE55808F1D668080D45D893C2BCA2F74D60A0C0"
+    "D0A0993CEF01604703334C3638139486BC9DAF24FD67A07F9AD943020301"
+    "00013A1273746167696E672E676F6F676C652E636F6D128003983E303526"
+    "75F40BA715FC249BDAE5D4AC7249A2666521E43655739529721FF880E0AA"
+    "EFC5E27BC980DAEADABF3FC386D084A02C82537848CC753FF497B011A7DA"
+    "97788A00E2AA6B84CD7D71C07A48EBF61602CCA5A3F32030A7295C30DA91"
+    "5B91DC18B9BC9593B8DE8BB50F0DEDC12938B8E9E039CDDE18FA82E81BB0"
+    "32630FE955D85A566CE154300BF6D4C1BD126966356B287D657B18CE63D0"
+    "EFD45FC5269E97EAB11CB563E55643B26FF49F109C2101AFCAF35B832F28"
+    "8F0D9D45960E259E85FB5D24DBD2CF82764C5DD9BF727EFBE9C861F86932"
+    "1F6ADE18905F4D92F9A6DA6536DB8475871D168E870BB2303CF70C6E9784"
+    "C93D2DE845AD8262BE7E0D4E2E4A0759CEF82D109D2592C72429F8C01742"
+    "BAE2B3DECADBC33C3E5F4BAF5E16ECB74EADBAFCB7C6705F7A9E3B6F3940"
+    "383F9C5116D202A20C9229EE969C2519718303B50D0130C3352E06B014D8"
+    "38540F8A0C227C0011E0F5B38E4E298ED2CB301EB4564965F55C5D79757A"
+    "250A4EB9C84AB3E6539F6B6FDF56899EA29914";
+
 // Content Protection license server (staging) data
 const std::string kCpStagingLicenseServer =
    "http://wv-staging-proxy.appspot.com/proxy";
+const std::string kStagingProvisioningServerUrl =
+    "https://staging-www.sandbox.googleapis.com/"
+    "certificateprovisioning/v1/devicecertificates/create"
+    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
 const std::string kCpStagingServiceCertificate =
    "0AC102080312101705B917CC1204868B06333A2F772A8C1882B4829205228E023082010A02"
    "8201010099ED5B3B327DAB5E24EFC3B62A95B598520AD5BCCB37503E0645B814D876B8DF40"
@@ -116,19 +157,17 @@ const std::string kWrongKeyId =
    "0901121094889920e8d6520098577df8"
    "f2dd5546";

-// URL of provisioning server (returned by GetProvisioningRequest())
-const std::string kProductionProvisioningServerUrl =
-    "https://www.googleapis.com/"
-    "certificateprovisioning/v1/devicecertificates/create"
-    "?key=AIzaSyB-5OLKTx2iU5mko18DfdwK5611JIjbUhE";
-
 const ConfigTestEnv::LicenseServerConfiguration license_servers[] = {
-    {kGooglePlayServer, kGpLicenseServer, kGpClientAuth, kGpKeyId,
-     kGpOfflineKeyId, ""},
-    {kContentProtectionUatServer, kCpUatLicenseServer, kCpClientAuth,
-     kCpKeyId, kCpOfflineKeyId, kCpUatServiceCertificate},
+    {kGooglePlayServer, kGpLicenseServer, "", kGpClientAuth, kGpKeyId,
+     kGpOfflineKeyId, kProductionProvisioningServerUrl},
+    {kContentProtectionProductionServer, kCpProductionLicenseServer,
+      kCpProductionServiceCertificate, kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
+      kProductionProvisioningServerUrl},
+    {kContentProtectionUatServer, kCpUatLicenseServer, kCpUatServiceCertificate,
+      kCpClientAuth, kCpKeyId, kCpOfflineKeyId, kUatProvisioningServerUrl},
    {kContentProtectionStagingServer, kCpStagingLicenseServer,
-     kCpClientAuth, kCpKeyId, kCpOfflineKeyId, kCpStagingServiceCertificate},
+      kCpStagingServiceCertificate, kCpClientAuth, kCpKeyId, kCpOfflineKeyId,
+      kStagingProvisioningServerUrl},
 };

 }  // namespace
@@ -162,9 +201,9 @@ void ConfigTestEnv::Init(LicenseServerId server_id) {
  client_auth_ = license_servers[server_id].client_tag;
  key_id_ = license_servers[server_id].key_id;
  key_system_ = kWidevineKeySystem;
-  license_server_ = license_servers[server_id].url;
-  provisioning_server_url_ = kProductionProvisioningServerUrl;
-  service_certificate_ = license_servers[server_id].service_certificate;
+  license_server_url_ = license_servers[server_id].license_server_url;
+  provisioning_server_url_ = license_servers[server_id].provisioning_server_url;
+  service_certificate_ = license_servers[server_id].license_service_certificate;
  wrong_key_id_ = kWrongKeyId;
 }

--- a/libwvdrmengine/cdm/core/test/config_test_env.h
+++ b/libwvdrmengine/cdm/core/test/config_test_env.h
@@ -11,6 +11,7 @@ typedef enum {
  kGooglePlayServer,
  kContentProtectionUatServer,
  kContentProtectionStagingServer,
+  kContentProtectionProductionServer,
 } LicenseServerId;

 // Configures default test environment.
@@ -18,11 +19,12 @@ class ConfigTestEnv {
 public:
  typedef struct {
    LicenseServerId id;
-    std::string url;
+    std::string license_server_url;
+    std::string license_service_certificate;
    std::string client_tag;
    std::string key_id;
    std::string offline_key_id;
-    std::string service_certificate;
+    std::string provisioning_server_url;
  } LicenseServerConfiguration;

  explicit ConfigTestEnv(LicenseServerId server_id);
@@ -34,7 +36,7 @@ class ConfigTestEnv {
  const std::string& client_auth() const { return client_auth_; }
  const KeyId& key_id() const { return key_id_; }
  const CdmKeySystem& key_system() const { return key_system_; }
-  const std::string& license_server() const { return license_server_; }
+  const std::string& license_server_url() const { return license_server_url_; }
  const std::string& provisioning_server_url() const {
    return provisioning_server_url_;
  }
@@ -48,7 +50,10 @@ class ConfigTestEnv {
    key_system_.assign(key_system);
  }
  void set_license_server(std::string& license_server) {
-    license_server_.assign(license_server);
+    license_server_url_.assign(license_server);
+  }
+  void set_provisioning_server(std::string& provisioning_server) {
+    provisioning_server_url_.assign(provisioning_server);
  }

 private:
@@ -57,7 +62,7 @@ class ConfigTestEnv {
  std::string client_auth_;
  KeyId key_id_;
  CdmKeySystem key_system_;
-  std::string license_server_;
+  std::string license_server_url_;
  std::string provisioning_server_url_;
  std::string service_certificate_;
  KeyId wrong_key_id_;