Widevine CENC drm engine update

bug: 8601053

This import syncs to the widevine git repository change
commit 6a99ad1b59ad39495f62954b3065ddc22b78da49

It includes the following changes from the widevine git
repository, which complete the jb-mr2 features

    Fix Unit Test Makefile
    Adds support for device certificate provisioning.
    Support application parameters
    Certificate based licensing
    Proto for client files
    Implement Property Query API
    Add Device Query For Unique ID
    Implement Generic Crypto in DrmEngine
    Do not validate Key IDs on clear playback
    Allow OEMCrypto_DecryptCTR with clear content and no key
    Add a case to the MediaDrm API test to repro b/8594163
    Implement requiresSecureDecoderComponent
    Implement Eventing API
    Add end-to-end decryption test with vectors
    Refactoring of properties class
    Refactor OEMCrypto unittest.
    Fix for b/8567853: License renewal doesn't renew license.
    Add KEY_ERROR callback to WvContentDecryptionModule() ctor.
    Merged certificate_provisioning.proto and
      client_identification.proto to license_protocol.proto.
    Fix nonce check failure after a malformed key in OEC Mock.
    asynchronize decryption
    Allow querying of control information
    make debugging AddKey & Decrypt statuses easier
    Revert "Revert "Send KEY_ERROR event to app on license
      expiration or failure""
    Revert "Send KEY_ERROR event to app on license expiration
      or failure"
    Send KEY_ERROR event to app on license expiration or failure
    remove extra session id copy
    use KeyError constants directly
    replace variable-length arrays with std::vector and fixed-sized array
    pass session ids as const references
    refactor key extraction and update keys on renewal
    Updates to enable renewals and signaling license expiration.
    fix error constant in OEMCrypto_DecryptCTR

Change-Id: I5f7236c7bdff1d5ece6115fd2893f8a1e1e07c50

libwvdrmengine/cdm/core/src/cdm_engine.cpp

@@ -7,7 +7,10 @@
 #include "buffer_reader.h"
 #include "cdm_session.h"
 #include "crypto_engine.h"
+#include "license_protocol.pb.h"
 #include "log.h"
+#include "properties.h"
+#include "string_conversions.h"
 #include "wv_cdm_constants.h"
 #include "wv_cdm_event_listener.h"
 
@@ -17,7 +20,17 @@
 
 namespace wvcdm {
 
-typedef std::map<CdmSessionId,CdmSession*>::iterator CdmSessionIter;
+// Protobuf generated classes.
+using video_widevine_server::sdk::ClientIdentification;
+using video_widevine_server::sdk::ProvisioningRequest;
+using video_widevine_server::sdk::ProvisioningResponse;
+using video_widevine_server::sdk::SignedProvisioningMessage;
+
+typedef std::map<CdmSessionId,CdmSession*>::const_iterator CdmSessionIter;
+
+CdmEngine::CdmEngine() {
+  Properties::Init();
+}
 
 CdmEngine::~CdmEngine() {
   CancelSessions();
@@ -57,10 +70,11 @@ CdmResponseType CdmEngine::OpenSession(
 
   CdmSessionId new_session_id = new_session->session_id();
 
-  if (!new_session->Init()) {
+  CdmResponseType sts = new_session->Init();
+  if (sts != NO_ERROR) {
     LOGE("CdmEngine::OpenSession: bad session init");
     delete(new_session);
-    return UNKNOWN_ERROR;
+    return sts;
   }
 
   sessions_[new_session_id] = new_session;
@@ -68,7 +82,7 @@ CdmResponseType CdmEngine::OpenSession(
   return NO_ERROR;
 }
 
-CdmResponseType CdmEngine::CloseSession(CdmSessionId& session_id) {
+CdmResponseType CdmEngine::CloseSession(const CdmSessionId& session_id) {
   LOGI("CdmEngine::CloseSession");
 
   CdmSessionIter iter = sessions_.find(session_id);
@@ -123,6 +137,8 @@ CdmResponseType CdmEngine::GenerateKeyRequest(
 
   // TODO(edwinwong, rfrias): need to pass in license type and app parameters
   CdmResponseType sts = iter->second->GenerateKeyRequest(extracted_pssh,
+                                                         license_type,
+                                                         app_parameters,
                                                          key_request);
 
   if (KEY_MESSAGE != sts) {
@@ -168,7 +184,7 @@ CdmResponseType CdmEngine::AddKey(
   if (KEY_ADDED != sts) {
     LOGE("CdmEngine::AddKey: keys not added, result = %d", (int)sts);
   }
-
+  EnablePolicyTimer();
   return sts;
 }
 
@@ -195,7 +211,7 @@ CdmResponseType CdmEngine::CancelKeyRequest(
   }
 
   // TODO(edwinwong, rfrias): unload keys here
-
+  DisablePolicyTimer();
   return NO_ERROR;
 }
 
@@ -299,6 +315,8 @@ CdmResponseType CdmEngine::QueryStatus(CdmQueryMap* key_info) {
       return KEY_ERROR;
   }
 
+  (*key_info)[QUERY_KEY_DEVICE_ID] = crypto_engine->GetDeviceUniqueId();
+
   return NO_ERROR;
 }
 
@@ -314,16 +332,313 @@ CdmResponseType CdmEngine::QueryKeyStatus(
   return iter->second->QueryKeyStatus(key_info);
 }
 
+CdmResponseType CdmEngine::QueryKeyControlInfo(
+    const CdmSessionId& session_id,
+    CdmQueryMap* key_info) {
+  LOGI("CdmEngine::QueryKeyControlInfo");
+  CdmSessionIter iter = sessions_.find(session_id);
+  if (iter == sessions_.end()) {
+    LOGE("CdmEngine::QueryKeyControlInfo: session_id not found = %s", session_id.c_str());
+    return KEY_ERROR;
+  }
+  return iter->second->QueryKeyControlInfo(key_info);
+}
+
+void CdmEngine::CleanupProvisioingSessions(
+    CdmSession* cdm_session,
+    CryptoEngine* crypto_engine,
+    const CdmSessionId& cdm_session_id) {
+  if (NULL == cdm_session) return;
+
+  cdm_session->DestroySession();
+  if (crypto_engine) crypto_engine->DestroySession(cdm_session_id);
+  delete cdm_session;
+}
+
+/*
+ * This function converts message and signature into base64 format.
+ * It then wraps it in JSON format expected by the Apiary frontend.
+ * Apiary requires the base64 encoding to replace '+' with minus '-',
+ * and '/' with underscore '_'; opposite to stubby's.
+ *
+ * Returns the JSON formated string in *request.
+ * The JSON formated request takes the following format:
+ * {
+ *   'signedRequest': {
+ *     'message': 'base64 encoded message',
+ *     'signature': 'base64 encoded signature'
+ *   }
+ * }
+ */
+void CdmEngine::ComposeJsonRequest(
+    const std::string& message,
+    const std::string& signature,
+    CdmProvisioningRequest* request) {
+
+  // performs base64 encoding for message
+  std::vector<uint8_t> message_vector(message.begin(), message.end());
+  std::string message_b64 = Base64SafeEncode(message_vector);
+  LOGD("b64 serialized req:\r\n%s", message_b64.data());
+
+  // performs base64 encoding for signature
+  std::vector<uint8_t> signature_vector(signature.begin(), signature.end());
+  std::string signature_b64 = Base64SafeEncode(signature_vector);
+  LOGD("b64 signature:\r\n%s", signature_b64.data());
+
+  // TODO(edwinwong): write a function to escape JSON output
+  request->assign("{'signedRequest':{'message':'");
+  request->append(message_b64);
+  request->append("','signature':'");
+  request->append(signature_b64);
+  request->append("'}}");
+  LOGD("json str:\r\n%s", request->c_str());
+
+}
+
+/*
+ * Composes a device provisioning request and output the request in JSON format
+ * in *request. It also returns the default url for the provisioning server
+ * in *default_url.
+ *
+ * Returns NO_ERROR for success and UNKNOWN_ERROR if fails.
+ */
 CdmResponseType CdmEngine::GetProvisioningRequest(
     CdmProvisioningRequest* request,
     std::string* default_url) {
-  // TODO(edwinwong, rfrias): add implementation
+  if (!request || !default_url) {
+    LOGE("CdmEngine::GetProvisioningRequest: invalid input parameters");
+    return UNKNOWN_ERROR;
+  }
+
+  //
+  //---------------------------------------------------------------------------
+  // This function can be called before a cdm session is created.
+  // First creates a cdm session, then creates a crypto session.
+  //
+  CdmSession* cdm_session = new CdmSession();
+  if (!cdm_session) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to create a cdm session");
+    return UNKNOWN_ERROR;
+  }
+
+  if (cdm_session->session_id().empty()) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to generate session ID");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  CryptoEngine* crypto_engine = CryptoEngine::GetInstance();
+  if (!crypto_engine) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to create a crypto engine");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  CdmSessionId cdm_session_id = cdm_session->session_id();
+  CryptoSession* crypto_session = crypto_engine->CreateSession(cdm_session_id);
+  if (!crypto_session) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to create a crypto session");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  //
+  //---------------------------------------------------------------------------
+  // Prepares device provisioning request.
+  //
+  ProvisioningRequest provisioning_request;
+  ClientIdentification* client_id = provisioning_request.mutable_client_id();
+  client_id->set_type(ClientIdentification::KEYBOX);
+  std::string token;
+  if (!crypto_engine->GetToken(&token)) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to get token");
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+  client_id->set_token(token);
+
+  uint32_t nonce;
+  if (!crypto_session->GenerateNonce(&nonce)) {
+    LOGE("CdmEngine::GetProvisioningRequest: fails to generate a nonce");
+    crypto_engine->DestroySession(cdm_session_id);
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+  provisioning_request.set_nonce(UintToString(nonce));
+
+  // Serializes the provisioning request.
+  std::string serialized_request;
+  provisioning_request.SerializeToString(&serialized_request);
+
+  // Derives signing and encryption keys and constructs signature.
+  std::string request_signature;
+  if (!crypto_session->PrepareRequest(serialized_request, &request_signature)) {
+    request->clear();
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+
+  if (request_signature.empty()) {
+    request->clear();
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+
+  // converts request into JSON string
+  ComposeJsonRequest(serialized_request, request_signature, request);
+
+  // TODO(edwinwong): returns default provisioning server url
+  default_url->clear();
+
+  //
+  //---------------------------------------------------------------------------
+  // Closes the cdm session.
+  //
+  CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
   return NO_ERROR;
 }
 
+/*
+ * Parses the input json_str and locates substring using start_substr and
+ * end_stubstr. The found base64 substring is then decoded and returns
+ * in *result.
+ *
+ * Returns true for success and false if fails.
+ */
+bool CdmEngine::ParseJsonResponse(
+    const CdmProvisioningResponse& json_str,
+    const std::string& start_substr,
+    const std::string& end_substr,
+    std::string* result) {
+  std::string b64_string;
+  size_t start = json_str.find(start_substr);
+  if (start == json_str.npos) {
+    LOGE("ParseJsonResponse: cannot find start substring");
+    return false;
+  } else {
+    size_t end = json_str.find(end_substr, start + start_substr.length());
+    if (end == json_str.npos) {
+      LOGE("ParseJsonResponse cannot locate end substring");
+      return false;
+    }
+
+    size_t b64_string_size = end - start - start_substr.length();
+    b64_string.assign(json_str, start + start_substr.length(), b64_string_size);
+
+    // Due to the size of the message, debug string cannot dump out the
+    // entire string. Dump the beginning and end to verify instead.
+    LOGD("size=%u, b64_string start=%s, end=%s", b64_string.length(),
+         b64_string.substr(0, 16).c_str(),
+         b64_string.substr(b64_string_size - 16).c_str());
+  }
+
+  // Decodes base64 substring and returns it in *result
+  std::vector<uint8_t> result_vector = Base64SafeDecode(b64_string);
+  result->assign(result_vector.begin(), result_vector.end());
+
+  return true;
+}
+
+/*
+ * The response message consists of a device certificate and the device RSA key.
+ * The device RSA key is stored in the T.E.E. The device certificate is stored
+ * in the device.
+ *
+ * Returns NO_ERROR for success and UNKNOWN_ERROR if fails.
+ */
 CdmResponseType CdmEngine::HandleProvisioningResponse(
     CdmProvisioningResponse& response) {
-  // TODO(edwinwong, rfrias): add implementation
+  if (response.empty()) {
+    LOGE("CdmEngine::HandleProvisioningResponse: Empty provisioning response.");
+    return UNKNOWN_ERROR;
+  }
+
+  //---------------------------------------------------------------------------
+  // Extracts response from JSON string, decodes base64 signed message
+  const std::string kMessageStart = "\"message\": \"";
+  const std::string kMessageEnd = "\",";
+  std::string signed_message;
+  if (!ParseJsonResponse(response, kMessageStart, kMessageEnd, &signed_message)) {
+    LOGE("Fails to extract signed message from JSON response");
+    return UNKNOWN_ERROR;
+  }
+
+  // Extracts signature from JSON string, decodes base64 signature
+  const std::string kSignatureStart = "\"signature\": \"";
+  const std::string kSignatureEnd = "\"";
+  std::string signature;
+  if (!ParseJsonResponse(response, kSignatureStart, kSignatureEnd, &signature)) {
+    LOGE("Fails to extract signature from JSON response");
+    return UNKNOWN_ERROR;
+  }
+
+  //
+  //---------------------------------------------------------------------------
+  // First creates a cdm session, then creates a crypto session.
+  //
+  CdmSession* cdm_session = new CdmSession();
+  if (!cdm_session) {
+    LOGE("CdmEngine::HandleProvisioningResponse: fails to create a cdm session");
+    return UNKNOWN_ERROR;
+  }
+
+  if (cdm_session->session_id().empty()) {
+    LOGE("CdmEngine::HandleProvisioningResponse: fails to generate session ID");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  CryptoEngine* crypto_engine = CryptoEngine::GetInstance();
+  if (!crypto_engine) {
+    LOGE("CdmEngine::HandleProvisioningResponse: fails to create a crypto engine");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  CdmSessionId cdm_session_id = cdm_session->session_id();
+  CryptoSession* crypto_session = crypto_engine->CreateSession(cdm_session_id);
+  if (!crypto_session) {
+    LOGE("CdmEngine::HandleProvisioningResponse: fails to create a crypto session");
+    delete cdm_session;
+    return UNKNOWN_ERROR;
+  }
+
+  //---------------------------------------------------------------------------
+  // Authenticates provisioning response using D1s (server key derived from
+  // the provisioing request's input). Validate provisioning response and
+  // stores private device RSA key and certificate.
+  ProvisioningResponse provisioning_response;
+  if (!provisioning_response.ParseFromString(signed_message)) {
+    LOGE("CdmEngine::HandleProvisioningResponse: fails to parse signed message");
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+  const std::string& enc_rsa_key = provisioning_response.device_rsa_key();
+  const std::string& enc_rsa_key_iv = provisioning_response.device_rsa_key_iv();
+  uint32_t nonce = strtoul(provisioning_response.nonce().data(), NULL, 10);
+  std::vector<uint8_t> wrapped_rsa_key;
+  size_t wrapped_rsa_key_length = 0;
+  if (!crypto_session->RewrapDeviceRSAKey(response,
+                                     &nonce,
+                                     reinterpret_cast<const uint8_t*>(enc_rsa_key.data()),
+                                     enc_rsa_key.length(),
+                                     reinterpret_cast<const uint8_t*>(enc_rsa_key_iv.data()),
+                                     &wrapped_rsa_key[0],
+                                     &wrapped_rsa_key_length)) {
+    LOGE("CdmEngine::HandleProvisioningResponse: RewrapDeviceRSAKey fails");
+    CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+    return UNKNOWN_ERROR;
+  }
+
+  // TODO(edwinwong): stores private device RSA key and cert
+  const std::string&  device_certificate = provisioning_response.device_certificate();
+
+  //
+  //---------------------------------------------------------------------------
+  // Closes the cdm session.
+  //
+  CleanupProvisioingSessions(cdm_session, crypto_engine, cdm_session_id);
+
   return NO_ERROR;
 }
 
@@ -371,7 +686,7 @@ bool CdmEngine::IsKeyValid(const KeyId& key_id) {
 }
 
 bool CdmEngine::AttachEventListener(
-    CdmSessionId& session_id,
+    const CdmSessionId& session_id,
     WvCdmEventListener* listener) {
 
   CdmSessionIter iter = sessions_.find(session_id);
@@ -383,7 +698,7 @@ bool CdmEngine::AttachEventListener(
 }
 
 bool CdmEngine::DetachEventListener(
-    CdmSessionId& session_id,
+    const CdmSessionId& session_id,
     WvCdmEventListener* listener) {
 
   CdmSessionIter iter = sessions_.find(session_id);