Widevine CENC drm engine update

bug: 8601053 This import syncs to the widevine git repository change commit 6a99ad1b59ad39495f62954b3065ddc22b78da49 It includes the following changes from the widevine git repository, which complete the jb-mr2 features Fix Unit Test Makefile Adds support for device certificate provisioning. Support application parameters Certificate based licensing Proto for client files Implement Property Query API Add Device Query For Unique ID Implement Generic Crypto in DrmEngine Do not validate Key IDs on clear playback Allow OEMCrypto_DecryptCTR with clear content and no key Add a case to the MediaDrm API test to repro b/8594163 Implement requiresSecureDecoderComponent Implement Eventing API Add end-to-end decryption test with vectors Refactoring of properties class Refactor OEMCrypto unittest. Fix for b/8567853: License renewal doesn't renew license. Add KEY_ERROR callback to WvContentDecryptionModule() ctor. Merged certificate_provisioning.proto and client_identification.proto to license_protocol.proto. Fix nonce check failure after a malformed key in OEC Mock. asynchronize decryption Allow querying of control information make debugging AddKey & Decrypt statuses easier Revert "Revert "Send KEY_ERROR event to app on license expiration or failure"" Revert "Send KEY_ERROR event to app on license expiration or failure" Send KEY_ERROR event to app on license expiration or failure remove extra session id copy use KeyError constants directly replace variable-length arrays with std::vector and fixed-sized array pass session ids as const references refactor key extraction and update keys on renewal Updates to enable renewals and signaling license expiration. fix error constant in OEMCrypto_DecryptCTR Change-Id: I5f7236c7bdff1d5ece6115fd2893f8a1e1e07c50
2013-04-12 14:12:16 -07:00
parent 2f980d7d7e
commit e6b1fedc4c
63 changed files with 2885 additions and 1134 deletions
--- a/libwvdrmengine/cdm/core/src/license.cpp
+++ b/libwvdrmengine/cdm/core/src/license.cpp
@@ -2,26 +2,62 @@

 #include "license.h"

+#include <vector>
+
 #include "crypto_session.h"
 #include "log.h"
 #include "policy_engine.h"
+#include "properties.h"
 #include "string_conversions.h"
 #include "wv_cdm_constants.h"

 namespace wvcdm {

 // Protobuf generated classes.
+using video_widevine_server::sdk::ClientIdentification;
+using video_widevine_server::sdk::ClientIdentification_NameValue;
 using video_widevine_server::sdk::LicenseRequest;
-using video_widevine_server::sdk::LicenseRequest_ClientIdentification;
-using video_widevine_server::sdk::LicenseRequest_ClientIdentification_NameValue;
 using video_widevine_server::sdk::LicenseRequest_ContentIdentification;
 using video_widevine_server::sdk::LicenseRequest_ContentIdentification_CENC;
 using video_widevine_server::sdk::License;
 using video_widevine_server::sdk::License_KeyContainer;
+using video_widevine_server::sdk::LicenseError;
 using video_widevine_server::sdk::SignedMessage;
 using video_widevine_server::sdk::STREAMING;
 using video_widevine_server::sdk::LicenseRequest_ContentIdentification_ExistingLicense;

+static std::vector<CryptoKey> ExtractContentKeys(const License& license) {
+  std::vector<CryptoKey> key_array;
+
+  // Extract content key(s)
+  for (int i = 0; i < license.key_size(); ++i) {
+    // TODO(kqyang): Key ID size is not fixed in spec, but conventionally we
+    // always use 16 bytes key id. We'll need to update oemcrypto to support
+    // variable size key id.
+    if (license.key(i).id().size() == KEY_ID_SIZE &&
+        license.key(i).key().size() == KEY_SIZE + KEY_PAD_SIZE &&
+        license.key(i).type() == License_KeyContainer::CONTENT) {
+
+      CryptoKey key;
+      key.set_key_id(license.key(i).id());
+      // Strip off PKCS#5 padding
+      key.set_key_data(
+          license.key(i).key().substr(0, KEY_SIZE));
+      key.set_key_data_iv(license.key(i).iv());
+      if (license.key(i).has_key_control()) {
+        key.set_key_control(
+            license.key(i).key_control().key_control_block());
+        key.set_key_control_iv(
+            license.key(i).key_control().iv());
+      }
+
+      key_array.push_back(key);
+    }
+  }
+
+  return key_array;
+}
+
 CdmLicense::CdmLicense(): session_(NULL) {}

 CdmLicense::~CdmLicense() {}
@@ -40,6 +76,8 @@ bool CdmLicense::Init(const std::string& token,
 }

 bool CdmLicense::PrepareKeyRequest(const CdmInitData& init_data,
+                                   const CdmLicenseType license_type,
+                                   CdmAppParameterMap& app_parameters,
                                   CdmKeyMessage* signed_request) {
  if (!session_ ||
      token_.empty()) {
@@ -59,12 +97,22 @@ bool CdmLicense::PrepareKeyRequest(const CdmInitData& init_data,
  session_->GenerateRequestId(request_id);

  LicenseRequest license_request;
-  LicenseRequest_ClientIdentification* client_id =
-      license_request.mutable_client_id();
+  ClientIdentification* client_id = license_request.mutable_client_id();

-  client_id->set_type(LicenseRequest_ClientIdentification::KEYBOX);
+  if (Properties::use_certificates_as_identification())
+    client_id->set_type(ClientIdentification::DEVICE_CERTIFICATE);
+  else
+    client_id->set_type(ClientIdentification::KEYBOX);
  client_id->set_token(token_);

+  ClientIdentification_NameValue client_info;
+  CdmAppParameterMap::const_iterator iter;
+  for (iter = app_parameters.begin(); iter != app_parameters.end(); iter++) {
+    ClientIdentification_NameValue* client_info = client_id->add_client_info();
+    client_info->set_name(iter->first);
+    client_info->set_value(iter->second);
+  }
+
  // Content Identification may be a cenc_id, a webm_id or a license_id
  LicenseRequest_ContentIdentification* content_id =
      license_request.mutable_content_id();
@@ -115,6 +163,9 @@ bool CdmLicense::PrepareKeyRequest(const CdmInitData& init_data,

  signed_message.SerializeToString(signed_request);

+  if (Properties::use_certificates_as_identification())
+    key_request_ = *signed_request;
+
  return true;
 }

@@ -166,25 +217,39 @@ bool CdmLicense::PrepareKeyRenewalRequest(CdmKeyMessage* signed_request) {
  return true;
 }

-bool CdmLicense::HandleKeyResponse(const CdmKeyResponse& license_response) {
+CdmResponseType CdmLicense::HandleKeyResponse(
+    const CdmKeyResponse& license_response) {
  if (!session_) {
-    return false;
+    return KEY_ERROR;
  }
  if (license_response.empty()) {
    LOGE("CdmLicense::HandleKeyResponse : Empty license response.");
-    return false;
+    return KEY_ERROR;
  }

  SignedMessage signed_response;
  if (!signed_response.ParseFromString(license_response))
-    return false;
+    return KEY_ERROR;
+
+  if (signed_response.type() == SignedMessage::ERROR) {
+    return HandleKeyErrorResponse(signed_response);
+  }

  if (!signed_response.has_signature())
-    return false;
+    return KEY_ERROR;

  License license;
  if (!license.ParseFromString(signed_response.msg()))
-    return false;
+    return KEY_ERROR;
+
+  if (Properties::use_certificates_as_identification()) {
+    if (!signed_response.has_session_key())
+      return KEY_ERROR;
+
+    if (!session_->GenerateDerivedKeys(key_request_,
+                                       signed_response.session_key()))
+      return KEY_ERROR;
+  }

  // Extract mac key
  std::string mac_key_iv;
@@ -201,98 +266,105 @@ bool CdmLicense::HandleKeyResponse(const CdmKeyResponse& license_response) {
    }

    if (mac_key_iv.size() != KEY_IV_SIZE ||
-        mac_key.size() != MAC_KEY_SIZE)
-    {
-      return false;
+        mac_key.size() != MAC_KEY_SIZE) {
+      return KEY_ERROR;
    }

    // License Id should not be empty for renewable license
-    if (!license.has_id()) return false;
+    if (!license.has_id()) return KEY_ERROR;

    license_id_.CopyFrom(license.id());
  }

-  CryptoKey* key_array = new CryptoKey[license.key_size()];
-  if (key_array == NULL) return false;
-
-  // Extract content key(s)
-  int num_keys = 0;
-  for (int i = 0; i < license.key_size(); ++i) {
-    // TODO(kqyang): Key ID size is not fixed in spec, but conventionally we
-    // always use 16 bytes key id. We'll need to update oemcrypto to support
-    // variable size key id.
-    if (license.key(i).id().size() == KEY_ID_SIZE &&
-        license.key(i).key().size() == KEY_SIZE + KEY_PAD_SIZE &&
-        license.key(i).type() == License_KeyContainer::CONTENT) {
-
-      key_array[num_keys].set_key_id(license.key(i).id());
-
-      // Strip off PKCS#5 padding
-      key_array[num_keys].set_key_data(
-          license.key(i).key().substr(0, KEY_SIZE));
-      key_array[num_keys].set_key_data_iv(license.key(i).iv());
-      if (license.key(i).has_key_control()) {
-        key_array[num_keys].set_key_control(
-            license.key(i).key_control().struct_());
-        key_array[num_keys].set_key_control_iv(
-            license.key(i).key_control().iv());
-      }
-      num_keys++;
-    }
+  std::vector<CryptoKey> key_array = ExtractContentKeys(license);
+  if (!key_array.size()) {
+    LOGE("CdmLicense::HandleKeyResponse : No content keys.");
+    return KEY_ERROR;
  }

-  if (num_keys == 0) return false;
-
  policy_engine_->SetLicense(license);

-  bool status = session_->LoadKeys(signed_response.msg(),
-                                   signed_response.signature(),
-                                   mac_key_iv,
-                                   mac_key,
-                                   num_keys,
-                                   key_array);
-  delete[] key_array;
-  return status;
+  if (session_->LoadKeys(signed_response.msg(),
+                         signed_response.signature(),
+                         mac_key_iv,
+                         mac_key,
+                         key_array.size(),
+                         &key_array[0])) {
+    return KEY_ADDED;
+  }
+  else {
+    return KEY_ERROR;
+  }
 }

-bool CdmLicense::HandleKeyRenewalResponse(
+CdmResponseType CdmLicense::HandleKeyRenewalResponse(
    const CdmKeyResponse& license_response) {
  if (!session_) {
-    return false;
+    return KEY_ERROR;
  }
  if (license_response.empty()) {
    LOGE("CdmLicense::HandleKeyRenewalResponse : Empty license response.");
-    return false;
+    return KEY_ERROR;
  }

  SignedMessage signed_response;
  if (!signed_response.ParseFromString(license_response))
-    return false;
+    return KEY_ERROR;
+
+  if (signed_response.type() == SignedMessage::ERROR) {
+    return HandleKeyErrorResponse(signed_response);
+  }

  if (!signed_response.has_signature())
-    return false;
-
-  // TODO(jfore): refresh the keys in oemcrypto
+    return KEY_ERROR;

  License license;
  if (!license.ParseFromString(signed_response.msg()))
-    return false;
+    return KEY_ERROR;

-  if (!license.has_id()) return false;
+  if (!license.has_id()) return KEY_ERROR;

  if (license.id().version() > license_id_.version()) {
-    //This is the normal case.
+    // This is the normal case.
    license_id_.CopyFrom(license.id());

    policy_engine_->UpdateLicense(license);
-  } else {
-    // This isn't supposed to happen.
-    // TODO(jfore): Handle wrap? We can miss responses and that should be
-    // considered normal until retries are exhausted.
-    // policy_.set_can_play(false);
+
+    std::vector<CryptoKey> key_array = ExtractContentKeys(license);
+
+    if (session_->RefreshKeys(signed_response.msg(),
+                              signed_response.signature(),
+                              key_array.size(),
+                              &key_array[0])) {
+      return KEY_ADDED;
+    }
+    else {
+      return KEY_ERROR;
+    }
  }

-  return true;
+  // This isn't supposed to happen.
+  // TODO(jfore): Handle wrap? We can miss responses and that should be
+  // considered normal until retries are exhausted.
+  return KEY_ERROR;
+}
+
+CdmResponseType CdmLicense::HandleKeyErrorResponse(
+    const SignedMessage& signed_message) {
+
+  LicenseError license_error;
+  if (!license_error.ParseFromString(signed_message.msg()))
+    return KEY_ERROR;
+
+  switch (license_error.error_code()) {
+    case LicenseError::INVALID_CREDENTIALS:
+      return NEED_PROVISIONING;
+    case LicenseError::REVOKED_CREDENTIALS:
+      return DEVICE_REVOKED;
+    case LicenseError::SERVICE_UNAVAILABLE:
+    default:
+      return KEY_ERROR;
+  }
 }

 }  // namespace wvcdm