From e70c7a116eaa1922de45b4ee0047eb0859f88b9a Mon Sep 17 00:00:00 2001 From: Alex Dale Date: Wed, 27 Jan 2021 11:37:21 -0800 Subject: [PATCH] Report OEMCrypto's ECC capabilities. [ Merge of http://go/wvgerrit/110824 ] When generating a provisioning request, the CDM includes the different certificate key types that are supported. This change will enable the reporting of ECC certificate types if OEMCrypto supports them. Test: Linux unit tests and Android integration test Bug: 140813486 Change-Id: I713ff1c469dff5c8a41461727ce63486d962575e (cherry picked from commit 547d2f8775b04984a1826438933cee713b892b4c) Merged-In: I713ff1c469dff5c8a41461727ce63486d962575e --- .../cdm/core/include/crypto_session.h | 3 + .../cdm/core/src/client_identification.cpp | 69 +++++++++---------- .../cdm/core/src/crypto_session.cpp | 12 ++-- .../cdm/core/test/license_unittest.cpp | 67 +++++++++--------- 4 files changed, 78 insertions(+), 73 deletions(-) diff --git a/libwvdrmengine/cdm/core/include/crypto_session.h b/libwvdrmengine/cdm/core/include/crypto_session.h index b9a56391..d5907dcc 100644 --- a/libwvdrmengine/cdm/core/include/crypto_session.h +++ b/libwvdrmengine/cdm/core/include/crypto_session.h @@ -54,6 +54,9 @@ class CryptoSession { bool rsa_2048_bit; bool rsa_3072_bit; bool rsa_cast; + bool ecc_secp256r1; + bool ecc_secp384r1; + bool ecc_secp521r1; }; // Creates an instance of CryptoSession with the given |crypto_metrics|. diff --git a/libwvdrmengine/cdm/core/src/client_identification.cpp b/libwvdrmengine/cdm/core/src/client_identification.cpp index a3404297..519fdf39 100644 --- a/libwvdrmengine/cdm/core/src/client_identification.cpp +++ b/libwvdrmengine/cdm/core/src/client_identification.cpp @@ -56,7 +56,9 @@ bool IsPropertyKeyReserved(const std::string& prop_name) { } // namespace // Protobuf generated classes. -using video_widevine::ClientIdentification_ClientCapabilities; +using ClientCapabilities = + video_widevine::ClientIdentification::ClientCapabilities; +using AnalogOutputCapabilities = ClientCapabilities::AnalogOutputCapabilities; using video_widevine::ClientIdentification_NameValue; using video_widevine::EncryptedClientIdentification; using video_widevine::ProvisioningOptions; @@ -187,7 +189,7 @@ CdmResponseType ClientIdentification::Prepare( client_id->set_provider_client_token(provider_client_token); } - ClientIdentification_ClientCapabilities* client_capabilities = + ClientCapabilities* client_capabilities = client_id->mutable_client_capabilities(); client_capabilities->set_client_token(true); @@ -214,38 +216,31 @@ CdmResponseType ClientIdentification::Prepare( switch (max_version) { case HDCP_NONE: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_NONE); + ClientCapabilities::HDCP_NONE); break; case HDCP_V1: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V1); + ClientCapabilities::HDCP_V1); break; case HDCP_V2: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2); + ClientCapabilities::HDCP_V2); break; case HDCP_V2_1: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2_1); + ClientCapabilities::HDCP_V2_1); break; case HDCP_V2_2: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2_2); + ClientCapabilities::HDCP_V2_2); break; case HDCP_V2_3: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2_3); + ClientCapabilities::HDCP_V2_3); break; case HDCP_NO_DIGITAL_OUTPUT: client_capabilities->set_max_hdcp_version( - video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_NO_DIGITAL_OUTPUT); + ClientCapabilities::HDCP_NO_DIGITAL_OUTPUT); break; default: LOGW("Unexpected HDCP max capability version: max_version = %d", @@ -258,13 +253,23 @@ CdmResponseType ClientIdentification::Prepare( if (crypto_session_->GetSupportedCertificateTypes(&supported_certs)) { if (supported_certs.rsa_2048_bit) { client_capabilities->add_supported_certificate_key_type( - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_2048); + ClientCapabilities::RSA_2048); } if (supported_certs.rsa_3072_bit) { client_capabilities->add_supported_certificate_key_type( - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_3072); + ClientCapabilities::RSA_3072); + } + if (supported_certs.ecc_secp256r1) { + client_capabilities->add_supported_certificate_key_type( + ClientCapabilities::ECC_SECP256R1); + } + if (supported_certs.ecc_secp384r1) { + client_capabilities->add_supported_certificate_key_type( + ClientCapabilities::ECC_SECP384R1); + } + if (supported_certs.ecc_secp521r1) { + client_capabilities->add_supported_certificate_key_type( + ClientCapabilities::ECC_SECP521R1); } } @@ -280,33 +285,27 @@ CdmResponseType ClientIdentification::Prepare( bool can_support_cgms_a; if (crypto_session_->GetAnalogOutputCapabilities( &can_support_output, &can_disable_output, &can_support_cgms_a)) { - video_widevine::ClientIdentification_ClientCapabilities_AnalogOutputCapabilities - capabilities = video_widevine:: - ClientIdentification_ClientCapabilities_AnalogOutputCapabilities_ANALOG_OUTPUT_NONE; + AnalogOutputCapabilities capabilities = + ClientCapabilities::ANALOG_OUTPUT_NONE; if (can_support_output) { if (can_support_cgms_a) { - capabilities = video_widevine:: - ClientIdentification_ClientCapabilities_AnalogOutputCapabilities_ANALOG_OUTPUT_SUPPORTS_CGMS_A; + capabilities = ClientCapabilities::ANALOG_OUTPUT_SUPPORTS_CGMS_A; } else { - capabilities = video_widevine:: - ClientIdentification_ClientCapabilities_AnalogOutputCapabilities_ANALOG_OUTPUT_SUPPORTED; + capabilities = ClientCapabilities::ANALOG_OUTPUT_SUPPORTED; } } client_capabilities->set_analog_output_capabilities(capabilities); client_capabilities->set_can_disable_analog_output(can_disable_output); } else { client_capabilities->set_analog_output_capabilities( - video_widevine:: - ClientIdentification_ClientCapabilities_AnalogOutputCapabilities_ANALOG_OUTPUT_UNKNOWN); + ClientCapabilities::ANALOG_OUTPUT_UNKNOWN); } - uint32_t version, tier; - if (crypto_session_->GetApiVersion(&version)) { - if (version >= OEM_CRYPTO_API_VERSION_SUPPORTS_RESOURCE_RATING_TIER) { - if (crypto_session_->GetResourceRatingTier(&tier)) { - client_capabilities->set_resource_rating_tier(tier); - } + if (api_version >= OEM_CRYPTO_API_VERSION_SUPPORTS_RESOURCE_RATING_TIER) { + uint32_t tier; + if (crypto_session_->GetResourceRatingTier(&tier)) { + client_capabilities->set_resource_rating_tier(tier); } } diff --git a/libwvdrmengine/cdm/core/src/crypto_session.cpp b/libwvdrmengine/cdm/core/src/crypto_session.cpp index 43509f23..97e9a144 100644 --- a/libwvdrmengine/cdm/core/src/crypto_session.cpp +++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp @@ -1888,14 +1888,16 @@ bool CryptoSession::GetSupportedCertificateTypes( LOGV("Getting supported certificate types: id = %u", oec_session_id_); RETURN_IF_UNINITIALIZED(false); RETURN_IF_NULL(support, false); - - uint32_t oec_support; - WithOecReadLock("GetSupportedCertificateTypes", [&] { - oec_support = OEMCrypto_SupportedCertificates(requested_security_level_); - }); + const uint32_t oec_support = + WithOecReadLock("GetSupportedCertificateTypes", [&] { + return OEMCrypto_SupportedCertificates(requested_security_level_); + }); support->rsa_2048_bit = oec_support & OEMCrypto_Supports_RSA_2048bit; support->rsa_3072_bit = oec_support & OEMCrypto_Supports_RSA_3072bit; support->rsa_cast = oec_support & OEMCrypto_Supports_RSA_CAST; + support->ecc_secp256r1 = oec_support & OEMCrypto_Supports_ECC_secp256r1; + support->ecc_secp384r1 = oec_support & OEMCrypto_Supports_ECC_secp384r1; + support->ecc_secp521r1 = oec_support & OEMCrypto_Supports_ECC_secp521r1; return true; } diff --git a/libwvdrmengine/cdm/core/test/license_unittest.cpp b/libwvdrmengine/cdm/core/test/license_unittest.cpp index 84e39dff..cf22f709 100644 --- a/libwvdrmengine/cdm/core/test/license_unittest.cpp +++ b/libwvdrmengine/cdm/core/test/license_unittest.cpp @@ -116,7 +116,10 @@ const std::string kLicenseRequestSignature = a2bs_hex( const std::string kFakeCoreMessage = a2bs_hex("DEADBEEF"); const CryptoSession::SupportedCertificateTypes kDefaultSupportedCertTypes = { - true, true, true}; + /* RSA 2048 */ true, /* RSA 3072 */ true, + /* RSA CAST */ false, + /* ECC 256 */ true, /* ECC 384 */ true, + /* ECC 521 */ true}; const std::string kFakeEntitlementKeyId = a2bs_hex("2a538231c616c67143032a645f9c545d"); @@ -171,6 +174,8 @@ class MockInitializationData : public InitializationData { } // namespace // Protobuf generated classes +using ClientCapabilities = + video_widevine::ClientIdentification::ClientCapabilities; using video_widevine::ClientIdentification; using video_widevine::License; using video_widevine::License_KeyContainer; @@ -304,7 +309,7 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidation) { bool usage_information_support = true; CryptoSession::HdcpCapability current_hdcp_version = HDCP_NO_DIGITAL_OUTPUT; CryptoSession::HdcpCapability max_hdcp_version = HDCP_V2_1; - uint32_t crypto_session_api_version = 9; + const uint32_t crypto_session_api_version = 16; EXPECT_CALL(*crypto_session_, IsOpen()).WillOnce(Return(true)); EXPECT_CALL(*crypto_session_, request_id()) @@ -315,10 +320,10 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidation) { EXPECT_CALL(*crypto_session_, GetHdcpCapabilities(NotNull(), NotNull())) .WillOnce(DoAll(SetArgPointee<0>(current_hdcp_version), SetArgPointee<1>(max_hdcp_version), Return(NO_ERROR))); + // Supported certificates set by SetUp(). EXPECT_CALL(*crypto_session_, GetSupportedCertificateTypes(NotNull())); EXPECT_CALL(*crypto_session_, GetApiVersion(NotNull())) - .Times(2) - .WillRepeatedly( + .WillOnce( DoAll(SetArgPointee<0>(crypto_session_api_version), Return(true))); EXPECT_CALL(*clock_, GetCurrentTime()).WillOnce(Return(kLicenseStartTime)); EXPECT_CALL(*crypto_session_, GenerateNonce(NotNull())) @@ -379,24 +384,22 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidation) { EXPECT_FALSE(client_id.has_provider_client_token()); EXPECT_FALSE(client_id.has_license_counter()); - const ::video_widevine::ClientIdentification_ClientCapabilities& - client_capabilities = client_id.client_capabilities(); + const ClientCapabilities& client_capabilities = + client_id.client_capabilities(); EXPECT_TRUE(client_capabilities.has_client_token()); EXPECT_TRUE(client_capabilities.has_session_token()); EXPECT_FALSE(client_capabilities.video_resolution_constraints()); - EXPECT_EQ(video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2_1, + EXPECT_EQ(ClientCapabilities::HDCP_V2_1, client_capabilities.max_hdcp_version()); EXPECT_EQ(crypto_session_api_version, client_capabilities.oem_crypto_api_version()); - EXPECT_THAT( - client_capabilities.supported_certificate_key_type(), - UnorderedElementsAre( - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_2048, - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_3072)); + EXPECT_THAT(client_capabilities.supported_certificate_key_type(), + UnorderedElementsAre(ClientCapabilities::RSA_2048, + ClientCapabilities::RSA_3072, + ClientCapabilities::ECC_SECP256R1, + ClientCapabilities::ECC_SECP384R1, + ClientCapabilities::ECC_SECP521R1)); EXPECT_FALSE(client_capabilities.has_resource_rating_tier()); // Verify Content Identification @@ -425,11 +428,12 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidation) { } TEST_F(CdmLicenseTest, PrepareKeyRequestValidationV15) { - bool usage_information_support = true; - CryptoSession::HdcpCapability current_hdcp_version = HDCP_NO_DIGITAL_OUTPUT; - CryptoSession::HdcpCapability max_hdcp_version = HDCP_V2_1; - uint32_t crypto_session_api_version = 15; - uint32_t resource_rating_tier = RESOURCE_RATING_TIER_LOW; + const bool usage_information_support = true; + const CryptoSession::HdcpCapability current_hdcp_version = + HDCP_NO_DIGITAL_OUTPUT; + const CryptoSession::HdcpCapability max_hdcp_version = HDCP_V2_1; + const uint32_t crypto_session_api_version = 15; + const uint32_t resource_rating_tier = RESOURCE_RATING_TIER_LOW; EXPECT_CALL(*crypto_session_, IsOpen()).WillOnce(Return(true)); EXPECT_CALL(*crypto_session_, request_id()) @@ -442,8 +446,7 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidationV15) { SetArgPointee<1>(max_hdcp_version), Return(NO_ERROR))); EXPECT_CALL(*crypto_session_, GetSupportedCertificateTypes(NotNull())); EXPECT_CALL(*crypto_session_, GetApiVersion(NotNull())) - .Times(2) - .WillRepeatedly( + .WillOnce( DoAll(SetArgPointee<0>(crypto_session_api_version), Return(true))); EXPECT_CALL(*crypto_session_, GetResourceRatingTier(NotNull())) .WillOnce(DoAll(SetArgPointee<0>(resource_rating_tier), Return(true))); @@ -506,24 +509,22 @@ TEST_F(CdmLicenseTest, PrepareKeyRequestValidationV15) { EXPECT_FALSE(client_id.has_provider_client_token()); EXPECT_FALSE(client_id.has_license_counter()); - const ::video_widevine::ClientIdentification_ClientCapabilities& - client_capabilities = client_id.client_capabilities(); + const ClientCapabilities& client_capabilities = + client_id.client_capabilities(); EXPECT_TRUE(client_capabilities.has_client_token()); EXPECT_TRUE(client_capabilities.has_session_token()); EXPECT_FALSE(client_capabilities.video_resolution_constraints()); - EXPECT_EQ(video_widevine:: - ClientIdentification_ClientCapabilities_HdcpVersion_HDCP_V2_1, + EXPECT_EQ(ClientCapabilities::HDCP_V2_1, client_capabilities.max_hdcp_version()); EXPECT_EQ(crypto_session_api_version, client_capabilities.oem_crypto_api_version()); - EXPECT_THAT( - client_capabilities.supported_certificate_key_type(), - UnorderedElementsAre( - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_2048, - video_widevine:: - ClientIdentification_ClientCapabilities_CertificateKeyType_RSA_3072)); + EXPECT_THAT(client_capabilities.supported_certificate_key_type(), + UnorderedElementsAre(ClientCapabilities::RSA_2048, + ClientCapabilities::RSA_3072, + ClientCapabilities::ECC_SECP256R1, + ClientCapabilities::ECC_SECP384R1, + ClientCapabilities::ECC_SECP521R1)); EXPECT_EQ(resource_rating_tier, client_capabilities.resource_rating_tier()); // Verify Content Identification