[ Merge of https://go/wvgerrit/16940 ]
An alternate scenario to renewing keys is to load the same keys in
a separate session and make use of them by using the session sharing
feature.
Session sharing involves iterating through a map of sessions and
returning the first session that contains the Key ID. In certain cases
(license about to expire) we might prefer an alternate session
be chosen.
Licenses may expire in two ways. Policy engine, driven by a 1 second
timer may detect expiry and send an asynchronous event. OEMCrypto may
also detect expiry based on information in the key control block
and return an error during decryption. It is possible that these
may differ by upto a second. This can lead to issues where decryption
fails but EVENT_KEY_EXPIRED is not generated till later.
It is possible to address this by using information from both timers
to notify the app about expiry. To implement this correctly will
add complexity and require synchronization between threads. To avoid
this an alternate solution is, if session sharing is used, to pick
the session that has a license with the longest remaining validity.
b/27041140
Change-Id: I398cc4c10ee3a2f192d4a0befe7c8a469dd5bf86
[ Merge of http://go/wvgerrit/16625 and http://go/wvgerrit/16633 ]
Reduce the number of parameters needed by GenerateKeyRequest.
Combining all output values into a single struct.
BUG: 26162546
Change-Id: Ibeb3f4df4a8e877511f8ab2e6c543001a921f285
This is a merge of squashed CLs.
* Cdm Session and Engine interface clean up
[ Merge of http://go/wvgerrit/16387 ]
Key Set Ids have been removed from the CdmSession interface
(GenerateKeyRequest, Addkey) as they can be queried by an accessor.
The CdmEngine interface now allows one to specify or retrieve a session ID,
since both were not being used in a single call. Key set IDs are no longer
returned though GenerateKeyRequest as they was not being used.
* Generate key set ID when session is initialized
[ Merge of http://go/wvgerrit/16370 ]
Key set IDs are currently generated at different times in the
CdmSession lifecycle. Android generates key set IDs when the license
is received, while the CE CDM generates (or overrides them)
when the session is constructed.
The key set IDs are now generated when the session is initialized.
Key set generation cannot occur earlier as it has a dependency on
security level and in turn on crypto session initialization which
occurs when the session is initialized.
Depenencies on Session ID has caused other activities, construction of
PolicyEngine, CdmLicense, setting property CDM client sets to be
deferred from CdmSession constructor to Init().
Android will still retrieve the key set IDs after the offline license is
processed. For streaming requests, the key set will be
unreserved and discarded when the session is terminated.
Change-Id: Ib802d1c043742d62efa9a2c901fcd113e836c33d
[ Merge of http://go/wvgerrit/16241 and http://go/wvgerrit/16364 ]
This will allow a usage session to be loaded later by key set ID.
This is needed for EME-style secure stop in the new CE CDM API.
b/25816911
Change-Id: I916340047492fbc0556d0e90bd2eac0f3eafe597
(This is a merge of http://go/wvgerrit/16162)
Usage tables on L3 devices are stored under IDM*. They will be removed
upon factory reset. However, we need to call OEMCrypto_DeleteUsageTable
for L1 devices because the usage tables are stored in secure storage.
bug: 25597957
Change-Id: I8533dfac60fad6ce7ddfd026a283633d6875dcf3
[ Merge of http://go/wvgerrit/15780 ]
Android mediaDrm allows callers to serially query status information through a
property API. CDM however retrieves all status information in a map and
filters out all but the relevent one. This leads to delays in Netflix app
startup. Rewriting the CDM interface to return only the queried value.
b/24181894
Change-Id: Ie9ed6288524e3a7e03b83aa55ef3531dd52a0dfb
* Extend CdmLicense's stored_init_data_
[ Merge of http://go/wvgerrit/14661 ]
CdmLicense will store init data when a server cert must be
provisioned. After provisioning, the original init data can be used
to generate the originally-intended license request.
To do this before, the caller had to call CdmSession's
GenerateKeyRequest with an empty InitializationData object. However,
the init data's type still had to be set, as did the license type.
This CL allows the caller to use a truly empty InitializationData
without a type. To permit this, CdmLicense now stores a full
InitializationData object, rather than just a copy of it's data field.
With this CL, the caller also avoid storing the original license type.
To accomplish this, CdmSession uses the already-set is_offline_ and
is_release_ flags from the original call to reconstruct the intended
license type. The caller uses the new type kLicenseTypeDeferred.
To facilitate storing whole InitializationData objects, they are now
copyable.
This ultimately simplifies server cert code for the new CE CDM.
* Store service certs in Properties
[ Merge of http://go/wvgerrit/14664 ]
This allows CE devices to mimic the Chrome CDM's behavior of sharing
server certs between sessions.
This also affects Android behavior. Previously, provisioned service
certificates were per-session, while explicitly-set service certs
were per-DRM-plugin. Now, both are per-DRM-plugin.
A DRM plugin is associated with a mediaDrm object. Content
providers will still be able to retrieve and use different
certificates. The change here requires an app, that wishes to use
different provisioned service certificates will have to use
multiple mediaDrm objects. This is an unlikely scenario.
Change-Id: If2586932784ed046ecab72b5720ff30547e84b97
* Add CE test for incomplete remove()
[ Merge of http://go/wvgerrit/14658 ]
This depends on I064c053dd986a432865163aed5c9c3493f14340b to get
PolicyEngine to implement the EME semantics expressed in this test.
This also excludes another error code from causing an error log in
CdmEngine::AddKey, because this is actually an expected, handled
error in the CE CDM and it causes some confusing noise during testing
and development.
* Drop CdmEngine test main
[ Merge of http://go/wvgerrit/14693 ]
The command-line arguments are no longer in use anywhere, and
dropping the CdmEngine test's main allows me to add those tests to
the CE test suite.
* Add PolicyEngine::SetLicenseForRelease()
[ Merge of http://go/wvgerrit/14651 ]
In order to implement the EME-specified behaviors for load() &
remove(), some small changes are required in PolicyEngine.
According to EME, you should be able to remove() an active session.
This means that releasing a persistent session is not a separate load
operation. EME also states that the keys should be expired when this
is done.
Remove() is implemented using GenerateKeyRequest(type=release). This
leads to CdmLicense::RestoreLicenseForRelease, which in turn calls
PolicyEngine::SetLicense. When removing an active session, the policy
engine will have keys already loaded. The old behavior would cause
these keys to be reloaded. We need them to be expired, instead.
Once a remove() has been started, the keys should never be loadable
again. If a release confirmation is not received by the CDM, the
session should still be loadable. EME states that once a session has
had remove() called, then is loaded again later, there should be no
keys. Not that they should be expired, but not present. The old
behavior would cause these keys to be reloaded as usable.
This new method allows EME remove() and load() behaviors to be
faithfully implemented in the CE CDM. When removing an active
session, the old keys become expired. When removing a partially-
removed, newly-loaded session, no keys will be loaded at all.
This change does not affect any existing tests in core/.
New tests have been added in PolicyEngineTest to cover the behavior
of the new method.
Change-Id: Idd61487c277c9eadb4a044cb2a563e151442a548
* Reject session clobbering.
[ Merge of http://go/wvgerrit/14634 ]
This fixes a bug in I17de92b3e682c9c731f755e69466bdae7f560393 in which
sessions can be clobbered by a forced session ID. This bug manifested
in subtle test failures which involved repeatedly creating sessions.
This was traced to OEMCrypto not being terminated, then upward to a
leaked CryptoSession and CdmSession, and then finally to clobbered
session IDs.
To avoid the bug in future, first, reject duplicate session IDs.
Second, change the OpenSession API to make forced IDs explicit.
* Fix unit test namespaces.
[ Merge of http://go/wvgerrit/14622 ]
This fixes some odd errors that occur when linking multiple test
suites into one executable. When two object files both contain
a definition of wvcdm::MockCryptoSession, for example, one will win
silently and cause the other's tests to misbehave and/or crash.
The solution is to put all mocks into an anonymous namespace, since
each wvcdm::(anonymous)::MockCryptoSession is separate.
In order to avoid lots of repetitions of wvcdm:: in the anonymous
namespaces, all anonymous namespaces in unit tests now live inside
or the wvcdm namespace. This has been done even for tests which
are not currently using mocks.
* Move timer and timer_unittest to Android.
[ Merge of http://go/wvgerrit/14619 ]
These are not used anywhere else.
Change-Id: I234f31e9b5c79061205728783596ebaff65e0aff
* Make CdmProvisioningResponse const.
[ Merge of http://go/wvgerrit/14618 ]
The lack of const on this reference seems to be a mistake, since the
responses is never modified. This also allows the new CE CDM to pass
responses directly through from the caller.
* Let Properties determine DeviceFiles level support
[ Merge of http://go/wvgerrit/14620 ]
Non-Android platforms do not have multiple security levels, and so do
not use the security level to construct a base path.
Instead of requiring a known "security level" to construct a file,
accept anything that platform Properties will accept as a base path.
* Drop Properties::GetSecurityLevel().
[ Merge of http://go/wvgerrit/14617 ]
This seems to be dead code.
Change-Id: I94a970279213100730d6e6c763558dbe386f936a
* Expose release and offline statuses in CdmEngine.
[ Merge of http://go/wvgerrit/14616 ]
This will allow me to make some intelligent decisions in the new CE
CDM implementation without having to duplicate all the information
known in the lower levels.
* Account for backward compat support in tests
[ Merge of http://go/wvgerrit/14621 ]
One test ensures that device path backward compatibility is working,
while another assumes it is used.
This fixes test results when
Properties::security_level_path_backward_compatibility_support()
is false.
Previously, the CE CDM did not run these tests, and so this went
unnoticed.
* Remove Lock::Try, which is not used.
[ Merge of http://go/wvgerrit/14624 ]
Change-Id: Id18cf1f5b18c7322b8b636819276361af225734f
* Move Properties::Init into platform-specific code
This enables a refactor where property initialization for CE CDM will
use values provided by the application during library initialization.
[ Merge of http://go/wvgerrit/14510/ ]
* Add Properties::AlwaysUseKeySetIds().
When true, all sessions will have key set IDs and all session IDs
will be the same as the corresponding key set ID.
This will help the new CDM interface stick more closely to the EME
APIs, in which there are no such things as key set IDs and sessions
only have a single, random ID used for both streaming and offline.
[ Merge of http://go/wvgerrit/14521/ ]
* Reserve key set IDs in memory, rather than on the file system.
This makes it more efficient to use key set IDs for non-offline
sessions.
[ Merge of http://go/wvgerrit/14535/ ]
Change-Id: I765c3519619b17cc3c4ef95b1a6b125f479ee1d0
[ Merge of http://go/wvgerrit/15474 ]
Changes to releaseAllSecureStops made use of a session that was
initialized only if getSecureStops had been previously called. If it was not,
accessing the session resulted in a segfault. This was uncovered by a change
in how the Netflix app invoked mediaDrm.
b/23498809
Change-Id: Ib426ae1830c3a42c5e0849f1b6e8bbfe0d2c74ff
merge of http://go/wvgerrit/14807 from the widevine repo.
The mediaDrm API only allows for a single provisioning attempt at a time.
If concurrent provisioning attempts occur, resources are released from
all but the last request, in order to allow at least that one to be successful.
Any provisioning responses received before one from the last request will
be rejected. A side-effect was that all provisioning resources would
then be released. This caused a provisioning response from the last attempt
to be rejected as well. This CL corrects this behavior and releases resources
only if a provisioning attempt is successful.
The side-effect is that, if the response to the last request is not received
or failure occurs while processing, a crypto session may be held until the
next provisioning attempt.
In other cases of concurrency, provisioning responses to requests other than
the last which are received after the last response will be declared successful.
b/21879484
Change-Id: I3a840ceda1a16ee6adb40c2dbca6c4adf3da12c3
[ Merge from http://go/wvgerrit/14670 ]
Concurrent provisioning attempts are declared successful if any one of them
succeeds. Earlier only the successful ones were declared as such.
b/21727698
Change-Id: I67dedca44790a4ae236e14f90a8fc91775273905
[ Merge from go/wvgerrit/14286 ]
CDM now reports status information associated with the specified security level.
Earlier information would be reported from the default security level.
b/18709693
Change-Id: I7a01e8ea9773b56951c207437ce85e567fd32b09
The errors in the range ERROR_DRM_VENDOR_MIN to ERROR_DRM_VENDOR_MAX are
reflected in the message that is reported to the app, which is
MediaDrmStateException.getDiagnosticInfo().
Many errors map to kErrorCDMGeneric, especially KEY_ERROR is used as a
generic error in CDM. This fix defines more specific error codes in the
CDM for places where KEY_ERROR is returned.
Merge from http://go/wvgerrit/14071
bug: 19244061
Change-Id: I688bf32828f997000fea041dd29567dde18ac677
Implements the optional setMediaDrmSession() method. To enble this,
support was added to the core to report if a session ID is valid.
As a consequence of this, in the tests for the CryptoPlugin,
construction of the plugin must be deferred until all gMock
expectations are set, as construction now calls into the CDM core.
This is a merge of two changes from the Widevine CDM repo:
http://go/wvgerrit/14083
Allow Setting of Session ID
http://go/wvgerrit/14085
Check If Session ID Is Valid When Changing CryptoPlugin IDs
Bug: 19570317
Change-Id: I7dbd777ce6efebd71fdb5e602663a0e35a48a9c4
This is a merge of several Widevine-side commits that, cumulatively,
allow callers to specify an origin to be used to isolate data storage
as specified in the W3C Encrypted Media Extension specification.
Separate origins have separate certificates, and consequently cannot
share device identifiers with each other.
The changes included in this are:
Add Ability to Check for Existing Certificates
http://go/wvgerrit/13974
Add Ability to Remove the Certificate
http://go/wvgerrit/13975
Make CDM Origin-Aware
http://go/wvgerrit/13977
Add Per-Origin Storage to Widevine CDM on Android
http://go/wvgerrit/14026
Remove Automatic Origin Generation
http://go/wvgerrit/14031
Bug: 19771858
Change-Id: I6a01c705d9b6b4887a9c7e6ff4399a125f781569
This is a merge of http://go/wvgerrit/13751 from the widevine
repository.
The CryptoSession had an enumeration for HDCP levels that was copied
from OEMCryptoCENC.h by hand. Since that header is included, there is
no need to have two enumerations.
b/16303994
Change-Id: Ief16ba62163776f9ca80375f3638ef4c7770e742
This is a merge of http://go/wvgerrit/13693 in the Widevine
repository.
This adds level 3 and mock implementation and unit tests for the
OEMCrypto function OEMCrypto_ForceDeleteUsageEntry. It also plumbs
this function up into CdmEngine, CdmSession, and CryptoSession so that
deleting all usage information for a given app id will now delete the
entries in OEMCrypto, too.
b/18194071
Change-Id: Iaea4034a507b323878657215784edfe95876386a
Back when we were being proactive about merging LMP changes to master
in the Widevine repository, there were a few changes that got merged
in a different form than what got checked into the Android repository.
Mostly, this happened due to several large core changes that were
brought over to the master branch in multiple parts so as not to break
other teams using the Widevine repository. This patch brings the two
trees in sync.
Change-Id: I4e56a742686d73d1c6ace209684ce0e8542fd93f
Due to merges happening out-of-order, some formatting fixes that had
previously been merged from the Widevine repository were subsequently
wiped out by later merges.
Change-Id: I9f02d281d276b0f5b5f93b02a699144400db7520
This merges several small changes that were made in response to
comments that arose when LMP changes were merged into the Widevine
repository's master branch.
Change-Id: Ifec968af54dbc3288f24654ec0c6ca9b5962e1aa
(This is a merge of http://go/wvgerrit/13400 from the Widevine CDM
repository.)
Replace "}; // namespace" with "} // namespace":
ag -l --ignore-dir third_party "}; //" | \
while read f; do sed -r -i 's/\}; \/\//} \/\//' $f ; done
Replace "// unnamed namespace" with "// namespace":
ag -l --ignore-dir third_party "unnamed namespace" | \
while read f; do sed -r -i 's/unnamed namespace/namespace/' $f ; done
Change-Id: I50ece9a127ce669f15cd532dfae1dd741338a075
This copies over formatting changes from the Widevine CDM repository
that resulted from running clang-format with Google style on the
shared core/ directory. It also copies over some rewordings of log
messages that were made at the same time.
Aside from the changed log messages, this should not affect behavior
or functionality.
Change-Id: I69c57c188f7a79f30fa3517afeed17365929b6b6
(This is a merge of http://go/wvgerrit/11285 from the Widevine CDM
repository.)
The key set ID is now available earlier, in order to support the CE
CDM 4.5 interface, which needs it at key request generation time, not
later at key response receipt time. It is still possible to receive
the key set ID at key response time, for Android's purposes. Either
API may now be passed a pointer to store the ID in, which may also be
left NULL if this is not needed.
Change-Id: I47e80ea4005c80282e36cfae92cb91142208f624
(This is a merge of http://go/wvgerrit/10674 from the Widevine CDM
repository.)
Now that the CE CDM has CloseSession to handle closing sessions, we
can rename CancelKeyRequest on the CDM Engine & CDM Session to better
resemble its purpose and the name it is known by on Android.
Change-Id: I68d55b3be733579e5875ab33d8e94a62fe1f651d
This is a copy of the widevine CL:
https://widevine-internal-review.googlesource.com/#/c/12742/
If a session is closed at the same time as an OnTimerEvent is
processing an event, there could be a race condition between the two
threads. This CL adds a lock that prevents a session from being
removed from the list while the timer is currently processing an
event.
If CloseSession is called while the OnTimerEvent method is active, the
session will be added to a dead list, and deleted when the timer event
has finished.
This CL does not address the main problem in bug 19252886, but
one bugreport, netflix_log_3.txt, indicates there may have been
a problem with the CDM timer.
bug: 19252886
Change-Id: I17190edaeb3eef1295d4d204232cc4262cb5fa9b
Our recommendation to OEMs is that they support a table of at least 50
usage entries in OEMCrypto. If more usage entries are stored, the PSTs get
added to the CDM but are LRU'ed out of the OEMCrypto usage table. When the
CDM queries those usage entries, OEMCrypto will return a
OEMCrypto_ERROR_INVALID_CONTEXT. Rather than return an error and have
MediaDrm throw an exception, CDM should delete this PST and return the
next usage entry, when queried.
[ Merge of https://widevine-internal-review.googlesource.com/#/c/11457/
from Widevine cdm repo ]
b/17994711
Change-Id: I00e3f93000096fb434d94333e22958de795a4bb5
(This is a port of http://go/wvgerrit/11556 from the Widevine CDM
repo.)
This wires up the new method on the crypto interface with the core
code that handles the max-res decode.
Bug: 16034599
Change-Id: Id2ea5635bf732eabf1fd33712ff8bab6cf1a1745
When falling back to L3, release requests were failing. Information
requesting falling back to L3 is passed along when the session is opened.
Licenses however are released using the key set ID and information
requesting fallback to L3(CdmClientPropertySet) at that point is
unavailable. The release was actually attempting to release a license
at the default security level which is incorrect.
In addition, the mac keys were not being setup correctly and the release
message was signed with keys derived from the license request and not the
response. Both these issues have been addressed and unit tests added
to track release of offline licenses and usage reporting scenarios.
[ Merge of https://widevine-internal-review.googlesource.com/#/c/11062
from wv cdm repo ]
b/17073910
Change-Id: I5cd95a7dfe58ebae7ae27ece6c92e67755c1d665
* The Usage APIs return usage reports from either L1 or L3 (if available).
* Correction to when usage reports are saved. In addition to other events
they are now saved when keys are loaded, usage reports are released and soon
after first decryption and periodically (60 seconds) after that,
if decryption takes place.
* Usage reports now get deleted on an unprovision request.
* Policy timer is now started when offline licenses are restored.
* Usage session is now released, when a usage response is received.
* Usage tests ahev been enabled.
* Added CDM extended duration (integration) tests to test usage reporting
and querying. These need to be run manually as they take a while (currently
half an hour).
b/15592374
[ Merge of https://widevine-internal-review.googlesource.com/#/c/10800
from the Widevine CDM repo ]
Change-Id: Ia817e03ebbe880e08ba7b4a235ecb82b3ff35fbf
A bug prevented regenerating license release requests. This has
been corrected. A crash due to a formatting error has been addressed.
Clean up of logging and additional logging for open session failures
have been included.
b/16197822
Merge of https://widevine-internal-review.googlesource.com/#/c/10806
from the widevine cdm repo.
Change-Id: I854ead388f311d00b1cd700dfa1b2f58322c2dd4
[ Merge of https://widevine-internal-review.googlesource.com/#/c/10659/
from the widevine cdm repo. ]
CdmEngine::CancelKeyRequest would earlier release keys by closing and
reopening a crypto session. Behavior has been changed to just close
the session.
b/15984869
Change-Id: I92a1f82fd4a97b5510596d4bc69bf07406cee606
