[ Merge of http://go/wvgerrit/191113 ]
Rikers will replace haystack for L3 protection. Haystack will still
be present to support offline licenses that were downloaded using
haystack in prior releases.
Bug: 262635528
Test: WVTS and unit tests
Change-Id: Idffa0002b2c7694df595fa9cac694806673377b8
[ Merge of http://go/wvgerrit/191139 ]
Adding an initial flag that include identifiable differences when
the feature is enabled or disabled.
Bug: 311951236
Test: WVTS tests
Change-Id: I57a8e05d3b7c0cb6b43cbef022b436330985fe11
[ Partial cherry-pick of http://go/wvgerrit/186230 ]
The removeOfflineLicense() API in the Media DRM plug would attempt
to remove the specified license from L1, then retry L3 if L1 failed
for any reason. This causes error emitted by L1 to be masked by
errors emitted from L3. In particular, if an internal error occurs
on L1 when removing the license, because the plugin would then
try L3 which does not contain the license, the app will receive either
a "does not exist" or "needs provisioning" error from L3.
This CL changes the plugin to first determines which security level
the license exists for. Then only attempts removal on that security
level.
Bug: 301910628
Bug: 291181955
Bug: 296300842
Bug: 302612540
Test: MediaDrmParameterizedTests GTS on bluejay
Merged from https://widevine-internal-review.googlesource.com/187611
Merged from https://widevine-internal-review.googlesource.com/187832
Change-Id: I3d3975f945d2e97cfa9d866baf6ca5cf901f8af5
[ Partial cherry-pick of http://go/wvgerrit/185854 ]
Certain GTS tests do not fully consider restrictions on ATSC devices.
In particular, GTS assumes if there are any key set IDs returned to
the app via the MediaDrm API, then the device must already be
provisioned. ATSC license are special in that they may be available,
but the CDM is not provisioned while outside of ATCS mode.
To work around this assumption made by GTS, we filter out ATSC licenses
returned by getOfflineLicenseKeySetIds() when the device is not in
ATSC mode, and filter out non-ATSC license when it is in ATSC mode.
This is only a soft enforcement mechanism as calling the API with a
valid ATSC license while outside ATSC mode (or a non-TSC license in
ATSC mode) will continue to result in the failures experienced by
certain OEMs.
Bug: 301910628
Bug: 291181955
Bug: 296300842
Bug: 302612540
Test: MediaDrmParameterizedTests GTS on oriole
Merged from https://widevine-internal-review.googlesource.com/187610
Merged from https://widevine-internal-review.googlesource.com/187831
Change-Id: Id1508571ebb5c466f43bca99a2d79dc402a2134f
String obfuscation hides string literals from static analysis but
requires string literals be used inside protected functions.
- Enable string obfuscation for all function groups.
- Change some global `std::string` to `const char[]` to ensure that
the `std::string` is constructed inside a protected function so
that string obfuscation correctly applies to the string literal.
Bug: 270566889
Merged from https://widevine-internal-review.googlesource.com/168485
Merge conflicts were caused by formating changes. Resolved by taking
the newer version.
Merged from https://widevine-internal-review.googlesource.com/169511
Change-Id: Ie7f3e94f89671a34e4792efa174f96a17d713f9e
membarrier_function() for clearing cache in L3 is optional and good to
have. Currently we log it as error if it is not available, which caused
some confusion for CE CDM L3 partners building their own L3.
Also corrected a typo in the function name.
Test: build L3 and run dynamic level3 tests
Change-Id: If20bcb1fe2bace33c43aa178af699f3b190a1fd2
Plugin to provide getPropertyByteArray("deviceSignedCsrPayload")
which returns the signed CSR payload for device registration. It
queries both BCC and device info to be set in plugin before calling this
getPropertyByteArray("deviceSignedCsrPayload") method. The returned csr
payload will be used by assemble the device CSR by the caller for device
registration.
Bug: 286556950
Test: build WV DRM plugin
Merged from https://widevine-internal-review.googlesource.com/178891
Merged from https://widevine-internal-review.googlesource.com/179731
Change-Id: I65d89ed998dd292fc656af2f91f4472c1b5ec33c
This patch adds a new interface that partners must provide to
Cdm::initialize(), ILogger. ILogger replaces stderr as the sink to which
logging messages are sent. For partners that still want to log to
stderr, a reference implementation that logs to stderr is provided.
As a side-effect of this, many test-related source files had to be
updated to thread the new parameter to Cdm::initialize() through them.
This also necessitated adding a new variant of FormatString() that can
be called with a va_list directly so it can be called from other
functions that take varargs.
Bug: 201446862
Merged from https://widevine-internal-review.googlesource.com/177270
Change-Id: Ie31a10162773883b337f3a6144cf180a2b100139
- Initialize allowed_schemes_ since it is used by CreateDefaultResponse.
- Issue was detected by Coverity.
Change-Id: I368c4773f6316b65196aaa39e23e70717299c570
OEMCrypto_ERROR_INVALID_RSA_KEY is deprecated in v17. But
v16 oemcrypto can still return it. Unit test should allow
this error for now.
Test: run_dynamic_oemcrypto_v16.4, run_dynamic_oemcrypto_v16.3
Bug: 307668988
Change-Id: I950b62c8b3e02ea09d4795839a3d69573ab718aa
This CL adds unit tests to verify that the following
forbidden uses of an RSA private key do not work:
- ForbidPrepAndSign -- A cast cert key cannot sign a license
request.
- ForbidUseAsDRMCert -- A cast cert cannot be used with the
DRM cert's padding scheme and it cannot be used to derive
keys from a session key.
- *ForbidRSASignatureForDRMKey* -- A DRM cert key cannot be
used with GenerateRSASignature.
- *OEMCertForbidGenerateRSASignature* -- An OEM cert key
cannot be used with GenerateRSASignature.
Bug: 251875110
Change-Id: Ic2b23e3fd279e878c190a8294078a8d092126a29
This tool will soon be used in LUCI tests. It seemed necessary to
clean it up to make the build cop's job easier if there is a problem.
The following was completed:
* Removed stub for install XML based keyboxes
* This is handled externally
* Improved error checking
* Replace C-style prints with C++ styled prints
* Keybox information is still printed to stdout
* Major erros are printed to stderr
* Updated to follow Google style guide
* Fixed header includes
* Removed unused headers
* Added headers that are used, but were included indirectly
* Ensures OEMCrypto_Terminate() is called
* Particularly if there is an error encountered.
Bug: 299108238
Test: Tested in later CL
Change-Id: Ie6dafc44d050d0c6ae288f88cd5d6f3737d4a88c
The unit test helper function LoadWithAllowedSchemes should
only be used to load a Cast Certificate. So it has been
renamed to make that clear.
The only unit test that used the old function with the
non-cast padding scheme has been removed. A replacement will
be added in the next CL of the chain.
Change-Id: Id4aa2f420435baff664324ee4b3dcb74ab9ffe8a
There was some confusion about which tests loaded a cert and
which ones just used a cert. This distinction is important
when testing devices with a baked-in-cert.
Merged from https://widevine-internal-review.googlesource.com/183333
Change-Id: I3c2b119c3355b3a9190799637ff0860b6153b35b
This adds an install keybox tool to the OEMCrypto unit test
directory. It is built when we build the OPK w/linux IPC.
This CL also adds some scripts to use this tool when running
the OPK Linux TA, and then runs the standard tests.
Bug: 295371549
Change-Id: I11e59faa3b24d906f573bcd3f4855e73a4aa5fdf
Adds a new `cas` directory to the ports/linux project. This contains
an end-to-end demo of OEMCrypto CAS functionality, using the Linux
tee_simulator as a base.
Test: from ports/linux/cas dir: `CDM_DIR=~/work/cdm-dupe ./scripts/build.sh && CDM_DIR=~/work/cdm-dupe ./scripts/run.sh`
Merged from https://widevine-internal-review.googlesource.com/178250
Change-Id: I781b403100ad2e069d99650d9ddae8e7acbc309a
We want to transition to using GTEST_SKIP to skip unit tests instead of
modifying the GTEST_FILTER variable. This does so for tests that require
RSA 3072 support.
Bug: 251240681
Change-Id: I048d31e25316d621771efb5d472f651bff40bf75
