[ Merge of http://go/wvgerrit/160000 ]
OEMCrypto v15 licenses made use of several now-obsolete API functions
of OEMCrypto (mainly LoadKeys and RefreshKeys). All license handled
by the CDM must be v16 or newer. The CDM can now rely on all license
requests/responses containing a core message, using v16 policy timers,
and requires loading using LoadLicense() / LoadRenewal().
Bug: 252670759
Test: run_x86_64_tests and policy_engine_unittest
Change-Id: I3f65a6ec0326b4c89d1919b8911e065079cb90d2
[ Cherry-pick of http://ag/19216679 ]
[ Merge of http://go/wvgerrit/155370 ]
There is a rare race condition experienced by some Android devices
where the a new client property set is being added while another is
being removed. The C++ stl library does not provided thread
protection by default.
This CL adds a new mutex for the client property set map which prevents
multiple threads accessing the property sets concurrently.
Bug: 235238226
Test: GtsMediaTestCases on redfin
Change-Id: I32cf11bfb1332295ba1245071102ff0adc35259d
(cherry picked from commit aaa97a5d60)
(This is a merge of http://go/wvgerrit/153551.)
On CE CDM, storage is split between global and per-origin storage, and
one type of storage cannot be used to access the other. (Though, until
an upcoming commit lands, the tests will allow it.) On Android, both
types of storage access the same filesystem. This means that code may
run fine on Android but fail on CE CDM.
The Usage Table Header code normally, explicitly accesses the header
file via global storage. However, a few code paths would try to access
it inconsistently via per-origin storage. This patch updates
StoreTable() to always use the global storage, similar to how
RestoreTable() already functions.
Test: x86-64 w/ storage separated
Test: build_and_run_all_unit_tests.sh
Bug: 236400786
Bug: 192297621
Change-Id: Ie84cef43a7ad169ca8ab701d73c087294ee29705
(This is a merge of http://go/wvgerrit/153550.)
On CE CDM, storage is split between global and per-origin storage, and
one type of storage cannot be used to access the other. (Though, until
an upcoming commit lands, the tests will allow it.) On Android, both
types of storage access the same filesystem. This means that code may
run fine on Android but fail on CE CDM.
The OEM Cert in Provisioning 4.0 is a global file that should only
exist once, but it was being accessed through the per-origin storage,
which would result in a separate OEM Cert being provisioned for each app
& origin on CE CDM. This patch changes the Prov 4.0 code to access it
through the global storage, using techniques similar to how the Usage
Table Header code does this.
Test: x86-64 w/ storage separated
Test: build_and_run_all_unit_tests.sh
Bug: 236400627
Change-Id: I301d250fc9543e62949a4d9fdcbdd109bd941384
(This is a merge of http://go/wvgerrit/151891.)
A previous patch changed how we skip padding when extracting keys from
key containers in license.cpp. Unfortunately, this broke generic
signing when an ODK core message is not in use:
1) "Content" keys for signing are 32 bytes long, but content keys were
assumed to be 16 bytes long.
2) When an ODK core message IS in use, the result of the extraction in
license.cpp is ignored.
The only way to know the correct length of a content key container in
License Protocol 2.1 is to leverage the knowledge that it will always be
padded by exactly 16 bytes. This will have to change if we ever
implement support for License Protocol 2.2, as all key containers are
unpadded in that version.
Bug: 231439638
Bug: 114159862
Test: oemcrypto_dynamic_v15
Change-Id: I1d6c24b3a922247b970fd1517c6f23aded570adf
[ Merge of http://go/wvgerrit/151391 ]
This CL moves the logic for extracting the system ID from keybox or
OEM certificate (from OEMCrypto or device files) to a dedicated
SystemIdExtractor.
Before Provisioning 4.0, the system ID could only be found from data
returned by OEMCrypto. However, with provisioning 4.0, the system ID
can now be found in the OEM certificate that is stored on the device
files.
Bug: 232020319
Test: system_id_extractor_unittest
Test: Forest L37800000954493485
Change-Id: Ie1b7987906e2e4fef015cd659a947b6dbb7594b1
[ Merge of http://go/wvgerrit/151518 ]
Extended the CDM layer to report OEMCrypto's production readiness
via string property query.
If OEMCrypto implementents OEMCrypto_ProductionReady(), then the
reported readiness by the CDM will report "True" or "False".
If OEMCrypto does not implement OEMCrypto_ProductionReady() then no
level of readiness is assumed, and the CDM will report "Unknown".
Bug: 231655151
Test: run_prov30_tests and request_license_test
Change-Id: I6afe481ef00ac129d02b004eca89a65810bfbff8
[ Merge of http://go/wvgerrit/151512 ]
Parameterizing GtsMediaDrm tests exposed a few issues. If secure stops
were stored at L3 security level, retrieval would fail. This CL
checks L3 if the secure stop was not found at the default security
level.
Bug: 221249079
Test: GtsMediaTestCases
Change-Id: Ie88197f8e29457981d782199a76d38774f6faa67
Merged from https://widevine-internal-review.googlesource.com/148554
This change was merged to master but missed in tm-dev when we stopped
the auto merging to tm-dev. Manually cherry picked it.
Test: ran OPK unit tests
Bug: 230820162
Bug: 180530495
Change-Id: Ib23f07f84096650beb4dd1950105db01e004d484
(This is a merge of http://go/wvgerrit/151112.)
The Widevine CDMs have never validated the padding on AES keys. However,
the code to ignore the padding was unusual and based on the assumption
the keys would always have either 0 or 16 bytes of padding and did not
handle other cases correctly. This patch updates the padding-ignoring
code to just do the obvious thing: Reject keys that are too small and
ignore all extra bytes regardless of count.
Bug: 114159862
Test: x86-64
Change-Id: Ic48010477e4cb5f7d2afbde25cf2f098e3470089
[ Merge of http://go/wvgerrit/149690 ]
This changes extends the CryptoSession logging to include the OEMCrypto
session ID in its decrypt failure logs, and adds a new CdmSession
decrypt failure log which includes the CDM session ID. The CDM session
directly maps to the MediaDRM session ID, making app debugging easier.
The Decrypt() code pathway is one of the most frequently called
portions of the CDM code, and the pathway attempts to make as few
logging calls as possible in order to keep latency low and log
verbosity to a minimum. It is anticiapted that when a call to
Decrypt() fails, there will be a burst of failures as the app may
make several calls to Decrypt() before handling the first decrypt
error.
To keep logging low, the following rules are followed:
- CryptoSession: decrypt errors are only logged when the decrypt error
changes.
- CdmSession: decrypt errors are only logged when the last call to
decrypt had succeeded.
Bug: 183984396
Test: MediaGTS with decrypt failures
Change-Id: Ic6124646d129efbc8a690b5bfd4dc422e04e677b
(This is a merge of http://go/wvgerrit/150131 to the Android repo.)
This patch changes the code path in the CDM so that the first-stage
provisioning request for Provisioning 4.0 is always encrypted with the
Widevine service certificate instead of the client-set service
certificate, reflecting that the first-stage provisioning is always
handled by Widevine.
This patch also makes several methods on the ServiceCertificate class
const. This has no impact on their behavior.
Bug: 221443151
Test: prov40 tests
Change-Id: Ide4c3927afadcd45ae7fb629b99e2f55cc29d56e
[ Merge of http://go/wvgerrit/150630 ]
DeviceFiles uses a static variable for tracking license IDs which
have been reserved by a CDM session before officially storing the
license on the device. This variable was not protected by a mutex,
and a rare race condition would arise, either crashing the service
or getting it stuck in a loop.
This CL adds a mutex for protecting the set of reserved IDs.
Bug: 226555704
Test: device_files_unittest
Change-Id: Icdea88673c76c267b4b7db79697ec52ae8e2581e
[ Merge of http://go/wvgerrit/148552 ]
Extended the CDM layer to report OEMCrypto's watermarking support.
The reporting of watermarking comes in three (3) mechanisms:
1) ClientCapabilities in license requests
2) CryptoSession metrics when queried to OEMCrypto
3) String property query by apps
If OEMCrypto implementents OEMCrypto_GetWatermarkingSupport(), then
the reported watermarking support by the CDM will match that of
OEMCrypto.
If OEMCrypto does not implement OEMCrypto_GetWatermarkingSupport()
or an error occurs, it is assumed that OEMCrypto does not support
watermarking, and the CDM will report "Not Supported".
Bug: 226443788
Test: run_x86_64_tests request_license_test and license_unittest
Change-Id: Id929a356c395e6bcf45d371ee6887eec40d35329
[ Merge of http://go/wvgerrit/148450 ]
This CL adds threading requirements to the method doc-comments of
UsageTableHeader.
Bug: 189366337
Test: usage_table_header_unittest
Change-Id: I671f702d3e8ec219cc8daaa220133cb8cec183c8
The interface is defined in
hardware/interfaces/drm/aidl(http://go/ag/15329852).
Test: build
m android.hardware.drm-service.widevine -j128
Test: build_and_run_all_unit_tests.sh
for hidl tests
Test: atest VtsAidlHalDrmTargetTest
Bug: 200055138
Bug: 170964303
Change-Id: If2f2a129914436ba5cef1c46f6cb9415e12c3d1c
Merge from Widevine repo of http://go/wvgerrit/142150 (part 2)
For an EVT device, without a keybox or with a test keybox, we want it
to fall back to L3. However, when running the unit or integration
tests it should continue running tests with test keybox. This will
allow us to test L1 oemcrypto on an EVT device, while still using an
EVT device for dogfooding video content at the L3 level.
Bug: 210807585
Bug: 210823889
Change-Id: I30c35134239db35bb39f11f75220063181987763
Merge from Widevine repo of http://go/wvgerrit/142149
This CL updates the TestCryptoSession so that it will recover from
initializing without a keybox. This allows unit and integration tests
to be run using a test keybox on a device that does not have any
keybox.
Bug: 210807585
Bug: 161925952
Change-Id: I8639bd733a50ae5af3a7c786347b5a06a9d783ce
Merge from Widevine repo of http://go/wvgerrit/139372
Revert workaround for falling back to L3
(Partially merged previously)
Merge from Widevine repo of http://go/wvgerrit/139498
Guard against double initialize
(Partially merged previously)
Merge from Widevine repo of http://go/wvgerrit/139343
Use a placeholder ID for devices missing a system ID
Merge from Widevine repo of http://go/wvgerrit/140934
Check security-level during OpenSession.
Merge from Widevine repo of https://go/wvgerrit/141469
Make OTAKeyboxSupported handle the short buffer return
code
Bug: 187646550
Bug: 206670307
Bug: 206570220
Bug: 205896558
Bug: 205041153
Test: Manual test on flame
Change-Id: I71f5faf6b611337b82d8b6179251f6b0224780e6
(This is a merge of http://go/wvgerrit/139629.)
This patch fixes several places where the override keyword was missing.
These were found when future patches that enable stricter checking of
the override keyword were enabled. There are two basic categories of
missing override:
* Destructors found to be overriding a virtual destructor without using
the override keyword.
* Test methods overriding methods on test-only or mock objects.
Some of these were previously marked as virtual, following our pre-C++11
style guidelines, but this is not necessary now that we have override.
Bug: 207684988
Test: x86-64 build
Change-Id: I09aa499bd3ea80d925e2fc422290d61eb005a769
(This is a merge of http://go/wvgerrit/138969.)
Provisioning 4.0 on CE CDM requires not only the make & model but the
model year in order to relate a device back to its system ID. This patch
adds model year to the list of properties that partners must provide as
client identification.
As no equivalent field exists for Android, this property is not
provided on Android platforms.
Bug: 206453352
Test: x86-64
Change-Id: I0764d67fec54fa9a0c65074e68f3ee02de1e7820
[ Merge of http://go/wvgerrit/137811 ]
Renamed TimerMetric to Timer. Timer is used to generate durations
included in metrics, but is not a metric itself. The method of
getting the current time did not require creating an instance of
std::steady_clock.
Updated Distribution and Timer to use default initializers instead of
constructor initialization list.
Bug: 204946540
Test: Metric unit tests
Change-Id: I7ed291b586347dd0b7ab305960883bec04637315
[ Cherry-pick of http://ag/16087795 ]
[ Merge of http://go/wvgerrit/136432 ]
Once OTA keybox succeeds, the |needs_keybox_provisioning_| flag is
cleared. Access to the system fallback policy is allowed after
provisioning to check status.
Bug: 203177668
Test: ExoPlayer test
Change-Id: I2d28c896c554cfbc9b008340bb415d4c7fac62f2
(cherry picked from commit cac2dcaa6c)
[ Cherry-pick of http://ag/16064434 ]
[ Merge of http://go/wvgerrit/136330 ]
This changes adds a custom debug property for changing the fallback
policy used for the system. Depending on the value set, the device
will either use a "fast" fallback (30 seconds) or "default" fallback
(~1 day with exponential backoff). Setting this property to either
"fast" or "default" will end the current fallback if it has been
triggered.
Bug: 187646550
Test: Android unit tests
Change-Id: I5271f96139c1e468242f7fa742668cc791ffcf91
[ Cherry-pick of http://ag/16064433 ]
[ Merge of http://go/wvgerrit/136329 ]
CDM core has been updated to support very short fallback durations in
the case of failures during OTA keybox provisioning. This is intended
to be used during testing via specialized developer apps or GTS tests.
Bug: 187646550
Test: Android unit tests
Change-Id: I8a75d2e1c404d6caed535b087e8dd29da5c21b83
Merge from Widevine repo of http://go/wvgerrit/135984
If the MediaDrm property string debugIgnoreKeyboxCount is set to 1,
then the keybox will be ignored on the next initialization. This will
force an OTA keybox reprovisioning.
Equivalently, a 1 may be written to the file
L1/debug_ignore_keybox_count.txt.
In order to test a failed reprovisioning step, a value of 2 may be
used.
Bug: 187646550
Merged-In: Ie7d34a8b355398855f4ec43dd95dd73c5907bdeb
Change-Id: Ie7d34a8b355398855f4ec43dd95dd73c5907bdeb
Adjust OTA code to account for some design changes and
add integration tests.
Merge from Widevine repo of http://go/wvgerrit/133775
Change use_test_key to uint32_t type
Merge from Widevine repo of http://go/wvgerrit/133774
Cleanup CDM OKP info before tests.
Merge from Widevine repo of http://go/wvgerrit/133773
Change context for derivation in OTA keybox solution
Merge from Widevine repo of http://go/wvgerrit/133772
Updated OTA keybox key derivation.
Merge from Widevine repo of http://go/wvgerrit/133771
Use double provisioning step in integration tests
Merge from Widevine repo of http://go/wvgerrit/133770
Erase keybox on initialization for OEMCrypto testbed
Merge from Widevine repo of http://go/wvgerrit/133769
Add session id to OEMCrypto OTA functions
Merge from Widevine repo of http://go/wvgerrit/133768
Integration test for OTA Keybox reprovisioning
Merge from Widevine repo of http://go/wvgerrit/133767
Add test x509 cert for testing
Merge from Widevine repo of http://go/wvgerrit/133766
OTA Keybox basic functionality in testbed
Merge from Widevine repo of http://go/wvgerrit/133765
Update OTA test script to use newer build scripts
Merge from Widevine repo of http://go/wvgerrit/133764
Adjust comment stype for doxygen
Test: Test: unit/integration/GtsMediaTestCases
Bug: 190505461
Bug: 190505461
Bug: 190505461
bug: 187646550
Bug: 187646550
Bug: 187646550
Bug: 187646550
Bug: 190505461
Bug: 187646550
Bug: 188228998
Bug: 190505461
Bug: 187646550
Merged-In: I41ff819a1fd8aca2e20adb25127fa0d9c4879b01
Change-Id: I41ff819a1fd8aca2e20adb25127fa0d9c4879b01
[ Merge of http://go/wvgerrit/133744 ]
This changes adds several small classes which contain and manage
system and engine information related to OTA keybox provisioning.
These classes closely map to the OKP device file messages.
Bug: 189232882
Test: Linux unit tests
Change-Id: Ia9334c38f9d7ea89b30d9ad05f0595570bb38658
Storing and loading OKP info.
[ Merge of http://go/wvgerrit/133763 and http://go/ag/15645333 ]
This change extends the DeviceFiles module to be able to store and
load OKP info. Mild data validation is performed when storing and
loading the information.
Bug: 189232882
Test: Android unit tests
Change-Id: I077de3234157252f2255a4389bf82a8d5344a355
System OKP fallback policy.
[ Merge of http://go/wvgerrit/133783 and http://go/ag/15645334 ]
SystemFallbackPolicy provides a thread-safe interface for accessing
and modifying OKP info.
Bug: 189232882
Test: Android unit tests
Change-Id: I4e43e3bc047ed5fb6cb517b53e4094e812b70e1e
Engine OKP provisioner.
[ Merge of http://go/wvgerrit/133803 and http://go/ag/15645335 ]
The OtaKeyboxProvisioner provides a CdmEngine-specific context for
performing OTA keybox provisioning. Utilizes the system-wide
SystemFallbackPolicy to relay provisioning status between engines.
The provisioner will handle message wrapping and unwrapping of the
raw OTA keybox request / response into the SignedProvisioningMessage
which is sent to/received from the provisioning server.
[ Partial merge of http://go/wvgerrit/125844 ]
Note: Includes partial CryptoSession changes from various CLs.
CryptoSession functionality has been stripped to reduce impact of
this CL.
Bug: 189232882
Test: Android unit tests
Change-Id: I282bf7d1887daefb2250af1bd595c4dc3dfcfb29
Integrated OKP into CDM Engine
[ Merge of http://go/wvgerrit/133804 and http://go/ag/15646376 ]
Extended the functionality of the CdmEngine to check if the device
requires OKP and to initialize OKP resources if required. The
functionality of OpenSession() and GetProvisioningRequest() have been
the most affected. If OKP is required, these methods will signal to
the app that provisioning is required and will return an OKP request.
Once a device is provisioned, the OKP data is cleared away and the
CdmEngine will resume normal operation. Engines created after a
device is provisioned will immediately enter normal operations.
The exception is for CdmEngines which failed to perform OKP for some
reason and are still running. Those apps will need to restart before
gaining access to L1 operations.
Bug: 187646550
Test: Android integration tests
Merged-In: Ia572a66a7b73479355758aa3d0c682691eaca0fc
Change-Id: Ia572a66a7b73479355758aa3d0c682691eaca0fc
