Commit Graph

1796 Commits

Author SHA1 Message Date
Alex Dale
207edd9b79 Use std::move for key strings.
[ Cherry-pick of v19 http://go/wvgerrit/219351 ]
[ Merge of http://go/wvgerrit/219455 ]

Coverity discovered an opportunity to use C++'s move semantics
for the prov 4.0 keys.  A similar possibility was available for the
matching wrapped key.  The CryptoWrappedKey class was updated to
enable moving of the wrapped key as well.

Bug: 406539167
Bug: 391469176
Change-Id: I7d76013638c220fc81d6d9c42add2516abd7374a
2025-04-21 17:09:25 -07:00
Alex Dale
a2cdce4296 Changed Prov4.0 handler to accept only recent requests.
[ Cherry-pick of v19 http://go/wvgerrit/219291 ]
[ Merge of http://go/wvgerrit/219432 ]

If the same app/origin generates multiple provisioning 4.0
requests it is possible that a mismatch between the OEM/DRM
certificate and the wrapped OEM/DRM private key occurs.  The CDM
would use the OEM/DRM certificate of the first response one
received, and the wrapped private key of the last request generated.

To avoid this issue, the public key from the most recent request
is cached and checked against the responses received.  If the
keys match, that response is accepted; if the keys don't match
then the response is assumed "stale" and the response is dropped.

In an attempt to maintain existing behavior of the CDM, "stale"
responses will return NO_ERROR to the app.

Note: This was tested using both RSA and ECC cert key types.

VIC-specific: Needed to add implementation of StringContains() and
StringEndsWith().

Bug: 391469176
Test: run_prov40_tests
Change-Id: Id45d40d9af355c46a61c3cc2c19c252cf17c7489
2025-04-21 17:09:13 -07:00
Alex Dale
daf291955f Separate OEM unprovisioning from DRM unprovisioning.
[ Cherry-pick of v19 http://go/wvgerrit/219330 ]
[ Merge of http://go/wvgerrit/219454 ]

For two-staged provisioning devices, the behavior of
CdmEngine::Unprovision() varied by platform and context.
For production Android, unprovisioning would remove both;
for production and testing CE CDM it would only remove
DRM provisioning; for testing Android may remove both or
remove everything (both certs and licenses).

This behavior was not documented, making use of the
CdmEngine::Unprovision() API rather unpredictable.

This change attempts to document the unpredictable behavior
and add a way to explicitly remove the OEM certificate
in the core code.

The new CdmEngine::UnprovisionOemCert() will remove only
the OEM certificate.

Bug: 391469176
Test: run_x86_64_tests
Test: WvTs on oriole
Change-Id: Ib2f6ef61f45b5320c71d7e8e8460f7fe8e0e2248
2025-04-21 17:08:49 -07:00
Alex Dale
b0fa978058 Added state to CertificateProvisioning.
[ Cherry-pick of v19 http://go/wvgerrit/219310 ]
[ Merge of http://go/wvgerrit/219453 ]

To enable the CDM to determine between OEM vs DRM responses,
a state variable was needed in CertificateProvisioning.
Previously, the presence/absence of the OEM certificate in the
file system was used; however, if two apps (or single app with
multiple origins) attempt provisioning simultaneously, the
later response would trigger unexpected failures.

The main functional changes this provides are that a more informative
error will be returned to the app if they provide a provisioning
response without ever creating a provisioning request; and that
if multiple clients attempted first-stage provisioning simultaneously,
fewer errors will occur.

Bug: 391469176
Test: run_prov40_tests
Change-Id: I51a118ce73aa809bad6ecee640139a92d8518575
2025-04-21 17:08:24 -07:00
Alex Dale
774c4667fc Allow ProvisioningHolder to return load status.
[ Merge of http://go/wvgerrit/219452 ]

Allow ProvisioningHolder to load a provisioning response
without triggering test failure if the CDM rejects the response.
This is to allow testing cases where we expect the CDM to
reject the response.

VIC-specific: No specialized provisioning dump call.

Bug: 391469176
Change-Id: Ief1791f23035fe9b554f8e82e049343aa7e97362
2025-04-18 12:44:07 -07:00
Alex Dale
ca7be366df Refactored ProvisioningHolder to separate operations.
[ Merge of http://go/wvgerrit/219451 ]

An upcoming provisioning test requires the ability to perform
generate, fetch and load operations separately (similar to the
current behavior of LicenseHolder).

This CL separates the 3 operations into different methods and
documents the pre/post conditions of each.  The original API
is maintained for backwards compatibility.

VIC-specific: Excludes Golden-data refactoring and merges main
change (216510) and typo fix (216570).

Bug: 391469176
Test: run_x86_64_tests
Change-Id: Iec83dfce9d235eedf04ed32d98f7700de4bade12
2025-04-18 12:43:28 -07:00
Alex Dale
3d5bdaeb77 Retry provisioning and license requests on 502 errors
[ Merge of http://go/wvgerrit/219370 ]

Work around the server problem.

Bug: 345333545
Change-Id: Ie1b0021f545c77d61bb2363494239f4fe000f3d5
2025-04-18 12:39:24 -07:00
Alex Dale
21b6b18cd4 Merge "Ignore certain errors on RemoveOfflineLicense()." into vic-widevine-dev 2025-02-05 13:12:15 -08:00
Cong Lin
d8b51a0405 Allow key_session to be equal to oec_session when removing entitled key session
In some rare cases when |oec_session| was already closed, |key_session|
with the same session id will not exist any longer. This is a fix to
allow such case to not return an error.

Test: run opk tests
Bug: 343093320
Change-Id: I3218145ee8c1047a5cc756560e448b178c2c7a93
2025-01-24 19:27:50 +00:00
Alex Dale
d5dae99c48 Merge "Trim trailing zeros from build information." into vic-widevine-dev 2025-01-14 14:25:49 -08:00
Alex Dale
04a70543ea Trim trailing zeros from build information.
[ Cherry-pick of http://go/wvgerrit/212250 ]

Certain OEMCrypto implementations are returning build info with
trailing C-string null bytes; others are returning all null bytes.

This change attempts to trim any trailing zeros.  For build info
with a single trailing zero, this should fix the format; for those
containing all zeros, this will indicate a failure on OEMCrypto's part
for returning all zeros.  The CDM will not prevent request generation,
but will omit the result in the ClientIdentification.  The server
will decide whether to provide a response or not.

Bug: 348497732
Bug: 348498112
Bug: 366819137
Change-Id: I281ab14e0e46116825321a7965d971b9d68c49fc
(cherry picked from commit 7c81f7bed4fec8199f7fbdb5e95452eacdf3b3c7)
2025-01-08 11:19:42 -08:00
Alex Dale
5194959c8c Ignore certain errors on RemoveOfflineLicense().
[ Merge of http://go/wvgerrit/210652 ]

The CDM API RemoveOfflineLicense() is used to remove an offline
license by key set ID.  From the app's perspective, removing the
offline license should not depend on an app to be provisioned, or
the license being loadable.  However, internally, the CDM attempts
to restore the license to lock out its usage entry.

An issue arises when the license is not able to be restored, which
will cause errors related to the restoration to be returned to the
app.  The license is still deleted in case of errors, but certain
partners have experienced GTS failures when using the MediaDRM API
removeOfflineLicense().

This change attempts to catch some of the common errors, but not all.
If certain errors are encountered during the restoration process, they
are not returned to the app.

Additional error cases may be added later, depending on vendor
feedback.

Bug: 319055420
Bug: 357863269
Bug: 370195605
Bug: 288118860
Bug: 302049654
Bug: 346845333
Bug: 312595506
Bug: 345232142
Bug: 303261245
Bug: 287735498
Bug: 372105842
Test: WVTS on Oriole
Change-Id: I020bbea30e5f6e0ae2777d8a1d4858c4f2af107b
2024-11-21 14:41:46 -08:00
Alex Dale
39c12039cb Patch Android FileSystem::List for non-existing directory.
[ Merge of http://go/wvgerrit/210651 ]

The Android FileSystem implementation for List() would return an error
if the directory does not exist.  This creates an issue for the case
where the CDM attempts to list offline licenses after clearing all
data.  This typically won't affect a regular user, but it causes
integration tests which re-provision to fail.

Bug: 372105842
Test: file_store_unittest on Oriole
Change-Id: I121b52ab95e36249ae5b196e987bc950a278131f
2024-11-21 14:41:20 -08:00
Rahul Frias
b03dfadfc4 Merge "Correct SecureStop_RecoveryTest" into vic-widevine-dev 2024-11-13 00:57:27 +00:00
Alex Dale
b092b0e2f1 Cleaned up file_store_unittest.cpp
[ Merge of http://go/wvgerrit/209871 ]

The filestore unit tests have not been updated in a while, and
contained several test statements which could crash the test
when failed (accessing elements in a vector or characters in a
string without proper size checks).  Other parts of the tests
had non-obvious purposes without detailed knowledge of how the
file system works on the different platforms.

Significant parts of the tests have been refactored to include
better checking and to add error messages to explain the
expectations.  Several of the tests have been documented, and the
FileSystem header has been updated to explain what the API does.

Bug: 376533901
Test: file_store_unittest on Oriole
Change-Id: I5af9fd2a2ed01aa6186026761c9e0814604ec610
(cherry picked from commit bc4382b075)
2024-11-09 01:34:51 +00:00
Rahul Frias
1af36f421f Merge "Correct VersionNumberTest expectation" into vic-widevine-dev 2024-11-07 16:02:32 +00:00
Rahul Frias
b06655fc59 Merge changes I34aab2b5,I0874b965 into vic-widevine-dev
* changes:
  Skip ProvisioningStableSpoidTest if L3
  Correct CertificateProvisioningTests failures
2024-11-05 18:05:14 +00:00
Rahul Frias
f25dc4d0f3 Correct SecureStop_RecoveryTest
[ Merge of http://go/wvgerrit/209611 ]

[Reset crypto session pointers on RemoveKeys](http://go/wvgerrit/189590)
changed the plugin behavior. When RemoveKeys are called the
Provider Session Token present in the license is cleared when
CdmLicense object is reset. This causes a test expectation to
fail. Since SecureStop are slated for removal, we will introduce
a workaround to avoid this expectation check. The workaround is to
not expect usage information.

Bug: 339917270
Test: request_license_test (WvCdmRequestLicenseTest.SecureStop_RecoveryTest)
Flag: Test only code
Change-Id: Ib6922372faf0a38b7bf131f699c4626cb2b533d0
2024-11-05 09:59:16 -08:00
Rahul Frias
2c0bfc8b44 Correct VersionNumberTest expectation
[ Merge of http://go/wvgerrit/209610 ]

Bug: 339917270
Test: request_license_test (VersionNumberTest.VersionNumberChangeCanary)
Flag: Test only code
Change-Id: I58e36f8684d87e7894a15e1903637781c9f7df9c
2024-11-05 08:10:28 -08:00
Kyle Zhang
d73997bc0b Revert "Limit output buffer size during decrypt fallback"
Revert submission 28914157

Reason for revert: b/372348308

Reverted changes: /q/submissionid:28914157

Change-Id: Ib77156ffe6abed0f8feee5d9f60f24a90e749ff8
2024-10-14 22:28:42 +00:00
Alex Dale
894beae755 Merge "Fixed HLS parsing of bad content IDs." into vic-widevine-dev 2024-10-03 20:29:46 +00:00
Alex Dale
380148e3e6 Fixed HLS parsing of bad content IDs.
[ Merge of http://go/wvgerrit/207457 ]

When parsing Widevine's HLS key data, the key details are contained
in a data URI in the HLS X-KEY URI field.  The data of the URI is a
base64 encoded JSON object, containing the information required to
generate the license request.  The "content_id" field of the JSON
object is expected to be base64 encoded; however, the HLS parser
did not verify that the decoding was successful.  In the event that
it was not successful, the decoder would return an empty string, which
the parser would attempt to access the first element by reference
which may be a null reference.

In C++, creating a reference from a null pointer (without actually
accessing the value) is undefined; however most C++ implementations
will not cause a segment fault; but it is not guaranteed by the
standard.

This change checks if the decoding was successful before attempting
to store the decoded "content_id" value.

A unit test is added to ensure that a parser fails gracefully.

Bug: 356210640
Test: HlsParseTest.BadHlsData_InvalidContentId
Change-Id: Ie2ad42d69953258659178dd1464d830b2723c6c7
2024-10-01 21:14:19 -07:00
Cong Lin
d92d3a884d Add "bootCertificateChainSignature" to Drm plugin getPropertyByteArray()
This allows Widevine RKP HAL to query BCC signature via DRM interface
during BCC extraction for remote provisioning phase 3. The query returns
the "additional_signature" field from
OEMCrypto_GetBootCertificateChain().

Test: Manual BCC extraction on Pixel 9
Bug: 355160637
Change-Id: I1a310a80c0cfef82ee3697f06c1293d5c1c3896a
2024-10-02 00:43:54 +00:00
Rahul Frias
a5a02ac1fb Skip ProvisioningStableSpoidTest if L3
[ Merge of http://go/wvgerrit/207790 ]

SPOID is only expected to be stable for L1

Bug: 339917270
Test: CoreIntegrationTest.ProvisioningStableSpoidTest
Change-Id: I34aab2b5f873b643e2cfb3c7ad8c996f2134a48b
2024-09-30 12:54:41 -07:00
Robert Shih
4ef3e2cee8 Remove level1_failed_ cache
Bug: 313497311
Test: Samsung QA
Change-Id: Ic3bddf5340f37a19bd44800681fec6f0c0520d19
2024-09-30 17:27:56 +00:00
Rahul Frias
92d0e81143 Correct CertificateProvisioningTests failures
[ Merge of http://go/wvgerrit/207720 ]

CertificateProvisioningTests were failing because the expected
filename "cert.bin" was not met. The file path being passed in
on android was "/data/vendor/mediadrm/IDM0/L[1|3]/cert.bin"

Bug: 339917270
Test: CertificateProvisioningTests/CertificateProvisioningTests.ProvisioningResponseSuccess/Keybox
Test: CertificateProvisioningTests/CertificateProvisioningTests.ProvisioningResponseSuccess/OemCert
Test: CertificateProvisioningTests/CertificateProvisioningTests.ProvisioningResponseSuccess/DrmCertificateReprovisioning
Change-Id: I0874b9652d54848d58c202fe197af0da0616e8cd
2024-09-30 09:41:56 -07:00
Vicky Min
51944dc331 Allow key_session to be set to oec_session when creating entitled key session

Bug: 358042250
Change-Id: If636f252aec6c95e23a91ee410f9cadf0ebad5d9
(cherry picked from commit 232d01b83abb6fe9ff9f4148bf79dc5dab8ee946)
2024-09-09 18:02:32 +00:00
Rahul Frias
d27b58202e Merge changes I58806276,Ic112b459 into vic-widevine-dev
* changes:
  Clang format long line
  Update test data for entitled license test
2024-09-09 17:12:40 +00:00
Vicky Min
e642847b81 Update license holder to handle Android license releases
Since the CDM engine handles license releases for CE CDM and Android
differently, this changes the license release test to accomodate for
that.

Bug: 348712053
Change-Id: Ibc768e5d5c31ef8c2226b63dc622ffabfc0591fe
2024-09-04 19:33:16 +00:00
Fred Gylys-Colwell
135d6c608d Update test data for entitled license test
A new set of license data was created on UAT so that we
could have keys that match those in the license returned by
a License SDK and by those generated by UAT.

It should be more clear now which data is just made up, and
which data has to match some golden values based on the made
up data.

Bug: 338323091
Test: WVTS
Change-Id: Ic112b4594afb99c6f43e011f59ee7592d4809189
2024-08-23 23:26:28 -07:00
John W. Bruce
a5bce8122e Limit output buffer size during decrypt fallback
This is based on a patch submitted by Amlogic.

When we're doing decrypt fallback, either in the CDM or the OEMCrypto
tests, we sometimes fall back to a point where we're synthesizing new
samples and/or subsamples for the content being decrypted. When this
happens and the output buffer is clear, we should limit the size of the
output buffer to only the space needed to hold the output.

Previously, we've been passing the entire output buffer to every call.
This can create a problem if the reason for the fallback is a lack of
enough memory to communicate the buffers to the TA, since the output
buffer will remain the same size as the total output. Restricting the
buffer passed to each call to only the space needed by that call will
reduce the memory requirement.

Bug: 354834629
Test: x86-64
Merged from https://widevine-internal-review.googlesource.com/204810

Merged from https://widevine-internal-review.googlesource.com/204953

Change-Id: I412f43d8f88c72072ef1dd5293436bdb58e500b3
2024-08-21 05:11:49 +00:00
Alex Dale
b282ec92b6 Improved SystemIdExtractor's opened/closed session behavior.
[ Merge of http://go/wvgerrit/201577 ]
[ Cherry-pick of http://ag/28133919 ]

VIC specific: No DRM reprovisioning support

The SystemIdExtractor did not properly define behavior when working
with opened/closed CryptoSessions.  Due to the CryptoSession's class
dual role of being both a session and a general handle into the
crypto engine, small bugs relying on undefined behavior which happened
to return expected output allowed tests to pass.

This CL makes the following changes:
1) Have SystemIdExtractor verify caller expectations when session is
   open.
2) Improved SystemIdExtractor to operate when CryptoSession is opened
   or closed.
3) Updates several SystemIdExtractorTest cases to better test defined
   behavior without relying on undefined behavior.
4) Better code comments; hopefully some which will help prevent future
   misuse of the internal APIs.

Test: system_id_extractor_unittest on Oriole
Test: WVTS on oriole
Bug: 329713288
Change-Id: I65518fe62f43e8060ea752852eb08a3d7132e2a0
2024-07-02 14:24:37 -07:00
Vicky Min
df171c9d94 Fix clear lead integration tests
The original clear lead integration tests weren't following the flow of
the original bug because there was only one sample, so
DecryptMultipleSamples wasn't being called in the same way. This should
fix this.

Bug: 320785945
Merged from https://widevine-internal-review.googlesource.com/198137
(cherry picked from commit 4141e271d44c32da88dc0f02a0173fae0b45ead9)

Change-Id: Ia70e3fd78381d8d34261b95931fdb303f77f73fd
2024-06-02 07:06:03 +00:00
Rahul Frias
0500d27ce5 Fix LicenseRenewalSpecifiedServer for SDK servers
[ Merge of http://go/wvgerrit/197972 ]

The test only needs to verify that the license has a renewal
server url. It does not need to fetch a renewal from that url.

bug: 338103523
Change-Id: I1513f8692089c3f51a53ffd6ecb62348702b8fb8
2024-05-30 10:48:53 -07:00
Fred Gylys-Colwell
1f3c38d6a3 Update request url
The test server for UAT and for the SDKs now accept the same
url format for renewals.

Bug: 328763985
Change-Id: I1a58412047735efa26da7986bf19fa9a7fbaf374
2024-05-10 15:03:17 -07:00
Rahul Frias
e24c8dcb86 Revert "Add SCP support for Android files"
This reverts commit 95b50d39ba.

Reason for revert: Rikers changes should go on main. We can decide that partner OEMs can pick up this feature for V once it has been well tested on main.

Change-Id: I129303cbc86e267aba013a7c314724e51477dc82
2024-04-17 01:41:01 +00:00
Jacob Trimble
95b50d39ba Add SCP support for Android files
SCP uses the JNI headers in generated code, so several targets need
the include path; this will have no effect on non-SCP builds.  Also,
in "protected" builds, there is a generated library that needs to be
linked in the final binary, but this doesn't exist in the "analysis"
step; we create an empty static library if it doesn't exist so it works
on all cases.

Merged from https://widevine-internal-review.googlesource.com/169850

Merged from https://widevine-internal-review.googlesource.com/176177

Bug: 262635528
Change-Id: Ib676d55efbcbec81de9c3123bc70afb570d6caa5
(cherry picked from commit b9482eb23c261788a4432de7566f1b1de1cf9379)
2024-04-16 20:48:35 +00:00
Vicky Min
d05d3738b4 Integration tests to verify clear lead content plays successfully
Also added a unit test to verify that decryption without a license fails
with the correct error code. Also changed comment types for policy
integration tests and core integration tests to be picked up by Doxygen.

Bug: 320785945
Merged from https://widevine-internal-review.googlesource.com/194910

Change-Id: Ibdb70683003bb430dde9b4a1bd9fc9839bace342
2024-03-28 14:09:01 -07:00
Treehugger Robot
24027c5ebf Merge "Quit test setup when test is skipped" into main 2024-03-26 23:00:40 +00:00
Rahul Frias
ee77a96d74 Merge changes I55b1eb04,I839db69a,I43e845b8,I56b6d301,Ia59bfacf, ... into main
* changes:
  Unit tests for forbidden RSA key usage
  Add DRM reprovisioning request generation
  Correct copyright header
  Fix bcc length for printing
  Update ODK version to 18.4
  Adjust skipping tests when provisioning skipped
  Change test storage to use protobuf
  Remove WvCdmEnginePreProvTestStaging
  Rename and clarify Drm Reprovisioning token types
2024-03-26 06:09:26 +00:00
Treehugger Robot
284b6bef68 Merge "Skip License Release tests when there is no usage table" into main 2024-03-25 20:04:28 +00:00
Fred Gylys-Colwell
202350959d Quit test setup when test is skipped
The SetUp for child classes do not automatically quit when
the parent SetUp is skipped.

Bug: 305093063
Change-Id: I606a949ef0e94fa87a97268856b7f2d8b9135ebe
2024-03-21 16:58:05 -07:00
Alex Dale
f7944b4dac Merge "Update support for HDCP levels on Android and CE CDM." into main 2024-03-21 21:00:59 +00:00
Vicky Min
c001e2f5a4 Skip License Release tests when there is no usage table
Bug: 330364107
Merged from https://widevine-internal-review.googlesource.com/194574

Change-Id: I25db60e239b157d736d89506280c3d218215fb6f
2024-03-21 11:46:42 -07:00
Cong Lin
5e186dcfa6 Fix bcc length for printing
[ Merge of http://go/wvgerrit/194310 ]

Resize bcc to the correct length to eliminate the trailing zeros.

Bug: 330645490
Test: core unit tests

Change-Id: I56b6d30120735a4d7a0f39f29a9f255bd2d2d18c
2024-03-20 21:41:15 -07:00
Fred Gylys-Colwell
38243aca4c Adjust skipping tests when provisioning skipped
[ Merge of http://go/wvgerrit/194254 ]

For some platforms, we cannot provision. In this case, any
test that needs provisioning is skipped. However, when a
test is skipped in a subroutine, the rest of SetUp is still
run. Any failures in SetUp will cause the test to be marked
as a failure.

This CL duplicates the check for skipping the test in SetUp
and in TearDown.

Bug: 329467151
Test: WV and unit/integration tests

Change-Id: I0087b12a3f26b52ecf62bf7b0e7bcf4fa2c6c763
2024-03-20 14:55:42 -07:00
Jacob Trimble
428586b0eb Change test storage to use protobuf
[ Merge of http://go/wvgerrit/193190 ]

This changes the persistent test storage to use protobufs instead of
manual parsing.  This simplifies the code but makes the files less
"human readable".  Files can be read using 'gqui' if needed.

Bug: 312529037
Test: unit/integration tests
Change-Id: I1b025eac96458c0061e0883e1e4fd05484842ff2
2024-03-20 13:59:14 -07:00
Fred Gylys-Colwell
d3b869c0ab Remove WvCdmEnginePreProvTestStaging
[ Merge of http://go/wvgerrit/194370 ]

This test explicitly provisions against the staging server,
which we do not require from partners.

Bug: 329293570
Test: WV unit/integration tests

Change-Id: Id88840f188ec99b386837d83f69844b0990594a9
2024-03-20 13:30:23 -07:00
Geoffrey Alexander
e9e4b76817 Rename and clarify Drm Reprovisioning token types
[ Merge of http://go/wvgerrit/194374 ]

Renames and adds clarifying comments to Drm Reprovisioning token types.
All provisioning methods can be forced to reprovision by apps which can
cause reprovisioning to be an overloaded term. Renaming token types
used by the Drm Reprovisioning method to more clearly state they are
used for Drm Certificate Reprovisioning should help to avoid confusion.
This change also adds comments to help clarify when and where Drm
Reprovisioning is used as a provisioning type.

Bug: b/305093063
Test: WVTS

* Added dependency to dynamic perf tests to fix missing header build
  error.

Change-Id: I158eb5672ad9e655a60bc68e0f4f2f7a0d464b4e
2024-03-20 11:15:58 -07:00
Rahul Frias
7cc19077ca Merge "Add DRM reprovisioning request generation" into main 2024-03-20 17:24:36 +00:00