The interface is defined in
hardware/interfaces/drm/aidl(http://go/ag/15329852).
Test: build
m android.hardware.drm-service.widevine -j128
Test: build_and_run_all_unit_tests.sh
for hidl tests
Test: atest VtsAidlHalDrmTargetTest
Bug: 200055138
Bug: 170964303
Change-Id: If2f2a129914436ba5cef1c46f6cb9415e12c3d1c
[ Cherry pick of http://ag/15836995 ]
[ Merge of http://go/wvgerrit/133744 ]
This changes adds several small classes which contain and manage
system and engine information related to OTA keybox provisioning.
These classes closely map to the OKP device file messages.
Bug: 189232882
Test: Linux unit tests
Change-Id: Ia9334c38f9d7ea89b30d9ad05f0595570bb38658
Storing and loading OKP info.
[ Merge of http://go/wvgerrit/133763 and http://go/ag/15645333 ]
This change extends the DeviceFiles module to be able to store and
load OKP info. Mild data validation is performed when storing and
loading the information.
Bug: 189232882
Test: Android unit tests
Change-Id: I077de3234157252f2255a4389bf82a8d5344a355
System OKP fallback policy.
[ Merge of http://go/wvgerrit/133783 and http://go/ag/15645334 ]
SystemFallbackPolicy provides a thread-safe interface for accessing
and modifying OKP info.
Bug: 189232882
Test: Android unit tests
Change-Id: I4e43e3bc047ed5fb6cb517b53e4094e812b70e1e
Engine OKP provisioner.
[ Merge of http://go/wvgerrit/133803 and http://go/ag/15645335 ]
The OtaKeyboxProvisioner provides a CdmEngine-specific context for
performing OTA keybox provisioning. Utilizes the system-wide
SystemFallbackPolicy to relay provisioning status between engines.
The provisioner will handle message wrapping and unwrapping of the
raw OTA keybox request / response into the SignedProvisioningMessage
which is sent to/received from the provisioning server.
[ Partial merge of http://go/wvgerrit/125844 ]
Note: Includes partial CryptoSession changes from various CLs.
CryptoSession functionality has been stripped to reduce impact of
this CL.
Bug: 189232882
Test: Android unit tests
Change-Id: I282bf7d1887daefb2250af1bd595c4dc3dfcfb29
Integrated OKP into CDM Engine
[ Merge of http://go/wvgerrit/133804 and http://go/ag/15646376 ]
Extended the functionality of the CdmEngine to check if the device
requires OKP and to initialize OKP resources if required. The
functionality of OpenSession() and GetProvisioningRequest() have been
the most affected. If OKP is required, these methods will signal to
the app that provisioning is required and will return an OKP request.
Once a device is provisioned, the OKP data is cleared away and the
CdmEngine will resume normal operation. Engines created after a
device is provisioned will immediately enter normal operations.
The exception is for CdmEngines which failed to perform OKP for some
reason and are still running. Those apps will need to restart before
gaining access to L1 operations.
Bug: 187646550
Test: Android integration tests
Change-Id: Ia572a66a7b73479355758aa3d0c682691eaca0fc
[ Merge of http://go/wvgerrit/133729 ]
[ Cherry pick of http://ag/15836224 ]
The OtaKeyboxProvisioner is a system-wide provisioner for sharing the
provisioning workflow between CDM engines.
Bug: 189232882
Test: GtsMediaTestCases
Change-Id: I873af3087cc05e1831bdd1d2c14fb002b73e6902
Added keybox provisioning proto fields.
[ Merge of http://go/wvgerrit/133730 and http://go/ag/15113032 ]
This CL copies over the required license_protocol.proto changes that
are required for OTA keybox provisioning. These fields are defined in
the server-side certificate_provisioning.proto, defined in
http://cl/377533774.
Note, changes are slightly different from server proto due to the RVC
version of license_protocol.proto being out of date with SC and newer
changes.
Bug: 189232882
Test: run_x86_64_tests
Change-Id: I55fcf6a7ac2ba4b6026b9acc63e822ff33c431d9
Added OTA keybox provisioning device files.
[ Merge of http://go/wvgerrit/133743 and http://go/ag/15421141 ]
This change adds a new set of proto messages/fields the CDM's device
files for recording device and engine information around OTA keybox
provisioning (OKP).
To make cleanup and thread protection possible, there is a single file
which will contain all the information for the device as a whole and
each CDM engine tied to an app/origin.
Bug: 189232882
Test: Linux unit tests
Change-Id: Iaf80cd6342f32657e04416750d9b278d935821a5
Client ID for OKP requests.
[ Merge of http://go/wvgerrit/133744 and http://go/ag/15645331 ]
Extended the CDM ClientIdentification class to support a subset of
client info used for OKP requests.
Bug: 189232882
Test: Android unit tests
Change-Id: I6aafb4f2164efe69bc733ece0a912f0e91893b91
[ Merge of http://go/wvgerrit/121568 ]
The CdmEngine logs had both too much and too little information.
Since our logging has been enabled to print function names natively,
many of the log information has become superfluous. Needless
information has been removed, and many of the important INFO logs have
been reduced to only the information not present in the function name.
Some of the INFO and ERROR logs were missing identifiers to match
failures with the same session request should the failures take more
than a few milliseconds to occur. CDM session IDs and key set IDs
have been included in all the logs that _appeared_ to have a slow
operation between the top of the method and log.
To help make enum values more readable, several enums-to-string
functions have been implemented. These converters are intended for
INFO logging and as such, do not log any addition information should
the enum be out of range.
To help make empty and null identifiers more readable in the logs,
empty strings will be logged as <empty> and null strings will be
logged as <null>.
While working through the "cdm_engine.cpp" file, a few minor changes
have been made:
- Adjust if statements to match with Google C++ style guidelines
- Skipped anything that was not obvious
- Added a const qualifier to variables where appropriate
- Moved some null checks to the top of the method
- Only where sequence is non-critical to normal operation
- Removed unnecessary string to vector to string conversions
- Reject empty |force_session_id|
- Already enforced on CE CDM code and not uesd on Android
Bug: 183576879
Test: CE CDM unittests
Change-Id: Id165373055f7ce6097c93c48f84af74bd353c8cb
[ Merge of http://go/wvgerrit/119806 ]
This change replaces all calls for base64 encoding which first converts
a string to a vector. The new base64 encoding function allow for
encoding binary data contained within strings.
Bug: 181732604
Test: Android unittests
Change-Id: Ibfe79dba99e6a2ee2f2a96e85b62fbd22519aea7
[ Merge of http://go/wvgerrit/120510 ]
* Added some comments to clarify which clock times are computed at the
client and at the provisioning service. More detail is present in the
device_files.proto
* Moved helper methods |SetDeviceCertificate| and
|ExtractFromDeviceCertificate| from class methods to anonymous
namespace
* Removed some commented out code
Bug: 169740403
Test: WV unit/integration
Change-Id: Ic263f3dfe296fff6d9b5380b2e7c663d87022cb2
[ Merge of http://go/wvgerrit/120123 ]
DRM certificate creation and expiration times are now validated.
* New DRM (default) certificates will have an expiration time specified
by the provisioning service.
When stored, the client will include the time the certificate was
received. This allows for expiration calculation to occur when client
and provisioning service clocks are out of sync.
When read out, creation, expiration and acquisition times are
validated. The certificate is checked for expiry by making sure
that the time at the client since the license was acquired is not
greater than the expiration period. The time information stored at the
client may be tampered with. The license service will perform an
expiration check and reject the license request if tampered with.
The expiration time may be set to never expires/unlimited. This is not
a valid value for creation or acquisition time.
* Pre-existing (legacy) certificates from upgrading devices will not
have an expiration time set by the provisioning service. Instead
the client will calculate an expiration time 6 months with + or -
a random two month period in the future. This is stored along with the
certificate.
When read out, if no expiration time has been set by the client, one
will be calculated and written out. The certificate will be declared as
valid. If a client calculated expiration time is present, the
certificate will be validated. In case of tampering, the license service
can reject license requests and force reprovisioning when appropriate.
* ATSC certificates will continue to not have an expiration time.
No additional validation is required.
Other changes for non-ATSC licenses involve managing both default and
legacy certificate co-existance. When checking for DRM certificates,
the default certificate is attempted first. This is followed by a check
for the legacy certificate, if the default certificate is not present.
Bug: 169740403
Test: WV unit/integration tests
DeviceFilesTest.StoreCertificateInvalidParams
DeviceFilesTest.RetrieveAtscCertificate
DeviceFilesTest.RetrieveAtscCertificateNotFound
DeviceFilesTest.RetrieveCertificateInvalidParams
DeviceFilesTest.RetrieveLegacyCertificateWithoutExpirationTime
DeviceFilesTest.RetrieveLegacyCertificateWithClientExpirationTime
DeviceFilesTest.RetrieveLegacyExpiredCertificateByClientExpirationTime
DeviceFilesTest.RetrieveLegacyCertificateInvalidClientExpirationTime
DeviceFilesTest.RetrieveCertificateWithoutKeyType
DeviceFilesTest.RetrieveDefaultCertificate
DeviceFilesTest.RetrieveDefaultCertificateNeverExpires
DeviceFilesTest.HasCertificateAtsc
DeviceFilesTest.HasCertificateDefault
DeviceFilesTest.HasCertificateLegacy
DeviceFilesTest.HasCertificateNone
CertificateTest.StoreCertificateTest.DefaultAndLegacy/*
CertificateTest.RetrieveLegacyCertificateTest.ErrorScenarios/*
CertificateTest.RetrieveDefaultCertificateTest.ErrorScenarios/*
Change-Id: I7dbec7555fbd493c1ec61c6bb5d9428a2405b1fd
[ Merge of http://go/wvgerrit/119843 ]
Creation and expiration times are extracted from the device DRM
certificate. They are reported as
* -1 if not set in the proto
* 0 if unlimited
* positive number otherwise
Bug: 169740403
Test: WV unit, integraiton tests
Change-Id: I9463954dfeb82b6a88ff5d608ed74d20f2424e83
[ Merge of http://go/wvgerrit/119564 ]
This closes a crypto session when the provisioning request fails. We
cannot be as eager when handling the response as the app may have
multiple simultaneous provisioning attempts in flight. In this case
all provisioning responses except the one associated with the last
request will fail. If we close the session on error, even the one
associated with the last request may fail.
Bug: 180986725
Test: WV unit/integration tests
Change-Id: Ic3d33a374e442b5bf040e345bed829d91c4ef1dc
[ Merge of http://go/wvgerrit/118563 ]
Sync with the latest version of drm_certificate.proto to add in
certificate expiry time. Add in signed_drm_certificate.proto and remove
messages from device_certificate.proto.
SignedDrmDeviceCertificate and DrmDeviceCertificate are now named
SignedDrmCertificate and DrmCertificate. This necessitated non-proto
changes.
Bug: 169740403
Test: WV unit/integration tests
Change-Id: Ie5969ac7217a25eb075a41df59b77da2becd4545
[ Merge of http://go/wvgerrit/117267 ]
This includes some clang-format corrections that were missed in the
original merge from wvgerrit.
Bug: 174174765
Test: WvCdmRequestLicenseTest.ProvisioningRevocationTest,
WV unit/integration tests
Change-Id: Ifd16ab51eb89530fa5e0b91acc42f30864246d38
[ Merge of http://go/wvgerrit/117267 ]
The client will now advertise the ability to handle provisioning errors
by a minor version updated to the provisioning protocol version.
The provisioning service may indicate that the individual device
is revoked or all devices with the same make/model have been revoked.
If the provisoning service has not been upgraded, the protocol version
field in the request will be ignored. The provisioning service/SDK
will respond with an HTTP 400 error to a provisioning request from
a revoked device.
Bug: 174174765
Test: WvCdmRequestLicenseTest.ProvisioningRevocationTest,
WV unit/integration tests
Change-Id: I5ff61496685f310de6704a90452b8b76b3505cbb
[ Merge of http://go/wvgerrit/117266 ]
These changes facilitate communication of provisioning errors from
provisioning service/SDK to the client.
Clients will indicate in the SignedProvisioningMessage whether they
support handling of error information in the ProvisioningResponse.
The provisioning service/SDK can then indicate why the provisioning
request is being rejected.
The protocol_version field from SignedProvisioningMessage has also been
broken into separate protocol version and provisioning type fields.
This will support changes planned for future releases.
Bug: 174174765
Test: WV unit/integration tests
Change-Id: Ic1a41ed8f83b69697300c586a78266fac20298fb
[ Merge of http://go/wvgerrit/110923 ]
The CDM is responsible for telling OEMCrypto the underlying DRM
private key type when loading it into a session. To do this, the
CDM must determine and store the key type of a successfully loaded
provisioning response. The type of key is available from the
DRM certificate proto that is provided in the reponse.
This change introduces a class to contain the wrapped key and
type together. To store the type, the CDM device files have been
updated to include a key type with the DRM certificate and to
store from and load to the new class.
Unittests have been updated for using the new class where the
wrapped key was used before.
Test: Linux unit tests
Bug: 140813486
Change-Id: I09249afe9c291632fb651ecd00eac697d6939ec7
(cherry picked from commit 6c457402e944079271cef488aa4699f986da6a2e)
Merged-In: I09249afe9c291632fb651ecd00eac697d6939ec7
[ Merge of http://go/wvgerrit/108064 ]
The Widevine License Agreement has been renamed to use inclusive
language. This covers files in the core directory.
Bug: 168562298
Test: verified compilation (comment only change)
Change-Id: I8ae5a10cbfdf7faae6a2735e57b33729763f10b8
Merge from Widevine repo of http://go/wvgerrit/94243
When generating a second provisioning request, a new session should be
opened because a session can only have one nonce for v16.
For Provisioning 3.0 devices, the OEM Cert's private key must be
loaded in the new session.
Test: WvCdmRequestLicenseTest.ProvisioningInterposedRetryTest
Bug: 135288420 Nonce reuse
Bug: 141655126 Cert reload
Change-Id: I8a96566142c4d4380e2bdd571e8d363a7a1f74d4
Merge from Widevine repo of http://go/wvgerrit/93824
This treats an empty core message as not having a core message.
Bug: 149110740
Change-Id: Icacfc5d9a5bdce9b136c25c59205eee575cfba72
Tests: Ran ExoPlayer on taimen
Merge of http://go/wvgerrit/93404
This CL updates the Widevine CDM to support OEMCrypto v16.1
Test: Tested in 16.2 CL
Bug: 141247171
Change-Id: I69bd993500f6fb63bf6010c8b0250dc7acc3d71b
[ Merge of http://go/wvgerrit/87905 ]
Protobuf parsing of the provisioning message has been centralized in
certificate_provisioning.cpp since it will be invoked from
multiple locations. This will also ease maintainability of the code.
Bug: 142731300
Test: android unit/integration tests
Change-Id: Idebf6b0145b317698559cac1cf18a3a0b98315ad
[ Merge of http://go/wvgerrit/83423 ]
[ Merge of http://go/wvgerrit/83424 ]
[ Merge of http://go/wvgerrit/83425 ]
[ Merge of http://go/wvgerrit/83426 ]
[ Merge of http://go/wvgerrit/83427 ]
Types of cleanup:
- Removed function / class prefixes from the logs.
- Fixed log string format options to match the types passed
- Corrected small spelling mistakes / typos
- _Tried_ to make the log format more consistent
- Added static_cast<int> conversion on enumerations when logged
- Changed several LOGE to LOGW and vice versa
- Used LOGE if the triggering condition stops the method/function
from completing its task
- Used LOGW if the triggering condition changes the expected
outcome but does not stop the rest of the method/function's
task
- Changed several instances of `NULL` to `nullptr`
- Ran clang-format on files after cleanup
This is part of a larger code quality effort in Widevine DRM.
Test: WV linux unittests and WV Android unit tests
Bug: 134460638
Bug: 134365840
Bug: 136123217
Change-Id: I958ec70ef99eef95c38dbebd7a1acd62ef304145
[ Merge of http://go/wvgerrit/80484 ]
Clang-format has been run on files in core/src. clang-format has been turned
off for some blocks but otherwise no other changes have been made.
Bug: 134365840
Test: WV unit/integration tests
Change-Id: I6e509f25136f84d37de3d920084302f0f2c23dc4
[ Merge of http://go/wvgerrit/71326 ]
Nonce flood, frame size, session and system invalidation errors
will now bubble up to the app. OEMCrypto v15 returns
OEMCrypto_ERROR_BUFFER_TOO_LARGE, OEMCrypto_ERROR_SESSION_LOST_STATE,
OEMCrypto_ERROR_SYSTEM_INVALIDATED and a variety of nonce errors.
These will be reported to HIDL as OUTPUT_TOO_LARGE_ERROR,
ERROR_DRM_SESSION_LOST_STATE, ERROR_DRM_INVALID_STATE and
ERROR_DRM_RESOURCE_CONTENTION.
Bug: 120572706
Test: Unit/Integration tests
Change-Id: Ida177300046327ce81592a273028ef6c3a0d9fd9
[ Merge of http://go/wvgerrit/71103 ]
A content provider may specify a provider client token in a license.
This is a client token generated by a provider. If present in a license,
they will now be included in a license renewal request.
Bug: 34386290
Test: WV unit/integration tests
Change-Id: I3db303ea4d8b4ff4495393be4015b49e13db2ffc
[ Merge of http://go/wvgerrit/69724 ]
Some queries no longer require a session to be opened before they
can be answered - security level, current HDCP level, max HDCP level,
usage support, number of open sessions, max sessions,
OEMCrypto API version, current SRM version, SRM update support,
resource rating tier and OEMCrypto build information.
b/117104043
Test: WV unit/integration tests
Change-Id: I92f8249e5599860da8cbf42d3b16f25515a46c55
Merge from Widevine repo of http://go/wvgerrit/56520
This CL adds a test base that installs a test keybox and catches nonce
flood errors for all CDM tests.
In order to do this, a new class is added called a
CryptoSessionFactory. The default factory just creates a new
CryptoSession. All places in the code that create a new CryptoSession
now call the static method MakeCryptoSession, which uses the current
factory to create a CryptoSession. If MakeCryptoSession is called and
there is no current factory, a default factory is created.
The CryptoSession constructor is now private, so that we do not
accidentally try to create one without using the factory.
For the new test base, we first create a special test
CryptoSessionFactory that creates a TestCryptoSession. The test
factory catches the first call to MakeCryptoSession and injects an
installation of the test keybox after OEMCrypto_Initialize is called.
The TestCryptoSession injects a sleep statement and a retry whenever
it detects a nonce flood.
Test: current unit tests still pass.
bug: 72354901 Fix Generic Crypto tests.
bug: 111361440 Remove #ifdef from unit tests
Change-Id: I248e7f3c53721c04d2af412ef835e19bb4d15d9a
This CL cleans up some bad merges of client ID code, entitlement keys,
and concurrent session access. After this CL, core cdm code on
android should match that on widevine at the commit 2f916720 on branch
master.
CLs merged here are based on:
http://go/wvgerrit/50483 Protect sessions from concurrent access
http://go/wvgerrit/48860 Remove duplicate information from client identification
http://go/wvgerrit/49040 Revert revertion of Client ID Expansion
http://go/wvgerrit/46448 Test Entitlement Licenses
Test: tested as part of http://go/ag/4674759
Change-Id: I45854d6b034c247b16073a96d6ff3ea953ded3ae
[ Merge of http://go/wvgerrit/48720 ]
The device ID does not need to be sent in the client identification
information as it is either present in other fields or ignored
by the license service.
This also allows for build information to be reported during
provisioning for devices with OEM certificates.
Bug: 78578351
Test: WV unit/integration tests. GtsMediaTestCases.
Change-Id: I708c63d34f0e2df7e465154d12096a394a1b23d7
[ Merge of http://go/wvgerrit/46760 ]
This enables encryption of client ID for provisioning requests for
devices with keyboxes as root of trust. Client ID will not be
provided for those devices with OEM device certificates as root of
trust. That will be addressed in b/78303730.
Bug: 77607585
Test: WV unit/integration tests. Tests with L3 using OEM certs
Change-Id: Id9bd697aa049bd5659ab80714e141dbc50408f6a
Merge from Widevine repo of http://go/wvgerrit/47860
This CL updates the copyright notice to indicate that files
shared with partners are shared under the Widevine Master
License Agreement.
bug: 77926774
test: comment change only
Change-Id: I0423668111578b80fb39a932d763df2827e2dfc3
(This is a merge from http://go/wvgerrit/46447)
The Production Provisioning Service is moving to the "widevine.com"
certificate from the "license.widevine.com" certificate it was using.
This replaces the two places this certificate appears in the source
code. This is expected to be the last such update.
Also, the Staging Provisioning Service was already using this
certificate, but our code had it listed as using the old certificate. It
has also been updated.
Bug: 77244492
Test: CE CDM Unit Tests
Test: Android Unit Tests
Change-Id: I2ce14ea8e672c453ce0f74fbd3345f7e40f2f297
Merge from Widevine repo of http://go/wvgerrit/44505
This CL changes the certificate provisioning code to verify the
provisioning message using a cert from license.widevine.com instead of
the staging certificate.
It also adjusts the certificates in config_test_env.cpp because the
license and provisioning servers are different and may probably have
different certs.
bug: 73031756
test: unit tests with mock oemcrypto, and read oemcrypto on sailfish
Change-Id: I4b457a369a49ef07bda9e5632ab59e5f621ec966
These are a set of CLs merged from the wv cdm repo to the android repo.
* Correct error logging
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/40000 ]
In tests, we set the cipher list to avoid using insecure
ciphers when connecting to the provisioning/license service.
The result of setting the cipher list was being incorrectly
validated.
Bug: 64847919
* Move mips cache headers to clear_cache_function.h
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39700 ]
Since the clear_cache function has been moved away from the dynamic
adapter, we need these conditional includes to be migrated as well for
MIPS.
* Comment out Level 3 debug call until merge
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39761 ]
This call was introduced in go/wvgerrit/34260/. Since the haystack tool
in google3 still needs this merge, this should be commented out so the
tool can still build until the merge has finished.
* Add logging for MAC keys to mock
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39740 ]
Bug: 70637842
* Move external interfaces into level3.h + refactor
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39673 ]
As part of b/70523618, this CL moves interfaces that partners are
responsible for in Level 3 to level3.h so they can be visible as
part of the CDM release process. It also cleans up some of the
names of the files and adds documentation.
* Corrected close session logging level
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/39676 ]
Bug: 69460963
* Remove Security Level Path Backward Compatibility Support
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/39505 ]
From the android K release onwards certificates were stored in
security level specific directories. If upgrading from
previous releases persistent information needed to be moved
to those directories.
Since no device is likely to upgrade from J to Pi, comptibility
support can be removed.
Bug: 70160032
* Rename privacy_crypto_openssl To privacy_crypto_boringssl
Author: John W. Bruce <juce@google.com>
[ Merge of http://go/wvgerrit/37122 ]
Now that we no longer support OpenSSL in the Shared Source CDM, the name
of this file can be updated.
Bug: 67907873
Test: build.py x86-64
Test: wv_ce_cdm_unittest
Test: jenkins/linux_unit_tests
* Remove Conditional Compilation from OpenSSL/BoringSSL
Author: John W. Bruce <juce@google.com>
[ Merge of http://go/wvgerrit/39460 ]
This change removes the usages of conditional compilation to support
both BoringSSL and OpenSSL, as well as to support multiple versions of
the OpenSSL API. All code is now compiled against one of the two
versions of BoringSSL in third_party/.
Note that in some cases, the kit/ and legacy_kit/ versions of BoringSSL
had different APIs, so when removing the OpenSSL version compatibility
conditional compilation, sometimes the older branch was kept and
sometimes the newer branch was kept.
Bug: 67907873
Test: build.py x86-64
Test: wv_ce_cdm_unittest
Test: jenkins/linux_unit_tests
* Build CE & Jenkins CDMs With BoringSSL from third_party/
Author: John W. Bruce <juce@google.com>
[ Merge of http://go/wvgerrit/37120 ]
Up until now, integrators have been responsible for providing a
compatible crypto library for use by the CE CDM. (either OpenSSL or
BoringSSL) After this change, this decision will no longer be in their
hands. The CE CDM build will always use the copy of BoringSSL in
third_party/, which will be statically linked with our library with
hidden visibility. This allows us to better control what crypto library
we use and will prevent continuing problems with trying to support both
OpenSSL and BoringSSL.
Unfortunately, BoringSSL began using C++11 in mid-2017, and we can't
support C++11 right now. Until we can, we need to use a C++11-free
version of BoringSSL for libssl. The CDM itself will continue to use a
recent BoringSSL, as it only needs libcrypto. But the unit tests that
need libssl have to use the legacy version.
Bug: 67907873
Test: build.py x86-64
Test: wv_ce_cdm_unittest
Test: jenkins/linux_unit_tests
* Modified RNG for Level3 to use more entropy
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39220 ]
Bug: 65165076
Modified seed generation to use an xor of clock_gettime and
client-implemented code to supply random seeds to the RNG. Modified the RNG
as well to use xoroshiro128+ instead of xorshift, since it uses more
than one seed/state (which are 64-bit) and has higher "statistical quality".
The default implementations for the seed generation use /dev/urandom.
* Configure base path for Level3FileSystem
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/39506 ]
This is in response to b/70354006. This change makes the
Android Level3FileSystem use the existing properties method
GetDevicesFilesBasePath for binderization. The same is done for the
Linux implementation.
* Add legacy_kit/ to BoringSSL Directory
Author: John W. Bruce <juce@google.com>
[ Merge of http://go/wvgerrit/38861 ]
This adds a second copy of BoringSSL to the third_party/boringssl/
directory. This second copy is pinned to the last revision of BoringSSL
not to require C++11 and is not updated by the UPDATE_BORINGSSL.sh
script. This second copy will be used to provide libssl to the tests on
devices that do not support C++11.
Once we support C++11 in the CDM again, this weight should be removed
and all targets should use the copy of BoringSSL in the kit/ directory.
Bug: 67907873
* Use Shared Libraries for Unit Tests
Author: John W. Bruce <juce@google.com>
[ Merge of http://go/wvgerrit/38860 ]
Some unit tests were using a statically-linked CDM instead of a
dynamically-linked one. (Or, in one case, trying to link both ways into
the same binary.) For now, we need to only link dynamically, so that the
unit tests and the CDM can use different versions of BoringSSL.
Long-term, we would like to test both kinds of linkage. (See b/69548115
for that.)
Some unit tests were also using a dynamicaly-linked CDM that was named
such that it appeared to be statically-linked. This patch renames some
targets to make the linkage clearer.
Bug: 67907873
* Change CDM_Backwards_Compatiblity_Tests to dedicated brances
Author: Fred Gylys-Colwell <fredgc@google.com>
[ Merge of http://go/wvgerrit/39003 ]
The build scripts used by CDM_Backwards_Compatiblity_Tests now pull
old versions of oemcrypto from the dedicated branches oemcrypto-v*,
which [will eventually] contain old oemcrypto versions, that build
with the current build system with a current boringssl version.
bug: 67907873
* Fix spacing on level3 header
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/38760 ]
* Correct Query status calls
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/38640 ]
Bug: 70160032
* Refactoring to allow encryption of client ID
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/37460 ]
The code has been restructured to allow encryption of client
identification in provisioning requests. This will be enabled
when server side changes have been made (b/69427217).
* Additional information is included in the Client Identification
portion of the provisioning request.
* Client identification will be encrypted with a service
certificate provided by the app/client. Platform changes
to enable passing this to core are needed. If a service certificate
is not provided, a default one associated with the production Keysmith
will be used.
* Switched APIs in CdmEngine to take a service certificate for
provisioning rather than licensing. Service certificates for
licensing are session based and passed as properties from platform
code.
Bug: 30737060
* Allow some CDM errors to be reported from multiple locations
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/38360 ]
This creates some CdmResponseType errors which may be reused
PARAMETER_NULL, NOT_INITIALIZED_ERROR, REINIT_ERROR.
I have made changes to a few classes to report these errors.
Will work on additional classes in a separate CL.
Bug: 69864404
BUG: 71650075
Test: WV Unit/integration tests
Change-Id: Icc048770d424ac537d11ff327cda2cb142da802d
These are a set of CLs merged from the wv cdm repo to the android
repo.
* Android build fixes
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/36322 ]
* Address android compilation errors and warnings
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/36300 ]
* Gyp cleanup and OpenSSL v10.1 support.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/36001 ]
OpenSSL 10.1 has a small number of incompatible changes.
A desktop system upgrade exposed some issue in the build scripts.
Specifically, the linux build was using both third_party/protobufs (2.6.1)
and the version installed on the system (3.0 in this case). The linux
cdm.gyp depended on cdm/cdm.gyp which caused that plus some
additional issues.
These changes are necessary to support g++ version:
g++ (Debian 6.3.0-18) 6.3.0 20170516
Also did some cosmetic rework on run_current_tests to make it easier
to figure out what is going on when something fails.
Also tweaked some of the compiler settings for g++ support (revisit
this later).
* Refactored Service Certificate encryption to allow encryption of arbitrary data.
Author: Thomas Inskip <tinskip@google.com>
[ Merge of http://go/wvgerrit/36141 ]
* Send cdm test requests to UAT.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/36221 ]
This change resolves the all of the
CdmDecryptTest/CdmTestWithDecryptParam.DecryptToClearBuffer
tests.
The license servers will return different keys and keyids.
Sending the request to staging returned key ids and keys that were
not matching what was expected in the unit tests.
* Fix for building L3 OEMCrypto with clang and libc++
Author: yucliu <yucliu@google.com>
[ Merge of http://go/wvgerrit/35740 ]
1. Include <time.h> for time(time_t*).
2. Create endian check union on stack. Clang may create const union
somewhere else, which may cause crash.
* Remove error result when a sublicense session does
not exist. This is not considered an error.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/36080 ]
* Set default mock handler for GetSupportedCertificateTypes
for all unit tests and removed the use of StrictMock from
MockCryptoSession.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/35922 ]
The handler for this was only set for one test and resulted
in a number of failures.
* Set default handler for GetHdcpCapabilities. For
now the default action is to call the real
GetHdcpCapabilities of crypto_session.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/36140 ]
I also changed the mock to a NiceMock to silence
responses to unexpected calls to GetHdcpCapabilities.
The default handler can be overridden as needed in
the individual tests.
This resolves the policy engine test failures.
* Finalize merge of cdm_partner_3.4 to master.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35360 ]
This is the final set of updates to merge all v3.4.1
changes into master.
* Embedded license: Sublicense rotation.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/35360 ]
Handle sublicense rotation event.
* Embedded license: Initial license phase.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/34280 ]
Initial license phase - key loading subsession.
* Embedded license: generate session data.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33722 ]
Generate session data and add it to the license request for
any embedded license material.
* Resolve missing symbol when building cd-cdm
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/35840 ]
* C++11: Replace OVERRIDE def with override keyword
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35400 ]
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I37d0cb17f255ac6389030047d616ad69f895748c
These are a set of CLs merged from the wv cdm repo to the android repo.
* Resolve intermittent decrypt error.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/35720 ]
The CdmSession's closed state was not properly
initialized resulting in intermittent
SESSION_NOT_FOUND_FOR_DECRYPT errors.
In CdmEngine::Decrypt the session is looked up by
the key id. A list of open sessions is acquired
by calling CdmSessionMap::GetSessionList and each
session in the list is queried to see if it has
the key.
In building the list in CdmSessionMap::GetSessionList,
sessions are only added to the query list *if* the session
is not closed.
The closed status was not initialized and during testing
the query list would not contain the session causing
CdmEngine::Decrypt to return SESSION_NOT_FOUND_FOR_DECRYPT
resulting in the ce cdm api returning widevine::Cdm::kNoKey.
* No support for pre- C++11 compilation.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35381 ]
* Handle unaligned nonce pointer in RewrapDeviceRSAKey calls.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35340 ]
The pointer points into a message and it may not be aligned.
Always copy the nonce into aligned memory before checking it.
BUG: 38140370
Add note to CHANGELOG for this.
* Compiler strictness: more checks and code cleanup.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/35300 ]
Use the switches proposed in b/38033653 (as much as possible - some
conflicts with protobufs and gtest prevent fully accepting them).
Switch to clang for x32 build; ensure that both x86-64 and x86-32 builds
compile and link cleanly.
BUG: 38032429
BUG: 38033653
This partially resolves b/38458986
* Android build fixes
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/35102 ]
These corrections address compile warnings and errors for android
and unit tests.
* Embedded License: Add sub license key sessions.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33680 ]
NOTE: this adds the AddSubSession() method, but it is not yet being
used. Use and proper cleanup is in an upcoming CL.
* Embedded license: Add track label field.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33660 ]
A new track label field (a string) is added to the key container and the
sub session data objects.
This field will be used in handling sub license requests.
* Embedded license: extract keys from init_data.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33621 ]
* Embedded license: add protobuf messages.
Author: Jeff Fore <jfore@google.com>
[ Merge of http://go/wvgerrit/33620 ]
also sync the widevine header definition with recent naming changes.
* Improve handling of provisioning response errors.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/33600 ]
Separate out the case of no response and the case
where the message is believed to be a JSON+base64
message but it doesn't parse properly.
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I3c86f1c54980b071aec7461ac58541836551f896
These are a set of CLs merged from the wv cdm repo to the android repo.
* Correct RELEASE_ALL_USAGE_INFO_ERRORs
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/28742 ]
RELEASE_ALL_USAGE_INFO_ERROR_4 and 5 were introduced and made use of in
http://go/wvgerrit/24022 (branch: oc-dev). The error code definitions
were merged over in http://go/wvgerrit/24602.
When http://go/wvgerrit/24622 from cdm_partners_3.2 was merged to master
(http://go/wvgerrit/27723) there was conflict in error codes. The error
codes were adjusted to RELEASE_ALL_USAGE_INFO_ERROR_3 and 4
and were made use of.
To avoid renaming the errors between oc-dev and master, new errors
RELEASE_ALL_USAGE_INFO_ERROR_6 and 7 have been added to handle the
scenarios noted in the merge from cdm_partner_3.2. The other
errors have been reverted back to RELEASE_ALL_USAGE_INFO_ERROR_4 and 5.
They will be used when http://go/wvgerrit/24602 is merged.
* Address compilation issues
Author: Rahul Frias <rfrias@google.com>
[ Merge of http://go/wvgerrit/28740 ]
These changes enable compilation of most of the cdm code on android
expect for OEMCrypto unit tests (b/62739406) on wv master.
* Add property for binary/base64 provisioning msgs.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28074 ]
Property is "provisioning_messages_are_binary". Its default setting is
false in the CE CDM, but it can be overridden by integrators.
Added section to integration guide that discusses Provisioning Server
message formats and the new property.
Link: https://docs.google.com/document/d/1cBVbhgrajLpDe2W3_vzLzUqzpdDt73chvm4_sZlZlS8/edit#heading=h.hgxw53ddw7jo
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I9168193819974d1ff65d9a94dbd762e45ecc43ca
These are a set of CLs merged from the wv cdm repo to the android repo.
* Add CDM status return for decrypt blocked by HDCP.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28062 ]
New status code is kKeyUsageBlockedByPolicy. It is returned by the decrypt()
call instead of kDecryptError or kNoKey.
Also shuffled the CDM status returns to define the EME-aligned codes
first, and added comments to highlight the differences in handling.
BUG: 37540672
* Change division and mod ops to relocatables
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/28600 ]
This is similar to I2dad1028acf295288cd10817a2bcff2513c053c9.
We should be using the relocatable functions instead of the
native division and mod operations.
* Cleanup Encrypted ClientID in provisioning request
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28083 ]
b/36897239
Staging server does not support it (or the client is not constructing
it properly). Leave it disabled pending investigation.
* Certificate Provisioning fixes.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28066 ]
Partial fix for BUG: 37482676
Partial fix for BUG: 37481392
Update service certificates, get rid of DEV/QA root certificate.
Provisioning request and response are base64 (web-safe) encoded.
Response is optionally JSON-wrapped.
Change ConfigTestEnv; clearer comments and a closer match to reality.
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I79d3c4bf1124e5e0d3e4d40baead65a8266ea874
These are a set of CLs merged from the wv cdm repo to the android repo.
* Update service certificate.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28065 ]
The updated service certificate fixes a number of failing tests.
There are still some that fail, apparently due to mismatches
with key set IDs and usage tables.
Also updated QA server URL to point to QA proxy (although neither
can be used by this client).
Also fixed segfault in CdmTest.ListUsageRecords.
* Add CDM APIs for Handling Service Certificates.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/28064 ]
The responsibility for managing Service Certificates has been moved
out of the CDM. Instead, provide CDM and CdmEngine methods to generate
a service certificate request message, and handle a service certificate
response. The API client can use these calls if it needs to get the
service certificate from the License Server.
These functions assume the request and response are base64 (web-safe)
encoded (see b/37481392). Not all servers are operating this way yet.
Any adaptations for non-compliant servers is handled outside the CDM.
See test WvCdmEnginePreProvTest::ServiceCertificateRequestResponse in
cdm_engine_test.cpp for an example of this.
These changes also eliminate the stored init_data and deferred
license type which were used to perform a service certificate request
during a license request.
* Fix and rename ClosesSessionWithoutReturningError test.
Author: Edwin Wong <edwinwong@google.com>
[ Merge of http://go/wvgerrit/27880 ]
ClosesSessionWithoutReturningError should not check for
Status::OK since it is expecting an error code back.
The test is renamed to ClosesSessionWithError.
Test: libwvdrmdrmplugin_hidl_test
BUG: 62205215
* Get rid of default service certificate.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27981 ]
Instead, we need at least two service certs - one for the QA/Test
servers, and one for UAT (and prod?)
There are still some issues around the signature verififcation
of the service cert, and in license_unittest.cpp, the use
of the default service cert has been commented out. I don't know
why this test needs a service cert. If it really does, then the
same mechanism that is used elsewhere for selecting a specific
server type will be needed here.
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: Ieab815fb202c809ad5714cd0364c4bdfa068f77d
Below are a set of CLs being merged from the wv cdm repo to the android repo.
* Fix handling of OEM Cert public key.
Author: Srujan Gaddam <srujzs@google.com>
[ Merge of http://go/wvgerrit/27921 ]
This is a potential fix for b/36656190. Set aside public
key on first call to get the public key, and use it afterwards.
This gets rid of extra calls to OEMCrypto_GetOEMPublicCertificate(),
which has side-effect of staging the OEM private key.
This also fixes a problem where the public cert string was
not being trimmed to match the size returned by
OEMCrypto_GetOEMPublicCertificate().
* Complete provisioning request/response for Provisioning 3.0
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27780 ]
Fix bug on provisioning request path where GenerateDerivedKeys()
was being called when preparing to generate the signature.
Add message signature verification, and call correct OEMCrypto
routine to rewrap the private key (OEMCrypto_RewrapDeviceRSAKey30).
* Implement Cdm::deleteAllUsageRecords()
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27780 ]
Delete all usage records for current origin. Removes usage
records from file system and retains the PSTs. The deletes
any usage entries matching those PSTs held by OEMCrypto.
BUG: 35319024
* Remove stringencoders library from third_party.
Author: Jacob Trimble <modmaker@google.com>
[ Merge of http://go/wvgerrit/27585 ]
We have a fork of the stringencoders library that we use for base64
encoding. This reimplements base64 encoding to remove the extra
dependency and to reduce the amount of code.
* Add Cdm::deleteUsageRecord() based on key_set_id.
Author: Gene Morgan <gmorgan@google.com>
[ Merge of http://go/wvgerrit/27605 ]
Delete specified usage record from file system usage info and
from OEMCrypto.
BUG: 35319024
* Modifiable OEMCrypto
Author: Fred Gylys-Colwell <fredgc@google.com>
[ Merge of http://go/wvgerrit/24729 ]
This CL adds a new variant of the OEMCrypto mock code that adjusts its
behavior based on a configuration file. This is intended for
testing.
For example, a tester can set current_hdcp to 2 in the options.txt
file, push it to the device, and verify that a license is granted for
HDCP 2.0. Then the tester can edit the value of current_hdcp to 1 and
push the file to the device. Playback should stop because the license
is no longer valid.
This variant uses a real level 1 liboemcrypto.so to push data to a
secure buffer. That means we can test playback for a license that
requires secure buffers on an Android device with real secure buffers.
BUG: 35141278
BUG: 37353534
BUG: 71650075
Test: Not currently passing. Will be addressed in a subsequent
commit in the chain.
Change-Id: I58443c510919e992bb455192e70373490a00e2b6
[ Merge of http://go/wvgerrit/23360 ]
Service Certificates are used in two places, provisioning and
licensing. The service certificate code depended on a session_id
to get and set the service certificate properties, but the session_id
was not available in the provisioning path.
This patch pulls out the property lookup by session_id dependency,
and passes the CdmImpl's property_set into the provisioning code, so
the service certificate can be read and written there.
Bug: 62972441
Test: WV unit/integration tests. This introduces three test failures
* WvCdmRequestLicenseTest.PrivacyModeWithServiceCertificateTest
* Cdm/WvCdmStreamingLicenseRenewalTest.WithClientId/4
* Cdm/WvCdmOfflineLicenseReleaseTest.WithClientId/3
Change-Id: I6e9d4e23a9e7e81a63a994db8ec0b443893449a6
[ Merge of http://go/wvgerrit/29004 ]
Enable support for provisioning with OEM certificates as root of
trust.
b/62972441
Test: WV unit/intgration test and cdm_feature_test
Change-Id: I30576fc0bb68a873eeaaca03f6b9c89fa6a14327
(This is a merge of wvgerrit/25582)
Provisioning 3.0 devices that do not use SPOIDs have been returning
their full OEM Public Certificate as their device ID. While this is not
a security concern, (it is a PUBLIC cert) the cert is many times larger
than applications are likely expecting. (several kilobytes vs. just a
few bytes) This patch hashes the OEM Public Certificate to produce a
smaller value, but only when it is being provided out of the CDM to a
caller.
Bug: 34716264
Test: run_all_unit_tests.sh
Change-Id: Ib82cf7a174a8bf02ff606edd0394ada13842224c
Merge from widevine repo of http://go/wvgerrit/24421
A nonce generation error for a certificate provisioning request had a
generic name Error2. However, this is an actionable error by the
application: the application should wait 1 second and try again.
Therefore it deserves a more descriptive name.
bug: 35926133
bug: 35879493
Change-Id: I6c87a5a762cb970c9530a55c993d7acbed773a00
(This is a merge of go/wvgerrit/23182)
This patch adds the framework for Stable Per-Origin Identifiers to the
CDM. Calculating SPOIDs will be done on the client-side, and they are
sent as part of the provisioning request. SPOIDs are also available to
the app as the Device Unique ID, replacing the previous method of
returning the actual Device Unique ID from the keybox / OEM certificate.
Different SPOIDs must use separate storage, just as different origins
already do. Support for this has been added to the Android adapter to the
CDM Core. However, the code in the Android glue layer that would drive
this behavior will be checked in in a separate change. As such, all
Android devices will continue using the legacy behavior even after this
patch goes in, until the glue layer code can be updated.
Bug: 27101531
Test: CE CDM Unit Tests
Test: Linux Jenkins Unit Tests
Test: Android Unit Tests (with and without SPOIDs forced on)
Test: Android GTS Tests
Change-Id: Ia0caf890381cbcb97504d08b19aeab8b29bd07ae
[ Merge of http://go/wvgerrit/22900 ]
Add GetClientToken(), GetProvisioningToken(), GetPreProvisionTokenType()
to CryptoSession. They return the correct token bytes and token type
for preparing the ClientIdentification message for provisioning and
license server transactions.
Also refactor service certificate handling.
OEM certs are introduced in Provisioning 3.0
b/30811184
* Address build breaks
[ Merge of http://go/wvgerrit/23162 ]
This addresses issues introduced by http://go/wvgerrit/22900
b/30811184
* When http://go/wvgerrit/18012 was merged (ag/1446934) some changes
were not merged for mapErrors-inl.h. These changes are included in this CL.
* When ag/1678104 was reverse merged to http//go/wvgerrit/21981/ a variable
was renamed and some comments were added to add clarity in cdm_engine.cpp.
These changes are included in this CL.
Test: All unittests other than some oemcrypto, request_license_test
passed. Those tests failed with or without this CL.
Change-Id: Ie0215509f2f985f2a610f5a4c865db47edec8662
