widevine-partner/ce_cdm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Source release 18.6.0

Browse Source
This commit is contained in:
Alex Dale
2024-06-27 12:54:34 -07:00
parent 28ec8548c6
commit 20c0587dcb
56 changed files with 1191 additions and 35538 deletions
Download Patch File Download Diff File Expand all files Collapse all files

172
oemcrypto/test/oemcrypto_provisioning_test.cpp
View File

@@ -6,6 +6,7 @@
#include "oemcrypto_provisioning_test.h"
#include "log.h"
#include "oec_device_features.h"
#include "platform.h"
#include "test_sleep.h"
@@ -161,10 +162,6 @@ TEST_F(OEMCryptoProv30Test, GetCertOnlyAPI16) {
public_cert.resize(public_cert_length);
ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_GetOEMPublicCertificate(
public_cert.data(), &public_cert_length));
// Derive keys from the session key -- this should use the DRM Cert's key.
// It should NOT use the OEM Private key because that key should not have
// been loaded.
ASSERT_NO_FATAL_FAILURE(s.GenerateDerivedKeysFromSessionKey());
// Now fill a message and try to load it.
LicenseRoundTrip license_messages(&s);
license_messages.set_control(0);
@@ -739,6 +736,9 @@ TEST_F(OEMCryptoLoadsCertificate, SignProvisioningRequest) {
ASSERT_NO_FATAL_FAILURE(s.open());
if (global_features.provisioning_method == OEMCrypto_OEMCertificate) {
s.LoadOEMCert(true);
} else if (global_features.provisioning_method ==
OEMCrypto_DrmReprovisioning) {
s.SetTestRsaPublicKey();
} else {
EXPECT_EQ(global_features.provisioning_method, OEMCrypto_Keybox);
s.GenerateDerivedKeysFromKeybox(keybox_);
@@ -758,6 +758,9 @@ TEST_F(OEMCryptoLoadsCertificate, SignLargeProvisioningRequestAPI16) {
ASSERT_NO_FATAL_FAILURE(s.open());
if (global_features.provisioning_method == OEMCrypto_OEMCertificate) {
s.LoadOEMCert(true);
} else if (global_features.provisioning_method ==
OEMCrypto_DrmReprovisioning) {
s.SetTestRsaPublicKey();
} else {
EXPECT_EQ(global_features.provisioning_method, OEMCrypto_Keybox);
s.GenerateDerivedKeysFromKeybox(keybox_);
@@ -798,6 +801,12 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange1_API16) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -820,6 +829,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange2_API16) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -842,6 +856,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange3_API16) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -866,6 +885,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange4_API16) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -893,6 +917,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRange5Prov30_API16) {
if (global_features.provisioning_method != OEMCrypto_OEMCertificate) {
GTEST_SKIP() << "Test for Prov 3.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -940,6 +969,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadNonce_API16) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -959,6 +993,11 @@ TEST_F(OEMCryptoLoadsCertificate, CertificateProvisionBadRSAKey) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates and do not support
// key rewrapping.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
Session s;
ProvisioningRoundTrip provisioning_messages(&s, encoded_rsa_key_);
provisioning_messages.PrepareSession(keybox_);
@@ -1125,6 +1164,10 @@ TEST_F(OEMCryptoLoadsCertificate, TestMultipleRSAKeys) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey());
Session s1; // Session s1 loads the default rsa key, but doesn't use it
// until after s2 uses its key.
@@ -1166,6 +1209,10 @@ TEST_F(OEMCryptoLoadsCertificate, TestMaxDRMKeys) {
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
// DRM Reprovisioning CDMs have embedded certificates.
if (global_features.provisioning_method == OEMCrypto_DrmReprovisioning) {
GTEST_SKIP() << "Test for non DRM Reprovisioning devices.";
}
const size_t max_total_keys = GetResourceValue(kMaxTotalDRMPrivateKeys);
std::vector<std::unique_ptr<Session>> sessions;
std::vector<std::unique_ptr<LicenseRoundTrip>> licenses;
@@ -1243,123 +1290,6 @@ TEST_F(OEMCryptoLoadsCertificate, SupportsCertificatesAPI13) {
<< "Supported certificates is only " << OEMCrypto_SupportedCertificates();
}
// This test is not run by default, because it takes a long time and
// is used to measure RSA performance, not test functionality.
TEST_F(OEMCryptoLoadsCertificate, RSAPerformance) {
// TODO(b/197141970): Need to revisit OEMCryptoLoadsCert* tests for
// provisioning 4. Disabled here temporarily.
if (global_features.provisioning_method == OEMCrypto_BootCertificateChain) {
GTEST_SKIP() << "Test for non Prov 4.0 devices only.";
}
const std::chrono::milliseconds kTestDuration(5000);
OEMCryptoResult sts;
std::chrono::steady_clock clock;
wvutil::TestSleep::Sleep(kShortSleep); // Make sure we are not nonce limited.
auto start_time = clock.now();
int count = 15;
for (int i = 0; i < count; i++) { // Only 20 nonce available.
ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey());
}
auto delta_time = clock.now() - start_time;
const double provision_time =
delta_time / std::chrono::milliseconds(1) / count;
Session session;
ASSERT_NO_FATAL_FAILURE(CreateWrappedDRMKey());
start_time = clock.now();
count = 0;
while (clock.now() - start_time < kTestDuration) {
Session s;
ASSERT_NO_FATAL_FAILURE(s.open());
ASSERT_NO_FATAL_FAILURE(s.LoadWrappedRsaDrmKey(wrapped_drm_key_));
const size_t size = 50;
vector<uint8_t> licenseRequest(size);
GetRandBytes(licenseRequest.data(), licenseRequest.size());
size_t signature_length = 0;
sts = OEMCrypto_GenerateRSASignature(s.session_id(), licenseRequest.data(),
licenseRequest.size(), nullptr,
&signature_length, kSign_RSASSA_PSS);
ASSERT_EQ(OEMCrypto_ERROR_SHORT_BUFFER, sts);
ASSERT_NE(static_cast<size_t>(0), signature_length);
if (ShouldGenerateCorpus()) {
const std::string file_name =
GetFileName("oemcrypto_generate_rsa_signature_fuzz_seed_corpus");
OEMCrypto_Generate_RSA_Signature_Fuzz fuzzed_structure;
fuzzed_structure.padding_scheme = kSign_RSASSA_PSS;
fuzzed_structure.signature_length = signature_length;
// Cipher mode and algorithm.
AppendToFile(file_name, reinterpret_cast<const char*>(&fuzzed_structure),
sizeof(fuzzed_structure));
AppendToFile(file_name,
reinterpret_cast<const char*>(licenseRequest.data()),
licenseRequest.size());
}
std::vector<uint8_t> signature(signature_length, 0);
sts = OEMCrypto_GenerateRSASignature(
s.session_id(), licenseRequest.data(), licenseRequest.size(),
signature.data(), &signature_length, kSign_RSASSA_PSS);
ASSERT_EQ(OEMCrypto_SUCCESS, sts);
count++;
}
delta_time = clock.now() - start_time;
const double license_request_time =
delta_time / std::chrono::milliseconds(1) / count;
Session s;
ASSERT_NO_FATAL_FAILURE(s.open());
ASSERT_NO_FATAL_FAILURE(s.LoadWrappedRsaDrmKey(wrapped_drm_key_));
vector<uint8_t> session_key;
vector<uint8_t> enc_session_key;
ASSERT_NO_FATAL_FAILURE(s.SetRsaPublicKeyFromPrivateKeyInfo(
encoded_rsa_key_.data(), encoded_rsa_key_.size()));
ASSERT_TRUE(s.GenerateRsaSessionKey(&session_key, &enc_session_key));
vector<uint8_t> mac_context;
vector<uint8_t> enc_context;
s.FillDefaultContext(&mac_context, &enc_context);
enc_session_key = wvutil::a2b_hex(
"7789c619aa3b9fa3c0a53f57a4abc6"
"02157c8aa57e3c6fb450b0bea22667fb"
"0c3200f9d9d618e397837c720dc2dadf"
"486f33590744b2a4e54ca134ae7dbf74"
"434c2fcf6b525f3e132262f05ea3b3c1"
"198595c0e52b573335b2e8a3debd0d0d"
"d0306f8fcdde4e76476be71342957251"
"e1688c9ca6c1c34ed056d3b989394160"
"cf6937e5ce4d39cc73d11a2e93da21a2"
"fa019d246c852fe960095b32f120c3c2"
"7085f7b64aac344a68d607c0768676ce"
"d4c5b2d057f7601921b453a451e1dea0"
"843ebfef628d9af2784d68e86b730476"
"e136dfe19989de4be30a4e7878efcde5"
"ad2b1254f80c0c5dd3cf111b56572217"
"b9f58fc1dacbf74b59d354a1e62cfa0e"
"bf");
start_time = clock.now();
while (clock.now() - start_time < kTestDuration) {
ASSERT_EQ(OEMCrypto_SUCCESS,
OEMCrypto_DeriveKeysFromSessionKey(
s.session_id(), enc_session_key.data(),
enc_session_key.size(), mac_context.data(),
mac_context.size(), enc_context.data(), enc_context.size()));
count++;
}
delta_time = clock.now() - start_time;
const double derive_keys_time =
delta_time / std::chrono::milliseconds(1) / count;
OEMCrypto_Security_Level level = OEMCrypto_SecurityLevel();
printf(
"PERF:head, security, provision (ms), lic req(ms), derive "
"keys(ms)\n");
printf("PERF:stat, %u, %8.3f, %8.3f, %8.3f\n",
static_cast<unsigned int>(level), provision_time, license_request_time,
derive_keys_time);
}
// Test DeriveKeysFromSessionKey using the maximum size for the HMAC context.
TEST_F(OEMCryptoUsesCertificate, GenerateDerivedKeysLargeBuffer) {
vector<uint8_t> session_key;