widevine-partner/media_cas_packager_sdk_source
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a few more checks for "key length" and "iv length".

Browse Source 
-------------
Pad key value when crypto_mode is DVB_CSA, so that the key length is always 16 bytes.

-------------
Minor comment and example code update.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=219860612
This commit is contained in:
Fang Yu
2018-11-02 14:22:06 -07:00
parent 5ac3c5a95b
commit 0441c0b8d4
5 changed files with 128 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
example/wv_cas_ecm_example.cc
View File

@@ -14,12 +14,13 @@
#include "media_cas_packager_sdk/public/wv_cas_ecm.h" #include "media_cas_packager_sdk/public/wv_cas_ecm.h"
#include "media_cas_packager_sdk/public/wv_cas_types.h" #include "media_cas_packager_sdk/public/wv_cas_types.h"
const int kContentIvSize = 16;
const bool kKeyRotationEnabled = true; const bool kKeyRotationEnabled = true;
const char kEvenKey[] = "even_content_key"; // 16 bytes const char kEvenKey[] = "even_content_key"; // 16 bytes
const char kCsaEvenKey[] = "12345678"; // 8 bytes
const char kEvenContentIv8Bytes[] = "evencont"; // 8 bytes const char kEvenContentIv8Bytes[] = "evencont"; // 8 bytes
const char kEvenContentIv16Bytes[] = "evencontevencont"; // 16 bytes const char kEvenContentIv16Bytes[] = "evencontevencont"; // 16 bytes
const char kOddKey[] = "odd_content_key."; // 16 bytes const char kOddKey[] = "odd_content_key."; // 16 bytes
const char kCsaOddKey[] = "87654321"; // 8 bytes
const char kOddContentIv8Bytes[] = "oddcont."; // 8 bytes const char kOddContentIv8Bytes[] = "oddcont."; // 8 bytes
const char kOddContentIv16Bytes[] = "oddcont.oddcont."; // 16 bytes const char kOddContentIv16Bytes[] = "oddcont.oddcont."; // 16 bytes
const char kEntitlementKeyId[] = "ent_key_id......"; // 16 bytes const char kEntitlementKeyId[] = "ent_key_id......"; // 16 bytes
@@ -28,7 +29,7 @@ const char kEntitlementKey[] = "entitlement_key................."; // 32 bytes
int main(int argc, char **argv) { int main(int argc, char **argv) {
widevine::cas::WvCasEcm wv_cas_ecm; widevine::cas::WvCasEcm wv_cas_ecm;
widevine::cas::WvCasStatus status = widevine::cas::WvCasStatus status =
wv_cas_ecm.Initialize(kContentIvSize, kKeyRotationEnabled, wv_cas_ecm.Initialize(/* content_iv_size= */ 8, kKeyRotationEnabled,
widevine::cas::CryptoMode::kDvbCsa); widevine::cas::CryptoMode::kDvbCsa);
if (status != widevine::cas::OK) { if (status != widevine::cas::OK) {
std::cerr << "Failed to initialize WV CAS ECM, error: " std::cerr << "Failed to initialize WV CAS ECM, error: "
@@ -36,8 +37,8 @@ int main(int argc, char **argv) {
<< std::endl; << std::endl;
} }
std::string ecm; std::string ecm;
status = wv_cas_ecm.GenerateEcm(kEvenKey, kEvenContentIv16Bytes, kOddKey, status = wv_cas_ecm.GenerateEcm(kCsaEvenKey, kEvenContentIv8Bytes, kCsaOddKey,
kOddContentIv16Bytes, kEntitlementKeyId, kOddContentIv8Bytes, kEntitlementKeyId,
kEntitlementKey, &ecm); kEntitlementKey, &ecm);
if (status != widevine::cas::OK) { if (status != widevine::cas::OK) {
std::cerr << "Failed to generate WV CAS ECM, error: " std::cerr << "Failed to generate WV CAS ECM, error: "

53
media_cas_packager_sdk/internal/ecm.cc
View File

@@ -60,6 +60,7 @@ static constexpr int kNumBitsUnusedField = 6;
static constexpr size_t kKeyIdSizeBytes = 16; static constexpr size_t kKeyIdSizeBytes = 16;
static constexpr size_t kKeyDataSizeBytes = 16; static constexpr size_t kKeyDataSizeBytes = 16;
static constexpr size_t kWrappedKeyIvSizeBytes = 16; static constexpr size_t kWrappedKeyIvSizeBytes = 16;
static constexpr size_t kWrappingKeySizeBytes = 32; // entitlement key
static constexpr size_t kWrappingKeyIvSizeBytes = 16; static constexpr size_t kWrappingKeyIvSizeBytes = 16;
// BitField constants for the ECM payload // BitField constants for the ECM payload
@@ -302,21 +303,39 @@ util::Status CasEcm::WrapEntitledKeys(
if (entitled_key->wrapped_key_iv.empty()) { if (entitled_key->wrapped_key_iv.empty()) {
CHECK(RandomBytes(kWrappedKeyIvSizeBytes, &entitled_key->wrapped_key_iv)); CHECK(RandomBytes(kWrappedKeyIvSizeBytes, &entitled_key->wrapped_key_iv));
} }
entitled_key->wrapped_key_value = util::Status status =
WrapKey(entitlement_key->key_value, entitled_key->wrapped_key_iv, WrapKey(entitlement_key->key_value, entitled_key->wrapped_key_iv,
entitled_key->key_value); entitled_key->key_value, &entitled_key->wrapped_key_value);
if (!status.ok()) {
return status;
}
entitlement_key++; entitlement_key++;
} }
return util::OkStatus(); return util::OkStatus();
} }
std::string CasEcm::WrapKey(const std::string& wrapping_key, const std::string& iv, util::Status CasEcm::WrapKey(const std::string& wrapping_key,
const std::string& key_value) { const std::string& wrapping_iv, const std::string& key_value,
if (iv.size() != kWrappingKeyIvSizeBytes) { std::string* wrapped_key) {
LOG(WARNING) << "Incorrect iv size for WrapKey(): " << iv.size(); util::Status status = ValidateKeyValue(wrapping_key, kWrappingKeySizeBytes);
if (!status.ok()) {
return status;
}
status = ValidateIv(wrapping_iv, kWrappingKeyIvSizeBytes);
if (!status.ok()) {
return status;
}
status = ValidateKeyValue(key_value, kKeyDataSizeBytes);
if (!status.ok()) {
return status;
} }
// Wrapped key IV is always 16 bytes. // Wrapped key IV is always 16 bytes.
return crypto_util::EncryptAesCbcNoPad(wrapping_key, iv, key_value); *wrapped_key =
crypto_util::EncryptAesCbcNoPad(wrapping_key, wrapping_iv, key_value);
if (wrapped_key->empty()) {
return util::Status(util::error::INTERNAL, "Failed to wrap key");
}
return util::OkStatus();
} }
util::Status CasEcm::ValidateKeys(const std::vector<EntitledKeyInfo*>& keys) { util::Status CasEcm::ValidateKeys(const std::vector<EntitledKeyInfo*>& keys) {
@@ -326,6 +345,10 @@ util::Status CasEcm::ValidateKeys(const std::vector<EntitledKeyInfo*>& keys) {
if (!status.ok()) { if (!status.ok()) {
return status; return status;
} }
status = ValidateKeyValue(key->key_value, kKeyDataSizeBytes);
if (!status.ok()) {
return status;
}
status = ValidateIv(key->content_iv, content_iv_size_); status = ValidateIv(key->content_iv, content_iv_size_);
if (!status.ok()) { if (!status.ok()) {
return status; return status;
@@ -342,7 +365,7 @@ util::Status CasEcm::ValidateWrappedKeys(
if (!status.ok()) { if (!status.ok()) {
return status; return status;
} }
status = ValidateKeyValue(key->wrapped_key_value); status = ValidateKeyValue(key->wrapped_key_value, kKeyDataSizeBytes);
if (!status.ok()) { if (!status.ok()) {
LOG(ERROR) << "Wrapped key is bad."; LOG(ERROR) << "Wrapped key is bad.";
return status; return status;
@@ -366,9 +389,10 @@ util::Status CasEcm::ValidateKeyId(const std::string& key_id) {
return util::OkStatus(); return util::OkStatus();
} }
util::Status CasEcm::ValidateKeyValue(const std::string& key_value) { util::Status CasEcm::ValidateKeyValue(const std::string& key_value,
if (key_value.size() != kKeyDataSizeBytes) { size_t key_value_size) {
util::Status( if (key_value.size() != key_value_size) {
return util::Status(
util::error::INVALID_ARGUMENT, util::error::INVALID_ARGUMENT,
absl::StrCat("Key is wrong size (", key_value.size(), " bytes).")); absl::StrCat("Key is wrong size (", key_value.size(), " bytes)."));
} }
@@ -390,6 +414,9 @@ std::string CasEcm::SerializeEcm(const std::vector<EntitledKeyInfo*>& keys) {
generation()); generation());
std::bitset<kNumBitsDecryptModeField> decrypt_mode( std::bitset<kNumBitsDecryptModeField> decrypt_mode(
static_cast<int>(crypto_mode())); static_cast<int>(crypto_mode()));
if (decrypt_mode.to_string() == "00") {
LOG(FATAL) << "Invalid decrypt mode \"00\"";
}
std::bitset<kNumBitsRotationEnabledField> rotation_enabled( std::bitset<kNumBitsRotationEnabledField> rotation_enabled(
RotationFieldValue(paired_keys_required())); RotationFieldValue(paired_keys_required()));
std::bitset<kNumBitsWrappedKeyIvSizeField> wrapped_key_iv_size( std::bitset<kNumBitsWrappedKeyIvSizeField> wrapped_key_iv_size(
@@ -490,6 +517,10 @@ util::Status CasEcm::ParseEntitlementResponse(const std::string& response_string
EntitlementKeyInfo ekey; EntitlementKeyInfo ekey;
ekey.key_id = key.key_id(); ekey.key_id = key.key_id();
ekey.key_value = key.key(); ekey.key_value = key.key();
util::Status status = ValidateKeyValue(key.key(), kWrappingKeySizeBytes);
if (!status.ok()) {
return status;
}
// Using only keys with correct KeySlot // Using only keys with correct KeySlot
if (!key.has_key_slot()) { if (!key.has_key_slot()) {

12
media_cas_packager_sdk/internal/ecm.h
View File

@@ -198,17 +198,19 @@ class CasEcm {
const std::vector<EntitledKeyInfo*>& keys, const std::string& track_type, const std::vector<EntitledKeyInfo*>& keys, const std::string& track_type,
std::string* serialized_ecm, uint32_t* generation); std::string* serialized_ecm, uint32_t* generation);
// Wrap a |key_value| using |wrapping_key| (entitlement key) and |iv|. // Wrap |key_value| using |wrapping_key| (entitlement key) and |wrapping_iv|.
// Returns the resulting wrapped key. // Returns the resulting wrapped key in |wrapped_key|.
virtual std::string WrapKey(const std::string& wrapping_key, const std::string& iv, // Return a status indicating whether there has been any error.
const std::string& key_value); virtual util::Status WrapKey(const std::string& wrapping_key,
const std::string& wrapping_iv,
const std::string& key_value, std::string* wrapped_key);
virtual util::Status ValidateKeys(const std::vector<EntitledKeyInfo*>& keys); virtual util::Status ValidateKeys(const std::vector<EntitledKeyInfo*>& keys);
virtual util::Status ValidateWrappedKeys( virtual util::Status ValidateWrappedKeys(
const std::vector<EntitledKeyInfo*>& keys); const std::vector<EntitledKeyInfo*>& keys);
util::Status ValidateKeyId(const std::string& key_id); util::Status ValidateKeyId(const std::string& key_id);
util::Status ValidateKeyValue(const std::string& key_value); util::Status ValidateKeyValue(const std::string& key_value, size_t key_value_size);
util::Status ValidateIv(const std::string& iv, size_t size); util::Status ValidateIv(const std::string& iv, size_t size);
// TODO(user): need unit tests for CreateEntitlementRequest. // TODO(user): need unit tests for CreateEntitlementRequest.

26
media_cas_packager_sdk/public/wv_cas_ecm.cc
View File

@@ -27,6 +27,10 @@ namespace widevine {
namespace cas { namespace cas {
namespace { namespace {
static constexpr size_t kContentKeySizeBytes = 16;
static constexpr size_t kCsaContentKeySizeBytes = 8;
EcmInitParameters CreateEcmInitParameters(int content_iv_size, EcmInitParameters CreateEcmInitParameters(int content_iv_size,
bool key_rotation_enabled, bool key_rotation_enabled,
CryptoMode crypto_mode) { CryptoMode crypto_mode) {
@@ -74,6 +78,13 @@ WvCasStatus WvCasEcm::GenerateEcm(const std::string& even_key,
const std::string& entitlement_key, const std::string& entitlement_key,
std::string* ecm) const { std::string* ecm) const {
DCHECK(ecm); DCHECK(ecm);
if (crypto_mode_ == CryptoMode::kDvbCsa &&
even_key.length() == kCsaContentKeySizeBytes &&
odd_key.length() == kCsaContentKeySizeBytes) {
return GenerateEcm(absl::StrCat(even_key, even_key), even_content_iv,
absl::StrCat(odd_key, odd_key), odd_content_iv,
entitlement_key_id, entitlement_key, ecm);
}
if (!initialized_) { if (!initialized_) {
LOG(ERROR) << "WvCasEcm has not been properly initialized"; LOG(ERROR) << "WvCasEcm has not been properly initialized";
return UNAVAILABLE; return UNAVAILABLE;
@@ -83,6 +94,11 @@ WvCasStatus WvCasEcm::GenerateEcm(const std::string& even_key,
"rotation is disabled"; "rotation is disabled";
return UNAVAILABLE; return UNAVAILABLE;
} }
if (even_key.size() != kContentKeySizeBytes ||
odd_key.size() != kContentKeySizeBytes) {
LOG(ERROR) << "Size of content key is incorrect";
return INVALID_ARGUMENT;
}
if (even_content_iv.size() != content_iv_size_ || if (even_content_iv.size() != content_iv_size_ ||
odd_content_iv.size() != content_iv_size_) { odd_content_iv.size() != content_iv_size_) {
LOG(ERROR) << "Size of content IV is incorrect"; LOG(ERROR) << "Size of content IV is incorrect";
@@ -153,6 +169,12 @@ WvCasStatus WvCasEcm::GenerateSingleKeyEcm(const std::string& even_key,
const std::string& entitlement_key, const std::string& entitlement_key,
std::string* ecm) const { std::string* ecm) const {
DCHECK(ecm); DCHECK(ecm);
if (crypto_mode_ == CryptoMode::kDvbCsa &&
even_key.length() == kCsaContentKeySizeBytes) {
return GenerateSingleKeyEcm(absl::StrCat(even_key, even_key),
even_content_iv, entitlement_key_id,
entitlement_key, ecm);
}
if (!initialized_) { if (!initialized_) {
LOG(ERROR) << "WvCasEcm has not been properly initialized"; LOG(ERROR) << "WvCasEcm has not been properly initialized";
return UNAVAILABLE; return UNAVAILABLE;
@@ -162,6 +184,10 @@ WvCasStatus WvCasEcm::GenerateSingleKeyEcm(const std::string& even_key,
<< "Please call GenerateEcm() instead when key rotation is enabled"; << "Please call GenerateEcm() instead when key rotation is enabled";
return UNAVAILABLE; return UNAVAILABLE;
} }
if (even_key.size() != kContentKeySizeBytes) {
LOG(ERROR) << "Size of content key is incorrect";
return INVALID_ARGUMENT;
}
if (even_content_iv.size() != content_iv_size_) { if (even_content_iv.size() != content_iv_size_) {
LOG(ERROR) << "Size of content IV is incorrect"; LOG(ERROR) << "Size of content IV is incorrect";
return INVALID_ARGUMENT; return INVALID_ARGUMENT;

66
media_cas_packager_sdk/public/wv_cas_ecm_test.cc
View File

@@ -19,8 +19,10 @@ namespace widevine {
namespace cas { namespace cas {
const char kEvenKey[] = "even_content_key"; // 16 bytes const char kEvenKey[] = "even_content_key"; // 16 bytes
const char kCsaEvenKey[] = "12345678"; // 8 bytes
const char kEvenContentIv8Bytes[] = "evencont"; // 8 bytes const char kEvenContentIv8Bytes[] = "evencont"; // 8 bytes
const char kOddKey[] = "odd_content_key."; // 16 bytes const char kOddKey[] = "odd_content_key."; // 16 bytes
const char kCsaOddKey[] = "87654321"; // 8 bytes
const char kOddContentIv8Bytes[] = "oddcont."; // 8 bytes const char kOddContentIv8Bytes[] = "oddcont."; // 8 bytes
const char kEntitlementKeyId[] = "ent_key_id......"; // 16 bytes const char kEntitlementKeyId[] = "ent_key_id......"; // 16 bytes
const char kEntitlementKey[] = "entitlement_key................."; // 32 bytes const char kEntitlementKey[] = "entitlement_key................."; // 32 bytes
@@ -94,6 +96,34 @@ TEST_F(WvCasEcmTest, GenerateSingleKeyEcmInvalidContentIv) {
/* entitlement_key= */ kEntitlementKey, &actual_ecm)); /* entitlement_key= */ kEntitlementKey, &actual_ecm));
} }
TEST_F(WvCasEcmTest, GenerateEcmInvalidContentKey) {
EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8,
/* key_rotation_enabled= */ true,
CryptoMode::kAesCtr));
std::string actual_ecm;
EXPECT_EQ(INVALID_ARGUMENT,
wv_cas_ecm_.GenerateEcm(
/* even_key= */ kEvenKey,
/* even_content_iv= */ kEvenContentIv8Bytes,
/* odd_key= */ "12345678",
/* odd_content_iv= */ kOddContentIv8Bytes,
/* entitlement_key_id= */ kEntitlementKeyId,
/* entitlement_key= */ kEntitlementKey, &actual_ecm));
}
TEST_F(WvCasEcmTest, GenerateSingleKeyEcmInvalidContentKey) {
EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8,
/* key_rotation_enabled= */ false,
CryptoMode::kAesCtr));
std::string actual_ecm;
EXPECT_EQ(INVALID_ARGUMENT,
wv_cas_ecm_.GenerateSingleKeyEcm(
/* even_key= */ "12345678",
/* even_content_iv= */ kEvenContentIv8Bytes,
/* entitlement_key_id= */ kEntitlementKeyId,
/* entitlement_key= */ kEntitlementKey, &actual_ecm));
}
TEST_F(WvCasEcmTest, GenerateEcm8BytesContentIvCtrSuccess) { TEST_F(WvCasEcmTest, GenerateEcm8BytesContentIvCtrSuccess) {
EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8, EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8,
/* key_rotation_enabled= */ true, /* key_rotation_enabled= */ true,
@@ -226,48 +256,48 @@ TEST_F(WvCasEcmTest, GenerateSingleKeyEcm16BytesContentIvCbcSuccess) {
absl::BytesToHexString(actual_ecm)); absl::BytesToHexString(actual_ecm));
} }
TEST_F(WvCasEcmTest, GenerateEcm16BytesContentIvCsaSuccess) { TEST_F(WvCasEcmTest, GenerateEcm8BytesContentIvCsaSuccess) {
EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 16, EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8,
/* key_rotation_enabled= */ true, /* key_rotation_enabled= */ true,
CryptoMode::kDvbCsa)); CryptoMode::kDvbCsa));
std::string actual_ecm; std::string actual_ecm;
EXPECT_EQ(OK, wv_cas_ecm_.GenerateEcm( EXPECT_EQ(OK, wv_cas_ecm_.GenerateEcm(
/* even_key= */ kEvenKey, /* even_key= */ kCsaEvenKey,
/* even_content_iv= */ /* even_content_iv= */
absl::StrCat(kEvenContentIv8Bytes, kEvenContentIv8Bytes), kEvenContentIv8Bytes,
/* odd_key= */ kOddKey, /* odd_key= */ kCsaOddKey,
/* odd_content_iv= */ /* odd_content_iv= */
absl::StrCat(kOddContentIv8Bytes, kOddContentIv8Bytes), kOddContentIv8Bytes,
/* entitlement_key_id= */ kEntitlementKeyId, /* entitlement_key_id= */ kEntitlementKeyId,
/* entitlement_key= */ kEntitlementKey, &actual_ecm)); /* entitlement_key= */ kEntitlementKey, &actual_ecm));
EXPECT_EQ( EXPECT_EQ(
"4ad40107c0656e745f6b65795f69642e2e2e2e2e2ea5693deeba52b4cb27e7021eefa2f8" "4ad4010780656e745f6b65795f69642e2e2e2e2e2e1970666a56b136d5d63b009c1a514a"
"c2b25f7d48e60627208f4ecca00703aa2467f28b214546a42320e3fa49f936369c657665" "948b8c0a380f2c9965134faac9d92992627abdd06f4a268bd12f8989373aece8bd657665"
"6e636f6e746576656e636f6e74656e745f6b65795f69642e2e2e2e2e2e0700509b67763b" "6e636f6e74656e745f6b65795f69642e2e2e2e2e2eda65f122610af2c9c9fa7ad18d07f4"
"3f1c356bc1e1dc8bac99a1e2f95c37d9183cbb96582f3a05fdbe29925c37c6c6a45eb552" "3faab4190ac47c0d974547e8615d7bc64beb665a2d7c36f687ad8ec518e83062076f6464"
"b5ddf87f8a6f6464636f6e742e6f6464636f6e742e", "636f6e742e",
absl::BytesToHexString(actual_ecm)); absl::BytesToHexString(actual_ecm));
} }
TEST_F(WvCasEcmTest, GenerateSingleKeyEcm16BytesContentIvCsaSuccess) { TEST_F(WvCasEcmTest, GenerateSingleKeyEcm8BytesContentIvCsaSuccess) {
EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 16, EXPECT_EQ(OK, wv_cas_ecm_.Initialize(/* content_iv_size= */ 8,
/* key_rotation_enabled= */ false, /* key_rotation_enabled= */ false,
CryptoMode::kDvbCsa)); CryptoMode::kDvbCsa));
std::string actual_ecm; std::string actual_ecm;
EXPECT_EQ(OK, wv_cas_ecm_.GenerateSingleKeyEcm( EXPECT_EQ(OK, wv_cas_ecm_.GenerateSingleKeyEcm(
/* even_key= */ kEvenKey, /* even_key= */ kCsaEvenKey,
/* even_content_iv= */ /* even_content_iv= */
absl::StrCat(kEvenContentIv8Bytes, kEvenContentIv8Bytes), kEvenContentIv8Bytes,
/* entitlement_key_id= */ kEntitlementKeyId, /* entitlement_key_id= */ kEntitlementKeyId,
/* entitlement_key= */ kEntitlementKey, &actual_ecm)); /* entitlement_key= */ kEntitlementKey, &actual_ecm));
EXPECT_EQ( EXPECT_EQ(
"4ad40106c0656e745f6b65795f69642e2e2e2e2e2ea5693deeba52b4cb27e7021eefa2f8" "4ad4010680656e745f6b65795f69642e2e2e2e2e2e1970666a56b136d5d63b009c1a514a"
"c2b25f7d48e60627208f4ecca00703aa2467f28b214546a42320e3fa49f936369c657665" "948b8c0a380f2c9965134faac9d92992627abdd06f4a268bd12f8989373aece8bd657665"
"6e636f6e746576656e636f6e74", "6e636f6e74",
absl::BytesToHexString(actual_ecm)); absl::BytesToHexString(actual_ecm));
} }