Update to support OEMCrypto v16 with ODK

2020-09-21 15:54:04 -07:00
parent 93265ab9d1
commit 69d813f0f1
203 changed files with 16337 additions and 2290 deletions
--- a/common/drm_service_certificate_test.cc
+++ b/common/drm_service_certificate_test.cc
@@ -17,6 +17,7 @@
 #include "absl/strings/escaping.h"
 #include "common/aes_cbc_util.h"
 #include "common/drm_root_certificate.h"
+#include "common/hash_algorithm_util.h"
 #include "common/rsa_key.h"
 #include "common/rsa_test_keys.h"
 #include "common/rsa_util.h"
@@ -24,6 +25,7 @@
 #include "protos/public/client_identification.pb.h"
 #include "protos/public/drm_certificate.pb.h"
 #include "protos/public/errors.pb.h"  // IWYU pragma: keep
+#include "protos/public/external_license.pb.h"
 #include "protos/public/license_server_sdk.pb.h"
 #include "protos/public/signed_drm_certificate.pb.h"

@@ -51,9 +53,9 @@ class DrmServiceCertificateTest : public ::testing::Test {

 protected:
  std::string GenerateDrmServiceCertificate(const std::string& serial_number,
-                                       const std::string& provider_id,
-                                       uint32_t creation_time_seconds,
-                                       const std::string& public_key) {
+                                            const std::string& provider_id,
+                                            uint32_t creation_time_seconds,
+                                            const std::string& public_key) {
    DrmCertificate cert;
    cert.set_type(DrmCertificate::SERVICE);
    cert.set_serial_number(serial_number);
@@ -62,8 +64,10 @@ class DrmServiceCertificateTest : public ::testing::Test {
    cert.set_creation_time_seconds(creation_time_seconds);
    SignedDrmCertificate signed_cert;
    cert.SerializeToString(signed_cert.mutable_drm_certificate());
-    root_private_key_->GenerateSignature(signed_cert.drm_certificate(),
-                                         signed_cert.mutable_signature());
+    root_private_key_->GenerateSignature(
+        signed_cert.drm_certificate(),
+        HashAlgorithmProtoToEnum(signed_cert.hash_algorithm()),
+        signed_cert.mutable_signature());
    std::string serialized_cert;
    signed_cert.SerializeToString(&serialized_cert);
    return serialized_cert;
@@ -119,6 +123,24 @@ class DrmServiceCertificateTest : public ::testing::Test {
                     encrypted_client_id->mutable_encrypted_privacy_key());
  }

+  void EncryptLicenseChallenge(
+      const std::string& license_challenge, const std::string& serial_number,
+      const std::string& provider_id, const std::string& public_key,
+      EncryptedLicenseRequest* encrypted_license_request) {
+    CHECK(encrypted_license_request);
+    encrypted_license_request->set_provider_id(provider_id);
+    encrypted_license_request->set_service_certificate_serial_number(
+        serial_number);
+    encrypted_license_request->set_encrypted_license_request(
+        crypto_util::EncryptAesCbc(privacy_key_, iv_, license_challenge));
+    encrypted_license_request->set_encrypted_license_request_iv(iv_);
+    std::unique_ptr<RsaPublicKey> rsa_key(RsaPublicKey::Create(public_key));
+    ASSERT_TRUE(rsa_key.get());
+    rsa_key->Encrypt(
+        privacy_key_,
+        encrypted_license_request->mutable_encrypted_privacy_key());
+  }
+
  RsaTestKeys test_keys_;
  TestDrmCertificates test_certs_;
  std::string privacy_key_;
@@ -160,6 +182,9 @@ TEST_F(DrmServiceCertificateTest, MultipleDrmServiceCertificates) {
  uint32_t creation_time_seconds1(1234);
  std::string serial_number2("serial_number2");
  uint32_t creation_time_seconds2(1234);
+  std::string serial_number3("serial_number3");
+  std::string provider_id3("service3.com");
+  uint32_t creation_time_seconds3(1235);
  std::string bogus_serial_number("bogus-serial-number2");

  EXPECT_EQ(nullptr, DrmServiceCertificate::GetDefaultDrmServiceCertificate());
@@ -172,6 +197,9 @@ TEST_F(DrmServiceCertificateTest, MultipleDrmServiceCertificates) {
  EXPECT_OK(AddDrmServiceCertificate(serial_number2, provider_id1,
                                     creation_time_seconds2));

+  EXPECT_OK(AddDrmServiceCertificate(serial_number3, provider_id3,
+                                     creation_time_seconds3));
+
  EncryptedClientIdentification encrypted_client_id;
  EncryptClientIdentification(serial_number1, provider_id1,
                              test_keys_.public_test_key_2_2048_bits(),
@@ -199,6 +227,61 @@ TEST_F(DrmServiceCertificateTest, MultipleDrmServiceCertificates) {
                .error_code());
 }

+TEST_F(DrmServiceCertificateTest, MultipleDrmServiceCertificatesLookup) {
+  std::string serial_number1("serial_number1");
+  std::string provider_id1("service1.com");
+  uint32_t creation_time_seconds1(1231);
+  std::string serial_number2("serial_number2");
+  std::string provider_id2("service2.com");
+  uint32_t creation_time_seconds2(1232);
+  std::string serial_number3("serial_number3");
+  std::string provider_id3("service3.com");
+  uint32_t creation_time_seconds3(1234);
+  std::string serial_number4("serial_number4");
+  std::string bogus_serial_number("bogus-serial-number");
+
+  EXPECT_OK(AddDrmServiceCertificate(serial_number1, provider_id1,
+                                     creation_time_seconds1));
+  EXPECT_OK(AddDrmServiceCertificate(serial_number2, provider_id2,
+                                     creation_time_seconds2));
+  EXPECT_OK(AddDrmServiceCertificate(serial_number3, provider_id3,
+                                     creation_time_seconds3));
+
+  EXPECT_EQ(provider_id1,
+            DrmServiceCertificate::GetDrmServiceCertificateBySerialNumber(
+                serial_number1)
+                ->provider_id());
+  EXPECT_EQ(provider_id2,
+            DrmServiceCertificate::GetDrmServiceCertificateBySerialNumber(
+                serial_number2)
+                ->provider_id());
+  EXPECT_EQ(provider_id3,
+            DrmServiceCertificate::GetDrmServiceCertificateBySerialNumber(
+                serial_number3)
+                ->provider_id());
+
+  EXPECT_EQ(
+      serial_number1,
+      DrmServiceCertificate::GetDrmServiceCertificateByProvider(provider_id1)
+          ->serial_number());
+  EXPECT_EQ(
+      serial_number2,
+      DrmServiceCertificate::GetDrmServiceCertificateByProvider(provider_id2)
+          ->serial_number());
+  EXPECT_EQ(
+      serial_number3,
+      DrmServiceCertificate::GetDrmServiceCertificateByProvider(provider_id3)
+          ->serial_number());
+
+  // Add a second cert for provider 3.
+  EXPECT_OK(AddDrmServiceCertificate(serial_number4, provider_id3,
+                                     creation_time_seconds3 + 60));
+  EXPECT_EQ(
+      serial_number4,
+      DrmServiceCertificate::GetDrmServiceCertificateByProvider(provider_id3)
+          ->serial_number());
+}
+
 TEST_F(DrmServiceCertificateTest, MultipleCertsPerService) {
  std::string serial_number1("serial_number1");
  std::string serial_number2("serial_number2");
@@ -298,7 +381,7 @@ TEST_F(DrmServiceCertificateTest, InvalidEncryptedClientIdentification) {
  invalid.clear_encrypted_privacy_key();
  EXPECT_EQ(
      "Errors::INVALID_ENCRYPTED_CLIENT_IDENTIFICATION: "
-      "missing-encrypted-privacy-key",
+      "missing-privacy-key",
      DrmServiceCertificate::DecryptClientIdentification(invalid,
                                                         &decrypted_client_id)
          .ToString());
@@ -311,7 +394,7 @@ TEST_F(DrmServiceCertificateTest, InvalidEncryptedClientIdentification) {
  invalid.clear_encrypted_client_id_iv();
  EXPECT_EQ(
      "Errors::INVALID_ENCRYPTED_CLIENT_IDENTIFICATION: "
-      "missing-encrypted-client-id-iv",
+      "missing-iv",
      DrmServiceCertificate::DecryptClientIdentification(invalid,
                                                         &decrypted_client_id)
          .ToString());
@@ -324,7 +407,7 @@ TEST_F(DrmServiceCertificateTest, InvalidEncryptedClientIdentification) {
  invalid.clear_encrypted_client_id();
  EXPECT_EQ(
      "Errors::INVALID_ENCRYPTED_CLIENT_IDENTIFICATION: "
-      "missing-encrypted-client-id",
+      "missing-encrypted-payload",
      DrmServiceCertificate::DecryptClientIdentification(invalid,
                                                         &decrypted_client_id)
          .ToString());
@@ -358,6 +441,142 @@ TEST_F(DrmServiceCertificateTest, PrivateKeyDecryptError) {
          .ToString());
 }

+TEST_F(DrmServiceCertificateTest, DecryptLicenseChallenge) {
+  std::string serial_number("serial_number");
+  std::string provider_id("someservice.com");
+  uint32_t creation_time_seconds(1234);
+
+  EXPECT_OK(AddDrmServiceCertificate(serial_number, provider_id,
+                                     creation_time_seconds));
+  EncryptedLicenseRequest encrypted_license_request;
+  const std::string license_challenge =
+      "<Challenge><Element1>val</Element1></"
+      "Challenge>";
+  EncryptLicenseChallenge(license_challenge, serial_number, provider_id,
+                          test_keys_.public_test_key_2_2048_bits(),
+                          &encrypted_license_request);
+  std::string decrypted_license_challenge;
+  EXPECT_EQ(OkStatus(),
+            DrmServiceCertificate::DecryptLicenseChallenge(
+                encrypted_license_request, &decrypted_license_challenge));
+  EXPECT_EQ(license_challenge, decrypted_license_challenge);
+}
+
+TEST_F(DrmServiceCertificateTest, DecryptLicenseChallengeError) {
+  std::string serial_number("serial_number");
+  std::string provider_id("someservice.com");
+  uint32_t creation_time_seconds(1234);
+
+  EXPECT_OK(AddDrmServiceCertificate(serial_number, provider_id,
+                                     creation_time_seconds));
+  EncryptedLicenseRequest encrypted_license_request;
+  const std::string license_challenge =
+      "<Challenge><Element1>val</Element1></"
+      "Challenge>";
+  EncryptLicenseChallenge(license_challenge, serial_number, provider_id,
+                          test_keys_.public_test_key_2_2048_bits(),
+                          &encrypted_license_request);
+  {
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "null-payload",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, nullptr)
+            .ToString());
+  }
+  std::string decrypted_license_challenge;
+  {
+    const std::string assigned_serial_number =
+        encrypted_license_request.service_certificate_serial_number();
+    encrypted_license_request.clear_service_certificate_serial_number();
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "missing-service-certificate-serial-number",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_service_certificate_serial_number(
+        assigned_serial_number);
+  }
+  {
+    const std::string assigned_provider_id =
+        encrypted_license_request.provider_id();
+    encrypted_license_request.clear_provider_id();
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "missing-service-id",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_provider_id(assigned_provider_id);
+  }
+  {
+    const std::string assigned_encrypted_license_request =
+        encrypted_license_request.encrypted_license_request();
+    encrypted_license_request.clear_encrypted_license_request();
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "missing-encrypted-payload",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_encrypted_license_request(
+        assigned_encrypted_license_request);
+  }
+  {
+    const std::string assigned_encrypted_license_request_iv =
+        encrypted_license_request.encrypted_license_request_iv();
+    encrypted_license_request.clear_encrypted_license_request_iv();
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "missing-iv",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_encrypted_license_request_iv(
+        assigned_encrypted_license_request_iv);
+  }
+  {
+    const std::string assigned_encrypted_privacy_key =
+        encrypted_license_request.encrypted_privacy_key();
+    encrypted_license_request.clear_encrypted_privacy_key();
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "missing-privacy-key",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_encrypted_privacy_key(
+        assigned_encrypted_privacy_key);
+  }
+  {
+    const std::string assigned_encrypted_privacy_key =
+        encrypted_license_request.encrypted_privacy_key();
+    encrypted_license_request.mutable_encrypted_privacy_key()->append(
+        "tampered");
+    EXPECT_EQ(
+        "Errors::INVALID_ENCRYPTED_LICENSE_CHALLENGE: "
+        "privacy-key-decryption-failed",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+    encrypted_license_request.set_encrypted_privacy_key(
+        assigned_encrypted_privacy_key);
+  }
+  {
+    const std::string assigned_provider_id =
+        encrypted_license_request.provider_id();
+    encrypted_license_request.set_provider_id("tamperedProviderId");
+    EXPECT_EQ(
+        "Errors::SERVICE_CERTIFICATE_NOT_FOUND: "
+        "provider-id-mismatch (" +
+            assigned_provider_id + " / tamperedProviderId)",
+        DrmServiceCertificate::DecryptLicenseChallenge(
+            encrypted_license_request, &decrypted_license_challenge)
+            .ToString());
+  }
+}
+
 // TODO(user): Add more unit tests for various fail cases (bad keys having
 // to do with bad keys and bad certs).