Export provisioning sdk

Change-Id: I4d47d80444c9507f84896767dc676112ca11e901

provisioning_sdk/public/BUILD

@@ -0,0 +1,84 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+# Build file for provisioning 3.0 SDK.
+
+package(
+    default_visibility = ["//visibility:public"],
+)
+
+# Defines the common copts for cc_library targets. The main option here is
+# -fvisibility=default, which exports symbols from the public APIs in the shared
+# library.
+# Note that the shared library should be built with -fvisibility=hidden.
+PUBLIC_COPTS = ["-fvisibility=default"]
+
+cc_binary(
+    name = "libprovisioning_sdk.so",
+    linkshared = 1,
+    deps = [":provisioning_engine"],
+)
+
+cc_library(
+    name = "libprovisioning_sdk",
+    srcs = [":libprovisioning_sdk.so"],
+    hdrs = glob(["*.h"]),
+)
+
+cc_library(
+    name = "provisioning_engine",
+    srcs = ["provisioning_engine.cc"],
+    hdrs = ["provisioning_engine.h"],
+    copts = PUBLIC_COPTS,
+    deps = [
+        ":certificate_type",
+        ":provisioning_session",
+        ":provisioning_status",
+        "//base",
+        "//common:rsa_key",
+        "//provisioning_sdk/internal:provisioning_engine_impl",
+        "//provisioning_sdk/internal:provisioning_session_impl",
+    ],
+)
+
+cc_test(
+    name = "provisioning_engine_test",
+    size = "small",
+    srcs = ["provisioning_engine_test.cc"],
+    deps = [
+        ":provisioning_engine",
+        "//external:gtest_main",
+    ],
+)
+
+cc_library(
+    name = "provisioning_session",
+    srcs = ["provisioning_session.cc"],
+    hdrs = ["provisioning_session.h"],
+    copts = PUBLIC_COPTS,
+    deps = [
+        ":provisioning_status",
+        "//base",
+        "//provisioning_sdk/internal:provisioning_session_impl",
+        "//protos/public:device_certificate_proto",
+    ],
+)
+
+cc_library(
+    name = "provisioning_status",
+    srcs = ["provisioning_status.cc"],
+    hdrs = ["provisioning_status.h"],
+    copts = PUBLIC_COPTS,
+    deps = ["//base"],
+)
+
+cc_library(
+    name = "certificate_type",
+    hdrs = ["certificate_type.h"],
+    copts = PUBLIC_COPTS,
+)

provisioning_sdk/public/certificate_type.h

@@ -0,0 +1,22 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef PROVISIONING_SDK_PUBLIC_CERTIFICATE_TYPE_H_
+#define PROVISIONING_SDK_PUBLIC_CERTIFICATE_TYPE_H_
+
+namespace widevine {
+
+enum CertificateType {
+  kCertTesting = 0,
+  kCertDevelopment,
+  kCertProduction,
+};
+
+}  // namespace widevine
+
+#endif  // PROVISIONING_SDK_PUBLIC_CERTIFICATE_TYPE_H_

provisioning_sdk/public/provisioning_engine.cc

@@ -0,0 +1,118 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#include "provisioning_sdk/public/provisioning_engine.h"
+
+#include <utility>
+
+#include "glog/logging.h"
+#include "common/rsa_key.h"
+#include "provisioning_sdk/internal/provisioning_engine_impl.h"
+#include "provisioning_sdk/internal/provisioning_session_impl.h"
+#include "provisioning_sdk/public/provisioning_session.h"
+
+namespace widevine {
+
+ProvisioningEngine::ProvisioningEngine() {}
+
+ProvisioningEngine::~ProvisioningEngine() {}
+
+ProvisioningStatus ProvisioningEngine::Initialize(
+    CertificateType certificate_type, const std::string& service_drm_certificate,
+    const std::string& service_private_key,
+    const std::string& service_private_key_passphrase,
+    const std::string& provisioning_drm_certificate,
+    const std::string& provisioning_private_key,
+    const std::string& provisioning_private_key_passphrase,
+    const std::string& secret_spoid_sauce) {
+  if (impl_) {
+    LOG(WARNING) << "ProvisioningEngine is already initialized.";
+    return INTERNAL_ERROR;
+  }
+
+  std::unique_ptr<ProvisioningEngineImpl> impl(new ProvisioningEngineImpl);
+  ProvisioningStatus status = impl->Initialize(
+      certificate_type, service_drm_certificate, service_private_key,
+      service_private_key_passphrase, provisioning_drm_certificate,
+      provisioning_private_key, provisioning_private_key_passphrase,
+      secret_spoid_sauce);
+  if (status != OK) return status;
+  impl_ = std::move(impl);
+  return OK;
+}
+
+ProvisioningStatus ProvisioningEngine::SetCertificateStatusList(
+    const std::string& certificate_status_list, uint32_t expiration_period_seconds) {
+  if (!impl_) return PROVISIONING_ENGINE_UNINITIALIZED;
+  return impl_->SetCertificateStatusList(certificate_status_list,
+                                         expiration_period_seconds);
+}
+
+ProvisioningStatus ProvisioningEngine::GenerateDrmIntermediateCertificate(
+    uint32_t system_id, const std::string& public_key, std::string* certificate) const {
+  if (!impl_) return PROVISIONING_ENGINE_UNINITIALIZED;
+  if (!certificate) {
+    LOG(WARNING) << "|certificate| should not be a nullptr.";
+    return INTERNAL_ERROR;
+  }
+
+  return impl_->GenerateDrmIntermediateCertificate(system_id, public_key,
+                                                   certificate);
+}
+
+ProvisioningStatus ProvisioningEngine::AddDrmIntermediateCertificate(
+    const std::string& intermediate_cert, const std::string& cert_private_key,
+    const std::string& cert_private_key_passphrase) {
+  if (!impl_) return PROVISIONING_ENGINE_UNINITIALIZED;
+  return impl_->AddDrmIntermediateCertificate(
+      intermediate_cert, cert_private_key, cert_private_key_passphrase);
+}
+
+ProvisioningStatus ProvisioningEngine::NewProvisioningSession(
+    const std::string& device_public_key, const std::string& device_private_key,
+    std::unique_ptr<ProvisioningSession>* new_session) const {
+  if (!impl_) return PROVISIONING_ENGINE_UNINITIALIZED;
+  if (!new_session) {
+    LOG(WARNING) << "|new_session| should not be a nullptr.";
+    return INTERNAL_ERROR;
+  }
+
+  std::unique_ptr<ProvisioningSessionImpl> session_impl(
+      new ProvisioningSessionImpl(*impl_, impl_->oem_device_cert(),
+                                  *impl_->service_private_key()));
+  ProvisioningStatus status =
+      session_impl->Initialize(device_public_key, device_private_key);
+  if (status != OK) return status;
+  new_session->reset(new ProvisioningSession(std::move(session_impl)));
+  return OK;
+}
+
+ProvisioningStatus ProvisioningEngine::GenerateDeviceDrmCertificate(
+    uint32_t system_id, const std::string& public_key, const std::string& serial_number,
+    std::string* certificate) const {
+  if (!impl_) return PROVISIONING_ENGINE_UNINITIALIZED;
+  if (!certificate) {
+    LOG(WARNING) << "|certificate| should not be a nullptr.";
+    return INTERNAL_ERROR;
+  }
+
+  // Validate public key. This validation is done here instead of inside
+  // |impl_->GenerateDeviceDrmCertificate| is because the latter is an internal
+  // function which expect the input to be already validated.
+  std::unique_ptr<RsaPublicKey> rsa_public_key(
+      RsaPublicKey::Create(public_key));
+  if (!rsa_public_key) return INVALID_DEVICE_PUBLIC_KEY;
+  if (serial_number.empty()) return INVALID_SERIAL_NUMBER;
+
+  const std::string empty_oem_ca_serial_number;
+  return impl_->GenerateDeviceDrmCertificate(
+      system_id, empty_oem_ca_serial_number, public_key, serial_number,
+      certificate);
+}
+
+}  // namespace widevine

provisioning_sdk/public/provisioning_engine.h

@@ -0,0 +1,153 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_
+#define PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_
+
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "provisioning_sdk/public/certificate_type.h"
+#include "provisioning_sdk/public/provisioning_status.h"
+
+namespace widevine {
+
+class ProvisioningEngineImpl;
+class ProvisioningSession;
+
+// Class which is used to implement a Widevine DRM device provisioning engine.
+// There should be only one instance of ProvisioningEngine. The engine should
+// be "Initialized" before being used. ProvisioningEngine::Initialize is the
+// only method that is not thread-safe. After initializing the engine, it can
+// be safely used in different threads.
+class ProvisioningEngine {
+ public:
+  ProvisioningEngine();
+  ~ProvisioningEngine();
+
+  // Initializes the provisioning engine with required credentials.
+  // * |certificate_type| indicates which type of certificate chains will be
+  //   used for device provisioning via this engine.
+  // * |service_drm_certificate| is a Google-generated certificate used to
+  //   authenticate the service provider for purposes of user privacy.
+  // * |service_private_key| is the encrypted PKCS#8 private RSA key
+  //   corresponding to the service certificate.
+  // * |service_private_key_passphrase| is the password required to decrypt
+  //   |service_private_key|, if any.
+  // * |provisioning_drm_certificate| is a Google-generated certificate used to
+  //   sign intermediate DRM certificates.
+  // * |provisioning_private_key| is the encrypted PKCS#8 private RSA key
+  //   corresponding to the provisioning certificate.
+  // * |provisioning_private_key_passphrase| is the password required to
+  //   decrypt |provisioning_private_key|, if any.
+  // * |secret_spoid_sauce| is a stable secret used as a factor in the
+  //   derivation of Stable Per-Origin IDentifiers.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus Initialize(
+      CertificateType certificate_type,
+      const std::string& service_drm_certificate,
+      const std::string& service_private_key,
+      const std::string& service_private_key_passphrase,
+      const std::string& provisioning_drm_certificate,
+      const std::string& provisioning_private_key,
+      const std::string& provisioning_private_key_passphrase,
+      const std::string& secret_spoid_sauce);
+
+  // Set the certificate status list for this engine.
+  // * |certificate_status_list| is a certificate status list generated by the
+  //   Widevine Provisioning Service.
+  // * |expiration_period| is the number of seconds until the
+  //   |certificate_status_list| expires after its creation time
+  //   (creation_time_seconds). Zero means it will never expire.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus SetCertificateStatusList(
+      const std::string& certificate_status_list,
+      uint32_t expiration_period_seconds);
+
+  // Generate an intermediate DRM certificate.
+  // * |system_id| is the Widevine system ID for the type of device.
+  // * |public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which will
+  //   be embedded in the generated certificate.
+  // * |certificate| will contain the new intermediate certificate, upon
+  //   successful return.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  // NOTE: The generated certificate and associated private key should be stored
+  //       securely to be reused. They should also be propagated to all
+  //       engines, including this one, by invoking
+  //       |AddIntermediatedrmcertificate| on all active ProvisioningEngine(s).
+  ProvisioningStatus GenerateDrmIntermediateCertificate(
+      uint32_t system_id,
+      const std::string& public_key,
+      std::string* certificate) const;
+
+  // Add an intermediate DRM certificate to the provisioning engine. This is
+  // usually done once for each supported device type.
+  // * |intermediate_cert| is the intermediate DRM certificate to be added.
+  // * |cert_private_key| is a PKCS#8 private key corresponding to
+  //   |intermediate_cert|.
+  // * |cert_private_key_passphrase| is the passphrase for cert_private_key,
+  //   if any.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus AddDrmIntermediateCertificate(
+      const std::string& intermediate_cert,
+      const std::string& cert_private_key,
+      const std::string& cert_private_key_passphrase);
+
+  // Create a session to handle a provisioning exchange between a client device
+  // and the provisioning server.
+  // * |device_public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which
+  //   will used to create the DRM certificate to be provisioned onto the
+  //   device.
+  // * |device_private_key| is a DER-encoded PKCS#8 PrivateKeyInfo message
+  //   which contains the private key matching |device_public_key|.
+  // * |new_session| will point, on successful return, to the newly created
+  //   ProvisioningSession.
+  // * Returns OK if successful, or an appropriate error status code otherwise.
+  // The key pairs can be re-used if the created session failed to process the
+  // message.
+  // NOTE: All ProvisioningSession objects must be deleted before the
+  //       ProvisioningEngine which created them.
+  ProvisioningStatus NewProvisioningSession(
+      const std::string& device_public_key,
+      const std::string& device_private_key,
+      std::unique_ptr<ProvisioningSession>* new_session) const;
+
+  // Generate a new device DRM certificate to be provisioned by means other than
+  // the Widevine provisioning protocol.
+  // NOTE: This API should only be used to provision devices which were
+  //       manufactured without Widevine DRM support. It is meant to be used as
+  //       an exception, and not the norm. Most devices should be provisioned
+  //       by means of a ProvisioningSession.
+  // * |system_id| is the Widevine system ID for the type of device being
+  //   provisioned.
+  // * |public_key| is a DER-encoded PKCS#1.5 RSAPublicKey message which will
+  //   be embedded in the generated certificate.
+  // * |serial_number| is a binary std::string to be used as the generated DRM
+  //   certificate serial number.
+  // * |certificate| will contain, upon successful return the generated
+  //   certificate.
+  // * Returns OK on success, or an appropriate error status code otherwise.
+  ProvisioningStatus GenerateDeviceDrmCertificate(
+      uint32_t system_id,
+      const std::string& public_key,
+      const std::string& serial_number,
+      std::string* certificate) const;
+
+ private:
+#ifndef SWIGPYTHON
+  ProvisioningEngine(const ProvisioningEngine&) = delete;
+  ProvisioningEngine& operator=(const ProvisioningEngine&) = delete;
+#endif
+
+  std::unique_ptr<ProvisioningEngineImpl> impl_;
+};
+
+}  // namespace widevine
+
+#endif  // PROVISIONING_SDK_PUBLIC_PROVISIONING_ENGINE_H_

provisioning_sdk/public/provisioning_engine_test.cc

@@ -0,0 +1,58 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#include "provisioning_sdk/public/provisioning_engine.h"
+
+#include "gtest/gtest.h"
+
+namespace {
+const int kSystemId = 100;
+const int kExpirationPeriodSeconds = 3600;
+}  // namespace
+
+namespace widevine {
+
+class ProvisioningEngineTest : public ::testing::Test {
+ protected:
+  ProvisioningEngine engine_;
+};
+
+TEST_F(ProvisioningEngineTest, SetCertificateStatusListWithoutInit) {
+  EXPECT_EQ(PROVISIONING_ENGINE_UNINITIALIZED,
+            engine_.SetCertificateStatusList("certificate_status_list",
+                                             kExpirationPeriodSeconds));
+}
+
+TEST_F(ProvisioningEngineTest, GenerateDrmIntermediateCertificateWithoutInit) {
+  std::string certificate;
+  EXPECT_EQ(PROVISIONING_ENGINE_UNINITIALIZED,
+            engine_.GenerateDrmIntermediateCertificate(
+                kSystemId, "intermediate_public_key", &certificate));
+}
+
+TEST_F(ProvisioningEngineTest, AddDrmIntermediateCertificateWithoutInit) {
+  std::string certificate;
+  EXPECT_EQ(PROVISIONING_ENGINE_UNINITIALIZED,
+            engine_.AddDrmIntermediateCertificate(
+                "intermediate_certificate", "intermediate_private_key",
+                "intermediate_private_key_passphrase"));
+}
+
+TEST_F(ProvisioningEngineTest, GenerateDeviceDrmCertificateWithoutInit) {
+  std::string certificate;
+  EXPECT_EQ(PROVISIONING_ENGINE_UNINITIALIZED,
+            engine_.GenerateDeviceDrmCertificate(kSystemId, "device_public_key",
+                                                 "device_serial_number",
+                                                 &certificate));
+}
+
+// ProvisioningEngine is basically a wrapper of ProvisioningEngineImpl, so there
+// is no need to test the functionalities as ProvisioningEngineImpl is already
+// tested.
+
+}  // namespace widevine

provisioning_sdk/public/provisioning_session.cc

@@ -0,0 +1,48 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#include "provisioning_sdk/public/provisioning_session.h"
+
+#include <utility>
+
+#include "glog/logging.h"
+#include "provisioning_sdk/internal/provisioning_session_impl.h"
+#include "protos/public/device_certificate.pb.h"
+
+namespace widevine {
+
+ProvisioningSession::~ProvisioningSession() {}
+
+ProvisioningStatus ProvisioningSession::ProcessMessage(const std::string& message,
+                                                       std::string* response,
+                                                       bool* done) {
+  if (!response) {
+    LOG(WARNING) << "|response| should not be a nullptr.";
+    return INTERNAL_ERROR;
+  }
+  if (!done) {
+    LOG(WARNING) << "|done| should not be a nullptr.";
+    return INTERNAL_ERROR;
+  }
+
+  ProvisioningStatus status = impl_->ProcessMessage(message, response);
+  *done = true;
+  return status;
+}
+
+const ProvisionedDeviceInfo* ProvisioningSession::GetDeviceInfo() const {
+  return impl_->GetDeviceInfo();
+}
+
+ProvisioningSession::ProvisioningSession(
+    std::unique_ptr<ProvisioningSessionImpl> impl)
+    : impl_(std::move(impl)) {
+  DCHECK(impl_);
+}
+
+}  // namespace widevine

provisioning_sdk/public/provisioning_session.h

@@ -0,0 +1,56 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef PROVISIONING_SDK_PUBLIC_PROVISIONING_SESSION_H_
+#define PROVISIONING_SDK_PUBLIC_PROVISIONING_SESSION_H_
+
+#include <memory>
+#include <string>
+
+#include "provisioning_sdk/public/provisioning_status.h"
+
+namespace widevine {
+
+class ProvisionedDeviceInfo;
+class ProvisioningSessionImpl;
+
+// Class which is used to implement the provisioning session state machine.
+class ProvisioningSession {
+ public:
+  ~ProvisioningSession();
+
+  // Process a message from the client device.
+  // * |message| is the message received from the client device.
+  // * |response| will contain, upon successful return, a message to be sent
+  //   back to the client device as a response to |message|.
+  // * |done| will indicate, upon successful return, whether the provisioning
+  //   exchange is complete, and the ProvisioningSession can be deleted.
+  // Returns OK if successful, or an appropriate error status code otherwise.
+  ProvisioningStatus ProcessMessage(const std::string& message,
+                                    std::string* response,
+                                    bool* done);
+
+  // * Returns a ProvisioneddeviceInfo message containing information about the
+  //   type of device being provisioned. May return nullptr.
+  const ProvisionedDeviceInfo* GetDeviceInfo() const;
+
+ private:
+#ifndef SWIGPYTHON
+  friend class ProvisioningEngine;
+
+  ProvisioningSession(const ProvisioningSession&) = delete;
+  ProvisioningSession& operator=(const ProvisioningSession&) = delete;
+#endif
+  explicit ProvisioningSession(std::unique_ptr<ProvisioningSessionImpl> impl);
+
+  std::unique_ptr<ProvisioningSessionImpl> impl_;
+};
+
+}  // namespace widevine
+
+#endif  // PROVISIONING_SDK_PUBLIC_PROVISIONING_SESSION_H_

provisioning_sdk/public/provisioning_status.cc

@@ -0,0 +1,48 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#include "provisioning_sdk/public/provisioning_status.h"
+
+#include "base/macros.h"
+
+namespace widevine {
+
+static const char* kProvisioningStatusMessage[] = {
+    "OK",
+    "Invalid certificate type",
+    "Provisioning engine uninitialized",
+    "Invalid service drm certificate",
+    "Invalid service private key",
+    "Invalid provisioning drm certificate",
+    "Invalid provisioning private key",
+    "Invalid intermediate drm certificate",
+    "Invalid intermediate public key",
+    "Invalid intermediate private key",
+    "Invalid status list",
+    "Status list expired",
+    "Unknown system id",
+    "Invalid device public key",
+    "Invalid device private key",
+    "Invalid request message",
+    "Invalid MAC",
+    "Missing DRM intermediate certificate",
+    "DRM device certificate not set",
+    "Device revoked",
+    "Invalid serial number",
+    "Internal error",
+    "Invalid SPOID secret sauce"
+};
+
+const char* GetProvisioningStatusMessage(ProvisioningStatus status) {
+  static_assert(
+      arraysize(kProvisioningStatusMessage) == NUM_PROVISIONING_STATUS,
+      "mismatching provisioning status message and provisioning status.");
+  return kProvisioningStatusMessage[status];
+}
+
+}  // namespace widevine

provisioning_sdk/public/provisioning_status.h

@@ -0,0 +1,49 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef PROVISIONING_SDK_PUBLIC_PROVISIONING_STATUS_H_
+#define PROVISIONING_SDK_PUBLIC_PROVISIONING_STATUS_H_
+
+namespace widevine {
+
+enum ProvisioningStatus {
+  OK = 0,
+  INVALID_CERTIFICATE_TYPE = 1,
+  PROVISIONING_ENGINE_UNINITIALIZED = 2,
+  INVALID_SERVICE_DRM_CERTIFICATE = 3,
+  // Invalid service private key or private key passphrase.
+  INVALID_SERVICE_PRIVATE_KEY = 4,
+  INVALID_PROVISIONER_DRM_CERTIFICATE = 5,
+  // Invalid provisioner private key or private key passphrase.
+  INVALID_PROVISIONER_PRIVATE_KEY = 6,
+  INVALID_INTERMEDIATE_DRM_CERTIFICATE = 7,
+  INVALID_INTERMEDIATE_PUBLIC_KEY = 8,
+  // Invalid intermediate private key or private key passphrase.
+  INVALID_INTERMEDIATE_PRIVATE_KEY = 9,
+  INVALID_STATUS_LIST = 10,
+  STATUS_LIST_EXPIRED = 11,
+  UNKNOWN_SYSTEM_ID = 12,
+  INVALID_DEVICE_PUBLIC_KEY = 13,
+  INVALID_DEVICE_PRIVATE_KEY = 14,
+  INVALID_REQUEST_MESSAGE = 15,
+  INVALID_MAC = 16,
+  MISSING_DRM_INTERMEDIATE_CERT = 17,
+  DRM_DEVICE_CERTIFICATE_NOT_SET = 18,
+  DEVICE_REVOKED = 19,
+  INVALID_SERIAL_NUMBER = 20,
+  INTERNAL_ERROR = 21,
+  INVALID_SPOID_SAUCE = 22,
+  NUM_PROVISIONING_STATUS,
+};
+
+// Returns the message std::string for the given ProvisioningStatus.
+const char* GetProvisioningStatusMessage(ProvisioningStatus status);
+
+}  // namespace widevine
+
+#endif  // PROVISIONING_SDK_PUBLIC_PROVISIONING_STATUS_H_

provisioning_sdk/public/python/BUILD

@@ -0,0 +1,73 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+package(default_visibility = ["//visibility:public"])
+
+py_library(
+    name = "test_data_utility",
+    srcs = ["test_data_utility.py"],
+    data = ["//example:example_data"],
+    deps = [
+        "//protos/public:certificate_provisioning_py_pb2",
+    ],
+)
+
+py_library(
+    name = "crypto_utility",
+    srcs = ["crypto_utility.py"],
+)
+
+py_test(
+    name = "init_engine_test",
+    size = "small",
+    srcs = ["init_engine_test.py"],
+    deps = [
+        ":test_data_utility",
+    ],
+)
+
+py_test(
+    name = "set_certificate_status_list_test",
+    size = "small",
+    srcs = ["set_certificate_status_list_test.py"],
+    deps = [
+        ":test_data_utility",
+    ],
+)
+
+py_test(
+    name = "drm_intermediate_certificate_test",
+    size = "small",
+    srcs = ["drm_intermediate_certificate_test.py"],
+    deps = [
+        ":test_data_utility",
+    ],
+)
+
+py_test(
+    name = "engine_generate_certificate_test",
+    size = "small",
+    srcs = ["engine_generate_certificate_test.py"],
+    deps = [
+        ":crypto_utility",
+        ":test_data_utility",
+        "//protos/public:signed_device_certificate_py_pb2",
+    ],
+)
+
+py_test(
+    name = "new_session_test",
+    size = "small",
+    srcs = ["new_session_test.py"],
+    deps = [
+        ":crypto_utility",
+        ":test_data_utility",
+        "//protos/public:certificate_provisioning_py_pb2",
+        "//protos/public:signed_device_certificate_py_pb2",
+    ],
+)

provisioning_sdk/public/python/base.i

@@ -0,0 +1,27 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+%include "std_string.i"
+%include "typemaps.i"
+
+%define %ignoreall %ignore ""; %enddef
+%define %unignore %rename("%s") %enddef
+%define %unignoreall %rename("%s") ""; %enddef
+
+%define COPY_TYPEMAPS(oldtype, newtype)
+typedef oldtype newtype;
+%apply oldtype * OUTPUT { newtype * OUTPUT };
+%apply oldtype & OUTPUT { newtype & OUTPUT };
+%apply oldtype * INPUT { newtype * INPUT };
+%apply oldtype & INPUT { newtype & INPUT };
+%apply oldtype * INOUT { newtype * INOUT };
+%apply oldtype & INOUT { newtype & INOUT };
+%enddef
+
+COPY_TYPEMAPS(int, int32);
+COPY_TYPEMAPS(unsigned int, uint32);

provisioning_sdk/public/python/certificate_type.i

@@ -0,0 +1,28 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+// Swig file to generate a Python library for:
+//   provisioning_sdk/public/certificate_type.h
+
+%module pywrapcertificate_type
+
+%include "base.i"
+
+%{
+#include "provisioning_sdk/public/certificate_type.h"
+%}
+
+%ignoreall
+
+%unignore widevine;
+%unignore widevine::CertificateType;
+%unignore widevine::kCertTesting;
+%unignore widevine::kCertDevelopment;
+%include "provisioning_sdk/public/certificate_type.h"
+
+%unignoreall

provisioning_sdk/public/python/crypto_utility.py

@@ -0,0 +1,25 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+"""Utility functions for cryptography."""
+
+from cryptography.hazmat import backends
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import padding
+
+
+def VerifySignature(public_key, signature, data):
+  hash_algorithm = hashes.SHA1()
+  salt_len = 20
+
+  key = serialization.load_der_public_key(
+      public_key, backend=backends.default_backend())
+  key.verify(signature, data,
+             padding.PSS(padding.MGF1(hash_algorithm), salt_len),
+             hash_algorithm)

provisioning_sdk/public/python/drm_intermediate_certificate_test.py

@@ -0,0 +1,54 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+import unittest
+
+import pywrapprovisioning_engine
+import pywrapprovisioning_status
+import test_data_utility
+
+
+class AddDrmIntermediateTest(unittest.TestCase):
+
+  def setUp(self):
+    self._engine = pywrapprovisioning_engine.ProvisioningEngine()
+    test_data_utility.InitProvisionEngineWithTestData(
+        self._engine, verify_success=True)
+
+  def testGenerateDrmIntermediateCertificateWithValidExpirationPeriod(self):
+    test_data_utility.SetCertificateStatusListWithTestData(
+        self._engine, 0, verify_success=True)
+
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+
+  def testSetCertificateStatusListInvalid(self):
+    set_cert_status_list = self._engine.SetCertificateStatusList(
+        'INVALID_STATUS_LIST', 0)
+    self.assertEqual(pywrapprovisioning_status.INVALID_STATUS_LIST,
+                     set_cert_status_list)
+
+  def testAddDrmIntermediateCertificateWithoutCertificateStatusList(self):
+    # Users should not be able to add DRM certificate without having
+    # certificate status list.
+    status = test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001)
+    self.assertEqual(pywrapprovisioning_status.STATUS_LIST_EXPIRED, status)
+
+  def testAddDrmIntermediateCertificateSystemIdInvalid(self):
+    test_data_utility.SetCertificateStatusListWithTestData(
+        self._engine, 0, verify_success=True)
+
+    # system_id 9999 is not in the sample certificate status list
+    add_ca_status = test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 9999)
+    self.assertEqual(pywrapprovisioning_status.UNKNOWN_SYSTEM_ID, add_ca_status)
+
+
+if __name__ == '__main__':
+  unittest.main()

provisioning_sdk/public/python/engine_generate_certificate_test.py

@@ -0,0 +1,64 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+import unittest
+
+import crypto_utility
+import pywrapprovisioning_engine
+import pywrapprovisioning_status
+import test_data_utility
+from protos.public import signed_device_certificate_pb2
+
+
+class EngineGenerateCertificateTest(unittest.TestCase):
+
+  def setUp(self):
+    self._engine = pywrapprovisioning_engine.ProvisioningEngine()
+    test_data_utility.InitProvisionEngineWithTestData(
+        self._engine, verify_success=True)
+    test_data_utility.SetCertificateStatusListWithTestData(
+        self._engine, 0, verify_success=True)
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+
+  def testSuccess(self):
+    status, signed_cert_string = self._engine.GenerateDeviceDrmCertificate(
+        2001, test_data_utility.DEVICE_PUBLIC_KEY, 'DEVICE_SERIAL_NUMBER')
+    self.assertEqual(pywrapprovisioning_status.OK, status)
+
+    signed_cert = signed_device_certificate_pb2.SignedDrmDeviceCertificate()
+    signed_cert.ParseFromString(signed_cert_string)
+    crypto_utility.VerifySignature(test_data_utility.CA_PUBLIC_KEY,
+                                   signed_cert.signature,
+                                   signed_cert.drm_certificate)
+
+  def testEmptySerialNumber(self):
+    status, _ = self._engine.GenerateDeviceDrmCertificate(
+        2001, test_data_utility.DEVICE_PUBLIC_KEY, '')
+    self.assertEqual(pywrapprovisioning_status.INVALID_SERIAL_NUMBER, status)
+
+  def testEmptyPublicKey(self):
+    status, _ = self._engine.GenerateDeviceDrmCertificate(
+        2001, '', 'DEVICE_SERIAL_NUMBER')
+    self.assertEqual(pywrapprovisioning_status.INVALID_DEVICE_PUBLIC_KEY,
+                     status)
+
+  def testInvalidPublicKey(self):
+    status, _ = self._engine.GenerateDeviceDrmCertificate(
+        2001, 'PUBLIC_KEY_MUST_BE_IN_DER_ENCODED_PKCS1_FORMAT',
+        'DEVICE_SERIAL_NUMBER')
+    self.assertEqual(pywrapprovisioning_status.INVALID_DEVICE_PUBLIC_KEY,
+                     status)
+
+  def testMissingIntermediateCertificate(self):
+    status, _ = self._engine.GenerateDeviceDrmCertificate(
+        2002, test_data_utility.DEVICE_PUBLIC_KEY, 'DEVICE_SERIAL_NUMBER')
+    self.assertEqual(pywrapprovisioning_status.DEVICE_REVOKED, status)
+
+if __name__ == '__main__':
+  unittest.main()

provisioning_sdk/public/python/init_engine_test.py

@@ -0,0 +1,170 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+import unittest
+
+import pywrapcertificate_type
+import pywrapprovisioning_engine
+import pywrapprovisioning_status
+import test_data_utility
+
+
+class InitEngineTest(unittest.TestCase):
+
+  def setUp(self):
+    self._engine = pywrapprovisioning_engine.ProvisioningEngine()
+
+  def testInitEngineSucceed(self):
+    test_data_utility.InitProvisionEngineWithTestData(
+        self._engine, verify_success=True)
+
+  def testSetCertificateStatusListWithoutInit(self):
+    status = self._engine.SetCertificateStatusList('CERTIFICATE_STATUS_LIST',
+                                                   3600)
+    self.assertEqual(
+        pywrapprovisioning_status.PROVISIONING_ENGINE_UNINITIALIZED, status)
+
+  def testGenerateDrmIntermediateCertificateWithoutInit(self):
+    status, _ = self._engine.GenerateDrmIntermediateCertificate(
+        100, 'INTERMEDIATE_PUBLIC_KEY')
+    self.assertEqual(
+        pywrapprovisioning_status.PROVISIONING_ENGINE_UNINITIALIZED, status)
+
+  def testAddDrmIntermediateCertificateWithoutInit(self):
+    status = self._engine.AddDrmIntermediateCertificate(
+        'INTERMEDIATE_CERTIFICATE', 'INTERMEDIATE_PRIVATE_KEY',
+        'INTERMEDIATE_PRIVATE_KEY_PASSPHRASE')
+    self.assertEqual(
+        pywrapprovisioning_status.PROVISIONING_ENGINE_UNINITIALIZED, status)
+
+  def testGenerateDeviceDrmCertificateWithoutInit(self):
+    status, _ = self._engine.GenerateDeviceDrmCertificate(
+        100, 'DEVICE_PUBLIC_KEY', 'DEVICE_SERIAL_NUMBER')
+    self.assertEqual(
+        pywrapprovisioning_status.PROVISIONING_ENGINE_UNINITIALIZED, status)
+
+  def testNewProvisioningSessionWithoutInit(self):
+    status, session = self._engine.NewProvisioningSession('DEVICE_PUBLIC_KEY',
+                                                          'DEVICE_PRIVATE_KEY')
+    self.assertEqual(
+        pywrapprovisioning_status.PROVISIONING_ENGINE_UNINITIALIZED, status)
+    self.assertIsNone(session)
+
+  def testInitEngineInvalidServiceDrmCert(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting, 'INVALID_CERT',
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_SERVICE_DRM_CERTIFICATE,
+                     status)
+
+  def testInitEngineInvalidServicePrivateKey(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT, 'INVALID_KEY',
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_SERVICE_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineWrongServicePrivateKey(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_SERVICE_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineInvalidServicePrivateKeyPassphrase(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY, 'INVALID_PASSPHRASE',
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_SERVICE_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineInvalidDrmCert(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS, 'INVALID_CERT',
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(
+        pywrapprovisioning_status.INVALID_PROVISIONER_DRM_CERTIFICATE, status)
+
+  def testInitEngineInvalidDrmPrivateKey(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT, 'INVALID_KEY',
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_PROVISIONER_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineWrongDrmPrivateKey(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_PROVISIONER_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineInvalidDrmPrivateKeyPassphrase(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        'INVALID_PASSPHRASE',
+        test_data_utility.PROVISIONER_SPOID_SECRET)
+    self.assertEqual(pywrapprovisioning_status.INVALID_PROVISIONER_PRIVATE_KEY,
+                     status)
+
+  def testInitEngineInvalidSpoidSecret(self):
+    status = self._engine.Initialize(
+        pywrapcertificate_type.kCertTesting,
+        test_data_utility.SERVICE_DRM_CERT,
+        test_data_utility.SERVICE_PRIVATE_KEY,
+        test_data_utility.SERVICE_PRIVATE_KEY_PASS,
+        test_data_utility.PROVISIONER_DRM_CERT,
+        test_data_utility.PROVISIONER_PRIVATE_KEY,
+        test_data_utility.PROVISIONER_PRIVATE_KEY_PASS,
+        '')
+    self.assertEqual(pywrapprovisioning_status.INVALID_SPOID_SAUCE, status)
+
+if __name__ == '__main__':
+  unittest.main()

provisioning_sdk/public/python/new_session_test.py

@@ -0,0 +1,103 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+import unittest
+
+import crypto_utility
+import pywrapprovisioning_engine
+import pywrapprovisioning_status
+import test_data_utility
+from protos.public import certificate_provisioning_pb2
+from protos.public import signed_device_certificate_pb2
+
+
+class NewSessionTest(unittest.TestCase):
+
+  def setUp(self):
+    self._engine = pywrapprovisioning_engine.ProvisioningEngine()
+    test_data_utility.InitProvisionEngineWithTestData(
+        self._engine, verify_success=True)
+    test_data_utility.SetCertificateStatusListWithTestData(
+        self._engine, 0, verify_success=True)
+
+  def testNewSessionSuccess(self):
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+
+    (_, new_session) = test_data_utility.NewProvisioningSessionWithTestData(
+        self._engine, verify_success=True)
+    (status, raw_response,
+     _) = new_session.ProcessMessage(test_data_utility.MESSAGE)
+    test_data_utility.AssertSuccess(status, 'Failed to create session.')
+
+    signed_request = test_data_utility.ConvertToSignedProvisioningMessage(
+        test_data_utility.MESSAGE)
+
+    unsigned_request = certificate_provisioning_pb2.ProvisioningRequest()
+    unsigned_request.ParseFromString(signed_request.message)
+
+    signed_response = test_data_utility.ConvertToSignedProvisioningMessage(
+        raw_response)
+
+    self._VerifyMessageSignature(test_data_utility.SERVICE_PUBLIC_KEY,
+                                 signed_response)
+
+    unsigned_response = certificate_provisioning_pb2.ProvisioningResponse()
+    unsigned_response.ParseFromString(signed_response.message)
+
+    self._VerifyProvisioningResponse(unsigned_request, unsigned_response)
+
+  def testProcessInvalidMessage(self):
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+    (_, new_session
+    ) = test_data_utility.NewProvisioningSessionWithTestData(self._engine)
+    (status, _, _) = new_session.ProcessMessage('INVALID_MESSAGE')
+    self.assertEqual(pywrapprovisioning_status.INVALID_REQUEST_MESSAGE, status)
+
+  def testNewSessionWithoutIntermediateCert(self):
+    (_, new_session) = test_data_utility.NewProvisioningSessionWithTestData(
+        self._engine, verify_success=True)
+    (status, _, _) = new_session.ProcessMessage(test_data_utility.MESSAGE)
+    self.assertEqual(pywrapprovisioning_status.MISSING_DRM_INTERMEDIATE_CERT,
+                     status)
+
+  def testNewSessionInvalidDevicePublicKey(self):
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+    (session_status, _) = self._engine.NewProvisioningSession(
+        'INVALID_PUBLIC_KEY', test_data_utility.DEVICE_PRIVATE_KEY)
+    self.assertEqual(pywrapprovisioning_status.INVALID_DEVICE_PUBLIC_KEY,
+                     session_status)
+
+  def testNewSessionInvalidDevicePrivateKey(self):
+    test_data_utility.AddDrmIntermediateCertificateWithTestData(
+        self._engine, 2001, verify_success=True)
+    (session_status, _) = self._engine.NewProvisioningSession(
+        test_data_utility.DEVICE_PUBLIC_KEY, 'INVALID_PRIVATE_KEY')
+    self.assertEqual(pywrapprovisioning_status.INVALID_DEVICE_PRIVATE_KEY,
+                     session_status)
+
+  def _VerifyMessageSignature(self, public_key, signed_response):
+    crypto_utility.VerifySignature(public_key, signed_response.signature,
+                                   signed_response.message)
+
+  def _VerifyCertSignature(self, public_key, signed_cert):
+    crypto_utility.VerifySignature(public_key, signed_cert.signature,
+                                   signed_cert.drm_certificate)
+
+  def _VerifyProvisioningResponse(self, request, response):
+    self.assertEqual(request.nonce, response.nonce)
+
+    signed_cert = signed_device_certificate_pb2.SignedDrmDeviceCertificate()
+    signed_cert.ParseFromString(response.device_certificate)
+
+    self._VerifyCertSignature(test_data_utility.CA_PUBLIC_KEY, signed_cert)
+
+if __name__ == '__main__':
+  unittest.main()

provisioning_sdk/public/python/provisioning_engine.i

@@ -0,0 +1,49 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+// Swig file to generate a Python library for:
+//   provisioning_sdk/public/provisioning_engine.h
+
+%module pywrapprovisioning_engine
+
+%include "base.i"
+%include "unique_ptr.i"
+%import(module="pywrapprovisioning_session") "provisioning_sdk/public/python/provisioning_session.i"
+
+UNIQUE_PTR_ARGOUT(widevine::ProvisioningSession, new_session);
+
+%apply int { CertificateType, ProvisioningStatus };
+%apply int32 { int32_t };
+%apply uint32 { uint32_t };
+
+%apply std::string* OUTPUT { std::string* certificate };
+
+%{
+#include "provisioning_sdk/public/provisioning_engine.h"
+#include "provisioning_sdk/public/provisioning_session.h"
+using namespace widevine;
+%}
+
+%ignoreall
+
+%unignore widevine;
+%unignore widevine::ProvisioningSession;
+
+%unignore widevine::ProvisioningEngine;
+%unignore widevine::ProvisioningEngine::ProvisioningEngine;
+%unignore widevine::ProvisioningEngine::~ProvisioningEngine;
+%unignore widevine::ProvisioningEngine::SetCertificateStatusList;
+%unignore widevine::ProvisioningEngine::Initialize;
+%unignore widevine::ProvisioningEngine::GenerateDrmIntermediateCertificate;
+%unignore widevine::ProvisioningEngine::AddDrmIntermediateCertificate;
+%unignore widevine::ProvisioningEngine::NewProvisioningSession;
+%unignore widevine::ProvisioningEngine::GenerateDeviceDrmCertificate;
+
+%include "provisioning_sdk/public/provisioning_engine.h"
+
+%unignoreall

provisioning_sdk/public/python/provisioning_session.i

@@ -0,0 +1,37 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+// Swig file to generate a Python library for:
+//   provisioning_sdk/public/provisioning_session.h
+
+%module pywrapprovisioning_session
+
+%include "base.i"
+
+%apply bool* OUTPUT { bool* done };
+
+%apply int { ProvisioningStatus };
+
+%apply std::string* OUTPUT { std::string* response };
+
+%{
+#include "provisioning_sdk/public/provisioning_session.h"
+using namespace widevine;
+%}
+
+%ignoreall
+
+%unignore widevine;
+%unignore widevine::ProvisioningSession;
+%unignore widevine::ProvisioningSession::~ProvisioningSession;
+%unignore widevine::ProvisioningSession::ProcessMessage;
+
+
+%include "provisioning_sdk/public/provisioning_session.h"
+
+%unignoreall

provisioning_sdk/public/python/provisioning_status.i

@@ -0,0 +1,44 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+// Swig file to generate a Python library for:
+//   provisioning_sdk/public/provisioning_status.h
+
+%module pywrapprovisioning_status
+
+%include "base.i"
+
+%{
+#include "provisioning_sdk/public/provisioning_status.h"
+%}
+
+%ignoreall
+
+%unignore widevine;
+%unignore widevine::ProvisioningStatus;
+%unignore widevine::OK;
+%unignore widevine::PROVISIONING_ENGINE_UNINITIALIZED;
+%unignore widevine::INVALID_SERVICE_DRM_CERTIFICATE;
+%unignore widevine::INVALID_SERVICE_PRIVATE_KEY;
+%unignore widevine::INVALID_PROVISIONER_DRM_CERTIFICATE;
+%unignore widevine::INVALID_PROVISIONER_PRIVATE_KEY;
+%unignore widevine::INVALID_STATUS_LIST;
+%unignore widevine::STATUS_LIST_EXPIRED;
+%unignore widevine::UNKNOWN_SYSTEM_ID;
+%unignore widevine::INVALID_DEVICE_PUBLIC_KEY;
+%unignore widevine::INVALID_DEVICE_PRIVATE_KEY;
+%unignore widevine::INVALID_REQUEST_MESSAGE;
+%unignore widevine::MISSING_DRM_INTERMEDIATE_CERT;
+%unignore widevine::DEVICE_REVOKED;
+%unignore widevine::INVALID_SERIAL_NUMBER;
+%unignore widevine::INVALID_SPOID_SAUCE;
+%unignore widevine::GetProvisioningStatusMessage;
+
+%include "provisioning_sdk/public/provisioning_status.h"
+
+%unignoreall

provisioning_sdk/public/python/set_certificate_status_list_test.py

@@ -0,0 +1,35 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+import unittest
+
+import pywrapprovisioning_engine
+import pywrapprovisioning_status
+import test_data_utility
+
+
+class SetCertificateStatusListTest(unittest.TestCase):
+
+  def setUp(self):
+    self._engine = pywrapprovisioning_engine.ProvisioningEngine()
+    test_data_utility.InitProvisionEngineWithTestData(
+        self._engine, verify_success=True)
+
+  def testSetCertificateStatusListSuccess(self):
+    test_data_utility.SetCertificateStatusListWithTestData(
+        self._engine, 0, verify_success=True)
+
+  def testSetCertificateStatusListInvalid(self):
+    set_cert_status_list = self._engine.SetCertificateStatusList(
+        'INVALID_STATUS_LIST', 0)
+    self.assertEqual(pywrapprovisioning_status.INVALID_STATUS_LIST,
+                     set_cert_status_list)
+
+
+if __name__ == '__main__':
+  unittest.main()

provisioning_sdk/public/python/setup.py

@@ -0,0 +1,62 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+"""setup script to build Python wrappers using swig configurations."""
+
+import os
+
+from distutils import core
+
+OUT_DIRNAME = 'test_genfiles'
+
+
+def GetSdkRootDir():
+  """Obtains folder containing |OUT_DIRNAME| that is considered as root dir."""
+  current_dir = os.path.realpath(os.path.dirname(__file__))
+  while not os.path.isdir(os.path.join(current_dir, OUT_DIRNAME)):
+    current_dir = os.path.dirname(current_dir)
+  return current_dir
+
+
+SDK_ROOT_DIR = GetSdkRootDir()
+
+SWIG_CONFIG_FILE = os.path.join(SDK_ROOT_DIR, OUT_DIRNAME, '%s.i')
+SWIG_CONFIG_MODULE_PATH = OUT_DIRNAME + '.%s'
+
+SDK_LIBRARY_DIR = os.path.join(SDK_ROOT_DIR, 'bazel-bin', 'provisioning_sdk',
+                               'public')
+
+
+def ProvisioningSwigExtension(extension_name):
+  return core.Extension(
+      name=SWIG_CONFIG_MODULE_PATH % ('_pywrap' + extension_name),
+      sources=[SWIG_CONFIG_FILE % extension_name],
+      include_dirs=[SDK_ROOT_DIR],
+      swig_opts=['-c++'],
+      library_dirs=[SDK_ROOT_DIR, SDK_LIBRARY_DIR],
+      runtime_library_dirs=[SDK_ROOT_DIR, SDK_LIBRARY_DIR],
+      libraries=['provisioning_sdk'],
+      extra_compile_args=['-std=c++11'])
+
+
+if __name__ == '__main__':
+  os.chdir(SDK_ROOT_DIR)
+  core.setup(
+      name='provisioning_sdk',
+      ext_modules=[
+          ProvisioningSwigExtension('certificate_type'),
+          ProvisioningSwigExtension('provisioning_status'),
+          ProvisioningSwigExtension('provisioning_session'),
+          ProvisioningSwigExtension('provisioning_engine')
+      ],
+      py_modules=[
+          SWIG_CONFIG_MODULE_PATH % 'pywrapcertificate_type',
+          SWIG_CONFIG_MODULE_PATH % 'pywarpprovisioning_status',
+          SWIG_CONFIG_MODULE_PATH % 'pywrapprovisioning_session',
+          SWIG_CONFIG_MODULE_PATH % 'pywrapprovisioning_engine'
+      ])

provisioning_sdk/public/python/test_data_utility.py

@@ -0,0 +1,151 @@
+################################################################################
+# Copyright 2016 Google Inc.
+#
+# This software is licensed under the terms defined in the Widevine Master
+# License Agreement. For a copy of this agreement, please contact
+# widevine-licensing@google.com.
+################################################################################
+
+"""Utility class for Provisioning SDK testing."""
+
+import os
+
+import pywrapcertificate_type
+import pywrapprovisioning_status
+from protos.public import certificate_provisioning_pb2
+
+TEST_DATA_FOLDER = os.path.join('example', 'example_data')
+
+
+def GetTestData(filename):
+  current_dir = os.path.realpath(os.path.dirname(__file__))
+  while not os.path.isdir(os.path.join(current_dir, TEST_DATA_FOLDER)):
+    current_dir = os.path.dirname(current_dir)
+  filename = os.path.join(current_dir, TEST_DATA_FOLDER, filename)
+  with open(filename, 'rb') as data_file:
+    data = data_file.read()
+  return data
+
+
+SERVICE_DRM_CERT = GetTestData('service.cert')
+SERVICE_PUBLIC_KEY = GetTestData('service.public')
+SERVICE_PRIVATE_KEY = GetTestData('service.encrypted.private')
+SERVICE_PRIVATE_KEY_PASS = GetTestData('service.passphrase')
+PROVISIONER_DRM_CERT = GetTestData('provisioner.cert')
+PROVISIONER_PRIVATE_KEY = GetTestData('provisioner.encrypted.private')
+PROVISIONER_PRIVATE_KEY_PASS = GetTestData('provisioner.passphrase')
+PROVISIONER_SPOID_SECRET = GetTestData('provisioner.spoid_secret')
+CA_PUBLIC_KEY = GetTestData('intermediate.public')
+DEVICE_PUBLIC_KEY = GetTestData('user.public')
+DEVICE_PRIVATE_KEY = GetTestData('user.private')
+MESSAGE = GetTestData('message')
+
+
+def InitProvisionEngineWithTestData(engine, verify_success=False):
+  """Initialize the provisioning engine with sample credentials.
+
+  Args:
+    engine: a pywrapprovisioning_engine.ProvisioningEngine instance
+    verify_success: whether to verify that resulting status code equals OK
+
+  Returns:
+    OK on success, or an appropriate error status code otherwise.
+  """
+  status = engine.Initialize(pywrapcertificate_type.kCertTesting,
+                             SERVICE_DRM_CERT, SERVICE_PRIVATE_KEY,
+                             SERVICE_PRIVATE_KEY_PASS, PROVISIONER_DRM_CERT,
+                             PROVISIONER_PRIVATE_KEY,
+                             PROVISIONER_PRIVATE_KEY_PASS,
+                             PROVISIONER_SPOID_SECRET)
+  if verify_success:
+    AssertSuccess(status, 'Failed to initialize.')
+  return status
+
+
+def SetCertificateStatusListWithTestData(engine,
+                                         expiration_period_seconds,
+                                         verify_success=False):
+  """Set the certificate status list with sample certificate status list.
+
+  Args:
+    engine: a pywrapprovisioning_engine.ProvisioningEngine instance
+    expiration_period_seconds: number of seconds until certificate_status_list
+      expires after its creation time
+    verify_success: whether to verify that resulting status code equals OK
+
+  Returns:
+    OK on success, or an appropriate error status code otherwise.
+  """
+  certificate_status_list = GetTestData('certificate_list')
+
+  status = engine.SetCertificateStatusList(certificate_status_list,
+                                           expiration_period_seconds)
+
+  if verify_success:
+    AssertSuccess(status, 'Failed to set certificate status list.')
+
+  return status
+
+
+def AddDrmIntermediateCertificateWithTestData(engine,
+                                              system_id,
+                                              verify_success=False):
+  """Generate an intermediate DRM cert and add it to provisioning engine.
+
+  The intermediate DRM certificate is generated with sample public key and
+  is added to the provisioning engine with sample certificate private key and
+  passphrase.
+
+  Args:
+    engine: a pywrapprovisioning_engine.ProvisioningEngine instance
+    system_id: Widevine system ID for the type of device
+    verify_success: whether to verify that resulting status code equals OK
+
+  Returns:
+    OK on success, or an appropriate error status code otherwise.
+  """
+  ca_private_key = GetTestData('intermediate.encrypted.private')
+  ca_private_key_passphrase = GetTestData('intermediate.passphrase')
+
+  gen_status, ca_certificate = engine.GenerateDrmIntermediateCertificate(
+      system_id, CA_PUBLIC_KEY)
+  AssertSuccess(gen_status, 'Failed to generate intermediate certificate.')
+
+  add_ca_status = engine.AddDrmIntermediateCertificate(
+      ca_certificate, ca_private_key, ca_private_key_passphrase)
+
+  if verify_success:
+    AssertSuccess(add_ca_status, 'Failed to add intermediate certificate.')
+
+  return add_ca_status
+
+
+def NewProvisioningSessionWithTestData(engine, verify_success=False):
+  """Create a provisioning session with sample device public and private keys.
+
+  Args:
+    engine: a pywrapprovisioning_engine.ProvisioningEngine instance
+    verify_success: whether to verify that resulting status code equals OK
+
+  Returns:
+      status: OK on success, or an appropriate error status code otherwise.
+      new_session: A new provisioning_session.
+  """
+  status, new_session = engine.NewProvisioningSession(DEVICE_PUBLIC_KEY,
+                                                      DEVICE_PRIVATE_KEY)
+
+  if verify_success:
+    AssertSuccess(status, 'Failed to create session.')
+
+  return (status, new_session)
+
+
+def AssertSuccess(status, message=None):
+  """Assert status equals OK."""
+  assert pywrapprovisioning_status.OK == status, message
+
+
+def ConvertToSignedProvisioningMessage(serialized_message):
+  signed_message = certificate_provisioning_pb2.SignedProvisioningMessage()
+  signed_message.ParseFromString(serialized_message)
+  return signed_message

provisioning_sdk/public/python/unique_ptr.i

@@ -0,0 +1,51 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+namespace std {
+   template <class T> class unique_ptr {};
+}
+
+%define _UNIQUE_PTR_TEMPLATE(type)
+template <> class std::unique_ptr <type> {};
+%enddef
+
+%define UNIQUE_PTR(type)
+_UNIQUE_PTR_TEMPLATE(type);
+
+%typemap(out) std::unique_ptr<type> %{
+  $result = SWIG_NewPointerObj(
+      SWIG_as_voidptr($1.release()), $descriptor(type*), SWIG_POINTER_OWN);
+%}
+%enddef
+
+%define UNIQUE_PTR_WITH_ERROR(type, err_str)
+_UNIQUE_PTR_TEMPLATE(type);
+
+%typemap(out) std::unique_ptr<type> %{
+  if ($1) {
+    $result = SWIG_NewPointerObj(
+        SWIG_as_voidptr($1.release()), $descriptor(type*), SWIG_POINTER_OWN);
+  } else {
+    SWIG_exception(SWIG_ValueError, err_str);
+  }
+%}
+%enddef
+
+%define UNIQUE_PTR_ARGOUT(type, arg_name)
+_UNIQUE_PTR_TEMPLATE(type)
+
+%typemap(in, numinputs=0) std::unique_ptr<type>* arg_name
+    (std::unique_ptr<type> temp) %{
+  $1 = &temp;
+%}
+
+%typemap(argout) std::unique_ptr<type>* arg_name %{
+  %append_output(SWIG_NewPointerObj(SWIG_as_voidptr($1->release()),
+      $descriptor(type*), SWIG_POINTER_OWN));
+%}
+%enddef