Improved error logging when drive and certificate are incompatible

src/libaacs/aacs.c

@@ -288,6 +288,7 @@ static int _read_vid(AACS *aacs, cert_list *hcl)
     int error_code = AACS_ERROR_NO_CERT;
 
     MKB *hrl_mkb = _get_hrl_mkb(mmc);
+    const uint8_t *drive_cert = mmc_get_drive_cert(mmc);
 
     for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {
 
@@ -302,13 +303,19 @@ static int _read_vid(AACS *aacs, cert_list *hcl)
             continue;
         }
 
-        if (mkb_host_cert_is_revoked(hrl_mkb, cert + 4)) {
+        if (mkb_host_cert_is_revoked(hrl_mkb, cert + 4) > 0) {
             DEBUG(DBG_AACS | DBG_CRIT, "Host certificate %s has been revoked.\n",
                   print_hex(tmp_str, cert + 4, 6));
             error_code = AACS_ERROR_CERT_REVOKED;
             //continue;
         }
 
+        if (drive_cert && (drive_cert[1] & 0x01) && !(cert[1] & 0x01)) {
+            DEBUG(DBG_AACS, "Certificate (id 0x%s) does not support bus encryption\n",
+                  print_hex(tmp_str, cert + 4, 6));
+            //continue;
+        }
+
         DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
               print_hex(tmp_str, cert + 4, 6));
 
@@ -392,6 +399,7 @@ static int _read_pmsn(AACS *aacs, cert_list *hcl)
     }
 
     int error_code = AACS_ERROR_NO_CERT;
+    const uint8_t *drive_cert = mmc_get_drive_cert(mmc);
 
     for (;hcl && hcl->host_priv_key && hcl->host_cert; hcl = hcl->next) {
 
@@ -406,6 +414,12 @@ static int _read_pmsn(AACS *aacs, cert_list *hcl)
             continue;
         }
 
+        if (drive_cert && (drive_cert[1] & 0x01) && !(cert[1] & 0x01)) {
+            DEBUG(DBG_AACS, "Certificate (id 0x%s) does not support bus encryption\n",
+                  print_hex(tmp_str, cert + 4, 6));
+            //continue;
+        }
+
         DEBUG(DBG_AACS, "Trying host certificate (id 0x%s)...\n",
               print_hex(tmp_str, cert + 4, 6));
 

src/libaacs/mmc.c

@@ -1040,7 +1040,13 @@ static int _mmc_aacs_auth(MMC *mmc, uint8_t agid, const uint8_t *host_priv_key,
 
     // send host cert + nonce
     if (!_mmc_send_host_cert(mmc, agid, mmc->host_nonce, host_cert)) {
-        DEBUG(DBG_MMC | DBG_CRIT, "Host key / Certificate has been revoked by your drive ?\n");
+
+        if ((mmc->drive_cert[1] & 0x01) && !(host_cert[1] & 0x01)) {
+            DEBUG(DBG_MMC | DBG_CRIT, "Certificate (id 0x%s) can not be used with bus encryption capable drive\n",
+                  print_hex(str, host_cert + 4, 6));
+        } else {
+            DEBUG(DBG_MMC | DBG_CRIT, "Host key / Certificate has been revoked by your drive ?\n");
+        }
         return MMC_ERROR_CERT_REVOKED;
     }
 
@@ -1280,6 +1286,14 @@ int mmc_read_drive_cert(MMC *mmc, uint8_t *drive_cert)
     return MMC_SUCCESS;
 }
 
+const uint8_t *mmc_get_drive_cert(MMC *mmc)
+{
+    if (mmc->drive_cert[0] == 0x01) {
+        return mmc->drive_cert;
+    }
+    return NULL;
+}
+
 uint8_t *mmc_read_mkb(MMC *mmc, int address, int *size)
 {
     uint8_t agid = 0;

src/libaacs/mmc.h

@@ -40,6 +40,7 @@ AACS_PRIVATE int  mmc_read_pmsn(MMC *mmc, const uint8_t *host_priv_key, const ui
 AACS_PRIVATE int  mmc_read_data_keys(MMC *mmc, const uint8_t *host_priv_key, const uint8_t *host_cert,
                                      uint8_t *read_data_key, uint8_t *write_data_key);
 AACS_PRIVATE int  mmc_read_drive_cert(MMC *mmc, uint8_t *drive_cert);
+AACS_PRIVATE const uint8_t *mmc_get_drive_cert(MMC *mmc);
 
 /* read partial MKB */
 AACS_PRIVATE uint8_t *mmc_read_mkb(MMC *mmc, int address, int *size);