Update drm_certificate.proto

[ Merge of http://go/wvgerrit/118563 ] Sync with the latest version of drm_certificate.proto to add in certificate expiry time. Add in signed_drm_certificate.proto and remove messages from device_certificate.proto. SignedDrmDeviceCertificate and DrmDeviceCertificate are now named SignedDrmCertificate and DrmCertificate. This necessitated non-proto changes. Bug: 169740403 Test: WV unit/integration tests Change-Id: Ie5969ac7217a25eb075a41df59b77da2becd4545
2021-03-02 15:39:23 -08:00
parent d40302f3e3
commit 0cf99f685f
5 changed files with 62 additions and 85 deletions
--- a/libwvdrmengine/cdm/core/src/license_protocol.proto
+++ b/libwvdrmengine/cdm/core/src/license_protocol.proto
@@ -804,12 +804,18 @@ message EncryptedClientIdentification {
 }

 // ----------------------------------------------------------------------------
-// Source of truth: drm_certificate.proto
-// Formally: device_certificate.proto (of wv_drm_sdk)
+// drm_certificate.proto
 // ----------------------------------------------------------------------------
 // Description of section:
-//   Device certificate and certificate status list format definitions.
-
+// Definition of the root of trust identifier proto. The proto message contains
+// the EC-IES encrypted identifier (e.g. keybox unique id) for a device and
+// an associated hash. These can be used by Widevine to identify the root of
+// trust that was used to acquire a DRM certificate.
+//
+// In addition to the encrypted part and the hash, the proto contains the
+// version of the root of trust id which implies the EC key algorithm that was
+// used.
+// Next id: 5
 message RootOfTrustId {
  // The version specifies the EC algorithm that was used to generate the
  // root of trust id.
@@ -840,13 +846,12 @@ message RootOfTrustId {

 // DRM certificate definition for user devices, intermediate, service, and root
 // certificates.
-// DrmDeviceCertificate tracks the provisioning service's DrmCertificate,
-// only including fields that are required by CDM devices.
-message DrmDeviceCertificate {
-  enum CertificateType {
-    ROOT = 0;
-    DRM_INTERMEDIATE = 1;
-    DRM_USER_DEVICE = 2;
+// Next id: 13
+message DrmCertificate {
+  enum Type {
+    ROOT = 0;  // ProtoBestPractices: ignore.
+    DEVICE_MODEL = 1;
+    DEVICE = 2;
    SERVICE = 3;
    PROVISIONER = 4;
  }
@@ -877,12 +882,16 @@ message DrmDeviceCertificate {
  }

  // Type of certificate. Required.
-  optional CertificateType type = 1;
+  optional Type type = 1;
  // 128-bit globally unique serial number of certificate.
  // Value is 0 for root certificate. Required.
  optional bytes serial_number = 2;
  // POSIX time, in seconds, when the certificate was created. Required.
  optional uint32 creation_time_seconds = 3;
+  // POSIX time, in seconds, when the certificate should expire. Value of zero
+  // denotes indefinite expiry time. For more information on limited lifespan
+  // DRM certificates see (go/limited-lifespan-drm-certificates).
+  optional uint32 expiration_time_seconds = 12;
  // Device public key. PKCS#1 ASN.1 DER-encoded. Required.
  optional bytes public_key = 4;
  // Widevine system ID for the device. Required for intermediate and
@@ -917,50 +926,21 @@ message DrmDeviceCertificate {
  optional EncryptionKey encryption_key = 11;
 }

-// DeviceCertificate signed with intermediate or root certificate private key.
-message SignedDrmDeviceCertificate {
+// ----------------------------------------------------------------------------
+// signed_drm_certificate.proto
+// ----------------------------------------------------------------------------
+// Description of section:
+// DrmCertificate signed by a higher (CA) DRM certificate.
+message SignedDrmCertificate {
  // Serialized certificate. Required.
  optional bytes drm_certificate = 1;
  // Signature of certificate. Signed with root or intermediate
  // certificate specified below. Required.
  optional bytes signature = 2;
-  // SignedDrmDeviceCertificate used to sign this certificate.
-  optional SignedDrmDeviceCertificate signer = 3;
-}
-
-// Contains the status of the root or an intermediate DeviceCertificate.
-message DeviceCertificateStatus {
-  enum Status {
-    VALID = 0;
-    REVOKED = 1;
-  };
-
-  // Serial number of the intermediate DrmDeviceCertificate to which this
-  // message refers. Required.
-  optional bytes drm_serial_number = 1;
-  // Status of the certificate. Optional.
-  optional Status status = 2 [default = VALID];
-  // Device model information about the device to which the intermediate
-  // certificate(s) correspond.
-  optional ProvisionedDeviceInfo device_info = 4;
-}
-
-// List of DeviceCertificateStatus. Used to propagate certificate revocation
-// status and device information.
-message DeviceCertificateStatusList {
-  // POSIX time, in seconds, when the list was created. Required.
-  optional uint32 creation_time_seconds = 1;
-  // DeviceCertificateStatus for each system ID.
-  repeated DeviceCertificateStatus certificate_status = 2;
-}
-
-// Signed CertificateStatusList
-message SignedCertificateStatusList {
-  // Serialized DeviceCertificateStatusList. Required.
-  optional bytes certificate_status_list = 1;
-  // Signature of certificate_status_list. Signed with root certificate private
-  // key using RSASSA-PSS. Required.
-  optional bytes signature = 2;
+  // SignedDrmCertificate used to sign this certificate.
+  optional SignedDrmCertificate signer = 3;
+  // Optional field that indicates the hash algorithm used in signature scheme.
+  optional HashAlgorithmProto hash_algorithm = 4;
 }

 // ----------------------------------------------------------------------------