Merge "Updated DrmDeviceCertificate for signature algo." into sc-dev
This commit is contained in:
Alex Dale
@@ -758,13 +758,44 @@ message EncryptedClientIdentification {
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// device_certificate.proto
|
||||
// Source of truth: drm_certificate.proto
|
||||
// Formally: device_certificate.proto (of wv_drm_sdk)
|
||||
// ----------------------------------------------------------------------------
|
||||
// Description of section:
|
||||
// Device certificate and certificate status list format definitions.
|
||||
|
||||
message RootOfTrustId {
|
||||
// The version specifies the EC algorithm that was used to generate the
|
||||
// root of trust id.
|
||||
enum RootOfTrustIdVersion {
|
||||
// Should not be used.
|
||||
ROOT_OF_TRUST_ID_VERSION_UNSPECIFIED = 0;
|
||||
// Version 1 of the ID uses EC-IES with SECP256R1 curve.
|
||||
ROOT_OF_TRUST_ID_VERSION_1 = 1;
|
||||
}
|
||||
optional RootOfTrustIdVersion version = 1;
|
||||
// The key_id is used for key rotation. It indicates which key was used to
|
||||
// generate the root of trust id.
|
||||
optional uint32 key_id = 2;
|
||||
|
||||
// The EC-IES encrypted message containing the unique_id. The bytes are
|
||||
// a concatenation of
|
||||
// 1) The ephemeral public key. Uncompressed keypoint format per X9.62.
|
||||
// 2) The plaintext encrypted with the derived AES key using AES CBC,
|
||||
// PKCS7 padding and a zerio iv.
|
||||
// 3) The HMAC SHA256 of the cipher text.
|
||||
optional bytes encrypted_unique_id = 3;
|
||||
|
||||
// The hash of encrypted unique id and other values.
|
||||
// unique_id_hash = SHA256(
|
||||
// encrypted_unique_id || system_id || SHA256(unique_id || secret_sauce)).
|
||||
optional bytes unique_id_hash = 4;
|
||||
}
|
||||
|
||||
// DRM certificate definition for user devices, intermediate, service, and root
|
||||
// certificates.
|
||||
// DrmDeviceCertificate tracks the provisioning service's DrmCertificate,
|
||||
// only including fields that are required by CDM devices.
|
||||
message DrmDeviceCertificate {
|
||||
enum CertificateType {
|
||||
ROOT = 0;
|
||||
@@ -773,6 +804,31 @@ message DrmDeviceCertificate {
|
||||
SERVICE = 3;
|
||||
PROVISIONER = 4;
|
||||
}
|
||||
enum ServiceType {
|
||||
UNKNOWN_SERVICE_TYPE = 0;
|
||||
LICENSE_SERVER_SDK = 1;
|
||||
LICENSE_SERVER_PROXY_SDK = 2;
|
||||
PROVISIONING_SDK = 3;
|
||||
CAS_PROXY_SDK = 4;
|
||||
}
|
||||
enum Algorithm {
|
||||
UNKNOWN_ALGORITHM = 0;
|
||||
RSA = 1;
|
||||
ECC_SECP256R1 = 2;
|
||||
ECC_SECP384R1 = 3;
|
||||
ECC_SECP521R1 = 4;
|
||||
}
|
||||
|
||||
message EncryptionKey {
|
||||
// Device public key. PKCS#1 ASN.1 DER-encoded. Required.
|
||||
optional bytes public_key = 1;
|
||||
// Required. The algorithm field contains the curve used to create the
|
||||
// |public_key| if algorithm is one of the ECC types.
|
||||
// The |algorithm| is used for both to determine the if the certificate is
|
||||
// ECC or RSA. The |algorithm| also specifies the parameters that were used
|
||||
// to create |public_key| and are used to create an ephemeral session key.
|
||||
optional Algorithm algorithm = 2 [default = RSA];
|
||||
}
|
||||
|
||||
// Type of certificate. Required.
|
||||
optional CertificateType type = 1;
|
||||
@@ -793,6 +849,26 @@ message DrmDeviceCertificate {
|
||||
// Service identifier (web origin) for the provider which owns the
|
||||
// certificate. Required for service and provisioner certificates.
|
||||
optional string provider_id = 7;
|
||||
// This field is used only when type = SERVICE to specify which SDK uses
|
||||
// service certificate. This repeated field is treated as a set. A certificate
|
||||
// may be used for the specified service SDK if the appropriate ServiceType
|
||||
// is specified in this field.
|
||||
repeated ServiceType service_types = 8;
|
||||
// Required. The algorithm field contains the curve used to create the
|
||||
// |public_key| if algorithm is one of the ECC types.
|
||||
// The |algorithm| is used for both to determine the if the certificate is ECC
|
||||
// or RSA. The |algorithm| also specifies the parameters that were used to
|
||||
// create |public_key| and are used to create an ephemeral session key.
|
||||
optional Algorithm algorithm = 9 [default = RSA];
|
||||
// Optional. May be present in DEVICE certificate types. This is the root
|
||||
// of trust identifier that holds an encrypted value that identifies the
|
||||
// keybox or other root of trust that was used to provision a DEVICE drm
|
||||
// certificate.
|
||||
optional RootOfTrustId rot_id = 10;
|
||||
// Optional. May be present in devices that explicitly support dual keys. When
|
||||
// present the |public_key| is used for verification of received license
|
||||
// request messages.
|
||||
optional EncryptionKey encryption_key = 11;
|
||||
}
|
||||
|
||||
// DeviceCertificate signed with intermediate or root certificate private key.
|
||||
|
||||
Reference in New Issue
Block a user