Updated DrmDeviceCertificate for signature algo.

[ Merge of http://go/wvgerrit/110823 ] DrmDeviceCertificate is the CDM's reduced version of DrmCertificate used in the backend. With the introduction of ECC, the CDM needs to extract the signature algorithm to determine how to handle the wrapped private key used by OEMCrypto post-provisioning. This change brings the DrmDeviceCertificate in line with the provisioning service's DrmCertificate message as the new source of truth. Bug: 140813486 Test: Compiled proto Change-Id: I164a1c9266fb74b6cdd0ff35f1986ca032033bba (cherry picked from commit 667c672c80) Merged-In: I164a1c9266fb74b6cdd0ff35f1986ca032033bba
2021-01-27 11:32:30 -08:00
parent 9397f5b972
commit 5e982e8fff
1 changed files with 77 additions and 1 deletions
--- a/libwvdrmengine/cdm/core/src/license_protocol.proto
+++ b/libwvdrmengine/cdm/core/src/license_protocol.proto
@@ -758,13 +758,44 @@ message EncryptedClientIdentification {
 }

 // ----------------------------------------------------------------------------
-// device_certificate.proto
+// Source of truth: drm_certificate.proto
+// Formally: device_certificate.proto (of wv_drm_sdk)
 // ----------------------------------------------------------------------------
 // Description of section:
 //   Device certificate and certificate status list format definitions.

+message RootOfTrustId {
+  // The version specifies the EC algorithm that was used to generate the
+  // root of trust id.
+  enum RootOfTrustIdVersion {
+    // Should not be used.
+    ROOT_OF_TRUST_ID_VERSION_UNSPECIFIED = 0;
+    // Version 1 of the ID uses EC-IES with SECP256R1 curve.
+    ROOT_OF_TRUST_ID_VERSION_1 = 1;
+  }
+  optional RootOfTrustIdVersion version = 1;
+  // The key_id is used for key rotation. It indicates which key was used to
+  // generate the root of trust id.
+  optional uint32 key_id = 2;
+
+  // The EC-IES encrypted message containing the unique_id. The bytes are
+  // a concatenation of
+  //    1) The ephemeral public key. Uncompressed keypoint format per X9.62.
+  //    2) The plaintext encrypted with the derived AES key using AES CBC,
+  //       PKCS7 padding and a zerio iv.
+  //    3) The HMAC SHA256 of the cipher text.
+  optional bytes encrypted_unique_id = 3;
+
+  // The hash of encrypted unique id and other values.
+  // unique_id_hash = SHA256(
+  //   encrypted_unique_id || system_id || SHA256(unique_id || secret_sauce)).
+  optional bytes unique_id_hash = 4;
+}
+
 // DRM certificate definition for user devices, intermediate, service, and root
 // certificates.
+// DrmDeviceCertificate tracks the provisioning service's DrmCertificate,
+// only including fields that are required by CDM devices.
 message DrmDeviceCertificate {
  enum CertificateType {
    ROOT = 0;
@@ -773,6 +804,31 @@ message DrmDeviceCertificate {
    SERVICE = 3;
    PROVISIONER = 4;
  }
+  enum ServiceType {
+    UNKNOWN_SERVICE_TYPE = 0;
+    LICENSE_SERVER_SDK = 1;
+    LICENSE_SERVER_PROXY_SDK = 2;
+    PROVISIONING_SDK = 3;
+    CAS_PROXY_SDK = 4;
+  }
+  enum Algorithm {
+    UNKNOWN_ALGORITHM = 0;
+    RSA = 1;
+    ECC_SECP256R1 = 2;
+    ECC_SECP384R1 = 3;
+    ECC_SECP521R1 = 4;
+  }
+
+  message EncryptionKey {
+    // Device public key. PKCS#1 ASN.1 DER-encoded. Required.
+    optional bytes public_key = 1;
+    // Required. The algorithm field contains the curve used to create the
+    // |public_key| if algorithm is one of the ECC types.
+    // The |algorithm| is used for both to determine the if the certificate is
+    // ECC or RSA. The |algorithm| also specifies the parameters that were used
+    // to create |public_key| and are used to create an ephemeral session key.
+    optional Algorithm algorithm = 2 [default = RSA];
+  }

  // Type of certificate. Required.
  optional CertificateType type = 1;
@@ -793,6 +849,26 @@ message DrmDeviceCertificate {
  // Service identifier (web origin) for the provider which owns the
  // certificate. Required for service and provisioner certificates.
  optional string provider_id = 7;
+  // This field is used only when type = SERVICE to specify which SDK uses
+  // service certificate. This repeated field is treated as a set. A certificate
+  // may be used for the specified service SDK if the appropriate ServiceType
+  // is specified in this field.
+  repeated ServiceType service_types = 8;
+  // Required. The algorithm field contains the curve used to create the
+  // |public_key| if algorithm is one of the ECC types.
+  // The |algorithm| is used for both to determine the if the certificate is ECC
+  // or RSA. The |algorithm| also specifies the parameters that were used to
+  // create |public_key| and are used to create an ephemeral session key.
+  optional Algorithm algorithm = 9 [default = RSA];
+  // Optional. May be present in DEVICE certificate types. This is the root
+  // of trust identifier that holds an encrypted value that identifies the
+  // keybox or other root of trust that was used to provision a DEVICE drm
+  // certificate.
+  optional RootOfTrustId rot_id = 10;
+  // Optional. May be present in devices that explicitly support dual keys. When
+  // present the |public_key| is used for verification of received license
+  // request messages.
+  optional EncryptionKey encryption_key = 11;
 }

 // DeviceCertificate signed with intermediate or root certificate private key.