Update CDM to newest license protocol definitions.
* CDM license protocol updates [ Merge of http://go/wvgerrit/22789 ] No functional changes (yet) - all tests in widevine_ce_cdm_unittest run successfully. * Address android test build failures [ Merge of http://go/wvgerrit/22983 ] Updates to the license_protocol.proto in go/wvgerrit/22789 did not include the integration tests for android. b/34202048 Test: Reran unittests. All tests other than some oemcrypto, request_license_test passed. Those tests failed with or without this CL. Change-Id: Ib9041d397187859b8fcbc1b1f7d275f8c4ef6aba
This commit is contained in:
Rahul Frias
@@ -9,11 +9,13 @@
|
||||
|
||||
syntax = "proto2";
|
||||
|
||||
package video_widevine_server.sdk;
|
||||
package video_widevine;
|
||||
|
||||
// need this if we are using libprotobuf-cpp-2.3.0-lite
|
||||
option optimize_for = LITE_RUNTIME;
|
||||
|
||||
option java_package = "com.google.video.widevine.protos";
|
||||
|
||||
enum LicenseType {
|
||||
STREAMING = 1;
|
||||
OFFLINE = 2;
|
||||
@@ -81,7 +83,11 @@ message License {
|
||||
|
||||
// Indicates to client that license renewal and release requests ought to
|
||||
// include ClientIdentification (client_id).
|
||||
optional bool renew_with_client_id = 12 [default = false];
|
||||
optional bool always_include_client_id = 12 [default = false];
|
||||
|
||||
// Duration of grace period before playback_duration_seconds (short window)
|
||||
// goes into effect. Optional.
|
||||
optional int64 play_start_grace_period_seconds = 13 [default = 0];
|
||||
|
||||
// Enables "soft enforcement" of playback_duration_seconds, letting the user
|
||||
// finish playback even if short window expires. Optional.
|
||||
@@ -121,6 +127,8 @@ message License {
|
||||
}
|
||||
|
||||
message KeyControl {
|
||||
// |key_control| is documented in:
|
||||
// Widevine Modular DRM Security Integration Guide for CENC
|
||||
// If present, the key control must be communicated to the secure
|
||||
// environment prior to any usage. This message is automatically generated
|
||||
// by the Widevine License Server SDK.
|
||||
@@ -196,14 +204,19 @@ message License {
|
||||
optional LicenseIdentification id = 1;
|
||||
optional Policy policy = 2;
|
||||
repeated KeyContainer key = 3;
|
||||
// Time of the request in seconds (UTC) as set in
|
||||
// LicenseRequest.request_time. If this time is not set in the request,
|
||||
// the local time at the license service is used in this field.
|
||||
optional int64 license_start_time = 4;
|
||||
optional bool remote_attestation_verified = 5 [default = false];
|
||||
// Client token generated by the content provider. Optional.
|
||||
optional bytes provider_client_token = 6;
|
||||
// Protection scheme identifying the encryption algorithm. Represented as one
|
||||
// of the following 4CC values: 'cenc' (AES-CTR), 'cbc1' (AES-CBC),
|
||||
// 'cens' (AES-CTR subsample), 'cbcs' (AES-CBC subsample).
|
||||
// 4cc code specifying the CENC protection scheme as defined in the CENC 3.0
|
||||
// specification. Propagated from Widevine PSSH box. Optional.
|
||||
optional uint32 protection_scheme = 7;
|
||||
// Minimum HDCP SRM version needed for using this key on content sent to
|
||||
// HDCP enabled outputs.
|
||||
optional uint32 min_hdcp_srm_version = 8;
|
||||
}
|
||||
|
||||
enum ProtocolVersion {
|
||||
@@ -213,13 +226,13 @@ enum ProtocolVersion {
|
||||
|
||||
message LicenseRequest {
|
||||
message ContentIdentification {
|
||||
message CENC {
|
||||
message CencDeprecated {
|
||||
repeated bytes pssh = 1;
|
||||
optional LicenseType license_type = 2;
|
||||
optional bytes request_id = 3; // Opaque, client-specified.
|
||||
}
|
||||
|
||||
message WebM {
|
||||
message WebmDeprecated {
|
||||
optional bytes header = 1;
|
||||
optional LicenseType license_type = 2;
|
||||
optional bytes request_id = 3; // Opaque, client-specified.
|
||||
@@ -232,10 +245,25 @@ message LicenseRequest {
|
||||
optional bytes session_usage_table_entry = 4;
|
||||
}
|
||||
|
||||
// Exactly one of these must be present.
|
||||
optional CENC cenc_id = 1;
|
||||
optional WebM webm_id = 2;
|
||||
optional ExistingLicense license = 3;
|
||||
message InitData {
|
||||
enum InitDataType {
|
||||
CENC = 1;
|
||||
WEBM = 2;
|
||||
}
|
||||
|
||||
optional InitDataType init_data_type = 1 [default = CENC];
|
||||
optional bytes init_data = 2;
|
||||
optional LicenseType license_type = 3;
|
||||
optional bytes request_id = 4;
|
||||
}
|
||||
|
||||
//oneof content_id_variant {
|
||||
// Exactly one of these must be present.
|
||||
optional CencDeprecated cenc_id_deprecated = 1;
|
||||
optional WebmDeprecated webm_id_deprecated = 2;
|
||||
optional ExistingLicense existing_license = 3;
|
||||
optional InitData init_data = 4;
|
||||
//}
|
||||
}
|
||||
|
||||
enum RequestType {
|
||||
@@ -251,6 +279,7 @@ message LicenseRequest {
|
||||
optional ClientIdentification client_id = 1;
|
||||
optional ContentIdentification content_id = 2;
|
||||
optional RequestType type = 3;
|
||||
// Time of the request in seconds (UTC) as set by the client.
|
||||
optional int64 request_time = 4;
|
||||
// Old-style decimal-encoded string key control nonce.
|
||||
optional bytes key_control_nonce_deprecated = 5;
|
||||
@@ -265,10 +294,10 @@ message LicenseRequest {
|
||||
message LicenseError {
|
||||
enum Error {
|
||||
// The device credentials are invalid. The device must re-provision.
|
||||
INVALID_DEVICE_CERTIFICATE = 1;
|
||||
INVALID_DRM_DEVICE_CERTIFICATE = 1;
|
||||
// The device credentials have been revoked. Re-provisioning is not
|
||||
// possible.
|
||||
REVOKED_DEVICE_CERTIFICATE = 2;
|
||||
REVOKED_DRM_DEVICE_CERTIFICATE = 2;
|
||||
// The service is currently unavailable due to the backend being down
|
||||
// or similar circumstances.
|
||||
SERVICE_UNAVAILABLE = 3;
|
||||
@@ -330,17 +359,38 @@ message SignedMessage {
|
||||
}
|
||||
|
||||
message GroupKeys {
|
||||
repeated License.KeyContainer key = 1;
|
||||
enum GroupLicenseVersion {
|
||||
GROUP_LICENSE_VERSION_1 = 0;
|
||||
GROUP_LICENSE_VERSION_2 = 1;
|
||||
}
|
||||
|
||||
message GroupKeyData {
|
||||
// Required track type. This indicates the track type to which this key
|
||||
// belongs.
|
||||
optional string track_type = 1;
|
||||
// A required signed message. The message body contains a serialized group
|
||||
// msg.
|
||||
optional bytes key = 2;
|
||||
}
|
||||
|
||||
// Optional key container array used in group licensing V1. This is not used
|
||||
// in V2.
|
||||
repeated License.KeyContainer key = 1 [deprecated = true];
|
||||
|
||||
// Byte string that identifies the group to which this license material
|
||||
// belongs.
|
||||
optional bytes group_id = 2;
|
||||
|
||||
// Required version id beginning with version 2. If not present version 1
|
||||
// should be assumed.
|
||||
optional GroupLicenseVersion version = 3 [default = GROUP_LICENSE_VERSION_1];
|
||||
// Optional key container array for group licensing V2.
|
||||
repeated GroupKeyData key_data = 4;
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// certificate_provisioning.proto
|
||||
// ----------------------------------------------------------------------------
|
||||
// Copyright 2013 Google Inc. All Rights Reserved.
|
||||
//
|
||||
// Description:
|
||||
// Public protocol buffer definitions for Widevine Device Certificate
|
||||
// Provisioning protocol.
|
||||
@@ -353,53 +403,76 @@ message ProvisioningOptions {
|
||||
X509 = 1; // X.509 certificate.
|
||||
}
|
||||
|
||||
optional CertificateType certificate_type = 1;
|
||||
optional CertificateType certificate_type = 1 [default = WIDEVINE_DRM];
|
||||
|
||||
// It is recommended that the certificate_authority specify the X.509
|
||||
// Subject of the signing certificate.
|
||||
// Contains the application-specific name used to identify the certificate
|
||||
// authority for signing the generated certificate. This is required iff the
|
||||
// certificate type is X509.
|
||||
optional string certificate_authority = 2;
|
||||
}
|
||||
|
||||
// Provisioning request sent by client devices to provisioning service.
|
||||
message ProvisioningRequest {
|
||||
// Device root of trust and other client identification. Required.
|
||||
optional ClientIdentification client_id = 1;
|
||||
//oneof clear_or_encrypted_client_id {
|
||||
// Device root of trust and other client identification. Required.
|
||||
optional ClientIdentification client_id = 1;
|
||||
optional EncryptedClientIdentification encrypted_client_id = 5;
|
||||
//}
|
||||
// Nonce value used to prevent replay attacks. Required.
|
||||
optional bytes nonce = 2;
|
||||
// Options for type of certificate to generate. Optional.
|
||||
optional ProvisioningOptions options = 3;
|
||||
// Stable identifier, unique for each device + application (or origin).
|
||||
// Required if doing per-origin provisioning.
|
||||
optional bytes stable_id = 4;
|
||||
//oneof origin_id {
|
||||
// Stable identifier, unique for each device + application (or origin).
|
||||
// Required if doing per-origin provisioning.
|
||||
optional bytes stable_id = 4;
|
||||
// Stable content provider ID.
|
||||
optional bytes provider_id = 6;
|
||||
//}
|
||||
}
|
||||
|
||||
// Provisioning response sent by the provisioning server to client devices.
|
||||
// This message is used for both regular Widevine DRM certificates and for
|
||||
// application-specific X.509 certificates.
|
||||
message ProvisioningResponse {
|
||||
// AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
|
||||
// Required.
|
||||
// Required. For X.509 certificates, the private RSA key may also include
|
||||
// a prefix as specified by private_key_prefix in the X509CertificateMetadata
|
||||
// proto message.
|
||||
optional bytes device_rsa_key = 1;
|
||||
// Initialization vector used to encrypt device_rsa_key. Required.
|
||||
optional bytes device_rsa_key_iv = 2;
|
||||
// Serialized SignedDeviceCertificate. Required.
|
||||
// For Widevine DRM certificates, this contains the serialized
|
||||
// SignedDrmDeviceCertificate. For X.509 certificates, this contains the PEM
|
||||
// encoded X.509 certificate. Required.
|
||||
optional bytes device_certificate = 3;
|
||||
// Nonce value matching nonce in ProvisioningRequest. Required.
|
||||
optional bytes nonce = 4;
|
||||
// Key used to wrap device_rsa_key when DRM provisioning an OEM factory
|
||||
// provisioned device. Encrypted with the device OEM public key using
|
||||
// RSA-OAEP.
|
||||
optional bytes wrapping_key = 5;
|
||||
}
|
||||
|
||||
// Serialized ProvisioningRequest or ProvisioningResponse signed with
|
||||
// The message authentication key.
|
||||
message SignedProvisioningMessage {
|
||||
enum ProtocolVersion {
|
||||
VERSION_2 = 2; // Keybox factory-provisioned devices.
|
||||
VERSION_3 = 3; // OEM certificate factory-provisioned devices.
|
||||
}
|
||||
|
||||
// Serialized ProvisioningRequest or ProvisioningResponse. Required.
|
||||
optional bytes message = 1;
|
||||
// HMAC-SHA256 signature of message. Required.
|
||||
// HMAC-SHA256 (Keybox) or RSASSA-PSS (OEM) signature of message. Required.
|
||||
optional bytes signature = 2;
|
||||
// Version number of provisioning protocol.
|
||||
optional ProtocolVersion protocol_version = 3 [default = VERSION_2];
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// client_identification.proto
|
||||
// ----------------------------------------------------------------------------
|
||||
// Copyright 2013 Google Inc. All Rights Reserved.
|
||||
//
|
||||
// Description:
|
||||
// ClientIdentification messages used by provisioning and license protocols.
|
||||
|
||||
@@ -407,8 +480,9 @@ message SignedProvisioningMessage {
|
||||
message ClientIdentification {
|
||||
enum TokenType {
|
||||
KEYBOX = 0;
|
||||
DEVICE_CERTIFICATE = 1;
|
||||
DRM_DEVICE_CERTIFICATE = 1;
|
||||
REMOTE_ATTESTATION_CERTIFICATE = 2;
|
||||
OEM_DEVICE_CERTIFICATE = 3;
|
||||
}
|
||||
|
||||
message NameValue {
|
||||
@@ -433,6 +507,9 @@ message ClientIdentification {
|
||||
optional bool video_resolution_constraints = 3 [default = false];
|
||||
optional HdcpVersion max_hdcp_version = 4 [default = HDCP_NONE];
|
||||
optional uint32 oem_crypto_api_version = 5;
|
||||
// Client has hardware support for protecting the usage table, such as
|
||||
// storing the generation number in secure memory. For Details, see:
|
||||
// Widevine Modular DRM Security Integration Guide for CENC
|
||||
optional bool anti_rollback_usage_table = 6 [default = false];
|
||||
}
|
||||
|
||||
@@ -449,6 +526,8 @@ message ClientIdentification {
|
||||
optional uint32 license_counter = 5;
|
||||
// List of non-baseline client capabilities.
|
||||
optional ClientCapabilities client_capabilities = 6;
|
||||
// Serialized VmpData message. Optional.
|
||||
optional bytes vmp_data = 7;
|
||||
}
|
||||
|
||||
// EncryptedClientIdentification message used to hold ClientIdentification
|
||||
@@ -460,32 +539,30 @@ message EncryptedClientIdentification {
|
||||
// Serial number for the service certificate for which ClientIdentification is
|
||||
// encrypted.
|
||||
optional bytes service_certificate_serial_number = 2;
|
||||
// Serialized ClientIdentification message, encrypted with the privacy key using
|
||||
// AES-128-CBC with PKCS#5 padding.
|
||||
// Serialized ClientIdentification message, encrypted with the privacy key
|
||||
// using AES-128-CBC with PKCS#5 padding.
|
||||
optional bytes encrypted_client_id = 3;
|
||||
// Initialization vector needed to decrypt encrypted_client_id.
|
||||
optional bytes encrypted_client_id_iv = 4;
|
||||
// AES-128 privacy key, encrypted with the service public public key using
|
||||
// RSA-OAEP.
|
||||
// AES-128 privacy key, encrypted with the service public key using RSA-OAEP.
|
||||
optional bytes encrypted_privacy_key = 5;
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// device_certificate.proto
|
||||
// ----------------------------------------------------------------------------
|
||||
// Copyright 2013 Google Inc. All Rights Reserved.
|
||||
//
|
||||
// Description:
|
||||
// Device certificate and certificate status list format definitions.
|
||||
|
||||
// Certificate definition for user devices, intermediate, service, and root
|
||||
// DRM certificate definition for user devices, intermediate, service, and root
|
||||
// certificates.
|
||||
message DeviceCertificate {
|
||||
message DrmDeviceCertificate {
|
||||
enum CertificateType {
|
||||
ROOT = 0;
|
||||
INTERMEDIATE = 1;
|
||||
USER_DEVICE = 2;
|
||||
DRM_INTERMEDIATE = 1;
|
||||
DRM_USER_DEVICE = 2;
|
||||
SERVICE = 3;
|
||||
PROVISIONING_PROVIDER = 4;
|
||||
}
|
||||
|
||||
// Type of certificate. Required.
|
||||
@@ -509,23 +586,55 @@ message DeviceCertificate {
|
||||
optional string service_id = 7;
|
||||
}
|
||||
|
||||
// DeviceCertificate signed with intermediate or root certificate private key.
|
||||
message SignedDeviceCertificate {
|
||||
// Serialized DeviceCertificate. Required.
|
||||
optional bytes device_certificate = 1;
|
||||
// Signature of device_certificate. Signed with root or intermediate
|
||||
// certificate private key using RSASSA-PSS. Required.
|
||||
optional bytes signature = 2;
|
||||
// Intermediate signing certificate. Present only for user device
|
||||
// certificates. All others signed with root certificate private key.
|
||||
optional SignedDeviceCertificate signer = 3;
|
||||
// Contains DRM and OEM certificate status and device information for a
|
||||
// specific system ID.
|
||||
message DeviceCertificateStatus {
|
||||
enum Status {
|
||||
VALID = 0;
|
||||
REVOKED = 1;
|
||||
};
|
||||
|
||||
// Serial number of the intermediate DrmDeviceCertificate to which this
|
||||
// message refers. Required.
|
||||
optional bytes drm_serial_number = 1;
|
||||
// Status of the certificate. Optional.
|
||||
optional Status status = 2 [default = VALID];
|
||||
// Device model information about the device to which the intermediate
|
||||
// certificate(s) correspond.
|
||||
optional ProvisionedDeviceInfo device_info = 4;
|
||||
// Serial number of the OEM X.509 intermediate certificate for this type
|
||||
// of device. Present only if the device is OEM-provisioned.
|
||||
optional bytes oem_serial_number = 5;
|
||||
}
|
||||
|
||||
// List of DeviceCertificateStatus. Used to propagate certificate revocation
|
||||
// status and device information.
|
||||
message DeviceCertificateStatusList {
|
||||
// POSIX time, in seconds, when the list was created. Required.
|
||||
optional uint32 creation_time_seconds = 1;
|
||||
// DeviceCertificateStatus for each system ID.
|
||||
repeated DeviceCertificateStatus certificate_status = 2;
|
||||
}
|
||||
|
||||
// Signed CertificateStatusList
|
||||
message SignedCertificateStatusList {
|
||||
// Serialized DeviceCertificateStatusList. Required.
|
||||
optional bytes certificate_status_list = 1;
|
||||
// Signature of certificate_status_list. Signed with root certificate private
|
||||
// key using RSASSA-PSS. Required.
|
||||
optional bytes signature = 2;
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// provisioned_device_info.proto
|
||||
// ----------------------------------------------------------------------------
|
||||
// Description:
|
||||
// Provisioned device info format definitions.
|
||||
|
||||
// Contains device model information for a provisioned device.
|
||||
message ProvisionedDeviceInfo {
|
||||
enum WvSecurityLevel {
|
||||
// Defined in "WV Modular DRM Security Integration Guide for
|
||||
// Common Encryption (CENC)"
|
||||
// Defined in "Widevine Security Integration Guide for DASH on Android"
|
||||
LEVEL_UNSPECIFIED = 0;
|
||||
LEVEL_1 = 1;
|
||||
LEVEL_2 = 2;
|
||||
@@ -551,49 +660,13 @@ message ProvisionedDeviceInfo {
|
||||
optional bool test_device = 8 [default = false];
|
||||
}
|
||||
|
||||
// Contains the status of the root or an intermediate DeviceCertificate.
|
||||
message DeviceCertificateStatus {
|
||||
enum CertificateStatus {
|
||||
VALID = 0;
|
||||
REVOKED = 1;
|
||||
};
|
||||
|
||||
// Serial number of the DeviceCertificate to which this message refers.
|
||||
// Required.
|
||||
optional bytes serial_number = 1;
|
||||
// Status of the certificate. Optional.
|
||||
optional CertificateStatus status = 2 [default = VALID];
|
||||
// Device model information about the device to which the certificate
|
||||
// corresponds. Required.
|
||||
optional ProvisionedDeviceInfo device_info = 4;
|
||||
}
|
||||
|
||||
// List of DeviceCertificateStatus. Used to propagate certificate revocation and
|
||||
// update list.
|
||||
message DeviceCertificateStatusList {
|
||||
// POSIX time, in seconds, when the list was created. Required.
|
||||
optional uint32 creation_time_seconds = 1;
|
||||
// DeviceCertificateStatus for each certifificate.
|
||||
repeated DeviceCertificateStatus certificate_status = 2;
|
||||
}
|
||||
|
||||
// Signed CertificateStatusList
|
||||
message SignedCertificateStatusList {
|
||||
// Serialized DeviceCertificateStatusList. Required.
|
||||
optional bytes certificate_status_list = 1;
|
||||
// Signature of certificate_status_list. Signed with root certificate private
|
||||
// key using RSASSA-PSS. Required.
|
||||
optional bytes signature = 2;
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------------
|
||||
// widevine_header.proto
|
||||
// ----------------------------------------------------------------------------
|
||||
// Copyright 2016 Google Inc. All Rights Reserved.
|
||||
//
|
||||
// Description:
|
||||
// Public protocol buffer definitions for Widevine Cenc Header
|
||||
// protocol.
|
||||
|
||||
message WidevineCencHeader {
|
||||
enum Algorithm {
|
||||
UNENCRYPTED = 0;
|
||||
@@ -630,3 +703,15 @@ message WidevineCencHeader {
|
||||
// 'cens' (AES-CTR subsample), 'cbcs' (AES-CBC subsample).
|
||||
optional uint32 protection_scheme = 9;
|
||||
}
|
||||
|
||||
// Signed device certificate definition.
|
||||
// DrmDeviceCertificate signed by a higher (CA) DRM certificate.
|
||||
message SignedDrmDeviceCertificate {
|
||||
// Serialized certificate. Required.
|
||||
optional bytes drm_certificate = 1;
|
||||
// Signature of certificate. Signed with root or intermediate
|
||||
// certificate specified below. Required.
|
||||
optional bytes signature = 2;
|
||||
// SignedDrmDeviceCertificate used to sign this certificate.
|
||||
optional SignedDrmDeviceCertificate signer = 3;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user