Merge "Update drm_certificate.proto" into sc-dev am: 9f918bc16b

Original change: https://googleplex-android-review.googlesource.com/c/platform/vendor/widevine/+/13744352 MUST ONLY BE SUBMITTED BY AUTOMERGER Change-Id: I15bb1291e5e2a6dd8891302847ef4e98b7288284
2021-03-11 19:26:13 +00:00
parent d3cd01d34c 9f918bc16b
commit cb48161e95
5 changed files with 62 additions and 85 deletions
--- a/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
+++ b/libwvdrmengine/cdm/core/src/certificate_provisioning.cpp
@@ -111,12 +111,12 @@ namespace wvcdm {
 // Protobuf generated classes.
 using video_widevine::ClientIdentification_ClientCapabilities;
 using video_widevine::ClientIdentification_NameValue;
-using video_widevine::DrmDeviceCertificate;
+using video_widevine::DrmCertificate;
 using video_widevine::EncryptedClientIdentification;
 using video_widevine::ProvisioningOptions;
 using video_widevine::ProvisioningRequest;
 using video_widevine::ProvisioningResponse;
-using video_widevine::SignedDrmDeviceCertificate;
+using video_widevine::SignedDrmCertificate;
 using video_widevine::SignedProvisioningMessage;
 using video_widevine::
    SignedProvisioningMessage_ProvisioningProtocolVersion_VERSION_1_1;
@@ -425,7 +425,7 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
  const CdmSecurityLevel security_level = crypto_session_->GetSecurityLevel();
  crypto_session_->Close();
-  // This is the entire certificate (SignedDrmDeviceCertificate).
+  // This is the entire certificate (SignedDrmCertificate).
  const std::string& device_cert_data =
      provisioning_response.device_certificate();
@@ -436,12 +436,12 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
  }
  // Need to parse cert for key type.
-  SignedDrmDeviceCertificate signed_device_cert;
+  SignedDrmCertificate signed_device_cert;
  if (!signed_device_cert.ParseFromString(device_cert_data)) {
    LOGE("Failed to parse signed DRM certificate");
    return CERT_PROVISIONING_RESPONSE_ERROR_9;
  }
-  DrmDeviceCertificate device_cert;
+  DrmCertificate device_cert;
  if (!device_cert.ParseFromString(signed_device_cert.drm_certificate())) {
    LOGE("Failed to parse DRM certificate");
    return CERT_PROVISIONING_RESPONSE_ERROR_9;
@@ -451,12 +451,12 @@ CdmResponseType CertificateProvisioning::HandleProvisioningResponse(
    private_key.set_type(CryptoWrappedKey::kRsa);
  } else {
    switch (device_cert.algorithm()) {
-      case DrmDeviceCertificate::RSA:
+      case DrmCertificate::RSA:
        private_key.set_type(CryptoWrappedKey::kRsa);
        break;
-      case DrmDeviceCertificate::ECC_SECP256R1:
+      case DrmCertificate::ECC_SECP256R1:
-      case DrmDeviceCertificate::ECC_SECP384R1:
+      case DrmCertificate::ECC_SECP384R1:
-      case DrmDeviceCertificate::ECC_SECP521R1:
+      case DrmCertificate::ECC_SECP521R1:
        private_key.set_type(CryptoWrappedKey::kEcc);
        break;
      default:
@@ -498,25 +498,24 @@ bool CertificateProvisioning::ExtractDeviceInfo(
  }
  // Get serial number and system ID from certificate
-  SignedDrmDeviceCertificate signed_drm_device_certificate;
+  SignedDrmCertificate signed_drm_certificate;
-  if (!signed_drm_device_certificate.ParseFromString(device_certificate) ||
+  if (!signed_drm_certificate.ParseFromString(device_certificate) ||
-      !signed_drm_device_certificate.has_drm_certificate()) {
+      !signed_drm_certificate.has_drm_certificate()) {
    LOGE("Failed to parse signed DRM device certificate");
    return false;
  }
-  DrmDeviceCertificate drm_device_certificate;
+  DrmCertificate drm_certificate;
-  if (!drm_device_certificate.ParseFromString(
+  if (!drm_certificate.ParseFromString(
-          signed_drm_device_certificate.drm_certificate()) ||
+          signed_drm_certificate.drm_certificate()) ||
-      (drm_device_certificate.type() !=
+      (drm_certificate.type() != video_widevine::DrmCertificate::DEVICE)) {
       video_widevine::DrmDeviceCertificate::DRM_USER_DEVICE)) {
    LOGE("Failed to parse DRM device certificate message");
    return false;
  }
  if (serial_number != nullptr) {
-    *serial_number = drm_device_certificate.serial_number();
+    *serial_number = drm_certificate.serial_number();
  }
  if (system_id != nullptr) {
-    *system_id = drm_device_certificate.system_id();
+    *system_id = drm_certificate.system_id();
  }
  return true;
 }
--- a/libwvdrmengine/cdm/core/src/license_protocol.proto
+++ b/libwvdrmengine/cdm/core/src/license_protocol.proto
@@ -804,12 +804,18 @@ message EncryptedClientIdentification {
 }
 // ----------------------------------------------------------------------------
-// Source of truth: drm_certificate.proto
+// drm_certificate.proto
 // Formally: device_certificate.proto (of wv_drm_sdk)
 // ----------------------------------------------------------------------------
 // Description of section:
-//   Device certificate and certificate status list format definitions.
+// Definition of the root of trust identifier proto. The proto message contains
-
+// the EC-IES encrypted identifier (e.g. keybox unique id) for a device and
 // an associated hash. These can be used by Widevine to identify the root of
 // trust that was used to acquire a DRM certificate.
 //
 // In addition to the encrypted part and the hash, the proto contains the
 // version of the root of trust id which implies the EC key algorithm that was
 // used.
 // Next id: 5
 message RootOfTrustId {
  // The version specifies the EC algorithm that was used to generate the
  // root of trust id.
@@ -840,13 +846,12 @@ message RootOfTrustId {
 // DRM certificate definition for user devices, intermediate, service, and root
 // certificates.
-// DrmDeviceCertificate tracks the provisioning service's DrmCertificate,
+// Next id: 13
-// only including fields that are required by CDM devices.
+message DrmCertificate {
-message DrmDeviceCertificate {
+  enum Type {
-  enum CertificateType {
+    ROOT = 0;  // ProtoBestPractices: ignore.
-    ROOT = 0;
+    DEVICE_MODEL = 1;
-    DRM_INTERMEDIATE = 1;
+    DEVICE = 2;
    DRM_USER_DEVICE = 2;
    SERVICE = 3;
    PROVISIONER = 4;
  }
@@ -877,12 +882,16 @@ message DrmDeviceCertificate {
  }
  // Type of certificate. Required.
-  optional CertificateType type = 1;
+  optional Type type = 1;
  // 128-bit globally unique serial number of certificate.
  // Value is 0 for root certificate. Required.
  optional bytes serial_number = 2;
  // POSIX time, in seconds, when the certificate was created. Required.
  optional uint32 creation_time_seconds = 3;
  // POSIX time, in seconds, when the certificate should expire. Value of zero
  // denotes indefinite expiry time. For more information on limited lifespan
  // DRM certificates see (go/limited-lifespan-drm-certificates).
  optional uint32 expiration_time_seconds = 12;
  // Device public key. PKCS#1 ASN.1 DER-encoded. Required.
  optional bytes public_key = 4;
  // Widevine system ID for the device. Required for intermediate and
@@ -917,50 +926,21 @@ message DrmDeviceCertificate {
  optional EncryptionKey encryption_key = 11;
 }
-// DeviceCertificate signed with intermediate or root certificate private key.
+// ----------------------------------------------------------------------------
-message SignedDrmDeviceCertificate {
+// signed_drm_certificate.proto
 // ----------------------------------------------------------------------------
 // Description of section:
 // DrmCertificate signed by a higher (CA) DRM certificate.
 message SignedDrmCertificate {
  // Serialized certificate. Required.
  optional bytes drm_certificate = 1;
  // Signature of certificate. Signed with root or intermediate
  // certificate specified below. Required.
  optional bytes signature = 2;
-  // SignedDrmDeviceCertificate used to sign this certificate.
+  // SignedDrmCertificate used to sign this certificate.
-  optional SignedDrmDeviceCertificate signer = 3;
+  optional SignedDrmCertificate signer = 3;
-}
+  // Optional field that indicates the hash algorithm used in signature scheme.
-
+  optional HashAlgorithmProto hash_algorithm = 4;
 // Contains the status of the root or an intermediate DeviceCertificate.
 message DeviceCertificateStatus {
  enum Status {
    VALID = 0;
    REVOKED = 1;
  };
  // Serial number of the intermediate DrmDeviceCertificate to which this
  // message refers. Required.
  optional bytes drm_serial_number = 1;
  // Status of the certificate. Optional.
  optional Status status = 2 [default = VALID];
  // Device model information about the device to which the intermediate
  // certificate(s) correspond.
  optional ProvisionedDeviceInfo device_info = 4;
 }
 // List of DeviceCertificateStatus. Used to propagate certificate revocation
 // status and device information.
 message DeviceCertificateStatusList {
  // POSIX time, in seconds, when the list was created. Required.
  optional uint32 creation_time_seconds = 1;
  // DeviceCertificateStatus for each system ID.
  repeated DeviceCertificateStatus certificate_status = 2;
 }
 // Signed CertificateStatusList
 message SignedCertificateStatusList {
  // Serialized DeviceCertificateStatusList. Required.
  optional bytes certificate_status_list = 1;
  // Signature of certificate_status_list. Signed with root certificate private
  // key using RSASSA-PSS. Required.
  optional bytes signature = 2;
 }
 // ----------------------------------------------------------------------------
--- a/libwvdrmengine/cdm/core/src/service_certificate.cpp
+++ b/libwvdrmengine/cdm/core/src/service_certificate.cpp
@@ -129,10 +129,10 @@ namespace wvcdm {
 // Protobuf generated classes.
 using video_widevine::ClientIdentification;
-using video_widevine::DrmDeviceCertificate;
+using video_widevine::DrmCertificate;
 using video_widevine::EncryptedClientIdentification;
 using video_widevine::LicenseError;
-using video_widevine::SignedDrmDeviceCertificate;
+using video_widevine::SignedDrmCertificate;
 using video_widevine::SignedMessage;
 CdmResponseType ServiceCertificate::Init(const std::string& certificate) {
@@ -140,12 +140,12 @@ CdmResponseType ServiceCertificate::Init(const std::string& certificate) {
                            sizeof(kRootCertForProd));
  // Load root cert public key. Don't bother verifying it.
-  SignedDrmDeviceCertificate signed_root_cert;
+  SignedDrmCertificate signed_root_cert;
  if (!signed_root_cert.ParseFromString(root_cert_str)) {
    LOGE("Failed to deserialize signed root certificate");
    return DEVICE_CERTIFICATE_ERROR_1;
  }
-  DrmDeviceCertificate root_cert;
+  DrmCertificate root_cert;
  if (!root_cert.ParseFromString(signed_root_cert.drm_certificate())) {
    LOGE("Failed to deserialize root certificate");
    return DEVICE_CERTIFICATE_ERROR_1;
@@ -158,7 +158,7 @@ CdmResponseType ServiceCertificate::Init(const std::string& certificate) {
  // Load the provided service certificate.
  // First, parse it and verify its signature.
-  SignedDrmDeviceCertificate signed_service_cert;
+  SignedDrmCertificate signed_service_cert;
  if (!signed_service_cert.ParseFromString(certificate)) {
    LOGE("Failed to parse signed service certificate");
    return DEVICE_CERTIFICATE_ERROR_2;
@@ -174,19 +174,17 @@ CdmResponseType ServiceCertificate::Init(const std::string& certificate) {
  }
 #endif
-  DrmDeviceCertificate service_cert;
+  DrmCertificate service_cert;
  if (!service_cert.ParseFromString(signed_service_cert.drm_certificate())) {
    LOGE("Failed to parse service certificate");
    return DEVICE_CERTIFICATE_ERROR_2;
  }
-  if (service_cert.type() !=
+  if (service_cert.type() != video_widevine::DrmCertificate_Type_SERVICE) {
      video_widevine::DrmDeviceCertificate_CertificateType_SERVICE) {
    LOGE(
        "DRM device certificate type is not a service certificate: "
        "type = %d, expected_type = %d",
        static_cast<int>(service_cert.type()),
-        static_cast<int>(
+        static_cast<int>(video_widevine::DrmCertificate_Type_SERVICE));
            video_widevine::DrmDeviceCertificate_CertificateType_SERVICE));
    return DEVICE_CERTIFICATE_ERROR_3;
  }
--- a/libwvdrmengine/cdm/core/test/fake_provisioning_server.cpp
+++ b/libwvdrmengine/cdm/core/test/fake_provisioning_server.cpp
@@ -221,8 +221,8 @@ FakeProvisioningServer::FakeProvisioningServer() {
  // Generate a service certificate that can convince the CDM we are a real
  // provisioning server.  it only works if the CDM is compiled with the symbol
  // ACCEPT_TEST_CERT defined.
-  video_widevine::DrmDeviceCertificate cert;
+  video_widevine::DrmCertificate cert;
-  cert.set_type(video_widevine::DrmDeviceCertificate_CertificateType_SERVICE);
+  cert.set_type(video_widevine::DrmCertificate_Type_SERVICE);
  cert.set_public_key(kPublicFakeServiceCert);
  cert.set_serial_number("Serial Number 007");
@@ -231,7 +231,7 @@ FakeProvisioningServer::FakeProvisioningServer() {
  std::string serialized_cert;
  cert.SerializeToString(&serialized_cert);
-  video_widevine::SignedDrmDeviceCertificate signed_cert;
+  video_widevine::SignedDrmCertificate signed_cert;
  signed_cert.set_drm_certificate(serialized_cert);
  signed_cert.SerializeToString(&service_certificate_);
 }
--- a/libwvdrmengine/cdm/core/test/test_base.cpp
+++ b/libwvdrmengine/cdm/core/test/test_base.cpp
@@ -572,9 +572,9 @@ void TestLicenseHolder::CreateDefaultLicense() {
  // Extract the RSA key from the DRM certificate.
  std::string token = client_id.token();
-  video_widevine::SignedDrmDeviceCertificate signed_drm_cert;
+  video_widevine::SignedDrmCertificate signed_drm_cert;
  EXPECT_TRUE(signed_drm_cert.ParseFromString(token));
-  video_widevine::DrmDeviceCertificate drm_cert;
+  video_widevine::DrmCertificate drm_cert;
  EXPECT_TRUE(drm_cert.ParseFromString(signed_drm_cert.drm_certificate()));
  EXPECT_TRUE(rsa_key_.Init(drm_cert.public_key()));
  EXPECT_TRUE(rsa_key_.VerifySignature(signed_message.msg(),