widevine-partner/media_cas_proxy_sdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CAS Proxy SDK git checkin as per g3doc.

Browse Source 
Adds support for specifying service type when creating a service certificate.

A recent change to the SDK allows for service certificates (DrmCertificate) to also specify a ServiceType indicating which type of service they are supposed to be used on.  This CL adds certificate creation service support for this.

-------------
Fix typo in cas proxy SDK.

-------------
Migrate C++ proto_library rules to cc_proto_library.

We update dependency edges of cc_* rules on proto_library() rules to use a cc_proto_library() intermediary in preparation for eliminating proto_library()'s cc support as per []

More information: []

Tested:
    TAP --sample for global presubmit queue
    []

-------------
Migrate cc proto_library to cc_proto_library. Also fixes build break introduced by []

-------------
Remove unnecessary #MOE directives

-------------
[Proxy_SDK] Move generateSignature in WvPLSDKEnvironment to signature_util.cc file.

-------------
[SDK]Add service_certificate type check in WVPL LSDK and PROXY SDK.

-------------
[Proxy_SDK] Add new API to get remote_attestation_cert_serial_number for proxy SDK.

-------------
[Proxy_SDK] Add getDrmDeviceId function

-------------
[Proxy_SDK] add getrequesttype function for proxy sdk

-------------
[SDK] Add videoFeature field to WvPLWidevinePsshData in WvPLWidevine.java and wvpl_type.h. Related to []

-------------
Allow specified devices to request licenses even if these devices are in TEST_ONLY state.
This will also override the global setting of TEST_ONLY devices not being allowed to
successfully receive licenses from Widevine License SDK.

-------------
[Proxy_SDK] Add ParseDCSL function and test case.

-------------
[Proxy_SDK] Return non-ok status for service_certificate_request when create proxy sdk session. Add test case in Java test.

-------------
[Proxy_SDK] Add video_feature parsing in GetPsshData function. Also check video_feature when geneateModularDrmLicenseRequest.

-------------
[SDK]Deprecated message_type() function, use request_type() instead.

-------------
Use JDK instead of JRE

The concept of a JRE is going away in JDK 11. The jre/ subdirectory in the JDK will no longer exist and the :jre targets will no longer make sense.

Currently in JDK 8, the JDK is a superset of the JRE (it contains all of the files in the JRE), so this is a safe change.

Tested:
    TAP found no affected targets
    []

-------------
Renaming WvPLSDKSession.request_type() API.
Added LICENSE_TYPE_UNSPECIFIED enumeration to WvPLLicenseType.

-------------
Additional VLOG messaging for licensing with TEST_ONLY devices.

-------------
Remove forward declarations of absl names. The style guide bans this, and those names are not for external users to redeclare. External users should include the public headers instead.

-------------
Change Kokoro to use latest bazel version

-------------
Update the abseil build to the December 18 release.

This fixes a problem where the MOE build is failing because there was no definition for node_hash_map.

-------------
[CAS_Proxy]Add WvPLCASProxyEnvironmentJNI.cc and com_google_video_widevine_sdk_wvpl_WvPLCASProxyEnvironment.h file to implement JNI layer for WvPLCASProxyEnvironment.

-------------
Apply changes to sdk to match device certificate status list updates.

Cleans up some of the protos we're using for the new SignedDeviceInfo. Also, adjusts the sdk implementation to reflect the proto and service changes.

-------------
[CAS_PROXY]Add WvPLCASProxyEnvironment.java, WvPLCASProxySession.java and WvPLCASProxyTest.java file.

-------------
Add API to return the DRM service certificate by provider.

-------------
[CAS_PROXY]Implement SetDrmServiceCertificate and SetDeviceCertificateStatusList JNI layer.

-------------
Get DeviceInfo from request.

-------------
CAS Proxy SDK updated to 1.1.5.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=248640225
This commit is contained in:
Widevine Buildbot
2019-05-21 18:20:53 +00:00
parent cb621e566a
commit dda00601c2
31 changed files with 4438 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
common/certificate_type.h Normal file
View File

@@ -0,0 +1,22 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef COMMON_CERTIFICATE_TYPE_H_
#define COMMON_CERTIFICATE_TYPE_H_
namespace widevine {
enum CertificateType {
kCertificateTypeTesting,
kCertificateTypeDevelopment,
kCertificateTypeProduction,
};
} // namespace widevine
#endif // COMMON_CERTIFICATE_TYPE_H_

109
common/status.h Normal file
View File

@@ -0,0 +1,109 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef COMMON_STATUS_H_
#define COMMON_STATUS_H_
#include <iosfwd>
#include <string>
#include "util/error_space.h"
namespace widevine {
namespace error {
enum StatusCode {
// Success.
OK = 0,
// Client specified an invalid argument.
INVALID_ARGUMENT = 3,
// Some requested entity (e.g., file or directory) was not found.
NOT_FOUND = 5,
// Some entity that we attempted to create (e.g., file or directory)
// already exists.
ALREADY_EXISTS = 6,
// The caller does not have permission to execute the specified
// operation. PERMISSION_DENIED must not be used for rejections
// caused by exhausting some resource (use RESOURCE_EXHAUSTED
// instead for those errors).
PERMISSION_DENIED = 7,
// Operation is not implemented or not supported/enabled in this service.
UNIMPLEMENTED = 12,
// Internal errors. Means some invariants expected by underlying
// system has been broken. If you see one of these errors,
// something is very broken.
INTERNAL = 13,
// Operation is not implemented or not supported/enabled in this service.
UNAVAILABLE = 14,
// Number of generic (non license related) errors.
NUM_ERRORS,
};
} // namespace error
class Status {
public:
Status() = default;
~Status() = default;
explicit Status(error::StatusCode c) : status_code_(c) {}
Status(error::StatusCode c, const std::string& error_message)
: status_code_(c), error_message_(error_message) {}
Status(const util::ErrorSpace* e, error::StatusCode c,
const std::string& error_message)
: error_space_(e), status_code_(c), error_message_(error_message) {}
Status(const util::ErrorSpace* e, int error, const std::string& error_message)
: error_space_(e), status_code_(error), error_message_(error_message) {}
bool ok() const { return status_code_ == error::OK; }
const util::ErrorSpace* error_space() const { return error_space_; }
static const util::ErrorSpace* canonical_space();
std::string ToString() const;
std::string error_message() const { return error_message_; }
int error_code() const { return status_code_; }
private:
const util::ErrorSpace* error_space_ = canonical_space();
int status_code_ = error::OK;
std::string error_message_;
};
inline Status OkStatus() { return Status(); }
inline bool operator==(const Status& s1, const Status& s2) {
return s1.error_space() == s2.error_space() &&
s1.error_code() == s2.error_code() &&
s1.error_message() == s2.error_message();
}
inline bool operator!=(const Status& s1, const Status& s2) {
return !(s1 == s2);
}
// Prints a human-readable representation of 'x' to 'os'.
std::ostream& operator<<(std::ostream& os, const Status& x);
#define CHECK_OK(expression) CHECK(expression.ok()) << expression.ToString()
} // namespace widevine
#endif // COMMON_STATUS_H_

BIN
example/wvpl_cas_proxy_environment_example Normal file
View File

Binary file not shown.

145
example/wvpl_cas_proxy_environment_example.cc Normal file
View File

@@ -0,0 +1,145 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2019 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Example of usage of wvpl_cas_proxy_environment.
#include <iostream>
#include <map>
#include <string>
#include "media_cas_proxy_sdk/external/common/wvpl/wvpl_cas_proxy_environment.h"
#include "media_cas_proxy_sdk/external/common/wvpl/wvpl_cas_proxy_session.h"
using widevine_server::wv_pl_sdk::WvPLCASProxySession;
using widevine_server::wv_pl_sdk::WvPLStatus;
namespace {
const char kValidRequestFromCdm[] =
"080712b90b0a840b080112ed090aae02080212108b8832fb7921b3e65419c6112f96d1"
"ce18e4edd4e105228e023082010a0282010100a729e70e43515708819fe6c62f9fc26e"
"a9f2300bd5cca79131b46997cc2822a8479a58ea287b7dceada6b77290cd0df3f7a98b"
"d4e91907631bfc4065afe93b08f95a5799f7391252de6a3d0a0e502dc116c0e0853c87"
"5e5ebff843858c322f2c06017d423981a7a41070ff8eae0c2ac135491187eb227907b1"
"185ecb76cd3f26eb0259a3e6c177c35ade2c07aa243d29599e251a6ab4dbb9bea00112"
"7bd39765bd40a1bb23b883b10ab829adde17311b90295059570936f0ee5ec6bdaba0be"
"07adbff30505537c67f1004daf469e6d760024f6f07095687fde35a62651b504beeaca"
"79282ce83001a914fdd9eface7e6d15959abee536b3c4cb53e573b39128d0203010001"
"2899201280023231afb3b643ea7db3095fdca3fe8df49e299d2b19fe9da7ab5f286ef2"
"17a08226bd0d530e9683fbb78edecca7d8bc3f1f9ac03a53a8d48029c0f490a6af301b"
"da27316e5920409a5a889acba49539d1d92c0b784b181da114f3bb45edbc7bba7cddfa"
"6e599500e92f8c0dd11ecebebb80fec73273d5c620bf30b30c0be1a90f1b86ea913497"
"39d961b589ce1b1b83d31e135e489b752a32431ad1bd6e8b6986dbd0c98073872b5349"
"11fc8ebfa528c62f6969b6d4b5079a640b02fa5989cccac708d4130e4686020f8b50f9"
"ea38f82424293555f82fc920ad33f41398b532fe01e28b50f76d35349835328714969b"
"ab67f68eb3cc30aac5d271fff3e1b1c9621ab6050ab00208011210084d60bc65937db6"
"ac7f992b41ecf5f218a2d38a8c05228e023082010a0282010100991b357bb714decac1"
"e70eaa36d1d0834df24a3d10369f90a22734a3ad4aebccfc2432bdd6dcd1ffd75699ba"
"5608c4457972d27c47abcff8c88cd9900938260b8c85795327b2aef3a1db27e8b96203"
"9284d602c6a74c6a143a67be64a16a1c8f44fafadac242ceb6d8ade9c4d4542ebd3ee9"
"d2a0a71eb7a4ccf916e02f26793b0c13a4921c3eed49c5c96cd455598ede040ce472b0"
"15a9af3cda82c49792aa7f6bbfbf4667293b44ec7429c39a038911ce1fe462c35e95c2"
"64d363343c3adb944fa2aabdba0fb61c402797585f3dfb796f6ce1dcf3b79c9887be98"
"1470ecbcb048e59e564fc3ad2c4b860f70aa468fb66c4a2847eec755ade89bd6225740"
"c9a502030100012899203001128003212de141c13057c1987218dd7fbc2dc9f84c82f9"
"1f5b163d0370c7069387c70c90c3060f0504573c6e0bd3acb984fc3ab7b221a77d3733"
"324d670a9a5eea64691d5666a9b67dd367803cd5753bd75ea7239bec0c008297695771"
"ce203c60898d4f264ad55d3d01c96f66d6fb6c53d1928a60ad040d7d48e9c83d6849c2"
"48e45c0f95bbb8cd0b1feee4458c5c60ab0d52e1fb0f8ee98766af9cf93307578657e8"
"00f1a4ed3f6a00e8951b2158f45cfcc2f7e5e5cc3d7f04ea2be34aa8dd49ebd78c618c"
"1404e308257e502aac8df00d52a8985301bfe5e6e784d77b0bc52c935a8b183fb5afed"
"25a5855a77fcf2715c907611624a58b037d819857bab926bee4d560277089efb070fb3"
"f5385d1dde1e486d8f32d253de8692e3098e35b3192647e79544cf0fb28b362133e942"
"97781cf3f68960531667ee74e7026bd72137eb1ddd057834cf1dabe8d7069f88acb4b7"
"a402470f2801264bb49c3bfee24fc640a46374d6c10bc7d2b960792d11da5086ab8ccf"
"f46180c243c395d22f1a9e4f6b021a130a0c636f6d70616e795f6e616d651203777777"
"1a110a0a6d6f64656c5f6e616d6512037777771a200a0c70726f647563745f6e616d65"
"12105769646576696e6543617354657374731a260a116172636869746563747572655f"
"6e616d6512116172636869746563747572655f6e616d651a1a0a0b6465766963655f6e"
"616d65120b6465766963655f6e616d653202280e12200a1e0a1c1a0d7769646576696e"
"655f746573742209436173547346616b655802180120e4edd4e105301538d3a2fbfe02"
"1a80020570d7809a297c640bc56234cfea3687e747dcbf8e6cc326de6a1102fecc43ec"
"674c02e5c8d31109a1ac7f2cb52f44a6b2b410a6d2632bb841ead6437be510efa7c8a5"
"02de1e734e057b9ac65eec6361afaf3b71f074ff37428580067d856d4bfbecef170d11"
"d5cb631bcf31193a66156b06a16119d0d19381cd57cacb0aeb6b6e5b3e427c8117be13"
"7b662332a1a80f48e599675325b5b8afd4010f7850ba332fa78eaf0ddeef7086890cce"
"194631e3d205cb459a7e1ff11b54791ef394b74fb8a729d0104b00e17b9e05c5d42fac"
"923f98d43aedc70ab0733039eb22f35c6961e4587085a14c4a9ace1db00508843e79ee"
"ba68321b559fbdfdf04c88813cdd";
const char kWidevineTestProvider[] = "widevine_test";
static const char hex_value[256] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0,
0, // '0'..'9'
0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'A'..'F'
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13,
14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 'a'..'f'
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
void a2b_hex(const char* a, char* b, int num) {
for (int i = 0; i < num; i++) {
b[i] = (hex_value[a[i * 2] & 0xFF] << 4) + (hex_value[a[i * 2 + 1] & 0xFF]);
}
}
std::string a2b_hex(const std::string& a) {
int len = a.size();
char* b = new char[len];
a2b_hex(a.data(), b, len);
// Binary length is half ascii length plus one byte if ascii length is odd.
std::string s(b, len / 2 + ((len % 2) ? 1 : 0));
delete[](b);
return s;
}
} // namespace
int main(int argc, char** argv) {
std::map<std::string, std::string> config_values;
config_values["drm_certificate_type"] = "test";
config_values["provider"] = kWidevineTestProvider;
widevine_server::wv_pl_sdk::WvPLCASProxyEnvironment environment(
config_values);
WvPLStatus status = environment.Initialize();
if (!status.ok()) {
std::cerr << "Environment failed to initialize. Exiting." << std::endl;
exit(status.error_code());
}
std::cout << "Environment created and initialized" << std::endl;
WvPLCASProxySession* wvpl_cas_proxy_session = nullptr;
status = environment.CreateSession(a2b_hex(kValidRequestFromCdm),
&wvpl_cas_proxy_session);
if (!status.ok()) {
std::cerr << "Session creation failed. Exiting. Error code = "
<< std::to_string(status.error_code()) << std::endl;
exit(status.error_code());
}
std::cout << "Session created." << std::endl;
std::string json_signed_cas_drm_request;
status = wvpl_cas_proxy_session->GenerateLicenseRequestAsJSON(
&json_signed_cas_drm_request);
if (!status.ok()) {
std::cerr << "Failed to generate license request. Exiting. Error code = "
<< std::to_string(status.error_code()) << std::endl;
exit(status.error_code());
}
std::cout
<< "Request to POST over HTTP(s) to "
"https://license.uat.widevine.com/cas/getlicense/widevine_test = "
<< json_signed_cas_drm_request << std::endl;
return 0;
}

BIN
example/wvpl_cas_proxy_session_example Normal file
View File

Binary file not shown.

23
example/wvpl_cas_proxy_session_example.cc Normal file
View File

@@ -0,0 +1,23 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2019 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Example of usage of wvpl_cas_proxy_session.
#include <iostream>
#include <string>
#include "media_cas_proxy_sdk/external/common/wvpl/wvpl_cas_proxy_session.h"
int main(int argc, char **argv) {
std::cout << "Session version: "
<< widevine_server::wv_pl_sdk::WvPLCASProxySession::
GetVersionString()
<< std::endl;
return 0;
}

BIN
libwvpl_cas_proxy.so Executable file
View File

Binary file not shown.

101
media_cas_proxy_sdk/external/common/wvpl/wvpl_cas_proxy_environment.h vendored Normal file
View File

@@ -0,0 +1,101 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2018 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_ENVIRONMENT_H_
#define MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_ENVIRONMENT_H_
#include <string>
#include "sdk/external/common/wvpl/wvpl_sdk_environment.h"
namespace widevine_server {
namespace wv_pl_sdk {
class WvPLCASProxySession;
/**
* Sets up an environment for partners who are using the Widevine CAS License
* Proxy SDK. This environment *must* be successfully created in order to work
* with the SDK API.
*
* Implements the following public API:
* - CreateSession()
* - SetDeviceCertificateStatusList()
*
* Example Usage:
* map<std::string, std::string> config_values;
* config_values.insert(std::make_pair(kDrmCertificateType, "prod");
* config_values.insert(std::make_pair(kProvider, "TEST_PROVIDER");
* config_values.insert(std::make_pair(kProviderIv, "TEST_IV"));
* config_values.insert(std::make_pair(kProviderKey, "TEST_KEY"));
* WvPLCASProxyEnvironment* wv_cas_proxy_environment =
* new WvPLCASProxyEnvironment(config_values);
* // This is the DeviceCertificateStatusList returned from a query to the
* // Widevine Certificate Provisioning Service (List API).
* std::string certificate_status_list = "TEST_CERTIFICATE_STATUS_LIST";
* wvpl_status = wvpl_cas_proxy_environment->SetDeviceCertificateStatusList(
* certificate_status_list);
* WvPLCASProxySession** wvpl_cas_proxy_session = nullptr;
* std::string license_request_from_cdm = "TEST_LICENSE_REQUEST";
* wvpl_status = wvpl_cas_proxy_environment->CreateSession(
* license_request_from_cdm, &wvpl_cas_proxy_session);
*/
class WvPLCASProxyEnvironment : public WvPLSDKEnvironment {
public:
/**
* Constructor.
*
* @param config_values
*/
explicit WvPLCASProxyEnvironment(
const std::map<std::string, std::string>& config_values);
/**
* Destructor.
*/
~WvPLCASProxyEnvironment() override;
/**
* One-time initialization. Must be called after creating the environment.
*/
virtual WvPLStatus Initialize();
/**
* Creates a session for the license request from the Widevine CDM.
*
* @param license_request_from_cdm
* @param session
*
* @return WvPLStatus enumeration
*/
virtual WvPLStatus CreateSession(const std::string& cas_license_request,
WvPLCASProxySession** cas_proxy_session);
/**
* Deletes the session
*
* @param session
*/
virtual void DestroySession(WvPLCASProxySession* cas_proxy_session) const;
/**
* Set the certificate status list system-wide.
* |cert_list| specifies the device certificate status
* list as std::string or certificate status list response from keysmith.
*
* @param cert_list
*
* @return WvPLStatus enumeration
*/
WvPLStatus SetDeviceCertificateStatusList(const std::string& cert_list) const;
};
} // namespace wv_pl_sdk
} // namespace widevine_server
#endif // MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_ENVIRONMENT_H_

118
media_cas_proxy_sdk/external/common/wvpl/wvpl_cas_proxy_session.h vendored Normal file
View File

@@ -0,0 +1,118 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2018 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_SESSION_H_
#define MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_SESSION_H_
#include <memory>
#include <string>
#include <vector>
#include "absl/synchronization/mutex.h"
#include "sdk/external/common/wvpl/wvpl_sdk_session.h"
namespace widevine {
class CasDrmLicenseRequest;
} // namespace widevine
namespace widevine_server {
namespace wv_pl_sdk {
constexpr uint32_t kMajorVersion = 1;
constexpr uint32_t kMinorVersion = 1;
constexpr uint32_t kRelease = 5;
/**
* Models a session for Widevine CAS Proxy functionality for
* communication with the Widevine License Service. The API allows a partner to
* inspect a license request and to generate a license request.
*
* Inherits the following "public" methods.
* - WvPLStatus AddKey(const WvPLKey& key);
* - const std::vector<WvPLKey>& key() const;
* - void set_policy(const WvPLPlaybackPolicy& policy);
* - const WvPLPlaybackPolicy& policy() const;
* - void set_session_init(const WvPLSessionInit& session_init);
* - const WvPLSessionInit& session_init();
* - WvPLStatus GetPsshData(WvPLWidevinePsshData* wvpl_widevine_pssh_data)
* const;
* - WvPLStatus GetClientInfo(WvPLClientInfo* client_info) const;
* - WvPLStatus GetClientCapabilities(WvPLClientCapabilities*
* client_capabilities) const;
* - WvPLStatus GetDeviceInfo(WvPLDeviceInfo* device_info) const;
* - MessageType message_type() const;
*
* "Implements" the following "public" methods.
* - bool IsChromeCDM() const;
* - PlatformVerificationStatus VerifyPlatform();
*/
class WvPLCASProxySession : public WvPLSDKSession {
public:
~WvPLCASProxySession() override;
/**
* Returns a std::string containing the version in the form -
* <major_version>.<minor_version>.<release>
*/
static std::string GetVersionString();
/**
* Returns whether the CAS license request originated from Widevine Chrome
* CDM. Since MediaCAS is part of the Android framework, this method would
* return "false" for requests from AndroidTV.
*/
bool IsChromeCDM() const override;
/**
* Returns the enum PlatformVerificationStatus for the CAS license request
* from the Widevine CDM. Since CAS license requests do not require client
* platform verification currently, this method would return
* PLATFORM_NO_VERIFICATION.
*/
PlatformVerificationStatus VerifyPlatform() override;
/**
* Returns license request as a JSON string. This std::string is placed in
* |license_request|, if successful. Returns OK status upon success, else an
* error status.
*/
WvPLStatus GenerateLicenseRequestAsJSON(std::string* license_request);
/**
* Adds a key to the WvPLCasKey collection.
*/
WvPLStatus AddCasKey(const WvPLCasKey& key);
private:
friend class WvPLCASProxyEnvironment;
friend class WvPLCASProxyEnvironmentTest;
friend class WvPLCASProxySessionTest;
WvPLCASProxySession(
const widevine::DrmRootCertificate* drm_root_certificate,
const std::string& cas_license_request_from_cdm);
WvPLStatus BuildCasDrmLicenseRequest(
widevine::CasDrmLicenseRequest* cas_drm_license_request);
void set_provider(const std::string& provider) { provider_ = provider; }
// name of the provider hosting this service.
std::string provider_;
// holds all the WvPLCasKey objects. Used when generating a CAS License.
std::vector<WvPLCasKey> cas_keys_;
// Mutex to protect the keys, |cas_keys_|, owned by this session.
mutable std::unique_ptr<absl::Mutex> cas_keys_mutex_;
};
} // namespace wv_pl_sdk
} // namespace widevine_server
#endif // MEDIA_CAS_PROXY_SDK_EXTERNAL_COMMON_WVPL_WVPL_CAS_PROXY_SESSION_H_

282
protos/public/BUILD Normal file
View File

@@ -0,0 +1,282 @@
################################################################################
# Copyright 2018 Google LLC.
#
# This software is licensed under the terms defined in the Widevine Master
# License Agreement. For a copy of this agreement, please contact
# widevine-licensing@google.com.
################################################################################
# Protocol buffer definitions for Widevine Services Proxy SDK.
package(default_visibility = ["//visibility:public"])
filegroup(
name = "binary_release_files",
srcs = glob(["**"]),
)
# TODO(user): Remove unnecessary proto targets in this file
# once cl/216707967 is submitted.
proto_library(
name = "exported_proxy_sdk_proto",
srcs = [
"client_identification.proto",
"device_certificate_status.proto",
"drm_certificate.proto",
"errors.proto",
"sdk_stats.proto",
"license_protocol.proto",
"license_server_sdk.proto",
"provisioned_device_info.proto",
"remote_attestation.proto",
"signed_device_info.proto",
"signed_drm_certificate.proto",
"verified_media_pipeline.proto",
"widevine_pssh.proto",
"license_services.proto",
"media_cas_encryption.proto",
"media_cas_license.proto",
],
)
java_proto_library(
name = "exported_proxy_sdk_java_proto",
deps = [":exported_proxy_sdk_proto"],
)
proto_library(
name = "license_services_proto",
srcs = ["license_services.proto"],
deps = [
":client_identification_proto",
":license_protocol_proto",
":license_server_sdk_proto",
":errors_proto",
],
)
cc_proto_library(
name = "license_services_cc_proto",
deps = [":license_services_proto"],
)
java_proto_library(
name = "license_services_java_proto",
deps = [":license_services_proto"],
)
proto_library(
name = "client_identification_proto",
srcs = ["client_identification.proto"],
)
cc_proto_library(
name = "client_identification_cc_proto",
deps = [":client_identification_proto"],
)
java_proto_library(
name = "client_identification_java_proto",
deps = [":client_identification_proto"],
)
proto_library(
name = "device_certificate_status_proto",
srcs = ["device_certificate_status.proto"],
deps = [":provisioned_device_info_proto"],
)
cc_proto_library(
name = "device_certificate_status_cc_proto",
deps = [":device_certificate_status_proto"],
)
java_proto_library(
name = "device_certificate_status_java_proto",
deps = [":device_certificate_status_proto"],
)
proto_library(
name = "sdk_stats_proto",
srcs = ["sdk_stats.proto"],
)
cc_proto_library(
name = "sdk_stats_cc_proto",
deps = [":sdk_stats_proto"],
)
java_proto_library(
name = "sdk_stats_java_proto",
deps = [":sdk_stats_proto"],
)
proto_library(
name = "drm_certificate_proto",
srcs = ["drm_certificate.proto"],
)
cc_proto_library(
name = "drm_certificate_cc_proto",
deps = [":drm_certificate_proto"],
)
java_proto_library(
name = "drm_certificate_java_proto",
deps = [":drm_certificate_proto"],
)
proto_library(
name = "errors_proto",
srcs = ["errors.proto"],
)
cc_proto_library(
name = "errors_cc_proto",
deps = [":errors_proto"],
)
java_proto_library(
name = "errors_java_proto",
deps = [":errors_proto"],
)
proto_library(
name = "license_protocol_proto",
srcs = ["license_protocol.proto"],
deps = [
":client_identification_proto",
":remote_attestation_proto",
],
)
cc_proto_library(
name = "license_protocol_cc_proto",
deps = [":license_protocol_proto"],
)
java_proto_library(
name = "license_protocol_java_proto",
deps = [":license_protocol_proto"],
)
proto_library(
name = "license_server_sdk_proto",
srcs = ["license_server_sdk.proto"],
deps = [":license_protocol_proto",
":widevine_pssh_proto"],
)
cc_proto_library(
name = "license_server_sdk_cc_proto",
deps = [":license_server_sdk_proto"],
)
java_proto_library(
name = "license_server_sdk_java_proto",
deps = [":license_server_sdk_proto"],
)
proto_library(
name = "provisioned_device_info_proto",
srcs = ["provisioned_device_info.proto"],
)
cc_proto_library(
name = "provisioned_device_info_cc_proto",
deps = [":provisioned_device_info_proto"],
)
java_proto_library(
name = "provisioned_device_info_java_proto",
deps = [":provisioned_device_info_proto"],
)
proto_library(
name = "remote_attestation_proto",
srcs = ["remote_attestation.proto"],
deps = [":client_identification_proto"],
)
cc_proto_library(
name = "remote_attestation_cc_proto",
deps = [":remote_attestation_proto"],
)
java_proto_library(
name = "remote_attestation_java_proto",
deps = [":remote_attestation_proto"],
)
proto_library(
name = "signed_device_info_proto",
srcs = ["signed_device_info.proto"],
)
cc_proto_library(
name = "signed_device_info_cc_proto",
deps = [":signed_device_info_proto"],
)
proto_library(
name = "signed_drm_certificate_proto",
srcs = ["signed_drm_certificate.proto"],
)
cc_proto_library(
name = "signed_drm_certificate_cc_proto",
deps = [":signed_drm_certificate_proto"],
)
proto_library(
name = "verified_media_pipeline_proto",
srcs = ["verified_media_pipeline.proto"],
)
cc_proto_library(
name = "verified_media_pipeline_cc_proto",
deps = [":verified_media_pipeline_proto"],
)
proto_library(
name = "widevine_pssh_proto",
srcs = ["widevine_pssh.proto"],
)
cc_proto_library(
name = "widevine_pssh_cc_proto",
deps = [":widevine_pssh_proto"],
)
java_proto_library(
name = "widevine_pssh_java_proto",
deps = [":widevine_pssh_proto"],
)
proto_library(
name = "media_cas_license_proto",
srcs = ["media_cas_license.proto"],
deps = [
":license_protocol_proto",
":license_server_sdk_proto",
":errors_proto",
":media_cas_encryption_proto",
],
)
cc_proto_library(
name = "media_cas_license_cc_proto",
deps = [":media_cas_license_proto"],
)
proto_library(
name = "media_cas_encryption_proto",
srcs = ["media_cas_encryption.proto"],
)
cc_proto_library(
name = "media_cas_encryption_cc_proto",
deps = [":media_cas_encryption_proto"],
)

120
protos/public/client_identification.proto Normal file
View File

@@ -0,0 +1,120 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// ClientIdentification messages used by provisioning and license protocols.
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.protos";
option java_outer_classname = "ClientIdentificationProtos";
// ClientIdentification message used to authenticate the client device.
message ClientIdentification {
enum TokenType {
KEYBOX = 0;
DRM_DEVICE_CERTIFICATE = 1;
REMOTE_ATTESTATION_CERTIFICATE = 2;
OEM_DEVICE_CERTIFICATE = 3;
}
message NameValue {
optional string name = 1;
optional string value = 2;
}
// Capabilities which not all clients may support. Used for the license
// exchange protocol only.
message ClientCapabilities {
enum HdcpVersion {
HDCP_NONE = 0;
HDCP_V1 = 1;
HDCP_V2 = 2;
HDCP_V2_1 = 3;
HDCP_V2_2 = 4;
HDCP_V2_3 = 5;
HDCP_NO_DIGITAL_OUTPUT = 0xff;
}
enum CertificateKeyType {
RSA_2048 = 0;
RSA_3072 = 1;
}
enum AnalogOutputCapabilities {
ANALOG_OUTPUT_UNKNOWN = 0;
ANALOG_OUTPUT_NONE = 1;
ANALOG_OUTPUT_SUPPORTED = 2;
ANALOG_OUTPUT_SUPPORTS_CGMS_A = 3;
}
optional bool client_token = 1 [default = false];
optional bool session_token = 2 [default = false];
optional bool video_resolution_constraints = 3 [default = false];
optional HdcpVersion max_hdcp_version = 4 [default = HDCP_NONE];
optional uint32 oem_crypto_api_version = 5;
// Client has hardware support for protecting the usage table, such as
// storing the generation number in secure memory. For Details, see:
// https://docs.google.com/document/d/1Mm8oB51SYAgry62mEuh_2OEkabikBiS61kN7HsDnh9Y/edit#heading=h.xgjl2srtytjt
optional bool anti_rollback_usage_table = 6 [default = false];
// The client shall report |srm_version| if available.
optional uint32 srm_version = 7;
// A device may have SRM data, and report a version, but may not be capable
// of updating SRM data.
optional bool can_update_srm = 8 [default = false];
repeated CertificateKeyType supported_certificate_key_type = 9;
optional AnalogOutputCapabilities analog_output_capabilities = 10
[default = ANALOG_OUTPUT_UNKNOWN];
optional bool can_disable_analog_output = 11 [default = false];
// Clients can indicate a performance level supported by OEMCrypto.
// This will allow applications and providers to choose an appropriate
// quality of content to serve. Currently defined tiers are
// 1 (low), 2 (medium) and 3 (high). Any other value indicate that
// the resource rating is unavailable or reporting erroneous values
// for that device. For details see,
// https://docs.google.com/document/d/1wodSYK-Unj3AgTSXqujWuBCAFC00qF85G1AhfLtqdko
optional uint32 resource_rating_tier = 12 [default = 0];
}
// Type of factory-provisioned device root of trust. Optional.
optional TokenType type = 1 [default = KEYBOX];
// Factory-provisioned device root of trust. Required.
optional bytes token = 2;
// Optional client information name/value pairs.
repeated NameValue client_info = 3;
// Client token generated by the content provider. Optional.
optional bytes provider_client_token = 4;
// Number of licenses received by the client to which the token above belongs.
// Only present if client_token is specified.
optional uint32 license_counter = 5;
// List of non-baseline client capabilities.
optional ClientCapabilities client_capabilities = 6;
// Serialized VmpData message. Optional.
optional bytes vmp_data = 7;
}
// EncryptedClientIdentification message used to hold ClientIdentification
// messages encrypted for privacy purposes.
message EncryptedClientIdentification {
// Provider ID for which the ClientIdentifcation is encrypted (owner of
// service certificate).
optional string provider_id = 1;
// Serial number for the service certificate for which ClientIdentification is
// encrypted.
optional bytes service_certificate_serial_number = 2;
// Serialized ClientIdentification message, encrypted with the privacy key
// using AES-128-CBC with PKCS#5 padding.
optional bytes encrypted_client_id = 3;
// Initialization vector needed to decrypt encrypted_client_id.
optional bytes encrypted_client_id_iv = 4;
// AES-128 privacy key, encrypted with the service public key using RSA-OAEP.
optional bytes encrypted_privacy_key = 5;
}

74
protos/public/device_certificate_status.proto Normal file
View File

@@ -0,0 +1,74 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
//
// Description:
// Device certificate status list object definitions.
syntax = "proto2";
package widevine;
import "protos/public/provisioned_device_info.proto";
option java_outer_classname = "DeviceCertificateStatusProtos";
option java_package = "com.google.video.widevine.protos";
// Contains DRM and OEM certificate status and device information for a
// specific system ID.
// TODO(user): Move this to its own file.
message DeviceCertificateStatus {
enum DeprecatedStatus {
DEPRECATED_VALID = 0;
DEPRECATED_REVOKED = 1;
}
enum Status {
STATUS_UNKNOWN = 0;
STATUS_IN_TESTING = 10; // Pre-release, active device.
STATUS_RELEASED = 20; // Released, active device.
STATUS_TEST_ONLY = 30; // Development-only device.
STATUS_REVOKED = 40; // Revoked device.
}
// Serial number of the intermediate DrmCertificate to which this
// message refers. Required.
optional bytes drm_serial_number = 1;
// Status of the certificate. Optional & deprecated in favor of |status|
// below.
optional DeprecatedStatus deprecated_status = 2 [default = DEPRECATED_VALID];
// Device model information about the device to which the intermediate
// certificate(s) correspond.
optional ProvisionedDeviceInfo device_info = 4;
// Serial number of the OEM X.509 intermediate certificate for this type
// of device. Present only if the device is OEM-provisioned.
optional bytes oem_serial_number = 5;
// Status of the device. Optional.
optional Status status = 6 [default = STATUS_UNKNOWN];
}
// List of DeviceCertificateStatus. Used to propagate certificate revocation
// status and device information.
message DeviceCertificateStatusList {
// POSIX time, in seconds, when the list was created. Required.
optional uint32 creation_time_seconds = 1;
// DeviceCertificateStatus for each system ID.
repeated DeviceCertificateStatus certificate_status = 2;
// The duration for this device certificate status list in seconds. Within
// this grace period, content provider can set device certificate status list
// in the SDK. The default time is 7 days.
optional uint32 duration_time_seconds = 3;
}
// Signed CertificateStatusList
message SignedDeviceCertificateStatusList {
// Serialized DeviceCertificateStatusList. Required.
optional bytes certificate_status_list = 1;
// Signature of certificate_status_list. Signed with root certificate private
// key using RSASSA-PSS. Required.
optional bytes signature = 2;
}

61
protos/public/drm_certificate.proto Normal file
View File

@@ -0,0 +1,61 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// DRM certificate object definition.
syntax = "proto2";
package widevine;
option java_outer_classname = "DrmCertificateProtos";
option java_package = "com.google.video.widevine.protos";
// DRM certificate definition for user devices, intermediate, service, and root
// certificates.
message DrmCertificate {
enum Type {
ROOT = 0; // ProtoBestPractices: ignore.
DEVICE_MODEL = 1;
DEVICE = 2;
SERVICE = 3;
PROVISIONER = 4;
}
enum ServiceType {
UNKNOWN_SERVICE_TYPE = 0;
LICENSE_SERVER_SDK = 1;
LICENSE_SERVER_PROXY_SDK = 2;
PROVISIONING_SDK = 3;
CAS_PROXY_SDK = 4;
}
// Type of certificate. Required.
optional Type type = 1;
// 128-bit globally unique serial number of certificate.
// Value is 0 for root certificate. Required.
optional bytes serial_number = 2;
// POSIX time, in seconds, when the certificate was created. Required.
optional uint32 creation_time_seconds = 3;
// Device public key. PKCS#1 ASN.1 DER-encoded. Required.
optional bytes public_key = 4;
// Widevine system ID for the device. Required for intermediate and
// user device certificates.
optional uint32 system_id = 5;
// Deprecated field, which used to indicate whether the device was a test
// (non-production) device. The test_device field in ProvisionedDeviceInfo
// below should be observed instead.
optional bool test_device_deprecated = 6 [deprecated = true];
// Service identifier (web origin) for the provider which owns the
// certificate. Required for service and provisioner certificates.
optional string provider_id = 7;
// This field is used only when type = SERVICE to specify which SDK uses
// service certificate. This repeated field is treated as a set. A certificate
// may be used for the specified service SDK if the appropriate ServiceType
// is specified in this field.
repeated ServiceType service_types = 8;
}

255
protos/public/errors.proto Normal file
View File

@@ -0,0 +1,255 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Definitions of the common Widevine protocol errors.
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.protos";
enum Errors {
// Attempt to parse the signed message failed.
SIGNED_MESSAGE_PARSE_ERROR = 100;
// Attempt to parse the license request message failed.
LICENSE_REQUEST_PARSE_ERROR = 101;
// Attempt to parse the session state message failed.
SESSION_STATE_PARSE_ERROR = 102;
// The license request does not contain content_id. Since client_id was
// not present, content_id was expected.
MISSING_CONTENT_ID = 103;
// The license request does not contain license_id. Since client_id was
// not present, license_id was expected.
MISSING_LICENSE_ID = 104;
// The license request does not contain client_id. Since this is not a
// renewal, client_id was expected.
MISSING_CLIENT_ID = 105;
// ClientCert construction failed.
INVALID_SIGNATURE = 106;
// Session Id from the session state does not match session Id specified.
SESSION_ID_MISMATCH = 107;
// License Id from session state does not match license Id in the renewal
// license request.
RENEWAL_LICENSE_ID_MISMATCH = 108;
// Signing key is missing from the session state.
MISSING_RENEWAL_SIGNING_KEY = 109;
// Signature verification failed when using the session's state signing key.
INVALID_RENEWAL_SIGNATURE = 110;
// System Id from the keybox is not supported.
UNSUPPORTED_SYSTEM_ID = 111;
// Error trying to encrypt.
ENCRYPT_ERROR = 112;
// Error trying to decrypt the keybox.
KEYBOX_DECRYPT_ERROR = 113;
// Client Id type is not expected.
INVALID_CLIENT_CERT_TYPE = 114;
// Error usung the keybox token. Perhaps the size is less than 72 bytes.
INVALID_KEYBOX_TOKEN = 115;
// Unable to find a preprovisionnig key based on the system Id. Perhaps the
// device was revoked.
MISSING_PRE_PROV_KEY = 116;
// Unable to verify the token hash.
TOKEN_HASH_MISMATCH = 117;
// Unable to create the encryption key for the initial license.
MISSING_ENCRYPTION_KEY = 118;
// Signing key is missing from the session state.
MISSING_SIGNING_KEY = 119;
// Serialization failed.
UNABLE_TO_SERIALIZE_SIGNED_MESSAGE = 120;
// Serialization failed.
UNABLE_TO_SERIALIZE_SESSION_STATE = 121;
// Client cert is missing. Perhaps an attempt to renew with content keys.
MISSING_CLIENT_CERT = 122;
// Attempt to use GenerateSignedLicense() for license renewal containing
// content keys.
RENEWAL_WITH_CONTENT_KEYS_NOT_ALLOWED = 123;
// Invalid Nonce, expected as a 32 bit unsigned int.
INVALID_KEY_CONTROL_NONCE = 124;
// Invalid renewal signing key size. For protocol version 2_0, size must be 32
// bytes. For protocol version 2_1, size must be 64 bytes.
INVALID_RENEWAL_SIGNING_KEY_SIZE = 125;
// Invalid Device Certificate token. Perhaps the intermediate cert was
// replaced or the device cert is corrupt. Will result in re-provisioning.
INVALID_DRM_CERTIFICATE = 126;
// Device Certificate was revoked.
DRM_DEVICE_CERTIFICATE_REVOKED = 127;
// Device Certificate not in the certificate status list, and unknown
// devices are not allowed.
DRM_DEVICE_CERTIFICATE_UNKNOWN = 128;
// Invalid Certificate status list.
INVALID_CERTIFICATE_STATUS_LIST = 129;
// Expired Certificate status list.
EXPIRED_CERTIFICATE_STATUS_LIST = 130;
// KeyControl block generation failed.
KEYCONTROL_GENERATION_ERROR = 131;
// The device root certificate was not set.
ROOT_CERTIFICATE_NOT_SET = 132;
// The service certificate is invalid.
INVALID_SERVICE_CERTIFICATE = 133;
// Service certificate not found.
SERVICE_CERTIFICATE_NOT_FOUND = 134;
// Invalid EncryptedClientIdentification message.
INVALID_ENCRYPTED_CLIENT_IDENTIFICATION = 135;
// No service certificates have been added.
SERVICE_CERTIFICATE_NOT_SET = 136;
// Could not process service private key.
INVALID_SERVICE_PRIVATE_KEY = 137;
// ClientIdentification and EncryptedClientIdentification were specified.
MULTIPLE_CLIENT_ID = 138;
// Message is a service certificate request.
SERVICE_CERTIFICATE_REQUEST_MESSAGE = 139;
// Invalid message type
INVALID_MESSAGE_TYPE = 140;
// Remote attestation verification failed.
REMOTE_ATTESTATION_FAILED = 141;
// can_play = true for license RELEASE response.
INVALID_RELEASE_CAN_PLAY_VALUE = 142;
// can_persist = false for offline license.
INVALID_OFFLINE_CAN_PERSIST = 143;
// Session usage table entry is malformed.
INVALID_SESSION_USAGE_TABLE_ENTRY = 144;
// Session usage table entry signature verification failed.
INVALID_SESSION_USAGE_SIGNATURE = 145;
// The type of ContentIdentification is unrecognized
INVALID_CONTENT_ID_TYPE = 146;
// Unknown InitData type.
UNKNOWN_INIT_DATA_TYPE = 147;
// InitData.init_data field is missing.
MISSING_INIT_DATA = 148;
// InitData contains invalid ISO BMFF boxes.
INVALID_CENC_INIT_DATA = 149;
// Malformed PSSH box.
INVALID_PSSH = 150;
// PSSH box version not supported.
UNSUPPORTED_PSSH_VERSION = 151;
// Widevine PSSH Data malformed.
INVALID_WIDEVINE_PSSH_DATA = 152;
// Device capabilities are too low for the specified output protection.
DEVICE_CAPABILITIES_TOO_LOW = 153;
// Invalid master signing key size. Must be 16 bytes.
INVALID_MASTER_SIGNING_KEY_SIZE = 154;
// Invalid signing key size. Must be 64 bytes.
INVALID_SIGNING_KEY_SIZE = 155;
// Keybox tokens not intialized. PreProvisioning keys not loaded.
KEYBOX_TOKEN_KEYS_NOT_INITIALIZED = 156;
// Provider Id in device certificate does not match service Id for License
// server. Check cert used when initializing with AddDrmServiceCertificate().
PROVIDER_ID_MISMATCH = 157;
// Certificate chain not selected.
CERT_CHAIN_NOT_SELECTED = 158;
// Failed to read the SRM file from specified location.
INVALID_SRM_LOCATION = 159;
// Invalid SRM file size, HDCP2 SRM file must be at least 396 bytes.
INVALID_SRM_SIZE = 160;
// SRM file signature validation failed.
INVALID_SRM_SIGNATURE = 161;
// Unable to find provider.
MISSING_PROVIDER = 162;
// Unable to find group master key id.
MISSING_GROUP_MASTER_KEY_ID = 163;
// Unable to find group master key.
MISSING_GROUP_MASTER_KEY = 164;
// Invalid Provider session token size. Must be less than 256 bytes.
INVALID_PROVIDER_SESSION_TOKEN_SIZE = 165;
// Failure to decrypt data with service certificate private key.
SERVICE_PRIVATE_KEY_DECRYPT_ERROR = 166;
// Disallowed development certificate.
DEVELOPMENT_CERTIFICATE_NOT_ALLOWED = 167;
// Invalid message. E.g. Deserialization failed.
INVALID_MESSAGE = 168;
// Invalid key size.
INVALID_KEY_SIZE = 169;
// Invalid method parameter.
INVALID_PARAMETER = 170;
// Even KeyID not specified, CasEncryptionResponse.KeyInfo.KeySlot
MISSING_EVEN_KEY_ID = 171;
// Even Key not specified, CasEncryptionResponse.KeyInfo.KeySlot
MISSING_EVEN_KEY = 172;
// VMP verification required for this platform, however VMP data is missing.
VMP_ERROR_PLATFORM_NOT_VERIFIED = 173;
// VMP verification failed this platform, perhaps was tampered with.
VMP_ERROR_PLATFORM_TAMPERED = 174;
}

419
protos/public/license_protocol.proto Normal file
View File

@@ -0,0 +1,419 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Definitions of the protocol buffer messages used in the Widevine license
// exchange protocol, described in Widevine license exchange protocol document
// TODO(user): find out a right way to strip out all the doc link.
syntax = "proto2";
package widevine;
import "protos/public/client_identification.proto";
import "protos/public/remote_attestation.proto";
option java_package = "com.google.video.widevine.protos";
// option optimize_for = LITE_RUNTIME;
enum LicenseType {
STREAMING = 1;
OFFLINE = 2;
}
enum PlatformVerificationStatus {
// The platform is not verified.
PLATFORM_UNVERIFIED = 0;
// Tampering detected on the platform.
PLATFORM_TAMPERED = 1;
// The platform has been verified by means of software.
PLATFORM_SOFTWARE_VERIFIED = 2;
// The platform has been verified by means of hardware (e.g. secure boot).
PLATFORM_HARDWARE_VERIFIED = 3;
// Platform verification was not performed.
PLATFORM_NO_VERIFICATION = 4;
// Platform and secure storage capability have been verified by means of
// software.
PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED = 5;
}
// LicenseIdentification is propagated from LicenseRequest to License,
// incrementing version with each iteration.
message LicenseIdentification {
optional bytes request_id = 1;
optional bytes session_id = 2;
optional bytes purchase_id = 3;
optional LicenseType type = 4;
optional int32 version = 5;
optional bytes provider_session_token = 6;
}
message License {
// LINT.IfChange
message Policy {
// Indicates that playback of the content is allowed.
optional bool can_play = 1 [default = false];
// Indicates that the license may be persisted to non-volatile
// storage for offline use.
optional bool can_persist = 2 [default = false];
// Indicates that renewal of this license is allowed.
optional bool can_renew = 3 [default = false];
// For the |*duration*| fields, playback must halt when
// license_start_time (seconds since the epoch (UTC)) +
// license_duration_seconds is exceeded. A value of 0
// indicates that there is no limit to the duration.
// Indicates the rental window.
optional int64 rental_duration_seconds = 4 [default = 0];
// Indicates the viewing window, once playback has begun.
optional int64 playback_duration_seconds = 5 [default = 0];
// Indicates the time window for this specific license.
optional int64 license_duration_seconds = 6 [default = 0];
// The |renewal*| fields only apply if |can_renew| is true.
// The window of time, in which playback is allowed to continue while
// renewal is attempted, yet unsuccessful due to backend problems with
// the license server.
optional int64 renewal_recovery_duration_seconds = 7 [default = 0];
// All renewal requests for this license shall be directed to the
// specified URL.
optional string renewal_server_url = 8;
// How many seconds after license_start_time, before renewal is first
// attempted.
optional int64 renewal_delay_seconds = 9 [default = 0];
// Specifies the delay in seconds between subsequent license
// renewal requests, in case of failure.
optional int64 renewal_retry_interval_seconds = 10 [default = 0];
// Indicates that the license shall be sent for renewal when usage is
// started.
optional bool renew_with_usage = 11 [default = false];
// Indicates to client that license renewal and release requests ought to
// include ClientIdentification (client_id).
optional bool always_include_client_id = 12 [default = false];
// Duration of grace period before playback_duration_seconds (short window)
// goes into effect. Optional.
optional int64 play_start_grace_period_seconds = 13 [default = 0];
// Enables "soft enforcement" of playback_duration_seconds, letting the user
// finish playback even if short window expires. Optional.
optional bool soft_enforce_playback_duration = 14 [default = false];
}
message KeyContainer {
enum KeyType {
SIGNING = 1; // Exactly one key of this type must appear.
CONTENT = 2; // Content key.
KEY_CONTROL = 3; // Key control block for license renewals. No key.
OPERATOR_SESSION = 4; // wrapped keys for auxiliary crypto operations.
ENTITLEMENT = 5; // Entitlement keys.
OEM_CONTENT = 6; // Partner-specific content key.
}
// The SecurityLevel enumeration allows the server to communicate the level
// of robustness required by the client, in order to use the key.
enum SecurityLevel {
// Software-based whitebox crypto is required.
SW_SECURE_CRYPTO = 1;
// Software crypto and an obfuscated decoder is required.
SW_SECURE_DECODE = 2;
// The key material and crypto operations must be performed within a
// hardware backed trusted execution environment.
HW_SECURE_CRYPTO = 3;
// The crypto and decoding of content must be performed within a hardware
// backed trusted execution environment.
HW_SECURE_DECODE = 4;
// The crypto, decoding and all handling of the media (compressed and
// uncompressed) must be handled within a hardware backed trusted
// execution environment.
HW_SECURE_ALL = 5;
}
message KeyControl {
// If present, the key control must be communicated to the secure
// environment prior to any usage. This message is automatically generated
// by the Widevine License Server SDK.
optional bytes key_control_block = 1;
optional bytes iv = 2;
}
message OutputProtection {
// Indicates whether HDCP is required on digital outputs, and which
// version should be used.
enum HDCP {
HDCP_NONE = 0;
HDCP_V1 = 1;
HDCP_V2 = 2;
HDCP_V2_1 = 3;
HDCP_V2_2 = 4;
HDCP_V2_3 = 5;
HDCP_NO_DIGITAL_OUTPUT = 0xff;
}
optional HDCP hdcp = 1 [default = HDCP_NONE];
// Indicate the CGMS setting to be inserted on analog output.
enum CGMS {
CGMS_NONE = 42;
COPY_FREE = 0;
COPY_ONCE = 2;
COPY_NEVER = 3;
}
optional CGMS cgms_flags = 2 [default = CGMS_NONE];
enum HdcpSrmRule {
HDCP_SRM_RULE_NONE = 0;
// In 'required_protection', this means most current SRM is required.
// Update the SRM on the device. If update cannot happen,
// do not allow the key.
// In 'requested_protection', this means most current SRM is requested.
// Update the SRM on the device. If update cannot happen,
// allow use of the key anyway.
CURRENT_SRM = 1;
}
optional HdcpSrmRule hdcp_srm_rule = 3 [default = HDCP_SRM_RULE_NONE];
// Optional requirement to indicate analog output is not allowed.
optional bool disable_analog_output = 4 [default = false];
// Optional requirement to indicate digital output is not allowed.
optional bool disable_digital_output = 5 [default = false];
}
message VideoResolutionConstraint {
// Minimum and maximum video resolutions in the range (height x width).
optional uint32 min_resolution_pixels = 1;
optional uint32 max_resolution_pixels = 2;
// Optional output protection requirements for this range. If not
// specified, the OutputProtection in the KeyContainer applies.
optional OutputProtection required_protection = 3;
}
message OperatorSessionKeyPermissions {
// Permissions/key usage flags for operator service keys
// (type = OPERATOR_SESSION).
optional bool allow_encrypt = 1 [default = false];
optional bool allow_decrypt = 2 [default = false];
optional bool allow_sign = 3 [default = false];
optional bool allow_signature_verify = 4 [default = false];
}
optional bytes id = 1;
optional bytes iv = 2;
optional bytes key = 3;
optional KeyType type = 4;
optional SecurityLevel level = 5 [default = SW_SECURE_CRYPTO];
optional OutputProtection required_protection = 6;
// NOTE: Use of requested_protection is not recommended as it is only
// supported on a small number of platforms.
optional OutputProtection requested_protection = 7;
optional KeyControl key_control = 8;
optional OperatorSessionKeyPermissions operator_session_key_permissions = 9;
// Optional video resolution constraints. If the video resolution of the
// content being decrypted/decoded falls within one of the specified ranges,
// the optional required_protections may be applied. Otherwise an error will
// be reported.
// NOTE: Use of this feature is not recommended, as it is only supported on
// a small number of platforms.
repeated VideoResolutionConstraint video_resolution_constraints = 10;
// Optional flag to indicate the key must only be used if the client
// supports anti rollback of the user table. Content provider can query the
// client capabilities to determine if the client support this feature.
optional bool anti_rollback_usage_table = 11 [default = false];
// Optional not limited to commonly known track types such as SD, HD.
// It can be some provider defined label to identify the track.
optional string track_label = 12;
}
optional LicenseIdentification id = 1;
optional Policy policy = 2;
repeated KeyContainer key = 3;
// Time of the request in seconds (UTC) as set in
// LicenseRequest.request_time. If this time is not set in the request,
// the local time at the license service is used in this field.
optional int64 license_start_time = 4;
// TODO(b/65054419): Deprecate remote_attestation_verified in favor of
// platform_verification_status, below.
optional bool remote_attestation_verified = 5 [default = false];
// Client token generated by the content provider. Optional.
optional bytes provider_client_token = 6;
// 4cc code specifying the CENC protection scheme as defined in the CENC 3.0
// specification. Propagated from Widevine PSSH box. Optional.
optional uint32 protection_scheme = 7;
// 8 byte verification field "HDCPDATA" followed by unsigned 32 bit minimum
// HDCP SRM version (whether the version is for HDCP1 SRM or HDCP2 SRM
// depends on client max_hdcp_version).
optional bytes srm_requirement = 8;
// If present this contains a signed SRM file (either HDCP1 SRM or HDCP2 SRM
// depending on client max_hdcp_version) that should be installed on the
// client device.
optional bytes srm_update = 9;
// Indicates the status of any type of platform verification performed by the
// server.
optional PlatformVerificationStatus platform_verification_status = 10
[default = PLATFORM_NO_VERIFICATION];
// IDs of the groups for which keys are delivered in this license, if any.
repeated bytes group_ids = 11;
}
enum ProtocolVersion {
VERSION_2_0 = 20;
VERSION_2_1 = 21;
VERSION_2_2 = 22;
}
message LicenseRequest {
message ContentIdentification {
message WidevinePsshData {
repeated bytes pssh_data = 1;
optional LicenseType license_type = 2;
optional bytes request_id = 3; // Opaque, client-specified.
}
message WebmKeyId {
optional bytes header = 1;
optional LicenseType license_type = 2;
optional bytes request_id = 3; // Opaque, client-specified.
}
message ExistingLicense {
optional LicenseIdentification license_id = 1;
optional int64 seconds_since_started = 2;
optional int64 seconds_since_last_played = 3;
optional bytes session_usage_table_entry = 4;
}
message InitData {
enum InitDataType {
CENC = 1;
WEBM = 2;
}
optional InitDataType init_data_type = 1 [default = CENC];
optional bytes init_data = 2;
optional LicenseType license_type = 3;
optional bytes request_id = 4;
}
oneof content_id_variant {
// Exactly one of these must be present.
WidevinePsshData widevine_pssh_data = 1;
WebmKeyId webm_key_id = 2;
ExistingLicense existing_license = 3;
InitData init_data = 4;
}
}
enum RequestType {
NEW = 1;
RENEWAL = 2;
RELEASE = 3;
}
// The client_id provides information authenticating the calling device. It
// contains the Widevine keybox token that was installed on the device at the
// factory. This field or encrypted_client_id below is required for a valid
// license request, but both should never be present in the same request.
optional ClientIdentification client_id = 1;
optional ContentIdentification content_id = 2;
optional RequestType type = 3;
// Time of the request in seconds (UTC) as set by the client.
optional int64 request_time = 4;
// Old-style decimal-encoded string key control nonce.
optional bytes key_control_nonce_deprecated = 5;
optional ProtocolVersion protocol_version = 6 [default = VERSION_2_0];
// New-style uint32 key control nonce, please use instead of
// key_control_nonce_deprecated.
optional uint32 key_control_nonce = 7;
// Encrypted ClientIdentification message, used for privacy purposes.
optional EncryptedClientIdentification encrypted_client_id = 8;
}
message LicenseError {
enum Error {
// The device credentials are invalid. The device must re-provision.
INVALID_DRM_DEVICE_CERTIFICATE = 1;
// The device credentials have been revoked. Re-provisioning is not
// possible.
REVOKED_DRM_DEVICE_CERTIFICATE = 2;
// The service is currently unavailable due to the backend being down
// or similar circumstances.
SERVICE_UNAVAILABLE = 3;
}
optional Error error_code = 1;
}
message MetricData {
enum MetricType {
// The time spent in the 'stage', specified in microseconds.
LATENCY = 1;
// The UNIX epoch timestamp at which the 'stage' was first accessed in
// microseconds.
TIMESTAMP = 2;
}
message TypeValue {
optional MetricType type = 1;
// The value associated with 'type'. For example if type == LATENCY, the
// value would be the time in microseconds spent in this 'stage'.
optional int64 value = 2 [default = 0];
}
// 'stage' that is currently processing the SignedMessage. Required.
optional string stage_name = 1;
// metric and associated value.
repeated TypeValue metric_data = 2;
}
message VersionInfo {
// License SDK version reported by the Widevine License SDK. This field
// is populated automatically by the SDK.
optional string license_sdk_version = 1;
// Version of the service hosting the license SDK. This field is optional.
// It may be provided by the hosting service.
optional string license_service_version = 2;
}
message SignedMessage {
enum MessageType {
LICENSE_REQUEST = 1;
LICENSE = 2;
ERROR_RESPONSE = 3;
SERVICE_CERTIFICATE_REQUEST = 4;
SERVICE_CERTIFICATE = 5;
SUB_LICENSE = 6;
CAS_LICENSE_REQUEST = 7;
CAS_LICENSE = 8;
}
optional MessageType type = 1;
optional bytes msg = 2;
optional bytes signature = 3;
optional bytes session_key = 4;
// Remote attestation data which will be present in the initial license
// request for ChromeOS client devices operating in verified mode. Remote
// attestation challenge data is |msg| field above. Optional.
optional RemoteAttestation remote_attestation = 5;
repeated MetricData metric_data = 6;
// Version information from the SDK and license service. This information is
// provided in the license response.
optional VersionInfo service_version_info = 7;
}

121
protos/public/license_server_sdk.proto Normal file
View File

@@ -0,0 +1,121 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Definitions of the protocol buffer messages used in the Widevine License
// Server SDK.
syntax = "proto2";
package widevine;
import "protos/public/license_protocol.proto";
import "protos/public/widevine_pssh.proto";
option java_package = "com.google.video.widevine.protos";
// This message is used to pass optional data on initial license issuance.
// LINT.IfChange
message SessionInit {
optional bytes session_id = 1;
optional bytes purchase_id = 2;
// master_signing_key should be 128 bits in length.
optional bytes master_signing_key = 3;
// signing_key should be 512 bits in length to be split into two
// (server || client) HMAC-SHA256 keys.
optional bytes signing_key = 4;
optional int64 license_start_time = 5;
// Client token for the session. This session is for use by the license
// provider, and is akin to a client cookie. It will be copied to
// License::provider_client_token, and sent back by the client in
// ClientIdentification::provider_client_token in all license requests
// thereafter.
optional bytes provider_client_token = 6;
// Session token for the session. This token is for use by the license
// provider, and is akin to a session cookie. It will be copied to
// LicenseIdentfication::provider_session_token, and sent back in all
// license renewal and release requests for the session thereafter.
optional bytes provider_session_token = 7;
// If false and the request contains a provider_client_token, use the token
// from the request even if SessionInit.provider_client_token is specified.
// If true and the request contains a provider_client_token, use
// SessionInit.provider_client_token.
optional bool override_provider_client_token = 8 [default = false];
// Set true if group key(s) should not be included in the license. If true,
// the result license will contain keys for the current content only,
// therefore the license cannot be used to playback other content in the same
// group.
optional bool exclude_group_key = 9 [default = false];
// If set to true, the OEM Crypto API version will be not be reflected in the
// license response.
optional bool disable_oem_crypto_api_version_reflection = 10
[default = false];
// For testing use only. Service Providers can test how devices are handling
// the version reflection in KCB (key control block) by specifying the api
// version that is reflected back in the KCB. If an override is specified,
// the override value will be used in the KCB instead of the api version
// specified by the client in client_capabilities.
// Crypto API version is represented as 4 bytes, for example 'kcxx', where xx
// is the API version. Some valid values are: 'kc09', kc10', kc14'. Only the
// first 4 bytes are used and additional bytes are ignored.
optional bytes override_oem_crypto_api_version = 11;
}
// This message is used by the server to preserve and restore session state.
message SessionState {
optional LicenseIdentification license_id = 1;
optional bytes signing_key = 2;
optional uint32 keybox_system_id = 3;
// Provider client token sent back in the license.
optional bytes provider_client_token = 4;
// License counter associated with the avove token.
optional uint32 license_counter = 5;
}
message ContentInfo {
message ContentInfoEntry {
message Pssh {
optional bytes system_id = 1;
oneof pssh_data {
// Populated for non-Widevine PSSH boxes.
bytes raw_data = 2;
// Populated if system_id matches Widevines system ID.
WidevinePsshData widevine_data = 3;
}
}
repeated bytes key_ids = 1;
// Populated if init_data_type = CENC.
optional Pssh pssh = 2;
}
optional LicenseRequest.ContentIdentification.InitData.InitDataType
init_data_type = 1;
repeated ContentInfoEntry content_info_entry = 2;
}
// Usage report sent in a license release.
message SessionUsage {
enum ClockSecurityLevel {
INSECURE_CLOCK = 0;
SECURE_TIMER = 1;
SECURE_CLOCK = 2;
HW_SECURE_CLOCK = 3;
}
// Set to true is the license was used.
optional bool license_used = 1;
// Set to true is the license was released.
optional bool license_released = 2;
optional ClockSecurityLevel clock_security_level = 3;
optional uint64 seconds_since_license_received = 4;
// The decrypt values are only set if the license was used.
optional uint64 seconds_since_first_decrypt = 5;
optional uint64 seconds_since_last_decrypt = 6;
optional bytes provider_session_token = 7;
}

416
protos/public/license_services.proto Normal file
View File

@@ -0,0 +1,416 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Data and Service definitions for Widevine DRM Service.
syntax = "proto2";
option java_package = "com.google.video.widevine.licensing";
import "protos/public/client_identification.proto";
import "protos/public/license_protocol.proto";
import "protos/public/license_server_sdk.proto";
package widevine;
// TODO(user): refactor license_services.proto and sdk_stats.proto.
enum ModularDrmType {
WIDEVINE = 0;
PLAYREADY = 1;
FAIRPLAY = 2;
}
// LINT.IfChange
// The Modular DRM license request sent to the RPC service.
message ModularDrmLicenseRequest {
// The request payload. This is usually the HTTP Post body of a request.
// Required.
optional bytes payload = 1;
// A ContentKeySpec identifies a content key by track type name. It also
// specifies the policy that should be used for this key.
// LINT.IfChange
message ContentKeySpec {
// A track type is used to represent a set of tracks that share the same
// content key and security level. Common values are SD, HD, UHD1, UHD2
// and AUDIO. Content providers may use arbitrary strings for track type
// as long as they are consistent with the track types used at registration
// time. Required.
optional string track_type = 1;
// The following settings override pre-stored settings referenced by the
// policy_name.
// Security level defines the robustness requirements on key handling at
// client side.
optional License.KeyContainer.SecurityLevel security_level = 2;
optional License.KeyContainer.OutputProtection required_output_protection =
3;
optional License.KeyContainer.OutputProtection requested_output_protection =
4;
// Optional content key Id for this track. If specified, this Id is used to
// identify the key for this track. If not specified, the license server
// will either generate or lookup the key Id for this track.
optional bytes key_id = 5;
// Optional content key for this track. If specified, this key is used to
// build the license. If not specified, the license server will generate
// or lookup the key for this track.
optional bytes key = 6;
// TODO (robinconnell): iv, key_type, and operator_session_key_permissions
// where added to support OPERATION_SESSION licenses. But with the addition
// of the field the ContentKeySpec message is almost the same as the
// License.KeyContainer message. Merge the two messages needs to be
// investigated.
// Optional iv used to encrypt the keys. If not specified random iv will be
// generated.
optional bytes iv = 7;
optional License.KeyContainer.KeyType key_type = 8;
optional License.KeyContainer.OperatorSessionKeyPermissions
operator_session_key_permissions = 9;
// Optional video resolution constraints. If the video resolution of the
// content being decrypted/decoded falls within one of the specified ranges,
// the optional required_protections may be applied. Otherwise an error will
// be reported.
repeated License.KeyContainer.VideoResolutionConstraint
video_resolution_constraints = 10;
// Video feature associated with this key. Common value is HDR.
// If specified and the key_id/key is not specified, this value will be
// used to derive the key_id/key.
optional string video_feature = 11;
}
// Specifies a list of content keys and policies to be included in a license.
repeated ContentKeySpec content_key_specs = 2;
// A shortcut for specifying which track types should be included in a
// license.
// This field is ignored if one or more content_key_specs is specified.
// LINT.IfChange
enum CommonTrackTypeSet {
// Implies SD and HD.
SD_HD = 0;
// Implies SD only.
SD_ONLY = 1;
// Implies SD, HD, and UHD1.
SD_UHD1 = 2;
// Implies SD, HD, UHD1 and UHD2.
SD_UHD2 = 3;
}
optional CommonTrackTypeSet allowed_track_types = 3 [default = SD_UHD1];
// Identifier used to derive KeyId(s) and Content Key(s)
// for each content_key_specs.track_type. Required only
// when the content id isn't part of the PSSH. Used for
// backward-compatibility with existing YouTube CENC
// videos. Ignored for assets whose PSSH includes a
// content id.
optional bytes content_id = 4;
// Used to look up Content Key(s) and policy. Required.
optional string provider = 5;
// A blob of data to be sent to client and bounce back in subsequent heartbeat
// requests. Maps to license.license_id.prchase.id.
optional string replay_data = 6;
// License policy information could come from various sources. For any given
// field in a policy, the final value is determined by (in the order by
// highest precedence to lowest)
// 1. request.policy // acts as policy override.
// 2. if !use_policy_overrides_exclusively,
// if request.has_policy_name
// GetStoredPolicy(request.policy_name)
// else
// GetStoredPolicy(GetRegisteredAsset(request.content_id).policy_name)
// Policy overrides specified by a content provider proxy.
optional License.Policy policy_overrides = 7;
// Use a previously registered policy named <policy_name>.
optional string policy_name = 8;
// Use Policy attributes specified by policy_overrides and
// skip any Policy lookup from storage.
optional bool use_policy_overrides_exclusively = 9 [default = false];
// Indicates whether this is a Widevine, PlayReady or FairPlay license
// request.
optional ModularDrmType drm_type = 10 [default = WIDEVINE];
// This is now handled as a server configuration, only enabled for QA and UAT.
optional bool allow_test_device_deprecated = 11 [deprecated = true];
// The IP Address of the portal that is forwarding the license request from
// the device.
optional string client_ip_address = 13;
// The client software identifier, as used by HTTP.
optional string user_agent = 14;
// Client token owned by Content Provider. This value is added to the
// license response.
// TODO(user): Deprecated and use session_init instead.
optional bytes provider_client_token = 15;
// Session token owned by Content Provider. This value is added to the
// license response.
// TODO(user): Deprecated and use session_init instead.
optional bytes provider_session_token = 16;
// Pass optional data to initial license.
optional SessionInit session_init = 17;
// Indicates whether to process the license request and return the parsed data
// only, hence not generating an actual license.
optional bool parse_only = 18 [default = false];
// The request identifier for this license request as specified by the
// content provider proxy. Optional.
optional string content_provider_request_id = 19 [default = "unspecified"];
// Indicates all key and iv values in ContentKeySpec are encrypted with this
// sesion key. This session key is encrypted with the providers AES key. If
// session_key is used, session_iv must also be specified.
optional bytes session_key = 20;
// Indicates all key and iv values in ContentKeySpec are encrypted with this
// session IV. This session IV is encrypted with the provider's AES key.
optional bytes session_iv = 21;
// In prod environment, normally license request from IN_TESTING devices
// will be rejected. But if test_content is true, such request from
// a IN_TESTING device will succeed.
// In all other environments, test_content has no impact, licensing for
// IN_TESTING wil be allowed regardless.
// See b/26692995 for more info.
optional bool test_content = 22 [default = false];
// The name of the provider making the request. This field will be
// populated by content providers who are serving content packaged by
// content owners. If the content owner and content provider are the same,
// this field will be empty.
// Example: Play is a content provider which serves content packaged and
// owned by the content owner, YouTube.
optional string requesting_provider = 23;
// Serialized ClientIdentification protobuf message returned by the Proxy SDK
// GetClientInfoAsAtring() API.
optional bytes client_id_msg = 24;
// If set to true and the device is L3, return AUDIO and SD keys only.
// This takes precedence over allowed_track_types.
optional bool sd_only_for_l3 = 25 [default = false];
// Content providers who host their own service certificate must set this
// field by using the ProxySDK(internally, RequestInspector) API.
optional PlatformVerificationStatus platform_verification_status = 26
[default = PLATFORM_NO_VERIFICATION];
// By default, a license request will fail if VMP status is unverified for
// Chrome. Set this field to 'true' to allow license request to succeed when
// VMP status is unverified for Chrome platforms.
// TODO (b/126434032) Change the default to false once partners are notified
optional bool allow_unverified_platform = 27 [default = true];
// By default, a license request will fail if VMP status is tampered for
// Chrome. Set this field to 'true' to allow license request to succeed when
// VMP status is tampered for Chrome platforms.
// TODO (b/126434032) Change the default to false once partners are notified
optional bool allow_tampered_platform = 28 [default = true];
// A shortcut for specifying whether to return keys for the video feature only
// or to return all keys or ignore the video feature.
// The VideoFeatureKeySet only applies when video feature is specified in the
// PSSH.
enum VideoFeatureKeySet {
VF_UNSPECIFIED = 0;
// License should not include keys for the video feature, instead only
// include keys not associated with the video feature.
VF_EXCLUDED = 1;
// License should only include keys associated with the video feature
// (e.g., HDR).
VF_ONLY = 2;
// License should include keys for the video feature and also for keys
// not associated with the video feature (e.g., SDR keys).
VF_INCLUDED = 3;
}
// This field is ignored if one or more content_key_specs is specified.
optional VideoFeatureKeySet video_feature_key_set = 29
[default = VF_EXCLUDED];
}
// LINT.IfChange
// A generic protobuf used as the request format of various Modular DRM APIs,
// including GetModularDrmLicense and KeyRequest APIs.
// The following docs describe how the proto is interpreted by various APIs.
message SignedModularDrmRequest {
// For GetModularDrmLicenseExternal, request is a ModularDrmLicenseRequest in
// JSON format.
optional bytes request = 1;
optional bytes signature = 2;
// Identifies the entity sending / signing the request.
optional string signer = 3;
// The IP Address of the portal that is forwarding the request from the
// original sender.
optional string client_ip_address = 4;
// The client software identifier, as used by HTTP.
optional string user_agent = 5;
// The request identifier for this license request as specified by the
// content provider proxy. Optional.
optional string content_provider_request_id = 6 [default = "unspecified"];
// The provider on behalf of whom, this request is made. This field will be
// populated by content providers who are serving content packaged by content
// owners ("signer").
optional string provider = 7;
}
// LINT.IfChange
message SignedModularDrmResponse {
// A CommonEncryptionResponse message in JSON format.
optional bytes response = 1;
optional bytes signature = 2;
}
message LicenseMetadata {
// DRM-specific status code from the WvmStatus enum. It's a uint32 here
// because providers can use the 'setstatus' field to supply their own
// arbitrary return values.
optional uint32 drm_status_code = 1;
// Asset Identifier that was generated by this DRM service.
optional uint64 asset_id = 2;
optional string asset_name = 4;
}
// LINT.IfChange
message ModularDrmLicenseResponse {
enum Status {
OK = 0;
SIGNATURE_FAILED = 1;
INVALID_LICENSE_CHALLENGE = 2;
INVALID_CONTENT_INFO = 3;
POLICY_UNKNOWN = 4;
MALFORMED_REQUEST = 5;
INTERNAL_ERROR = 6;
PROVIDER_MISSING = 7;
INVALID_REQUEST = 8;
ACCESS_DENIED = 9;
SIGNING_KEY_EXPIRED = 10;
}
optional Status status = 1;
optional string status_message = 2;
optional bytes license = 3;
message LicenseMetadata {
optional bytes content_id = 1;
optional LicenseType license_type = 2;
optional LicenseRequest.RequestType request_type = 3;
// The current SRM version sent back to client in the license.
optional uint32 srm_version = 4;
// Whether SRM file was included in the license.
optional bool srm_included = 5 [default = false];
// Sets the value from
// ClientIdentification.ClientCapabilities.can_update_srm in the license
// request.
optional bool can_update_srm = 6 [default = false];
// SessionInit that was used when generating the license.
optional SessionInit session_init = 7;
}
optional LicenseMetadata license_metadata = 4;
message Track {
optional string type = 1;
optional bytes key_id = 2;
optional string video_feature = 3;
}
// A subset of data from the Widevine PSSH.
message Pssh {
repeated bytes key_id = 1;
optional bytes content_id = 2;
}
// List of tracks for which keys exist in the license response.
repeated Track supported_tracks = 5;
// Make as identified from the provisioned device info. If that is not
// available, the device make will be retrieved from the license request.
optional string make = 6;
// Model as identified from the provisioned device info. If that is not
// available, the device model will be retrieved from the license request.
optional string model = 7;
// Set to true if the license request contained remote attestation challenge
// and the challenge was verified.
optional bool remote_attestation_verified = 8;
// Widevine-defined security level.
optional uint32 security_level = 9;
// Actual SDK license status as defined in widevine/protos/public/errors.proto
optional uint32 internal_status = 10;
// Usage report sent in a license release.
optional SessionUsage session_usage = 11;
optional SessionState session_state = 12;
// Globally unique serial number of certificate associated with this
// device.
optional bytes drm_cert_serial_number = 13;
// Whether the device (make/model) making the license request is whitelisted.
// Indicates the type of message in the license response.
optional SignedMessage.MessageType message_type = 15;
// Optional Android Id reported by the Android client.
// See go/avi-unique-device-id
optional bytes android_id = 16;
// If this is a group key license, this is the group identifier from the PSSH.
optional bytes group_id = 17;
// Platform specifies the OS or device type and perhaps other software
// information for the device receving this license response.
// Example: Android, iOS, Chrome, PC.
optional string platform = 18;
optional Pssh pssh_data = 20;
// Maximum HDCP version specified by the client.
optional ClientIdentification.ClientCapabilities.HdcpVersion
client_max_hdcp_version = 21;
// Optional client information name/value pairs from the client.
repeated ClientIdentification.NameValue client_info = 22;
// Optional number of seconds before a signing key expires.
optional int64 signature_expiration_secs = 23;
// Set to true, if license request was for "live" stream.
optional bool is_live = 24 [default = false];
// Platform verification status
optional PlatformVerificationStatus platform_verification_status = 25
[default = PLATFORM_UNVERIFIED];
// The "provider" field in ModularDrmLicenseRequest.
optional string content_owner = 26;
// The "requesting_provider" in ModularDrmLicenseRequest. If
// "requesting_provider" is empty, then "provider" from
// ModularDrmLicenseRequest will be set here.
optional string content_provider = 27;
// SystemID of the requesting device.
optional uint32 system_id = 28;
}
message LicenseResponse {
// Each license is a Base64-encoded string which is of the format
// <status><asset_id><license blob>. Multiple licenses are separated by a
// comma. Required.
optional string licenses = 2;
// License for the requested asset. This should not be returned to the
// client, but possibly evaluated by the provider. The number of
// license_metadata fields must be the same as the number of licenses.
// Required.
repeated LicenseMetadata license_metadata = 3;
// Make as specified in the license request.
optional string make = 4;
// Model as specified in the license request.
optional string model = 5;
// Platform specifies the OS or device type and perhaps other software
// information for the device receving this license response.
// Example: Android, iOS, Chrome, PC.
optional string platform = 6;
}

74
protos/public/media_cas_encryption.proto Normal file
View File

@@ -0,0 +1,74 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2018 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Protocol buffer definitions for Widevine CAS.
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.mediacasencryption";
message CasEncryptionRequest {
optional bytes content_id = 1;
optional string provider = 2;
// Optional track types such as "AUDIO", SD" or "HD".
repeated string track_types = 3;
// Indicates if the client is using key rotation. If true, the server will
// return one key for EVEN and one key for ODD, otherwise only a single key is
// returned.
optional bool key_rotation = 4;
}
message CasEncryptionResponse {
enum Status {
STATUS_UNSPECIFIED = 0;
OK = 1;
SIGNATURE_FAILED = 2;
ACCESS_DENIED = 3;
INTERNAL_ERROR = 4;
INVALID_ARGUMENT = 5;
PROVIDER_ID_MISSING = 6;
CONTENT_ID_MISSING = 7;
TRACK_TYPE_MISSING = 8;
}
message KeyInfo {
enum KeySlot {
KEY_SLOT_UNSPECIFIED = 0;
SINGLE = 1;
EVEN = 2;
ODD = 3;
}
optional bytes key_id = 1;
optional bytes key = 2;
// Optional label used for the key.
optional string track_type = 3;
optional KeySlot key_slot = 4;
}
optional Status status = 1;
optional string status_message = 2;
optional bytes content_id = 3;
repeated KeyInfo entitlement_keys = 4;
}
message SignedCasEncryptionRequest {
optional bytes request = 1;
optional bytes signature = 2;
// Identifies the entity sending / signing the request.
optional string signer = 3;
}
message SignedCasEncryptionResponse {
// Serialized CasEncryptionResponse message.
optional bytes response = 1;
optional bytes signature = 2;
}
message HttpResponse {
optional bytes response = 1;
}

129
protos/public/media_cas_license.proto Normal file
View File

@@ -0,0 +1,129 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2018 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Definitions of the protocol buffer messages used in the Widevine license
// exchange protocol for Media CAS.
syntax = "proto2";
option java_package = "com.google.video.widevine.mediacaslicense";
import "protos/public/license_protocol.proto";
import "protos/public/license_server_sdk.proto";
import "protos/public/media_cas_encryption.proto";
package widevine;
message CasDrmLicenseRequest {
// The request payload. This is usually the HTTP Post body of a request.
// Required.
optional bytes payload = 1;
// The content provider whose proxy is sending this license request onto the
// Widevine license service. Required.
optional string provider_id = 2;
// An identifier supplied by a content provider, used to identify a piece of
// content and derive key IDs and content keys.
optional bytes content_id = 3;
// A ContentKeySpec identifies a content key by track type name. It also
// specifies the policy that should be used for this key.
// TODO(user): Consolidate this ContentKeySpec with
// ModularDrmLicenseRequest_ContentKeySpec. Both should include a common
// ContentKeySpec.
message ContentKeySpec {
optional License.KeyContainer.SecurityLevel security_level = 1;
optional License.KeyContainer.OutputProtection required_output_protection =
2;
optional License.KeyContainer.OutputProtection requested_output_protection =
3;
// Optionally specify even, odd or single slot for key rotation.
repeated CasEncryptionResponse.KeyInfo entitlement_keys = 4;
optional License.KeyContainer.KeyType key_type = 5;
}
repeated ContentKeySpec content_key_specs = 4;
// Policy for the entire license such as playback duration.
optional License.Policy policy = 5;
}
message CasDrmLicenseResponse {
enum Status {
UNKNOWN = 0;
OK = 1;
SIGNATURE_FAILED = 2;
INVALID_LICENSE_CHALLENGE = 3;
PROVIDER_ID_MISSING = 4;
INVALID_CONTENT_INFO = 5;
EMPTY_CONTENT_INFO = 6;
CONTENT_ID_MISMATCH = 7;
MISSING_CONTENT_ID = 8;
MALFORMED_REQUEST = 9;
INTERNAL_ERROR = 10;
}
optional Status status = 1;
optional string status_message = 2;
// Serialzed bytes for a CAS license.
// TODO(user): Until a CAS license protocol is defined, this field is a
// serialized License message defined in license_protocol.proto.
optional bytes license = 3;
// Actual SDK license status as defined in widevine/protos/public/errors.proto
optional uint32 internal_status = 4;
// Indicates the type of message in the license response.
optional SignedMessage.MessageType message_type = 5;
// A subset of data from the Widevine PSSH.
message PsshData {
repeated bytes key_id = 1;
optional bytes content_id = 2;
// If this is a group key license, this is the group identifier.
optional bytes group_id = 3;
}
message LicenseMetadata {
optional bytes content_id = 1;
repeated bytes key_id = 2;
}
optional PsshData pssh_data = 6;
optional SessionState session_state = 7;
optional string content_owner = 8;
optional string content_provider = 9;
optional LicenseMetadata license_metadata = 10;
message DeviceInfo {
// Make as identified from the provisioned device info. If that is not
// available, the device make will be retrieved from the license request.
optional string make = 1;
// Model as identified from the provisioned device info. If that is not
// available, the device model will be retrieved from the license request.
optional string model = 2;
// Widevine-defined device security level.
optional uint32 security_level = 3;
// Globally unique serial number of certificate associated with this
// device.
optional bytes drm_cert_serial_number = 4;
// Platform specifies the OS or device type and perhaps other software
// information for the device receving this license response.
// Example: Android, iOS, Chrome, PC.
optional string platform = 5;
// SystemID of the requesting device.
optional uint32 system_id = 6;
}
// Device information for the device making the CAS license request.
optional DeviceInfo device_info = 11;
}
message SignedCasDrmRequest {
optional bytes request = 1;
optional bytes signature = 2;
// Identifies the entity sending / signing the request. Required if signature
// is present.
optional string signer = 3;
// The IP Address of the portal that is forwarding the request from the
// original sender.
optional string client_ip_address = 4;
// The client software identifier, as used by HTTP.
optional string user_agent = 5;
optional string provider = 6;
}

73
protos/public/provisioned_device_info.proto Normal file
View File

@@ -0,0 +1,73 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Description:
// Provisioned device info format definitions.
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.protos";
option java_outer_classname = "ProvisionedDeviceInfoProto";
// Contains device model information for a provisioned device.
message ProvisionedDeviceInfo {
enum WvSecurityLevel {
// Defined in Widevine Security Integration Guide for DASH on Android:
// http://doc/1Zum-fcJeoIw6KG1kDP_KepIE5h9gAZg0PaMtemBvk9c/edit#heading=h.1t3h5sf
LEVEL_UNSPECIFIED = 0;
LEVEL_1 = 1;
LEVEL_2 = 2;
LEVEL_3 = 3;
}
// Widevine initial provisioning / bootstrapping method. DRM certificates are
// required for retrieving licenses, so if a DRM certificate is not initially
// provisioned, then the provisioned credentials will be used to provision
// a DRM certificate via the Widevine Provisioning Service.
enum ProvisioningMethod {
// Don't use this.
PROVISIONING_METHOD_UNSPECIFIED = 0;
// Factory-provisioned device-unique keybox.
FACTORY_KEYBOX = 1;
// Factory-provisioned device-unique OEM certificate.
FACTORY_OEM_DEVICE_CERTIFICATE = 2;
// Factory-provisioned model-group OEM certificate.
FACTORY_OEM_GROUP_CERTIFICATE = 3;
// Factory-provisioned model-group DRM certificate (Level-3 "baked in").
FACTORY_DRM_GROUP_CERTIFICATE = 4;
// OTA-provisioned keybox (Level-1 ARC++).
OTA_KEYBOX = 5;
// OTA-provisioned device-unique OEM certificate.
OTA_OEM_DEVICE_CERTIFICATE = 6;
// OTA-provisioned model-group OEM certificate.
OTA_OEM_GROUP_CERTIFICATE = 7;
// OTA-provisioned device-unique DRM certificate (Bedrock).
OTA_DRM_DEVICE_CERTIFICATE = 8;
}
// Widevine system ID for the device. Mandatory.
optional uint32 system_id = 1;
// Name of system-on-a-chip. Optional.
optional string soc = 2;
// Name of manufacturer. Optional.
optional string manufacturer = 3;
// Manufacturer's model name. Matches "brand" in device metadata. Optional.
optional string model = 4;
// Type of device (Phone, Tablet, TV, etc).
optional string device_type = 5;
// Device model year. Optional.
optional uint32 model_year = 6;
// Widevine-defined security level. Optional.
optional WvSecurityLevel security_level = 7 [default = LEVEL_UNSPECIFIED];
// True if the certificate corresponds to a test (non production) device.
// Optional.
optional bool test_device = 8 [default = false];
// Indicates the type of device root of trust which was factory provisioned.
optional ProvisioningMethod provisioning_method = 9;
}

30
protos/public/remote_attestation.proto Normal file
View File

@@ -0,0 +1,30 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Remote attestation is used by ChromeOS device to authenticate itself
// to Widevine services for both licensing and keybox provisioning.
syntax = "proto2";
package widevine;
import "protos/public/client_identification.proto";
option java_package = "com.google.video.widevine.protos";
message RemoteAttestation {
// Encrypted ClientIdentification message containing the device remote
// attestation certificate. Required.
optional EncryptedClientIdentification certificate = 1;
// Bytes of salt which were added to the remote attestation challenge prior to
// signing it. Required.
optional bytes salt = 2;
// Signed remote attestation challenge + salt. Required.
optional bytes signature = 3;
}

71
protos/public/sdk_stats.proto Normal file
View File

@@ -0,0 +1,71 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Main protocol buffers for Widevine external SDK
// licensing statistics.
// Design doc:
// https://docs.google.com/document/d/1yyt5TxApYbI0N07aH94zwnKYuzYdFcmqZtC3jCyph8k/edit#
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.protos";
option java_outer_classname = "LicenseStatsProtos";
message DeviceLicenseCounterByStatus {
// The response status sent by the SDK in response to the license request.
// Required.
optional int32 license_status = 1;
// Count of licenses for this status code. Required.
optional int64 count = 2;
}
message DeviceLicenseCounterByModel {
// The model of the device sending a license request to the Widevine SDK.
// Optional.
optional string device_model = 1;
// license status specific breakdown of counter data
repeated DeviceLicenseCounterByStatus counter_by_status = 2;
}
message DeviceLicenseCounterByMake {
// The make of the device sending a license request to the Widevine SDK.
// Optional.
optional string device_make = 1;
// device model specific breakdown of counter data.
repeated DeviceLicenseCounterByModel counter_by_model = 2;
}
message DeviceLicenseCounterBySystemId {
// The system identifier for the device make/model family. Optional.
optional int32 device_system_id = 1;
// device make specific breakdown of counter data.
repeated DeviceLicenseCounterByMake counter_by_make = 2;
}
message DeviceLicenseCounterRequest {
// The provider hosting the Widevine SDK. Required.
optional string provider = 1;
// The collection start time in UTC for this counter data. Required.
optional int64 counter_utc_start_time_usec = 2;
// The collection end time in UTC for this counter data. Required.
optional int64 counter_utc_end_time_usec = 3;
// device systemId specific breakdown of counter data.
repeated DeviceLicenseCounterBySystemId counter_by_systemid = 4;
}
message SignedDeviceLicenseCounterRequest {
// The license counter data by device. Required.
optional DeviceLicenseCounterRequest device_license_counter_request = 1;
// The signature for the provider sending the request. Required.
optional bytes signature = 2;
}

66
protos/public/signed_device_info.proto Normal file
View File

@@ -0,0 +1,66 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2019 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// This is a pared down copy of the file in:
//
// Do not modify this file without keeping the other file in sync.
// Items in the original file but removed here include.
// - comments
// - SignedDeviceInfoService definition
// - Google api annotations.
//
// TODO(user, yawenyu): Figure out how we can avoid having two copies
// of the same file.
syntax = "proto3";
package widevine;
option csharp_namespace = "Google.Chrome.Widevine.Deviceinfo.V1";
option java_multiple_files = true;
option java_outer_classname = "DeviceCertificateStatusProtos";
option java_package = "com.google.chrome.widevine.deviceinfo.v1";
// GCWDI == Google Chrome Widevine Device Info
option objc_class_prefix = "GCWDI";
// A request sent to Widevine Provisioning Server (keysmith) to retrieve
// 'DeviceCertificateStatusList'.
message DeviceCertificateStatusListRequest {
// The version of sdk. Required.
string sdk_version = 1;
// POSIX time, in seconds, when this request was created. Required.
uint64 sdk_time_seconds = 2;
// The serialized service certificate used to sign the request. Required.
bytes service_certificate = 3;
}
// A device certificate status resource in the Widevine Signed Device Info
// API. It intended to carry information about DRM and OEM certificate
// status and device information for a specific system ID. The information is
// intended to be shared publicly.
// A signed request sent to Widevine Provisioning Server (keysmith) to retrieve
// 'DeviceCertificateStatusList'.
message SignedDeviceInfoRequest {
// A serialized DeviceCertificateStatusListRequest. Required.
bytes device_certificate_status_list_request = 1;
// TODO(user): What's the signature algorithm and the key used?
bytes signature = 2;
}
// Contains a serialized DeviceCertificateStatusList and the signature.
message SignedDeviceInfo {
// Serialized DeviceCertificateStatusList. Required.
bytes device_certificate_status_list = 1;
// Signature of device_certificate_status_list_request. Signed with root
// certificate private key using RSASSA-PSS. Required.
bytes signature = 2;
}

27
protos/public/signed_drm_certificate.proto Normal file
View File

@@ -0,0 +1,27 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
// Signed device certificate definition.
syntax = "proto2";
package widevine;
option java_outer_classname = "SignedDrmCertificateProtos";
option java_package = "com.google.video.widevine.protos";
// DrmCertificate signed by a higher (CA) DRM certificate.
message SignedDrmCertificate {
// Serialized certificate. Required.
optional bytes drm_certificate = 1;
// Signature of certificate. Signed with root or intermediate
// certificate specified below. Required.
optional bytes signature = 2;
// SignedDrmCertificate used to sign this certificate.
optional SignedDrmCertificate signer = 3;
}

39
protos/public/verified_media_pipeline.proto Normal file
View File

@@ -0,0 +1,39 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
// Protocol messages used for the Verified Media Pipeline feature of the
// Widevine CDM.
syntax = "proto2";
package vmp;
option optimize_for = LITE_RUNTIME;
message VmpData {
message SignedBinaryInfo {
// File name of the binary. Required.
optional string file_name = 1;
// Index into |certificates| for the code signing certificate used to sign
// this binary. Required if the binary is signed..
optional uint32 certificate_index = 2;
// SHA-512 digest of signed binary. Required if the file was present.
optional bytes binary_hash = 3;
// Flags from signature file, if any. Required if signed.
optional uint32 flags = 4;
// Signature of the binary. Required if signed.
optional bytes signature = 5;
}
// Distinct certificates used in binary code signing. No certificate should
// be present more than once.
repeated bytes certificates = 1;
// Info about each signed binary.
repeated SignedBinaryInfo signed_binary_info = 2;
}

106
protos/public/widevine_pssh.proto Normal file
View File

@@ -0,0 +1,106 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Declaration of protocol buffer which is used to encode the data stored in
// Common Encryption (CENC) 'pssh' box Data fields.
syntax = "proto2";
package widevine;
option java_package = "com.google.video.widevine.protos";
message WidevinePsshData {
enum Type {
SINGLE = 0; // Single PSSH to be used to retrieve content keys.
ENTITLEMENT = 1; // Primary PSSH used to retrieve entitlement keys.
ENTITLED_KEY = 2; // Secondary PSSH containing entitled key(s).
}
message EntitledKey {
// ID of entitlement key used for wrapping |key|.
optional bytes entitlement_key_id = 1;
// ID of the entitled key.
optional bytes key_id = 2;
// Wrapped key. Required.
optional bytes key = 3;
// IV used for wrapping |key|. Required.
optional bytes iv = 4;
// Size of entitlement key used for wrapping |key|.
optional uint32 entitlement_key_size_bytes = 5 [default = 32];
}
// Entitlement or content key IDs. Can onnly present in SINGLE or ENTITLEMENT
// PSSHs. May be repeated to facilitate delivery of multiple keys in a
// single license. Cannot be used in conjunction with content_id or
// group_ids, which are the preferred mechanism.
repeated bytes key_ids = 2;
// Content identifier which may map to multiple entitlement or content key
// IDs to facilitate the delivery of multiple keys in a single license.
// Cannot be present in conjunction with key_ids, but if used must be in all
// PSSHs.
optional bytes content_id = 4;
// Crypto period index, for media using key rotation. Always corresponds to
// The content key period. This means that if using entitlement licensing
// the ENTITLED_KEY PSSHs will have sequential crypto_period_index's, whereas
// the ENTITELEMENT PSSHs will have gaps in the sequence. Required if doing
// key rotation.
optional uint32 crypto_period_index = 7;
// Protection scheme identifying the encryption algorithm. The protection
// scheme is represented as a uint32 value. The uint32 contains 4 bytes each
// representing a single ascii character in one of the 4CC protection scheme
// values. To be deprecated in favor of signaling from content.
// 'cenc' (AES-CTR) protection_scheme = 0x63656E63,
// 'cbc1' (AES-CBC) protection_scheme = 0x63626331,
// 'cens' (AES-CTR pattern encryption) protection_scheme = 0x63656E73,
// 'cbcs' (AES-CBC pattern encryption) protection_scheme = 0x63626373.
optional uint32 protection_scheme = 9;
// Optional. For media using key rotation, this represents the duration
// of each crypto period in seconds.
optional uint32 crypto_period_seconds = 10;
// Type of PSSH. Required if not SINGLE.
optional Type type = 11 [default = SINGLE];
// Key sequence for Widevine-managed keys. Optional.
optional uint32 key_sequence = 12;
// Group identifiers for all groups to which the content belongs. This can
// be used to deliver licenses to unlock multiple titles / channels.
// Optional, and may only be present in ENTITLEMENT and ENTITLED_KEY PSSHs,
// and not in conjunction with key_ids.
repeated bytes group_ids = 13;
// Copy/copies of the content key used to decrypt the media stream in which
// the PSSH box is embedded, each wrapped with a different entitlement key.
// May also contain sub-licenses to support devices with OEMCrypto 13 or
// older. May be repeated if using group entitlement keys. Present only in
// PSSHs of type ENTITLED_KEY.
repeated EntitledKey entitled_keys = 14;
// Video feature identifier, which is used in conjunction with |content_id|
// to determine the set of keys to be returned in the license. Cannot be
// present in conjunction with |key_ids|.
// Current values are "HDR".
optional string video_feature = 15;
//////////////////////////// Deprecated Fields ////////////////////////////
enum Algorithm {
UNENCRYPTED = 0;
AESCTR = 1;
}
optional Algorithm algorithm = 1 [deprecated = true];
optional string provider = 3 [deprecated = true];
optional string track_type = 5 [deprecated = true];
optional string policy = 6 [deprecated = true];
optional bytes grouped_license = 8 [deprecated = true];
}

146
sdk/external/common/wvpl/wvpl_sdk_environment.h vendored Normal file
View File

@@ -0,0 +1,146 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_ENVIRONMENT_H_
#define SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_ENVIRONMENT_H_
#include <memory>
#include <string>
#include "sdk/external/common/wvpl/wvpl_types.h"
#include "protos/public/drm_certificate.pb.h"
namespace widevine {
class DeviceCertificateStatusList;
class DrmRootCertificate;
class DrmCertificate;
class ProvisionedDeviceInfo;
} // namespace widevine
namespace widevine_server {
namespace wv_pl_sdk {
// These fields show the configuration options that can be initialized via
// the implementation classes (WvPLEnvironment and WvPLProxyEnvironment).
const char kDeviceCertificateExpiration[] = "device_certificate_expiration";
const char kAllowUnknownDevice[] = "allow_unknown_device";
const char kProvider[] = "provider";
const char kProviderIv[] = "provider_iv";
const char kProviderKey[] = "provider_key";
const char kApiVerInKcb[] = "api_ver_in_kcb";
const char kLimitUsageStatsToErrorsOnly[] = "limit_usage_stats_to_errors_only";
// Valid values are 'test' and 'prod'.
const char kDrmCertificateType[] = "drm_certificate_type";
/**
* Parent class of SDK environment. This class is not be instantiated directly,
* but its API can be accessed via the derived environment classes.
*/
class WvPLSDKEnvironment {
public:
virtual ~WvPLSDKEnvironment();
// Generates a license response containing a message generated in response to
// an error condition. |create_session_status| is a previous error status
// returned by the CreateSession(). |license_response| points to a std::string to
// contain the license response and may not be NULL. This method returns true
// if there is an error license to be sent to the client, or false
// otherwise.
static bool GenerateErrorResponse(const WvPLStatus& create_session_status,
std::string* license_response);
/**
* Add a service certificate system-wide at the sdk. |service_certificate|
* is a Google-generated certificate used to authenticate the service
* provider. |service_private_key| is the encrypted PKCS#8 private RSA key
* corresponding to the service certificate. |service_private_key_passphrase|
* is the password required to decrypt |service_private_key|. This is a
* thread-safe call.
*
* @param service_certificate
* @param service_private_key
* @param service_private_key_passphrase
*
* @return WvPLStatus enumeration
*/
virtual WvPLStatus SetDrmServiceCertificate(
const std::string& service_certificate, const std::string& service_private_key,
const std::string& service_private_key_passphrase);
// Returns the DRM root certificate configured for this environment.
const widevine::DrmRootCertificate* drm_root_certificate() const {
return drm_root_certificate_.get();
}
protected:
// Return the signature for the provider specified in the |config_values|
// parameter in the constructor. |signature| is owned by the caller.
static WvPLStatus GenerateSignature(const std::string& plain_text,
std::string* signature);
/**
* Insert or update provisionedDeviceInfoMap with device info in
* certificate_status_list.
*/
static WvPLStatus UpdateProvisionedDeviceInfoMap(
const widevine::DeviceCertificateStatusList&
certificate_status_list);
WvPLStatus SetDeviceCertificateStatusList(const std::string& cert_list) const;
// Number of seconds until the certificate status list expires after its
// creation time. Default value is 604800 seconds.
uint32_t device_certificate_expiration_seconds_ = 604800;
// "config_values" setting for "kDrmCertificateType".
// Supported values are "test" and "prod". Default value is "prod".
std::string drm_certificate_type_ = "prod";
// name of the provider hosting this service.
std::string provider_;
// value of the "iv" specified for the provider.
std::string provider_iv_;
// value of the "key" specified for the provider.
std::string provider_key_;
// is_service_certificate_loaded_ is not thread safe.
bool is_service_certificate_loaded_ = false;
// If true, allow devices not in the certificate status list.
bool allow_unknown_device_ = false;
// DRM root certificate used for verifying all other DRM certificates.
std::unique_ptr<widevine::DrmRootCertificate> drm_root_certificate_;
private:
// Get the expected service type for drm service certificate.
virtual widevine::DrmCertificate::ServiceType
GetExpectedServiceCertificateType();
// Check the type of |service_certificate|. Returns "OK" if the cert can be
// used for the current SDK, else an error status.
virtual WvPLStatus CheckServiceCertificateType(
const std::string& service_certificate);
/**
* Return provisioned_device_info if the device_info_map_ contains system_id.
*
* @return WvPLStatus - Status::OK if success, else error.
*/
static WvPLStatus LookupDeviceInfo(
uint32_t system_id,
widevine::ProvisionedDeviceInfo* provisioned_device_info);
/**
* Add a device to the current environment/session.
*/
static void AddDeviceInfo(
const widevine::ProvisionedDeviceInfo& provisioned_device_info);
friend class WvPLSDKSession;
friend class WvPLProxySession;
friend class WvPLProxySessionTest;
friend class WvPLSessionTest;
};
} // namespace wv_pl_sdk
} // namespace widevine_server
#endif // SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_ENVIRONMENT_H_

231
sdk/external/common/wvpl/wvpl_sdk_session.h vendored Normal file
View File

@@ -0,0 +1,231 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2018 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_SESSION_H_
#define SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_SESSION_H_
#include <memory>
#include "sdk/external/common/wvpl/wvpl_types.h"
namespace widevine {
class ClientIdentification;
class DrmRootCertificate;
class LicenseRequest;
class License_KeyContainer_OutputProtection;
class License_KeyContainer;
class License_Policy;
class ProvisionedDeviceInfo;
class SessionInit;
class SessionState;
class SignedMessage;
} // namespace widevine
namespace widevine_server {
namespace wv_pl_sdk {
class WvPLSDKSession {
public:
explicit WvPLSDKSession(
const widevine::DrmRootCertificate* drm_root_certificate);
virtual ~WvPLSDKSession();
public:
// Add WvPLKey.
virtual WvPLStatus AddKey(const WvPLKey& key);
// Get the WvPLKey.
virtual const std::vector<WvPLKey>& keys() const { return keys_; }
// Set the license policy.
virtual void set_policy(const WvPLPlaybackPolicy& policy) {
policy_ = policy;
}
// Get the license policy.
virtual const WvPLPlaybackPolicy& policy() const { return policy_; }
// Set the Session Init.
virtual void set_session_init(const WvPLSessionInit& session_init) {
session_init_ = session_init;
}
// Get the Session Init.
virtual const WvPLSessionInit& session_init() const { return session_init_; }
virtual bool IsChromeCDM() const;
/**
* Returns the Widevine PSSH data for the license request handled by this
* session.
*
* @param wvpl_widevine_pssh_data.
* @return WvPLStatus - Status::OK if success, else error.
*/
virtual WvPLStatus GetPsshData(
WvPLWidevinePsshData* wvpl_widevine_pssh_data) const;
/**
* Returns the ClientIdentification information for the license request
* handled by this session.
*
* @param client_info
* @return WvPLStatus - Status::OK if success, else error.
*/
virtual WvPLStatus GetClientInfo(WvPLClientInfo* client_info) const;
/**
* Returns the WvPL Client Capabilities information for the license request
* handled by this session.
*
* @param client_capabilities.
* @return WvPLStatus - Status::OK if success, else error.
*/
virtual WvPLStatus GetClientCapabilities(
WvPLClientCapabilities* client_capabilities) const;
/**
* Returns the WvPLDeviceInfo information for the license request
* handled by this session.
*
* @param device_info
* @return WvPLStatus - Status::OK if success, else error.
*/
virtual WvPLStatus GetDeviceInfo(WvPLDeviceInfo* device_info) const;
virtual PlatformVerificationStatus VerifyPlatform() = 0;
virtual WvPLRequestType GetRequestType() const { return type_; }
/**
* Returns true if the license type is offline, otherwise return false.
*
* @return bool.
*/
virtual bool is_offline_license() const;
/**
* Returns the license request contains client id or not.
*
* @return bool.
*/
virtual bool has_client_id() const { return has_client_id_; }
/**
* Returns true if license request has encrypted_client_id. Otherwise return
* false.
*
* @return bool.
*/
virtual bool has_encrypted_client_id() { return has_encrypted_client_id_; }
protected:
const widevine::DrmRootCertificate* drm_root_certificate_;
std::string user_agent_;
std::string device_id_;
std::vector<WvPLKey> keys_;
WvPLPlaybackPolicy policy_;
WvPLSessionInit session_init_;
WvPLWidevinePsshData pssh_data_;
std::unique_ptr<widevine::ClientIdentification> client_id_;
bool has_pssh_data_ = false;
bool has_client_id_ = false;
PlatformVerificationStatus platform_verification_status_ =
PLATFORM_NO_VERIFICATION;
std::unique_ptr<widevine::SignedMessage>
signed_message_request_from_cdm_;
std::string license_request_from_cdm_;
std::string remote_attestation_cert_serial_number_;
std::unique_ptr<widevine::LicenseRequest> sdk_license_request_;
WvPLRequestType type_;
bool has_session_state_ = false;
bool has_encrypted_client_id_ = false;
virtual WvPLStatus VerifyRemoteAttestation();
// Returns the WvPL Client Capabilities information for the license request
// handled by this session.
WvPLStatus GetWvPLClientCapabilities(
const widevine::ClientIdentification& client_id,
WvPLClientCapabilities* client_capabilities) const;
// Copy and translates the Key fields from a WvPL Key into an SDK
// key container.
// Copies
// (1) key id
// (2) key
// (3) video_resolution_constraints
// (4) output protection using CopyOutputProtection
// (5) security_level using CopySecurityLevel
// Translates
// (1) key type
void CopyKey(const WvPLKey& wvpl_key,
widevine::License_KeyContainer* sdk_key_container);
// Copies/translates output_protection in WvPL Key into an SDK key container.
void CopyOutputProtection(
const WvPLOutputProtection& wvpl_output_protection,
widevine::License_KeyContainer_OutputProtection* output_protection);
// Copies/translatessecurity_level in WvPL Key into an SDK key container.
virtual void CopySecurityLevel(
const WvPLOutputProtection& output_protection, TrackType track_type,
widevine::License_KeyContainer* key_container);
// Copies/translates the policy from a WvPL policy into an SDK policy. A
// helper function for GenerateLicenseRequestAsJSON.
virtual void CopyPlaybackPolicy(const WvPLPlaybackPolicy& wvpl_policy,
widevine::License_Policy* sdk_policy);
// Copy the |hdcp_value| into the key container.
virtual void CopyHDCP(
HDCP hdcp_value,
widevine::License_KeyContainer_OutputProtection* output_protection);
// Copy the WvPLSession Init into Session Init.
virtual void CopySessionInit(const WvPLSessionInit& wvpl_session_init,
widevine::SessionInit* session_init);
// Copy the WvPLDeviceInfo into ProvisionedDeviceInfo.
virtual void CopyProvisionedDeviceInfo(
const WvPLDeviceInfo& wvpl_device_info,
widevine::ProvisionedDeviceInfo* device_info);
// Populate deviceInfo, clientIdentification and psshdata for license request.
WvPLStatus ParseLicenseRequest();
// Copy the WvPLSessionState to SessionState.
void CopySessionState(const WvPLSessionState& wvpl_session_state,
widevine::SessionState* session_state);
// Set system_id value.
virtual void SetSystemId(uint32_t system_id);
// Return has_system_id_ value. True if session has system id.
virtual bool HasSystemId() const;
// Return system_id value in uint32_t. The function will crash if it does not
// have system_id.
virtual uint32_t GetSystemId() const;
/**
* Use system_id to loop up device info.
*
* @return WvPLStatus - Status::OK if success, else error.
*/
virtual WvPLStatus LookupDeviceInfo(
uint32_t system_id,
widevine::ProvisionedDeviceInfo* provisioned_device_info) const;
virtual const std::string TrackTypeToString(TrackType track_type) const;
private:
std::unique_ptr<uint32_t> system_id_;
};
} // namespace wv_pl_sdk
} // namespace widevine_server
#endif // SDK_EXTERNAL_COMMON_WVPL_WVPL_SDK_SESSION_H_

1097
sdk/external/common/wvpl/wvpl_types.h vendored Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
ubuntu/media_cas_proxy_sdk-bin.tar
View File

Binary file not shown.

83
util/error_space.h Normal file
View File

@@ -0,0 +1,83 @@
////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
#ifndef UTIL_ERROR_SPACE_H_
#define UTIL_ERROR_SPACE_H_
#include <string>
namespace widevine {
namespace util {
class ErrorSpace {
public:
std::string SpaceName() const { return space_name_func_(this); }
std::string String(int code) const { return code_to_string_func_(this, code); }
protected:
// typedef instead of using statements for SWIG compatibility.
typedef std::string (*SpaceNameFunc)(const ErrorSpace* space);
typedef std::string (*CodeToStringFunc)(const ErrorSpace* space, int code);
constexpr ErrorSpace(SpaceNameFunc space_name_func,
CodeToStringFunc code_to_string_func)
: space_name_func_(space_name_func),
code_to_string_func_(code_to_string_func) {}
private:
const SpaceNameFunc space_name_func_;
const CodeToStringFunc code_to_string_func_;
};
// Manages creation of error space subclasses.
template <typename T>
class ErrorSpaceImpl : public ErrorSpace {
public:
constexpr ErrorSpaceImpl()
: ErrorSpace(&ErrorSpaceImpl::SpaceNameImpl,
&ErrorSpaceImpl::CodeToStringImpl) {}
// Returns the canonical instance of the `T` error space.
static constexpr const T* Get();
private:
// These functions adapt the stateful implementation that takes a space
// pointer to stateless static methods, so that clients of ErrorSpaceImpl are
// safe to have constexpr global instances.
static std::string SpaceNameImpl(const ErrorSpace* /*space*/) {
return T::space_name();
}
static std::string CodeToStringImpl(const ErrorSpace* /*space*/, int code) {
return T::code_to_string(code);
}
};
namespace internal {
// Provides a global constexpr instance of the error space `T`.
// We need the indirection because ErrorSpaceImpl can't declare constexpr
// instances of T since it is not yet fully declared.
template <typename T>
struct ErrorSpaceInstance {
static constexpr T value = {};
};
template <typename T>
constexpr T ErrorSpaceInstance<T>::value;
} // namespace internal
template <typename T>
constexpr const T* ErrorSpaceImpl<T>::Get() {
return &internal::ErrorSpaceInstance<T>::value;
}
} // namespace util
} // namespace widevine
#endif // UTIL_ERROR_SPACE_H_