107 lines
4.2 KiB
Protocol Buffer
107 lines
4.2 KiB
Protocol Buffer
// Copyright 2017 Google LLC. All rights reserved.
|
|
//
|
|
// Author: tinskip@google.com (Thomas Inskip)
|
|
//
|
|
// Description:
|
|
// Device certificate status list object definitions.
|
|
|
|
syntax = "proto2";
|
|
|
|
package video_widevine;
|
|
|
|
import "protos/public/hash_algorithm.proto";
|
|
import "protos/public/provisioned_device_info.proto";
|
|
|
|
option java_outer_classname = "DeviceCertificateStatusProtos";
|
|
option java_package = "com.google.video.widevine.protos";
|
|
|
|
// Contains DRM and OEM certificate status and device information for a
|
|
// specific system ID.
|
|
// TODO(tinskip): Move this to its own file.
|
|
message DeviceCertificateStatus {
|
|
enum DeprecatedStatus {
|
|
DEPRECATED_VALID = 0;
|
|
DEPRECATED_REVOKED = 1;
|
|
}
|
|
enum Status {
|
|
STATUS_UNKNOWN = 0;
|
|
STATUS_IN_TESTING = 10; // Pre-release, active device.
|
|
STATUS_RELEASED = 20; // Released, active device.
|
|
STATUS_TEST_ONLY = 30; // Development-only device.
|
|
STATUS_REVOKED = 40; // Revoked device.
|
|
}
|
|
|
|
message RevokedIdentifiers {
|
|
// Contains a sorted list of DRM serial numbers that are revoked.
|
|
repeated bytes revoked_certificate_serial_numbers = 1;
|
|
// Contains a sorted list of revoked_unique_id_hashes that are revoked.
|
|
// These identifiers are hash values of the root of trust identifier.
|
|
// For a keybox, hash = SHA256(KeyboxUniqueID || SecretSauce) where
|
|
// SecretSauce is a Widevine owned secret. For Provisioning 3.0, hash =
|
|
// SHA256(X509SerialNumber|| SecretSauce) where SecretSauce is a Widevine
|
|
// owned secret.
|
|
repeated bytes revoked_unique_id_hashes = 2;
|
|
}
|
|
|
|
// Serial number of the intermediate DrmCertificate to which this
|
|
// message refers. Required.
|
|
optional bytes drm_serial_number = 1;
|
|
// Status of the certificate. Optional & deprecated in favor of |status|
|
|
// below.
|
|
optional DeprecatedStatus deprecated_status = 2 [default = DEPRECATED_VALID];
|
|
// Device model information about the device to which the intermediate
|
|
// certificate(s) correspond.
|
|
optional ProvisionedDeviceInfo device_info = 4;
|
|
// Serial number of the OEM X.509 intermediate certificate for this type
|
|
// of device. Present only if the device is OEM-provisioned.
|
|
optional bytes oem_serial_number = 5;
|
|
// Status of the device. Optional.
|
|
optional Status status = 6 [default = STATUS_UNKNOWN];
|
|
|
|
// RevokedIdentifiers collect all the serial_numbers or unique_id_hashes used
|
|
// for individual drm certificate revocation.
|
|
optional RevokedIdentifiers revoked_identifiers = 7;
|
|
|
|
// Vulnerability levels as defined by NIST national vulnerability database.
|
|
// https://nvd.nist.gov/vuln-metrics/cvss
|
|
enum DeviceVulnerabilityLevel {
|
|
DEVICE_VULNERABILITY_LEVEL_UNSPECIFIED = 0;
|
|
DEVICE_VULNERABILITY_LEVEL_NONE = 1;
|
|
DEVICE_VULNERABILITY_LEVEL_LOW = 2;
|
|
DEVICE_VULNERABILITY_LEVEL_MEDIUM = 3;
|
|
DEVICE_VULNERABILITY_LEVEL_HIGH = 4;
|
|
DEVICE_VULNERABILITY_LEVEL_CRITICAL = 5;
|
|
}
|
|
// Specifies the device vulnerability level.
|
|
optional DeviceVulnerabilityLevel device_vulnerability_level = 8;
|
|
}
|
|
|
|
// List of DeviceCertificateStatus. Used to propagate certificate revocation
|
|
// status and device information.
|
|
message DeviceCertificateStatusList {
|
|
// POSIX time, in seconds, when the list was created. Required.
|
|
optional uint32 creation_time_seconds = 1;
|
|
// DeviceCertificateStatus for each system ID.
|
|
repeated DeviceCertificateStatus certificate_status = 2;
|
|
}
|
|
|
|
// List of DeviceCertificateStatus. Used to propagate certificate revocation
|
|
// status and device information. (Used in published devices library)
|
|
message PublishedDevicesList {
|
|
// POSIX time, in seconds, when the list was created. Required.
|
|
optional uint32 creation_time_seconds = 1;
|
|
// DeviceCertificateStatus for each system ID.
|
|
repeated DeviceCertificateStatus device_certificate_status = 2;
|
|
}
|
|
|
|
// Signed CertificateStatusList
|
|
message SignedDeviceCertificateStatusList {
|
|
// Serialized DeviceCertificateStatusList. Required.
|
|
optional bytes certificate_status_list = 1;
|
|
// Signature of certificate_status_list. Signed with root certificate private
|
|
// key using RSASSA-PSS. Required.
|
|
optional bytes signature = 2;
|
|
// Optional field that indicates the hash algorithm used in signature scheme.
|
|
optional HashAlgorithmProto hash_algorithm = 3;
|
|
}
|