////////////////////////////////////////////////////////////////////////////////
// Copyright 2016 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
// Description:
//   ClientIdentification messages used by provisioning and license protocols.
//
// Two top-level messages are defined here: ClientIdentification (cleartext
// form) and EncryptedClientIdentification (the same message serialized and
// encrypted for privacy).

syntax = "proto2";

package widevine;

option java_package = "com.google.video.widevine.protos";
option java_outer_classname = "ClientIdentificationProtos";

// ClientIdentification message used to authenticate the client device.
//
// Every field is declared optional (proto2), so the schema itself enforces
// nothing: a receiver has to check that the fields it relies on are present
// before acting on them.
message ClientIdentification {
  // Kind of credential carried in |token|.
  enum TokenType {
    KEYBOX = 0;
    DRM_DEVICE_CERTIFICATE = 1;
    REMOTE_ATTESTATION_CERTIFICATE = 2;
    OEM_DEVICE_CERTIFICATE = 3;
  }

  // One free-form name/value pair; used by |client_info|.
  message NameValue {
    optional string name = 1;
    optional string value = 2;
  }

  // Capabilities which not all clients may support. Used for the license
  // exchange protocol only.
  //
  // NOTE(review): these values are reported by the client. Whether they are
  // covered by a signature or attestation is not visible in this file; confirm
  // before using them for output-protection or content-quality decisions.
  message ClientCapabilities {
    // HDCP level, used by |max_hdcp_version|.
    // HDCP_NO_DIGITAL_OUTPUT is 0xff (255), outside the sequential range, so
    // a plain numeric comparison ranks it above every listed version.
    // NOTE(review): confirm that consumers ordering these values expect that.
    enum HdcpVersion {
      HDCP_NONE = 0;
      HDCP_V1 = 1;
      HDCP_V2 = 2;
      HDCP_V2_1 = 3;
      HDCP_V2_2 = 4;
      HDCP_V2_3 = 5;
      HDCP_NO_DIGITAL_OUTPUT = 0xff;
    }

    // Certificate key types, listed in |supported_certificate_key_type|.
    // The names suggest RSA modulus sizes in bits.
    enum CertificateKeyType {
      RSA_2048 = 0;
      RSA_3072 = 1;
    }

    // Analog output capability, used by |analog_output_capabilities|.
    // ANALOG_OUTPUT_UNKNOWN (0) is the declared default of that field.
    enum AnalogOutputCapabilities {
      ANALOG_OUTPUT_UNKNOWN = 0;
      ANALOG_OUTPUT_NONE = 1;
      ANALOG_OUTPUT_SUPPORTED = 2;
      ANALOG_OUTPUT_SUPPORTS_CGMS_A = 3;
    }

    // Capability flags; each reads as false when the client omits it.
    // NOTE(review): the exact feature behind each flag is not described in
    // this file; the names suggest client tokens, session tokens and
    // per-resolution constraints. Confirm against the protocol specification.
    optional bool client_token = 1 [default = false];
    optional bool session_token = 2 [default = false];
    optional bool video_resolution_constraints = 3 [default = false];

    // Highest HDCP level the client reports. Reads as HDCP_NONE when absent.
    optional HdcpVersion max_hdcp_version = 4 [default = HDCP_NONE];

    // OEMCrypto API version reported by the client. No default is declared,
    // so presence has to be checked explicitly.
    optional uint32 oem_crypto_api_version = 5;

    // Client has hardware support for protecting the usage table, such as
    // storing the generation number in secure memory.  For Details, see:
    // https://docs.google.com/document/d/1Mm8oB51SYAgry62mEuh_2OEkabikBiS61kN7HsDnh9Y/edit#heading=h.xgjl2srtytjt
    optional bool anti_rollback_usage_table = 6 [default = false];

    // The client shall report |srm_version| if available.
    optional uint32 srm_version = 7;

    // A device may have SRM data, and report a version, but may not be capable
    // of updating SRM data.
    optional bool can_update_srm = 8 [default = false];

    // Certificate key types the client reports as supported; may be empty.
    repeated CertificateKeyType supported_certificate_key_type = 9;

    // Analog output capability reported by the client. Reads as
    // ANALOG_OUTPUT_UNKNOWN when absent.
    optional AnalogOutputCapabilities analog_output_capabilities = 10
        [default = ANALOG_OUTPUT_UNKNOWN];

    // Reads as false when absent.
    optional bool can_disable_analog_output = 11 [default = false];

    // Clients can indicate a performance level supported by OEMCrypto.
    // This will allow applications and providers to choose an appropriate
    // quality of content to serve. Currently defined tiers are
    // 1 (low), 2 (medium) and 3 (high). Any other value indicates that
    // the resource rating is unavailable or reporting erroneous values
    // for that device. The declared default, 0, therefore falls in the
    // "unavailable" case. For details see,
    // https://docs.google.com/document/d/1wodSYK-Unj3AgTSXqujWuBCAFC00qF85G1AhfLtqdko
    optional uint32 resource_rating_tier = 12 [default = 0];
  }

  // Type of factory-provisioned device root of trust. Optional.
  // Reads as KEYBOX when the client omits it.
  optional TokenType type = 1 [default = KEYBOX];

  // Factory-provisioned device root of trust. Required.
  // "Required" is a protocol rule only: the field is declared optional, so
  // the parser accepts a message without it and the receiver must reject a
  // missing or empty token itself.
  optional bytes token = 2;

  // Optional client information name/value pairs.
  // The pairs are free-form strings supplied by the client.
  repeated NameValue client_info = 3;

  // Client token generated by the content provider. Optional.
  optional bytes provider_client_token = 4;

  // Number of licenses received by the client to which the token above belongs.
  // Only present if client_token is specified.
  // NOTE(review): "the token above" presumably means |provider_client_token|,
  // and "client_token" presumably the same field; confirm.
  optional uint32 license_counter = 5;

  // List of non-baseline client capabilities.
  optional ClientCapabilities client_capabilities = 6;

  // Serialized VmpData message. Optional.
  // VmpData is not defined in this file; the bytes are opaque at this level
  // and have to be parsed and validated separately.
  optional bytes vmp_data = 7;
}

// EncryptedClientIdentification message used to hold ClientIdentification
// messages encrypted for privacy purposes.
//
// The field comments below describe a hybrid scheme: the serialized
// ClientIdentification is encrypted with an AES-128 privacy key, and that key
// is encrypted with the service public key.
//
// NOTE(review): CBC mode provides confidentiality only, and this message has
// no MAC or signature field. Integrity presumably comes from an enclosing
// signed message; confirm. The decrypting side should also avoid reporting
// padding failures differently from other failures.
message EncryptedClientIdentification {
  // Provider ID for which the ClientIdentification is encrypted (owner of
  // service certificate).
  optional string provider_id = 1;

  // Serial number for the service certificate for which ClientIdentification is
  // encrypted.
  optional bytes service_certificate_serial_number = 2;

  // Serialized ClientIdentification message, encrypted with the privacy key
  // using AES-128-CBC with PKCS#5 padding.
  optional bytes encrypted_client_id = 3;

  // Initialization vector needed to decrypt encrypted_client_id.
  // NOTE(review): for AES-CBC this is expected to be 16 bytes (one AES block);
  // the schema does not constrain the length, so the receiver should check it.
  optional bytes encrypted_client_id_iv = 4;

  // AES-128 privacy key, encrypted with the service public key using RSA-OAEP.
  // The OAEP hash and mask-generation parameters are not stated in this file.
  optional bytes encrypted_privacy_key = 5;
}