89 lines
3.4 KiB
Protocol Buffer
89 lines
3.4 KiB
Protocol Buffer
// Copyright 2013 Google Inc. All Rights Reserved.
|
|
// Author: tinskip@google.com (Thomas Inskip)
|
|
//
|
|
// Description:
|
|
// Public protocol buffer definitions for Widevine Device Certificate
|
|
// Provisioning protocol.
|
|
|
|
syntax = "proto2";
|
|
|
|
package widevine;
|
|
option java_package = "com.google.video.widevine.protos";
|
|
|
|
import "protos/public/client_identification.proto";
|
|
|
|
// ProvisioningOptions specifies the type of certificate to specify and
|
|
// in the case of X509 certificates, the certificate authority to use.
|
|
message ProvisioningOptions {
|
|
enum CertificateType {
|
|
WIDEVINE_DRM = 0; // Default. The original certificate type.
|
|
X509 = 1; // X.509 certificate.
|
|
}
|
|
|
|
optional CertificateType certificate_type = 1 [default = WIDEVINE_DRM];
|
|
|
|
// Contains the application-specific name used to identify the certificate
|
|
// authority for signing the generated certificate. This is required iff the
|
|
// certificate type is X509.
|
|
optional string certificate_authority = 2;
|
|
}
|
|
|
|
// Provisioning request sent by client devices to provisioning service.
|
|
message ProvisioningRequest {
|
|
oneof clear_or_encrypted_client_id {
|
|
// Device root of trust and other client identification. Required.
|
|
ClientIdentification client_id = 1;
|
|
EncryptedClientIdentification encrypted_client_id = 5;
|
|
}
|
|
// Nonce value used to prevent replay attacks. Required.
|
|
optional bytes nonce = 2;
|
|
// Options for type of certificate to generate. Optional.
|
|
optional ProvisioningOptions options = 3;
|
|
oneof origin_id {
|
|
// Stable identifier, unique for each device + application (or origin).
|
|
// Required if doing per-origin provisioning.
|
|
bytes stable_id = 4;
|
|
// Stable content provider ID.
|
|
bytes provider_id = 6;
|
|
}
|
|
}
|
|
|
|
// Provisioning response sent by the provisioning server to client devices.
|
|
// This message is used for both regular Widevine DRM certificates and for
|
|
// application-specific X.509 certificates.
|
|
message ProvisioningResponse {
|
|
// AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
|
|
// Required. For X.509 certificates, the private RSA key may also include
|
|
// a prefix as specified by private_key_prefix in the X509CertificateMetadata
|
|
// proto message.
|
|
optional bytes device_rsa_key = 1;
|
|
// Initialization vector used to encrypt device_rsa_key. Required.
|
|
optional bytes device_rsa_key_iv = 2;
|
|
// For Widevine DRM certificates, this contains the serialized
|
|
// SignedDrmDeviceCertificate. For X.509 certificates, this contains the PEM
|
|
// encoded X.509 certificate. Required.
|
|
optional bytes device_certificate = 3;
|
|
// Nonce value matching nonce in ProvisioningRequest. Required.
|
|
optional bytes nonce = 4;
|
|
// Key used to wrap device_rsa_key when DRM provisioning an OEM factory
|
|
// provisioned device. Encrypted with the device OEM public key using
|
|
// RSA-OAEP.
|
|
optional bytes wrapping_key = 5;
|
|
}
|
|
|
|
// Serialized ProvisioningRequest or ProvisioningResponse signed with
|
|
// The message authentication key.
|
|
message SignedProvisioningMessage {
|
|
enum ProtocolVersion {
|
|
VERSION_2 = 2; // Keybox factory-provisioned devices.
|
|
VERSION_3 = 3; // OEM certificate factory-provisioned devices.
|
|
}
|
|
|
|
// Serialized ProvisioningRequest or ProvisioningResponse. Required.
|
|
optional bytes message = 1;
|
|
// HMAC-SHA256 (Keybox) or RSASSA-PSS (OEM) signature of message. Required.
|
|
optional bytes signature = 2;
|
|
// Version number of provisioning protocol.
|
|
optional ProtocolVersion protocol_version = 3 [default = VERSION_2];
|
|
}
|