Export provisioning sdk

Change-Id: I4d47d80444c9507f84896767dc676112ca11e901
2017-01-24 20:06:25 -08:00
parent d2903a4951
commit 8d17e4549a
110 changed files with 10187 additions and 0 deletions
--- a/protos/public/certificate_provisioning.proto
+++ b/protos/public/certificate_provisioning.proto
@@ -0,0 +1,98 @@
+////////////////////////////////////////////////////////////////////////////////
+// Copyright 2016 Google Inc.
+//
+// This software is licensed under the terms defined in the Widevine Master
+// License Agreement. For a copy of this agreement, please contact
+// widevine-licensing@google.com.
+////////////////////////////////////////////////////////////////////////////////
+
+//
+// Description:
+//   Public protocol buffer definitions for Widevine Device Certificate
+//   Provisioning protocol.
+
+syntax = "proto2";
+
+package widevine;
+option java_package = "com.google.video.widevine.protos";
+
+import "protos/public/client_identification.proto";
+
+// ProvisioningOptions specifies the type of certificate to specify and
+// in the case of X509 certificates, the certificate authority to use.
+message ProvisioningOptions {
+  enum CertificateType {
+    WIDEVINE_DRM = 0; // Default.  The original certificate type.
+    X509 = 1; // X.509 certificate.
+  }
+
+  optional CertificateType certificate_type = 1 [default = WIDEVINE_DRM];
+
+  // Contains the application-specific name used to identify the certificate
+  // authority for signing the generated certificate. This is required iff the
+  // certificate type is X509.
+  optional string certificate_authority = 2;
+}
+
+// Provisioning request sent by client devices to provisioning service.
+message ProvisioningRequest {
+  oneof clear_or_encrypted_client_id {
+    // Device root of trust and other client identification. Required.
+    ClientIdentification client_id = 1;
+    EncryptedClientIdentification encrypted_client_id = 5;
+  }
+  // Nonce value used to prevent replay attacks. Required.
+  optional bytes nonce = 2;
+  // Options for type of certificate to generate.  Optional.
+  optional ProvisioningOptions options = 3;
+  oneof spoid_param {
+    // Stable identifier, unique for each device + application (or origin).
+    // To be deprecated.
+    bytes stable_id = 4;
+    // Service provider ID from the service certificate's provider_id field.
+    // Preferred parameter.
+    bytes provider_id = 6;
+    // Client-generated stable per-origin identifier to be copied directly
+    // to the client certificate serial number.
+    bytes spoid = 7;
+  }
+}
+
+// Provisioning response sent by the provisioning server to client devices.
+// This message is used for both regular Widevine DRM certificates and for
+// application-specific X.509 certificates.
+message ProvisioningResponse {
+  // AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
+  // Required. For X.509 certificates, the private RSA key may also include
+  // a prefix as specified by private_key_prefix in the X509CertificateMetadata
+  // proto message.
+  optional bytes device_rsa_key = 1;
+  // Initialization vector used to encrypt device_rsa_key. Required.
+  optional bytes device_rsa_key_iv = 2;
+  // For Widevine DRM certificates, this contains the serialized
+  // SignedDrmDeviceCertificate. For X.509 certificates, this contains the PEM
+  // encoded X.509 certificate. Required.
+  optional bytes device_certificate = 3;
+  // Nonce value matching nonce in ProvisioningRequest. Required.
+  optional bytes nonce = 4;
+  // Key used to wrap device_rsa_key when DRM provisioning an OEM factory
+  // provisioned device. Encrypted with the device OEM public key using
+  // RSA-OAEP.
+  optional bytes wrapping_key = 5;
+}
+
+// Serialized ProvisioningRequest or ProvisioningResponse signed with
+// The message authentication key.
+message SignedProvisioningMessage {
+  enum ProtocolVersion {
+    VERSION_2 = 2;  // Keybox factory-provisioned devices.
+    VERSION_3 = 3;  // OEM certificate factory-provisioned devices.
+  }
+
+  // Serialized ProvisioningRequest or ProvisioningResponse. Required.
+  optional bytes message = 1;
+  // HMAC-SHA256 (Keybox) or RSASSA-PSS (OEM) signature of message. Required.
+  optional bytes signature = 2;
+  // Version number of provisioning protocol.
+  optional ProtocolVersion protocol_version = 3 [default = VERSION_2];
+}