//////////////////////////////////////////////////////////////////////////////// // Copyright 2016 Google Inc. // // This software is licensed under the terms defined in the Widevine Master // License Agreement. For a copy of this agreement, please contact // widevine-licensing@google.com. //////////////////////////////////////////////////////////////////////////////// // // Description: // Public protocol buffer definitions for Widevine Device Certificate // Provisioning protocol. syntax = "proto2"; package widevine; option java_package = "com.google.video.widevine.protos"; import "protos/public/client_identification.proto"; // ProvisioningOptions specifies the type of certificate to specify and // in the case of X509 certificates, the certificate authority to use. message ProvisioningOptions { enum CertificateType { WIDEVINE_DRM = 0; // Default. The original certificate type. X509 = 1; // X.509 certificate. } optional CertificateType certificate_type = 1 [default = WIDEVINE_DRM]; // Contains the application-specific name used to identify the certificate // authority for signing the generated certificate. This is required iff the // certificate type is X509. optional string certificate_authority = 2; } // Provisioning request sent by client devices to provisioning service. message ProvisioningRequest { oneof clear_or_encrypted_client_id { // Device root of trust and other client identification. Required. ClientIdentification client_id = 1; EncryptedClientIdentification encrypted_client_id = 5; } // Nonce value used to prevent replay attacks. Required. optional bytes nonce = 2; // Options for type of certificate to generate. Optional. optional ProvisioningOptions options = 3; oneof spoid_param { // Stable identifier, unique for each device + application (or origin). // To be deprecated. bytes stable_id = 4; // Service provider ID from the service certificate's provider_id field. // Preferred parameter. bytes provider_id = 6; // Client-generated stable per-origin identifier to be copied directly // to the client certificate serial number. bytes spoid = 7; } } // Provisioning response sent by the provisioning server to client devices. // This message is used for both regular Widevine DRM certificates and for // application-specific X.509 certificates. message ProvisioningResponse { // AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded. // Required. For X.509 certificates, the private RSA key may also include // a prefix as specified by private_key_prefix in the X509CertificateMetadata // proto message. optional bytes device_rsa_key = 1; // Initialization vector used to encrypt device_rsa_key. Required. optional bytes device_rsa_key_iv = 2; // For Widevine DRM certificates, this contains the serialized // SignedDrmDeviceCertificate. For X.509 certificates, this contains the PEM // encoded X.509 certificate. Required. optional bytes device_certificate = 3; // Nonce value matching nonce in ProvisioningRequest. Required. optional bytes nonce = 4; // Key used to wrap device_rsa_key when DRM provisioning an OEM factory // provisioned device. Encrypted with the device OEM public key using // RSA-OAEP. optional bytes wrapping_key = 5; } // Serialized ProvisioningRequest or ProvisioningResponse signed with // The message authentication key. message SignedProvisioningMessage { enum ProtocolVersion { VERSION_2 = 2; // Keybox factory-provisioned devices. VERSION_3 = 3; // OEM certificate factory-provisioned devices. } // Serialized ProvisioningRequest or ProvisioningResponse. Required. optional bytes message = 1; // HMAC-SHA256 (Keybox) or RSASSA-PSS (OEM) signature of message. Required. optional bytes signature = 2; // Version number of provisioning protocol. optional ProtocolVersion protocol_version = 3 [default = VERSION_2]; }