provisioning_sdk_source/protos/public/device_certificate_status.proto

////////////////////////////////////////////////////////////////////////////////
// Copyright 2017 Google LLC.
//
// This software is licensed under the terms defined in the Widevine Master
// License Agreement. For a copy of this agreement, please contact
// widevine-licensing@google.com.
////////////////////////////////////////////////////////////////////////////////
//
//
// Description:
//   Device certificate status list object definitions.

syntax = "proto2";

package widevine;

import "protos/public/hash_algorithm.proto";
import "protos/public/provisioned_device_info.proto";

option java_outer_classname = "DeviceCertificateStatusProtos";
option java_package = "com.google.video.widevine.protos";

// Contains DRM and OEM certificate status and device information for a
// specific system ID.
// TODO(user): Move this to its own file.
message DeviceCertificateStatus {
  enum DeprecatedStatus {
    DEPRECATED_VALID = 0;
    DEPRECATED_REVOKED = 1;
  }
  enum Status {
    STATUS_UNKNOWN = 0;
    STATUS_IN_TESTING = 10;  // Pre-release, active device.
    STATUS_RELEASED = 20;    // Released, active device.
    STATUS_TEST_ONLY = 30;   // Development-only device.
    STATUS_REVOKED = 40;     // Revoked device.
  }

  message RevokedIdentifiers {
    // Contains a sorted list of DRM serial numbers that are revoked.
    repeated bytes revoked_certificate_serial_numbers = 1;
    // Contains a sorted list of revoked_unique_id_hashes that are revoked.
    // These identifiers are hash values of the root of trust identifier.
    // For a keybox, hash = SHA256(KeyboxUniqueID || SecretSauce) where
    // SecretSauce is a Widevine owned secret. For Provisioning 3.0, hash =
    // SHA256(X509SerialNumber|| SecretSauce) where SecretSauce is a Widevine
    // owned secret.
    repeated bytes revoked_unique_id_hashes = 2;
  }

  // Serial number of the intermediate DrmCertificate to which this
  // message refers. Required.
  optional bytes drm_serial_number = 1;
  // Status of the certificate. Optional & deprecated in favor of |status|
  // below.
  optional DeprecatedStatus deprecated_status = 2 [default = DEPRECATED_VALID];
  // Device model information about the device to which the intermediate
  // certificate(s) correspond.
  optional ProvisionedDeviceInfo device_info = 4;
  // Serial number of the OEM X.509 intermediate certificate for this type
  // of device. Present only if the device is OEM-provisioned.
  optional bytes oem_serial_number = 5;
  // Status of the device. Optional.
  optional Status status = 6 [default = STATUS_UNKNOWN];

  // RevokedIdentifiers collect all the serial_numbers or unique_id_hashes used
  // for individual drm certificate revocation.
  optional RevokedIdentifiers revoked_identifiers = 7;
}

// List of DeviceCertificateStatus. Used to propagate certificate revocation
// status and device information.
message DeviceCertificateStatusList {
  // POSIX time, in seconds, when the list was created. Required.
  optional uint32 creation_time_seconds = 1;
  // DeviceCertificateStatus for each system ID.
  repeated DeviceCertificateStatus certificate_status = 2;
}

// List of DeviceCertificateStatus. Used to propagate certificate revocation
// status and device information. (Used in published devices library)
message PublishedDevicesList {
  // POSIX time, in seconds, when the list was created. Required.
  optional uint32 creation_time_seconds = 1;
  // DeviceCertificateStatus for each system ID.
  repeated DeviceCertificateStatus device_certificate_status = 2;
}

// Signed CertificateStatusList
message SignedDeviceCertificateStatusList {
  // Serialized DeviceCertificateStatusList. Required.
  optional bytes certificate_status_list = 1;
  // Signature of certificate_status_list. Signed with root certificate private
  // key using RSASSA-PSS. Required.
  optional bytes signature = 2;
  // Optional field that indicates the hash algorithm used in signature scheme.
  optional HashAlgorithmProto hash_algorithm = 3;
}