119 lines
4.6 KiB
Protocol Buffer
119 lines
4.6 KiB
Protocol Buffer
////////////////////////////////////////////////////////////////////////////////
|
|
// Copyright 2017 Google LLC.
|
|
//
|
|
// This software is licensed under the terms defined in the Widevine Master
|
|
// License Agreement. For a copy of this agreement, please contact
|
|
// widevine-licensing@google.com.
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// Description:
|
|
// DRM certificate object definition.
|
|
|
|
syntax = "proto2";
|
|
|
|
package widevine;
|
|
|
|
option java_outer_classname = "DrmCertificateProtos";
|
|
option java_package = "com.google.video.widevine.protos";
|
|
|
|
|
|
// Definition of the root of trust identifier proto. The proto message contains
|
|
// the EC-IES encrypted identifier (e.g. keybox unique id) for a device and
|
|
// an associated hash. These can be used by Widevine to identify the root of
|
|
// trust that was used to acquire a DRM certificate.
|
|
//
|
|
// In addition to the encrypted part and the hash, the proto contains the
|
|
// version of the root of trust id which implies the EC key algorithm that was
|
|
// used.
|
|
// Next id: 5
|
|
message RootOfTrustId {
|
|
// The version specifies the EC algorithm that was used to generate the
|
|
// root of trust id.
|
|
enum RootOfTrustIdVersion {
|
|
// Should not be used.
|
|
ROOT_OF_TRUST_ID_VERSION_UNSPECIFIED = 0;
|
|
// Version 1 of the ID uses EC-IES with SECP256R1 curve.
|
|
ROOT_OF_TRUST_ID_VERSION_1 = 1;
|
|
}
|
|
optional RootOfTrustIdVersion version = 1;
|
|
// The key_id is used for key rotation. It indicates which key was used to
|
|
// generate the root of trust id.
|
|
optional uint32 key_id = 2;
|
|
|
|
// The EC-IES encrypted message containing the unique_id. The bytes are
|
|
// a concatenation of
|
|
// 1) The ephemeral public key. Uncompressed keypoint format per X9.62.
|
|
// 2) The plaintext encrypted with the derived AES key using AES CBC,
|
|
// PKCS7 padding and a zerio iv.
|
|
// 3) The HMAC SHA256 of the cipher text.
|
|
optional bytes encrypted_unique_id = 3;
|
|
|
|
// The hash of encrypted unique id and other values.
|
|
// unique_id_hash = SHA256(
|
|
// encrypted_unique_id || system_id || SHA256(unique_id || secret_sauce)).
|
|
optional bytes unique_id_hash = 4;
|
|
}
|
|
|
|
// DRM certificate definition for user devices, intermediate, service, and root
|
|
// certificates.
|
|
// Next id: 11
|
|
message DrmCertificate {
|
|
enum Type {
|
|
ROOT = 0; // ProtoBestPractices: ignore.
|
|
DEVICE_MODEL = 1;
|
|
DEVICE = 2;
|
|
SERVICE = 3;
|
|
PROVISIONER = 4;
|
|
}
|
|
enum ServiceType {
|
|
UNKNOWN_SERVICE_TYPE = 0;
|
|
LICENSE_SERVER_SDK = 1;
|
|
LICENSE_SERVER_PROXY_SDK = 2;
|
|
PROVISIONING_SDK = 3;
|
|
CAS_PROXY_SDK = 4;
|
|
}
|
|
enum Algorithm {
|
|
UNKNOWN_ALGORITHM = 0;
|
|
RSA = 1;
|
|
ECC_SECP256R1 = 2;
|
|
ECC_SECP384R1 = 3;
|
|
ECC_SECP521R1 = 4;
|
|
}
|
|
// Type of certificate. Required.
|
|
optional Type type = 1;
|
|
// 128-bit globally unique serial number of certificate.
|
|
// Value is 0 for root certificate. Required.
|
|
optional bytes serial_number = 2;
|
|
// POSIX time, in seconds, when the certificate was created. Required.
|
|
optional uint32 creation_time_seconds = 3;
|
|
// Device public key. PKCS#1 ASN.1 DER-encoded. Required.
|
|
optional bytes public_key = 4;
|
|
// Widevine system ID for the device. Required for intermediate and
|
|
// user device certificates.
|
|
optional uint32 system_id = 5;
|
|
// Deprecated field, which used to indicate whether the device was a test
|
|
// (non-production) device. The test_device field in ProvisionedDeviceInfo
|
|
// below should be observed instead.
|
|
optional bool test_device_deprecated = 6 [deprecated = true];
|
|
// Service identifier (web origin) for the provider which owns the
|
|
// certificate. Required for service and provisioner certificates.
|
|
optional string provider_id = 7;
|
|
// This field is used only when type = SERVICE to specify which SDK uses
|
|
// service certificate. This repeated field is treated as a set. A certificate
|
|
// may be used for the specified service SDK if the appropriate ServiceType
|
|
// is specified in this field.
|
|
repeated ServiceType service_types = 8;
|
|
// Required. The algorithm field contains the curve used to create the
|
|
// |public_key| if algorithm is one of the ECC types.
|
|
// The |algorithm| is used for both to determine the if the certificate is ECC
|
|
// or RSA. The |algorithm| also specifies the parameters that were used to
|
|
// create |public_key| and are used to create an ephemeral session key.
|
|
optional Algorithm algorithm = 9 [default = RSA];
|
|
// Optional. May be present in DEVICE certificate types. This is the root
|
|
// of trust identifier that holds an encrypted value that identifies the
|
|
// keybox or other root of trust that was used to provision a DEVICE drm
|
|
// certificate.
|
|
optional RootOfTrustId rot_id = 10;
|
|
}
|