Update ODK to v17.1 and add tests

whitebox/WORKSPACE

@@ -65,8 +65,8 @@ http_archive(
 new_git_repository(
     name = "odk_repo",
     build_file = "//external:odk.BUILD",
-    commit = "c1401c6a1cc6a4378b6aa3d1c3d3f1f58278616e",
+    commit = "5232c51e33dc2b61d8b8a7414063696e8aaac49b",  # v17.1
-    remote = "https://widevine-partner.googlesource.com/oemcrypto_core_message.git",
+    remote = "https://widevine-partner.googlesource.com/oemcrypto",
 )
 
 bind(

whitebox/api/BUILD

@@ -164,7 +164,7 @@ cc_library(
         ":license_whitebox",
         ":shared_settings",
         ":test_key_types",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
     ],
 )
 
@@ -191,7 +191,7 @@ cc_library(
         ":test_license_provider_keys",
         ":test_server",
         "//chromium_deps/cdm/keys:dev_certs",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
         "//crypto_utils:aes_cbc_encryptor",
         "//crypto_utils:crypto_util",
         "//external:odk",

whitebox/api/license_whitebox_process_license_response_core_message_test.cc

@@ -2,6 +2,7 @@
 
 #include "api/license_whitebox.h"
 
+#include <tuple>
 #include <vector>
 
 #include "api/license_whitebox_test_base.h"
@@ -11,6 +12,9 @@
 namespace widevine {
 
 using OdkVersion = TestLicenseBuilder::OdkVersion;
+using Padding = TestLicenseBuilder::Padding;
+
+constexpr const Padding kNoSigningKey = static_cast<Padding>(0xff);
 
 class LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest
     : public LicenseWhiteboxTestBase {
@@ -42,9 +46,18 @@ class LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest
 
 // Success tests below test with and without the ODK.
 
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
+class LicenseWhiteboxProcessLicenseResponseWithCoreMessageGenericTest
-       SuccessWithoutOdkAndWithoutSigningKey) {
+    : public LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-  UseLicenseWithoutSigningKey(OdkVersion::kNone);
+      public testing::WithParamInterface<std::tuple<Padding, OdkVersion>> {};
+
+TEST_P(LicenseWhiteboxProcessLicenseResponseWithCoreMessageGenericTest,
+       Success) {
+  if (std::get<0>(GetParam()) == kNoSigningKey) {
+    UseLicenseWithoutSigningKey(std::get<1>(GetParam()));
+  } else {
+    UseLicenseWithSigningKey(std::get<0>(GetParam()), std::get<1>(GetParam()));
+  }
+
   ASSERT_EQ(
       WB_License_ProcessLicenseResponse(
           whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
@@ -54,125 +67,24 @@ TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
           license_.session_key.size(), kNoProviderKeyId,
           license_.request.data(), license_.request.size()),
       WB_RESULT_OK);
+
+  auto& key = golden_data_.CBCContent().software_crypto_key;
+  WB_KeyStatus status;
+  ASSERT_EQ(WB_License_QueryKeyStatus(
+                whitebox_, WB_KEY_QUERY_TYPE_CONTENT_KEY, key.id.data(),
+                key.id.size(), &status),
+            WB_RESULT_OK);
 }
 
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
+INSTANTIATE_TEST_SUITE_P(
-       SuccessWithOdk16_3AndWithoutSigningKey) {
+    Success,
-  UseLicenseWithoutSigningKey(OdkVersion::k16_3);
+    LicenseWhiteboxProcessLicenseResponseWithCoreMessageGenericTest,
-  ASSERT_EQ(
+    ::testing::Combine(
-      WB_License_ProcessLicenseResponse(
+        ::testing::Values(kNoSigningKey, Padding::kNone, Padding::kPKSC8),
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
+        ::testing::Values(OdkVersion::kNone, OdkVersion::k16_3,
-          license_.core_message.size(), license_.message.data(),
+                          OdkVersion::k16_5, OdkVersion::k17_1)));
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
 
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
+// Failure tests
-       SuccessWithOdk16_5AndWithoutSigningKey) {
-  UseLicenseWithoutSigningKey(OdkVersion::k16_5);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithoutOdkAndWithSigningKeyNoPadding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kNone,
-                           OdkVersion::kNone);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithOdk16_3AndWithSigningKeyNoPadding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kNone,
-                           OdkVersion::k16_3);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithOdk16_5AndWithSigningKeyNoPadding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kNone,
-                           OdkVersion::k16_5);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithoutOdkAndWithSigningKeyPKSC8Padding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kPKSC8,
-                           OdkVersion::kNone);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithOdk16_3AndWithSigningKeyPKSC8Padding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kPKSC8,
-                           OdkVersion::k16_3);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
-
-TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
-       SuccessWithOdk16_5AndWithSigningKeyPKSC8Padding) {
-  UseLicenseWithSigningKey(TestLicenseBuilder::Padding::kPKSC8,
-                           OdkVersion::k16_5);
-  ASSERT_EQ(
-      WB_License_ProcessLicenseResponse(
-          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
-          license_.core_message.size(), license_.message.data(),
-          license_.message.size(), license_.signature.data(),
-          license_.signature.size(), license_.session_key.data(),
-          license_.session_key.size(), kNoProviderKeyId,
-          license_.request.data(), license_.request.size()),
-      WB_RESULT_OK);
-}
 
 TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
        InvalidParameterForNullCoreMessage) {
@@ -188,6 +100,20 @@ TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
       WB_RESULT_INVALID_PARAMETER);
 }
 
+TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
+       InvalidParameterForInvalidVersionNumber) {
+  UseLicenseWithoutSigningKey(OdkVersion::k99);
+  ASSERT_EQ(
+      WB_License_ProcessLicenseResponse(
+          whitebox_, WB_LICENSE_KEY_MODE_DUAL_KEY, license_.core_message.data(),
+          license_.core_message.size(), license_.message.data(),
+          license_.message.size(), license_.signature.data(),
+          license_.signature.size(), license_.session_key.data(),
+          license_.session_key.size(), kNoProviderKeyId,
+          license_.request.data(), license_.request.size()),
+      WB_RESULT_INVALID_PARAMETER);
+}
+
 TEST_F(LicenseWhiteboxProcessLicenseResponseWithCoreMessageTest,
        InvalidSignatureWithZeroCoreMessageSize) {
   UseLicenseWithoutSigningKey(OdkVersion::k16_5);

whitebox/api/test_license_builder.cc

@@ -182,7 +182,9 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
                                 uint16_t api_major_version,
                                 uint16_t api_minor_version,
                                 bool use_padding) {
-  DCHECK_EQ(api_major_version, ODK_MAJOR_VERSION)
+  DCHECK_GE(api_major_version, ODK_FIRST_VERSION)
+      << "Verify ODK library is compatible.";
+  DCHECK_LE(api_major_version, ODK_MAJOR_VERSION)
       << "Verify ODK library is compatible.";
   constexpr uint32_t session_id = 0xcafebabe;
   constexpr uint32_t nonce = 0xdeadbeef;
@@ -219,9 +221,14 @@ std::string GenerateCoreMessage(const std::string& serialized_request,
   CHECK(oemcrypto_core_message::deserialize::CoreLicenseRequestFromMessage(
       request_core_message, &core_request));
 
+  oemcrypto_core_message::features::CoreMessageFeatures features =
+      oemcrypto_core_message::features::CoreMessageFeatures::kDefaultFeatures;
+  features.maximum_major_version = api_major_version;
+  features.maximum_minor_version = api_minor_version;
+
   std::string oemcrypto_core_message;
   CHECK(oemcrypto_core_message::serialize::CreateCoreLicenseResponseFromProto(
-      serialized_license_response, core_request, core_message_hash,
+      features, serialized_license_response, core_request, core_message_hash,
       /* nonce_required= */ true, use_padding, &oemcrypto_core_message));
   return oemcrypto_core_message;
 }
@@ -466,12 +473,32 @@ void AddOperatorSessionKeyToContainer(
   container->set_id(key_id.data(), key_id.size());
 }
 
+uint16_t GetOdkMajorVersion(TestLicenseBuilder::OdkVersion odk_version) {
+  switch (odk_version) {
+    case TestLicenseBuilder::OdkVersion::k16_3:
+    case TestLicenseBuilder::OdkVersion::k16_5:
+    case TestLicenseBuilder::OdkVersion::k99:
+      return 16;
+    case TestLicenseBuilder::OdkVersion::k17_1:
+      return 17;
+    case TestLicenseBuilder::OdkVersion::kNone:
+      DCHECK(false);
+      return 0;
+    default:
+      CHECK(false) << "Unknown ODK Version";
+      return 0;
+  }
+}
+
 uint16_t GetOdkMinorVersion(TestLicenseBuilder::OdkVersion odk_version) {
   switch (odk_version) {
     case TestLicenseBuilder::OdkVersion::k16_3:
+    case TestLicenseBuilder::OdkVersion::k99:
       return 3;
     case TestLicenseBuilder::OdkVersion::k16_5:
       return 5;
+    case TestLicenseBuilder::OdkVersion::k17_1:
+      return 1;
     case TestLicenseBuilder::OdkVersion::kNone:
       DCHECK(false);
       return 0;
@@ -607,11 +634,17 @@ void TestLicenseBuilder::Build(const TestServer& server,
 
   std::string oemcrypto_core_message;
   if (settings_.odk_version != OdkVersion::kNone) {
-    uint16_t api_major_version = 16;
+    uint16_t api_major_version = GetOdkMajorVersion(settings_.odk_version);;
     uint16_t api_minor_version = GetOdkMinorVersion(settings_.odk_version);
     oemcrypto_core_message = GenerateCoreMessage(
         serialized_request_, message_str, api_major_version, api_minor_version,
         settings_.padding != Padding::kNone);
+
+    if (settings_.odk_version == OdkVersion::k99) {
+      // Change the api_major_version field to be too large (invalid)
+      CHECK_EQ(oemcrypto_core_message[11], 16);
+      oemcrypto_core_message[11] = 99;
+    }
   }
 
   // If |odk_version| is kNone, |oemcrypto_core_message| will be empty.

whitebox/api/test_license_builder.h

@@ -56,6 +56,9 @@ class TestLicenseBuilder {
     kNone,  // No `core_message`
     k16_3,  // ODK version 16.3
     k16_5,  // ODK version 16.5
+    k17_1,  // ODK version 17.1
+
+    k99,    // ODK 16.3, but with the version set to 99 (an arbitrary value).
   };
 
   enum class KeyControlBlock {

whitebox/chromium_deps/cdm/protos/BUILD

@@ -1,13 +1,23 @@
 # Copyright 2020 Google LLC. All Rights Reserved.
 
-# Protobuf generated code doesn't like it when include prefixes are
+# Protocol buffer definitions for Widevine Services.
-# stripped off. So this is a stub to mimic the protobuf C++ header.
+package(default_visibility = ["//visibility:public"])
-cc_library(
+
-    name = "license_protocol_proto",
+load("@com_google_protobuf//:protobuf.bzl", "cc_proto_library")
-    hdrs = ["license_protocol.pb.h"],
+
-    strip_include_prefix = "//chromium_deps/cdm/protos",
+cc_proto_library(
-    visibility = ["//visibility:public"],
+    name = "protos",
-    deps = [
+    srcs = [
-        "//chromium_deps/cdm/protos/defs:license_protocol_proto",
+      "certificate_provisioning.proto",
+      "client_identification.proto",
+      "drm_certificate.proto",
+      "dtcp_usage.proto",
+      "hash_algorithm.proto",
+      "license_protocol.proto",
+      "remote_attestation.proto",
+      "root_of_trust_id.proto",
     ],
+    include = ".",
+    default_runtime = "@com_google_protobuf//:protobuf",
+    protoc = "@com_google_protobuf//:protoc",
 )

whitebox/chromium_deps/cdm/protos/defs/BUILD

@@ -1,41 +0,0 @@
-# Copyright 2020 Google LLC. All Rights Reserved.
-
-# Protocol buffer definitions for Widevine Services.
-package(default_visibility = ["//visibility:public"])
-
-load("@com_google_protobuf//:protobuf.bzl", "cc_proto_library")
-
-cc_proto_library(
-    name = "certificate_provisioning_proto",
-    srcs = ["certificate_provisioning.proto"],
-    default_runtime = "@com_google_protobuf//:protobuf",
-    protoc = "@com_google_protobuf//:protoc",
-)
-
-cc_proto_library(
-    name = "client_identification_proto",
-    srcs = ["client_identification.proto"],
-    default_runtime = "@com_google_protobuf//:protobuf",
-    protoc = "@com_google_protobuf//:protoc",
-)
-
-cc_proto_library(
-    name = "license_protocol_proto",
-    srcs = ["license_protocol.proto"],
-    default_runtime = "@com_google_protobuf//:protobuf",
-    protoc = "@com_google_protobuf//:protoc",
-    deps = [
-        ":client_identification_proto",
-        ":remote_attestation_proto",
-    ],
-)
-
-cc_proto_library(
-    name = "remote_attestation_proto",
-    srcs = ["remote_attestation.proto"],
-    default_runtime = "@com_google_protobuf//:protobuf",
-    protoc = "@com_google_protobuf//:protoc",
-    deps = [
-        ":client_identification_proto",
-    ],
-)

whitebox/chromium_deps/cdm/protos/drm_certificate.proto

@@ -0,0 +1,102 @@
+// Copyright 2017 Google LLC. All rights reserved.
+
+// Author: tinskip@google.com (Thomas Inskip)
+//
+// Description:
+//   DRM certificate object definition.
+
+syntax = "proto2";
+
+package video_widevine;
+
+import "root_of_trust_id.proto";
+
+option optimize_for = LITE_RUNTIME;
+
+// DRM certificate definition for user devices, intermediate, service, and root
+// certificates.
+// Next id: 13
+message DrmCertificate {
+  enum Type {
+    ROOT = 0;
+    DEVICE_MODEL = 1;
+    DEVICE = 2;
+    SERVICE = 3;
+    PROVISIONER = 4;
+  }
+  enum ServiceType {
+    UNKNOWN_SERVICE_TYPE = 0;
+    LICENSE_SERVER_SDK = 1;
+    LICENSE_SERVER_PROXY_SDK = 2;
+    PROVISIONING_SDK = 3;
+    CAS_PROXY_SDK = 4;
+  }
+  enum Algorithm {
+    UNKNOWN_ALGORITHM = 0;
+    RSA = 1;
+    ECC_SECP256R1 = 2;
+    ECC_SECP384R1 = 3;
+    ECC_SECP521R1 = 4;
+  }
+
+  message EncryptionKey {
+    // |public_key| is required.
+    // If the |algorithm| is RSA, |public_key| is a PKCS#1 ASN.1 DER-encoded.
+    // If the |algorithm| is ECC, |public_key_ is encoded as an ASN.1
+    // DER-encoded SubjectPublicKeyInfo as defined in RFC 5280.
+    optional bytes public_key = 1;
+    // Required. The algorithm field contains the curve used to create the
+    // |public_key| if algorithm is one of the ECC types.
+    // The |algorithm| is used for both to determine the if the certificate is
+    // ECC or RSA. The |algorithm| also specifies the parameters that were used
+    // to create |public_key| and are used to create an ephemeral session key.
+    optional Algorithm algorithm = 2 [default = RSA];
+  }
+
+  // Type of certificate. Required.
+  optional Type type = 1;
+  // 128-bit globally unique serial number of certificate.
+  // Value is 0 for root certificate. Required.
+  optional bytes serial_number = 2;
+  // POSIX time, in seconds, when the certificate was created. Required.
+  optional uint32 creation_time_seconds = 3;
+  // POSIX time, in seconds, when the certificate should expire. Value of zero
+  // denotes indefinite expiry time. For more information on limited lifespan
+  // DRM certificates see (go/limited-lifespan-drm-certificates).
+  optional uint32 expiration_time_seconds = 12;
+  // |public_key| is required.
+  // If the |algorithm| is RSA, |public_key| is a PKCS#1 ASN.1 DER-encoded.
+  // If the |algorithm| is ECC, |public_key| is encoded as an ASN.1 DER-encoded
+  // SubjectPublicKeyInfo as defined in RFC 5280.
+  optional bytes public_key = 4;
+  // Widevine system ID for the device. Required for intermediate and
+  // user device certificates.
+  optional uint32 system_id = 5;
+  // Deprecated field, which used to indicate whether the device was a test
+  // (non-production) device. The test_device field in ProvisionedDeviceInfo
+  // below should be observed instead.
+  optional bool test_device_deprecated = 6 [deprecated = true];
+  // Service identifier (web origin) for the provider which owns the
+  // certificate. Required for service and provisioner certificates.
+  optional string provider_id = 7;
+  // This field is used only when type = SERVICE to specify which SDK uses
+  // service certificate. This repeated field is treated as a set. A certificate
+  // may be used for the specified service SDK if the appropriate ServiceType
+  // is specified in this field.
+  repeated ServiceType service_types = 8;
+  // Required. The algorithm field contains the curve used to create the
+  // |public_key| if algorithm is one of the ECC types.
+  // The |algorithm| is used for both to determine the if the certificate is ECC
+  // or RSA. The |algorithm| also specifies the parameters that were used to
+  // create |public_key| and are used to create an ephemeral session key.
+  optional Algorithm algorithm = 9 [default = RSA];
+  // Optional. May be present in DEVICE certificate types. This is the root
+  // of trust identifier that holds an encrypted value that identifies the
+  // keybox or other root of trust that was used to provision a DEVICE drm
+  // certificate.
+  optional RootOfTrustId rot_id = 10;
+  // Optional. May be present in devices that explicitly support dual keys. When
+  // present the |public_key| is used for verification of received license
+  // request messages.
+  optional EncryptionKey encryption_key = 11;
+}

whitebox/chromium_deps/cdm/protos/dtcp_usage.proto

@@ -0,0 +1,156 @@
+// Copyright 2021 Google LLC. All rights reserved.
+// Description:
+//   Definitions of the protocol buffer message used for DTCP2 usage rules.
+
+syntax = "proto2";
+
+package video_widevine;
+
+option optimize_for = LITE_RUNTIME;
+
+// LINT.IfChange
+// DTCP2 usage rules used in the license policy.
+message DTCPUsageRules {
+  // This field indicates the value of Retention_State.
+  enum RetentionState {
+    // (-- api-linter: core::0126::unspecified=disabled
+    //     aip.dev/not-precedent: name and values are defined in the DTCP
+    //     specification. --)
+    // Forever
+    RETENTION_STATE_FOREVER = 0;
+    // 1 week
+    RETENTION_STATE_1_WEEK = 1;
+    // 2 day
+    RETENTION_STATE_2_DAYS = 2;
+    // 1 day
+    RETENTION_STATE_1_DAY = 3;
+    // 12 hours
+    RETENTION_STATE_12_HOURS = 4;
+    // 6 hours
+    RETENTION_STATE_6_HOURS = 5;
+    // 3 hours
+    RETENTION_STATE_3_HOURS = 6;
+    // 90 minutes
+    RETENTION_STATE_90_MINUTES = 7;
+  }
+
+  // This field indicates Copy Control Information (CCI).
+  enum CopyControlInfo {
+    // Copy freely
+    COPY_FREE = 0;
+    // No more copies
+    COPY_NO_MORE = 1;
+    // One time copy
+    COPY_ONE = 2;
+    // Copy not allowed
+    COPY_NEVER = 3;
+  }
+
+  // This field indicates Analog Protection System (APS) used to block
+  // recording devices.
+  enum AnalogProtectionSystem {
+    // Copy freely, APS is off
+    APS_OFF = 0;
+    // APS is on, Type 1 (AGC)
+    APS_TYPE1 = 1;
+    // APS is on, Type 2 (AGC + 2L Colorstripe)
+    APS_TYPE2 = 2;
+    // APS is on, Type 3 (AGC + 4L Colorstripe)
+    APS_TYPE3 = 3;
+  }
+
+  // This field indicates the value of the Image Constraint Token (ICT) that
+  // controls downsampling of high-definition video.
+  enum ImageConstraintToken {
+    // HD analog output, Constrained Image
+    ICT_CONSTRAINED = 0;
+    //  HD analog out
+    ICT_HD_ANALOG = 1;
+  }
+
+  // This field indicates the value of Analog Sunset Token (AST) used to limit
+  // playback to standard definition (SD) only
+  enum AnalogSunsetToken {
+    // Asserted
+    AST_ASSERTED = 0;
+    // Unasserted
+    AST_UNASERTED = 1;
+  }
+
+  // This field indicates the value of Digital Only Token (DOT) used to restrict
+  // output to digital only.
+  enum DigitalOnlyToken {
+    // Asserted
+    DOT_ASSERTED = 0;
+    // Unasserted
+    DOT_UNASSERTED = 1;
+  }
+
+  // This field indicates the value of Audio Enhanced Token (AET).
+  enum AudioEnhancedToken {
+    // Asserted
+    AET_ASSERTED = 0;
+    // Unasserted
+    AET_UNASSERTED = 1;
+  }
+
+  // This field indicates the value of Standard Digital Output (SDO) token.
+  enum StandardDigitalOutputToken {
+    // Unasserted
+    SDO_UNASSEERTED = 0;
+    // Asserted, L2 protection is permitted
+    SDO_ASSEERTED = 1;
+  }
+
+  // This field indicates the value of High Dynamic Rnage (HDR) token.
+  enum HighDynamicRangeToken {
+    // Unasserted, SDR conversion is permitted
+    HDR_UNASSERTED = 0;
+    // Unasserted, SDR conversion is not permitted
+    HDR_ASSERTED = 1;
+  }
+
+  // This field indicates the value of the L2 Protection Only token.
+  enum L2ProtectionOnlyToken {
+    // Unasserted
+    L2_ONLY_UNASSERTED = 0;
+    // Aasserted (L2 protection onl)
+    L2_ONLY_ASSERTED = 1;
+  }
+
+  // This field indicates the value of the Enhanced Image (EI) token
+  enum EnhancedImageToken {
+    // Unasserted, Non-Enhanced Image
+    EI_UNASSERTED = 0;
+    // Asserted, Enhanced Image
+    EI_ASSERTED = 1;
+  }
+
+  // This field indicates whether a further Bound Copy can be made from a
+  // Bound Copy retained in accordance with the RetentionStatefield.
+  enum FurtherBoundCopy {
+    // Furthur Bound Copy Prohibited
+    FBC_PROHIBITED = 0;
+    // Furthur Bound Copy Permitted
+    FBC_PERMITTED = 1;
+  }
+
+  // Indicates if Digital Transmission Control Protection 2 (DTCP2) is required.
+  optional bool require_dtcp2 = 1 [default = false];
+  optional CopyControlInfo copy_control = 2;
+  optional bool encryption_plus = 3;
+  optional RetentionState retention_state = 4;
+  optional AnalogProtectionSystem analog_protection_system = 5;
+  optional ImageConstraintToken image_constraint_token = 6;
+  optional AnalogSunsetToken analog_sunset_token = 7;
+  optional DigitalOnlyToken digital_only_token = 8;
+  optional AudioEnhancedToken audio_enhanced_token = 9;
+  optional uint32 copy_count = 10;
+  optional StandardDigitalOutputToken standard_digital_token = 11;
+  optional HighDynamicRangeToken high_dynamic_token = 12;
+  optional L2ProtectionOnlyToken l2_only_token = 13;
+  optional EnhancedImageToken enhaned_image_token = 14;
+  optional uint32 retention_time = 15;
+  optional FurtherBoundCopy further_copy = 16;
+}
+// LINT.ThenChange(//depot/google3/google/chrome/widevine/licensedata/v1/license_policy.proto)

whitebox/chromium_deps/cdm/protos/hash_algorithm.proto

@@ -0,0 +1,18 @@
+// Copyright 2020 Google LLC. All rights reserved.
+
+syntax = "proto3";
+
+package video_widevine;
+
+option optimize_for = LITE_RUNTIME;
+
+// LINT.IfChange
+enum HashAlgorithmProto {
+  // Unspecified hash algorithm: SHA_256 shall be used for ECC based algorithms
+  // and SHA_1 shall be used otherwise.
+  HASH_ALGORITHM_UNSPECIFIED = 0;
+  HASH_ALGORITHM_SHA_1 = 1;
+  HASH_ALGORITHM_SHA_256 = 2;
+  HASH_ALGORITHM_SHA_384 = 3;
+}
+// LINT.ThenChange(//depot/google3/google/chrome/widevine/contentpartners/v1beta1/device_security_profiles.proto)

whitebox/chromium_deps/cdm/protos/license_protocol.pb.h

@@ -1,10 +0,0 @@
-// Copyright 2020 Google LLC. All Rights Reserved.
-
-#ifndef CDM_PROTOS_LICENSE_PROTOCOL_PB_H_
-#define CDM_PROTOS_LICENSE_PROTOCOL_PB_H_
-
-// Protobuf generated code doesn't like it when include prefixes are stripped
-// off. So simply including the actual generated protobuf C++ header.
-#include "chromium_deps/cdm/protos/defs/license_protocol.pb.h"
-
-#endif  // CDM_PROTOS_LICENSE_PROTOCOL_PB_H_

whitebox/chromium_deps/cdm/protos/license_protocol.proto

@@ -3,24 +3,24 @@
 // Description:
 //   Definitions of the protocol buffer messages used in the Widevine license
 //   exchange protocol, described in Widevine license exchange protocol document
-// TODO(yawenyu): find out a right way to strip out all the doc link.
-// MOE:begin_strip
-// Design doc at:
-//   http://doc/1cng6cDnchbDQDymLEd5MxMc_laS3EDv6IsoW3IzpgwQ
-// MOE:end_strip
 
 syntax = "proto2";
 
 package video_widevine;
 
-import "chromium_deps/cdm/protos/defs/client_identification.proto";
+import "client_identification.proto";
-import "chromium_deps/cdm/protos/defs/remote_attestation.proto";
+import "drm_certificate.proto";
+import "dtcp_usage.proto";
+import "hash_algorithm.proto";
+import "remote_attestation.proto";
 
 option optimize_for = LITE_RUNTIME;
 
 enum LicenseType {
   STREAMING = 1;
   OFFLINE = 2;
+  // License type decision is left to provider.
+  AUTOMATIC = 3;
 }
 
 enum PlatformVerificationStatus {
@@ -48,11 +48,89 @@ message LicenseIdentification {
   optional LicenseType type = 4;
   optional int32 version = 5;
   optional bytes provider_session_token = 6;
+  // Set by the SDK representing the rental duration from the initial license.
+  optional int64 original_rental_duration_seconds = 7;
+  // Set by the SDK representing the playback duration from the initial license.
+  optional int64 original_playback_duration_seconds = 8;
+  // Set by the SDK representing the start time of the initial license in
+  // seconds (UTC). This is from the original license's license_start_time,
+  // which is from the LicenseRequest.request_time when set, or set by the
+  // server to be the time that the original license was processed.
+  optional int64 original_start_time_seconds = 9;
+  // Set by the SDK representing the renewal recovery duration from the initial
+  // license.
+  optional int64 original_renewal_recovery_duration_seconds = 10;
+  // Set by the SDK representing the renewal delay seconds from the original
+  // license.
+  optional int64 original_renewal_delay_seconds = 11;
+}
+
+// This message is used to indicate the license cateogry spec for a license as
+// a part of initial license issuance.
+// LINT.IfChange
+message LicenseCategorySpec {
+  // Possible license categories.
+  enum LicenseCategory {
+    // By default, License is used for single content.
+    SINGLE_CONTENT_LICENSE_DEFAULT = 0;
+    // License is used for multiple contents (could be a combination of
+    // single contents and groups of contents).
+    MULTI_CONTENT_LICENSE = 1;
+    // License is used for contents logically grouped.
+    GROUP_LICENSE = 2;
+  }
+  // Optional. License category indicates if license is used for single
+  // content, multiple contents (could be a combination of
+  // single contents and groups of contents) or a group of contents.
+  optional LicenseCategory license_category = 1;
+  // Optional. Content or group ID covered by the license.
+  oneof content_or_group_id {
+    // Content_id would be present if it is a license for single content.
+    bytes content_id = 2;
+    // Group_id would be present if the license is a multi_content_license or
+    // group_license. Group Id could be the name of a group of contents,
+    // defined by licensor.
+    bytes group_id = 3;
+  }
+}
+// LINT.ThenChange(//depot/google3/google/chrome/widevine/licensedata/v1/session_init.proto)
+
+message ProxyInfo {
+  // Indicates SDK type(Including UNKNOWN_SERVICE_TYPE, LICENSE_PROXY_SDK,
+  // CAS_PROXY_SDK).
+  optional DrmCertificate.ServiceType sdk_type = 1;
+  // Indicates the version of SDK.
+  optional string sdk_version = 2;
 }
 
 message License {
   // LINT.IfChange
   message Policy {
+    // Client-side watermarking restrictions for the license.
+    enum WatermarkingControl {
+      // Watermarking may or may not be used, provider does not care.
+      WATERMARKING_CONTROL_UNSPECIFIED = 0;
+      // Watermarking must not be used. The device must disable watermarking
+      // if it supports it.
+      WATERMARKING_FORBIDDEN = 1;
+      // Watermarking is required if the device supports it.
+      WATERMARKING_REQUIRED = 2;
+    }
+
+    // The base for (delayed) timers, i.e. the time from which the delayed timer
+    // starts.
+    enum TimerDelayBase {
+      // Not specified
+      TIMER_DELAY_BASE_UNSPECIFIED = 0;
+      // The timer delay is based on `license_start_time`.
+      LICENSE_START = 1;
+      // The timer delay is based on the time the license is received by the
+      // CDM. Playback window begins at license load time.
+      LICENSE_LOAD = 2;
+      // The timer delay is based on the time of first decryption.
+      FIRST_DECRYPT = 3;
+    }
+
     // Indicates that playback of the content is allowed.
     optional bool can_play = 1 [default = false];
 
@@ -88,8 +166,10 @@ message License {
     // specified URL.
     optional string renewal_server_url = 8;
 
-    // How many seconds after license_start_time, before renewal is first
+    // How many seconds after |license_start_time| before renewal is first
-    // attempted.
+    // attempted. If |renew_with_usage| is true in a new license, then this is
+    // the optional number of seconds after first playback, before renewal is
+    // first attempted.
     optional int64 renewal_delay_seconds = 9 [default = 0];
 
     // Specifies the delay in seconds between subsequent license
@@ -97,7 +177,8 @@ message License {
     optional int64 renewal_retry_interval_seconds = 10 [default = 0];
 
     // Indicates that the license shall be sent for renewal when usage is
-    // started.
+    // started, i.e. on first playback. This should only be used for a new
+    // license. The client shall ignore this if set in a renewal.
     optional bool renew_with_usage = 11 [default = false];
 
     // Indicates to client that license renewal and release requests ought to
@@ -106,10 +187,11 @@ message License {
 
     // Duration of grace period before playback_duration_seconds (short window)
     // goes into effect. Optional.
+    // Deprecated in V16.
     optional int64 play_start_grace_period_seconds = 13 [default = 0];
 
     // Enables "soft enforcement" of playback_duration_seconds, letting the user
-    // finish playback even if short window expires. Optional.
+    // finish playback even if playback window expires. Optional.
     optional bool soft_enforce_playback_duration = 14 [default = false];
 
     // Enables "soft enforcement" of rental_duration_seconds. Initial playback
@@ -118,17 +200,39 @@ message License {
     // soft_enforce_playback_duration must be true. Otherwise, subsequent
     // playbacks will not be allowed once rental duration expires. Optional.
     optional bool soft_enforce_rental_duration = 15 [default = true];
+
+    // Optional requirement to indicate watermarking is allowed.
+    optional WatermarkingControl watermarking_control = 16
+        [default = WATERMARKING_CONTROL_UNSPECIFIED];
+
+    // Optional DTCP2 requirements. Default is to not allow dtcp2.
+    optional DTCPUsageRules dtcp2 = 17;
+
+    // The base for `renewal_delay_seconds` for a new license. This should only
+    // be set for a new license. For renewal licenses this field will be ignored
+    // and `renewal_delay_seconds` should always be based on
+    // `license_start_time`. When `initial_renewal_delay_base` is FIRST_DECRYPT,
+    // the delay of `renewal_delay_seconds` is optional for backward
+    // compatibility with old clients.
+    optional TimerDelayBase initial_renewal_delay_base = 18
+        [default = TIMER_DELAY_BASE_UNSPECIFIED];
   }
   // LINT.ThenChange(//depot/google3/google/chrome/widevine/licensedata/v1/license_policy.proto)
 
+  // LINT.IfChange
   message KeyContainer {
     enum KeyType {
-      SIGNING = 1;           // Exactly one key of this type must appear.
+      SIGNING = 1;           // No more than one signing key may appear.
       CONTENT = 2;           // Content key.
       KEY_CONTROL = 3;       // Key control block for license renewals. No key.
       OPERATOR_SESSION = 4;  // wrapped keys for auxiliary crypto operations.
       ENTITLEMENT = 5;       // Entitlement keys.
       OEM_CONTENT = 6;       // Partner-specific content key.
+      // Public signing key provided by content providers. Currently used by CAS
+      // for verifying the received ECM/EMM signature. Only EC key is supported
+      // for now.
+      PROVIDER_ECM_VERIFIER_PUBLIC_KEY = 7;
+      OEM_ENTITLEMENT = 8;  // Partner-specific entitlement key.
     }
 
     // The SecurityLevel enumeration allows the server to communicate the level
@@ -154,11 +258,15 @@ message License {
       HW_SECURE_ALL = 5;
     }
 
+    // The EncryptionScheme to be used for the content keys.  This is applicable
+    // only to Moho API.
+    enum EncryptionScheme {
+      ENCRYPTION_SCHEME_UNSPECIFIED = 0;
+      AES128_CTR = 1;
+      AES128_CBC = 2;
+    }
+
     message KeyControl {
-      // MOE:begin_strip
-      // |key_control| is documented here:
-      //   http://doc/1pHSJ2IKL0axmQz2gmDZ7olxPWb_ZcULaJrYwDZAeS7k/edit#heading=h.pua7563f80h6
-      // MOE:end_strip
       // If present, the key control must be communicated to the secure
       // environment prior to any usage. This message is automatically generated
       // by the Widevine License Server SDK.
@@ -199,11 +307,15 @@ message License {
         // allow use of the key anyway.
         CURRENT_SRM = 1;
       }
+
       optional HdcpSrmRule hdcp_srm_rule = 3 [default = HDCP_SRM_RULE_NONE];
       // Optional requirement to indicate analog output is not allowed.
       optional bool disable_analog_output = 4 [default = false];
       // Optional requirement to indicate digital output is not allowed.
       optional bool disable_digital_output = 5 [default = false];
+      // Optional. If set, it indicates digital video recording (DVR) is
+      // allowed.
+      optional bool allow_record = 6 [default = false];
     }
 
     message VideoResolutionConstraint {
@@ -224,6 +336,28 @@ message License {
       optional bool allow_signature_verify = 4 [default = false];
     }
 
+    // KeyCategorySpec message is used to identify if current key is generated
+    // for a single content or a group of contents. Currently it is only used in
+    // CAS request.
+    message KeyCategorySpec {
+      // Represents what kind of content a key is used for.
+      enum KeyCategory {
+        // By default, key is created for single content.
+        SINGLE_CONTENT_KEY_DEFAULT = 0;
+        // Key is created for a group of contents.
+        GROUP_KEY = 1;
+      }
+      // Indicate if the current key is created for single content or for group
+      // use.
+      optional KeyCategory key_category = 1;
+      // Id for key category. If it is a key for single content, this id
+      // represents the content_id. Otherwise, it represents a group_id.
+      oneof content_or_group_id {
+        bytes content_id = 2;
+        bytes group_id = 3;
+      }
+    }
+
     optional bytes id = 1;
     optional bytes iv = 2;
     optional bytes key = 3;
@@ -241,7 +375,8 @@ message License {
     // be reported.
     // NOTE: Use of this feature is not recommended, as it is only supported on
     // a small number of platforms.
-    repeated VideoResolutionConstraint video_resolution_constraints = 10;
+    repeated VideoResolutionConstraint video_resolution_constraints = 10
+        [deprecated = true];
     // Optional flag to indicate the key must only be used if the client
     // supports anti rollback of the user table.  Content provider can query the
     // client capabilities to determine if the client support this feature.
@@ -249,6 +384,14 @@ message License {
     // Optional not limited to commonly known track types such as SD, HD.
     // It can be some provider defined label to identify the track.
     optional string track_label = 12;
+    // Optional. It is used to identify if current key is generated for a
+    // single content or a group of contents. Currently it is only used in CAS
+    // request.
+    optional KeyCategorySpec key_category_spec = 13;
+    // Optional. Used by Moho API for Content key encryption. If unspecified,
+    // the Moho code uses the encryption scheme of type AES128_CTR.
+    optional EncryptionScheme encryption_scheme = 14
+        [default = ENCRYPTION_SCHEME_UNSPECIFIED];
   }
   // LINT.ThenChange(//depot/google3/google/chrome/widevine/licensedata/v1/key_container.proto)
 
@@ -259,7 +402,7 @@ message License {
   // LicenseRequest.request_time.  If this time is not set in the request,
   // the local time at the license service is used in this field.
   optional int64 license_start_time = 4;
-  // TODO(b/65054419): Deprecate remote_attestation_verified in favor of
+  // Deprecate remote_attestation_verified in favor of
   // platform_verification_status, below.
   optional bool remote_attestation_verified = 5 [default = false];
   // Client token generated by the content provider. Optional.
@@ -270,10 +413,6 @@ message License {
   // 8 byte verification field "HDCPDATA" followed by unsigned 32 bit minimum
   // HDCP SRM version (whether the version is for HDCP1 SRM or HDCP2 SRM
   // depends on client max_hdcp_version).
-  // MOE:begin_strip
-  // Additional details at:
-  //   http://doc/1MYwkQjcdeP7eMAZGeYCvjlXMO0MqRKTUYk2SlsoSXXc/#heading=h.8l3xqpa3rvfi.
-  // MOE:end_strip
   optional bytes srm_requirement = 8;
   // If present this contains a signed SRM file (either HDCP1 SRM or HDCP2 SRM
   // depending on client max_hdcp_version) that should be installed on the
@@ -285,6 +424,10 @@ message License {
       [default = PLATFORM_NO_VERIFICATION];
   // IDs of the groups for which keys are delivered in this license, if any.
   repeated bytes group_ids = 11;
+  // Optional. LicenseCategorySpec is used to indicate the license cateogry for
+  // a license. It could be used as a part of initial license issuance or shown
+  // as a part of license in license response.
+  optional LicenseCategorySpec license_category_spec = 12;
   // Optional: The provider key id indicates which provider key was used
   // during provider key encryption.
   optional uint32 provider_key_id = 13;
@@ -361,6 +504,9 @@ message LicenseRequest {
   optional uint32 key_control_nonce = 7;
   // Encrypted ClientIdentification message, used for privacy purposes.
   optional EncryptedClientIdentification encrypted_client_id = 8;
+  // The version of the client implementation. This field is optional and
+  // informational only.
+  optional string client_version = 9;
 }
 
 message LicenseError {
@@ -373,6 +519,8 @@ message LicenseError {
     // The service is currently unavailable due to the backend being down
     // or similar circumstances.
     SERVICE_UNAVAILABLE = 3;
+    // The device credentials are expired. The device must re-provision.
+    EXPIRED_DRM_DEVICE_CERTIFICATE = 4;
   }
   optional Error error_code = 1;
 }
@@ -425,8 +573,9 @@ message SignedMessage {
   enum SessionKeyType {
     UNDEFINED = 0;
     WRAPPED_AES_KEY = 1;
-    EPHERMERAL_ECC_PUBLIC_KEY = 2;
+    EPHEMERAL_ECC_PUBLIC_KEY = 2;
   }
+
   optional MessageType type = 1;
   optional bytes msg = 2;
   // Required field that contains the signature of the bytes of msg.
@@ -445,10 +594,6 @@ message SignedMessage {
   // request for ChromeOS client devices operating in verified mode. Remote
   // attestation challenge data is |msg| field above. Optional.
   optional RemoteAttestation remote_attestation = 5;
-  // MOE:begin_strip
-  // Design doc at:
-  //   http://doc/1LqEzxw1v2CVBx_zv5lVX55FcGKjx6JLnFdXjEUbNTOQ
-  // MOE:end_strip
 
   repeated MetricData metric_data = 6;
   // Version information from the SDK and license service. This information is
@@ -460,4 +605,10 @@ message SignedMessage {
   // The core message is the simple serialization of fields used by OEMCrypto.
   // This field was introduced in OEMCrypto API v16.
   optional bytes oemcrypto_core_message = 9;
+  // Optional field that indicates the hash algorithm used in signature scheme.
+  optional HashAlgorithmProto hash_algorithm = 10;
+  // If true it indicates that a LICENSE message session key was based on an
+  // alternate key provided by the client credentials.
+  optional bool using_secondary_key = 11;
 }
+

whitebox/chromium_deps/cdm/protos/remote_attestation.proto

@@ -8,7 +8,7 @@ syntax = "proto2";
 
 package video_widevine;
 
-import "chromium_deps/cdm/protos/defs/client_identification.proto";
+import "client_identification.proto";
 
 option optimize_for = LITE_RUNTIME;
 

whitebox/chromium_deps/cdm/protos/root_of_trust_id.proto

@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC. All rights reserved.
+
+syntax = "proto2";
+
+package video_widevine;
+
+option optimize_for = LITE_RUNTIME;
+
+// Definition of the root of trust identifier proto. The proto message contains
+// the EC-IES encrypted identifier (e.g. keybox unique id) for a device and
+// an associated hash. These can be used by Widevine to identify the root of
+// trust that was used to acquire a DRM certificate.
+//
+// In addition to the encrypted part and the hash, the proto contains the
+// version of the root of trust id which implies the EC key algorithm that was
+// used.
+// Next id: 5
+message RootOfTrustId {
+  // The version specifies the EC algorithm that was used to generate the
+  // root of trust id.
+  enum RootOfTrustIdVersion {
+    // Should not be used.
+    ROOT_OF_TRUST_ID_VERSION_UNSPECIFIED = 0;
+    // Version 1 of the ID uses EC-IES with SECP256R1 curve.
+    ROOT_OF_TRUST_ID_VERSION_1 = 1;
+  }
+  optional RootOfTrustIdVersion version = 1;
+  // The key_id is used for key rotation. It indicates which key was used to
+  // generate the root of trust id.
+  optional uint32 key_id = 2;
+
+  // The EC-IES encrypted message containing the unique_id. The bytes are
+  // a concatenation of
+  //    1) The ephemeral public key. Uncompressed keypoint format per X9.62.
+  //    2) The plaintext encrypted with the derived AES key using AES CBC,
+  //       PKCS7 padding and a zerio iv.
+  //    3) The HMAC SHA256 of the cipher text.
+  optional bytes encrypted_unique_id = 3;
+
+  // The hash of encrypted unique id and other values.
+  // unique_id_hash = SHA256(
+  //   encrypted_unique_id || system_id || SHA256(unique_id || secret_sauce)).
+  optional bytes unique_id_hash = 4;
+}

whitebox/external/odk.BUILD

@@ -29,6 +29,7 @@ cc_library(
         ":odk_common_hdrs",
     ],
     hdrs = [
+        "oemcrypto/odk/include/core_message_features.h",
         "oemcrypto/odk/include/OEMCryptoCENCCommon.h",
         "oemcrypto/odk/include/odk.h",
         "oemcrypto/odk/include/odk_attributes.h",
@@ -46,6 +47,7 @@ cc_library(
     name = "serialization",
     srcs = [
         "oemcrypto/odk/src/core_message_deserialize.cpp",
+        "oemcrypto/odk/src/core_message_features.cpp",
         "oemcrypto/odk/src/core_message_serialize.cpp",
         "oemcrypto/odk/src/core_message_serialize_proto.cpp",
         ":odk_common_hdrs",

whitebox/odk_deps/BUILD

@@ -7,7 +7,6 @@ cc_library(
     hdrs = ["license_protocol.pb.h"],
     strip_include_prefix = "//odk_deps/",
     deps = [
-        "//chromium_deps/cdm/protos/defs:certificate_provisioning_proto",
+        "//chromium_deps/cdm/protos",
-        "//chromium_deps/cdm/protos/defs:license_protocol_proto",
     ],
 )

whitebox/odk_deps/license_protocol.pb.h

@@ -5,7 +5,7 @@
 
 // Because the Android repo combines the two protobufs, we need to include both
 // of them in this header so that the ODK code can find it.
-#include "chromium_deps/cdm/protos/defs/certificate_provisioning.pb.h"
+#include "chromium_deps/cdm/protos/certificate_provisioning.pb.h"
-#include "chromium_deps/cdm/protos/defs/license_protocol.pb.h"
+#include "chromium_deps/cdm/protos/license_protocol.pb.h"
 
 #endif // ODK_DEPS_LICENSE_PROTOCOL_PB_H_

whitebox/reference/impl/BUILD

@@ -47,7 +47,7 @@ cc_library(
     deps = [
         "//api:license_whitebox",
         "//api:shared_settings",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
     ],
 )
 
@@ -69,7 +69,7 @@ cc_library(
         ":renewal_key",
         "//api:result",
         "//api:shared_settings",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
         "//crypto_utils:aes_cbc_decryptor",
         "//crypto_utils:crypto_util",
     ],
@@ -95,7 +95,7 @@ cc_library(
         ":license_parser",
         "//api:shared_settings",
         "//chromium_deps/base:glog",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
         "//crypto_utils:crypto_util",
     ],
 )
@@ -172,7 +172,7 @@ cc_library(
         "//api:result",
         "//api:shared_settings",
         "//chromium_deps/cdm/keys:dev_certs",
-        "//chromium_deps/cdm/protos:license_protocol_proto",
+        "//chromium_deps/cdm/protos",
         "//crypto_utils:aes_cbc_decryptor",
         "//crypto_utils:aes_cbc_encryptor",
         "//crypto_utils:aes_ctr_encryptor",