550 lines
20 KiB
Protocol Buffer
550 lines
20 KiB
Protocol Buffer
// ----------------------------------------------------------------------------
|
|
// license_protocol.proto
|
|
// ----------------------------------------------------------------------------
|
|
// Copyright 2013 Google Inc. All Rights Reserved.
|
|
//
|
|
// Description:
|
|
// Definitions of the protocol buffer messages used in the Widevine license
|
|
// exchange protocol.
|
|
|
|
syntax = "proto2";
|
|
|
|
package video_widevine_server.sdk;
|
|
|
|
// need this if we are using libprotobuf-cpp-2.3.0-lite
|
|
option optimize_for = LITE_RUNTIME;
|
|
|
|
enum LicenseType {
|
|
STREAMING = 1;
|
|
OFFLINE = 2;
|
|
}
|
|
|
|
// LicenseIdentification is propagated from LicenseRequest to License,
|
|
// incrementing version with each iteration.
|
|
message LicenseIdentification {
|
|
optional bytes request_id = 1;
|
|
optional bytes session_id = 2;
|
|
optional bytes purchase_id = 3;
|
|
optional LicenseType type = 4;
|
|
optional int32 version = 5;
|
|
optional bytes provider_session_token = 6;
|
|
}
|
|
|
|
message License {
|
|
message Policy {
|
|
// Indicates that playback of the content is allowed.
|
|
optional bool can_play = 1 [default = false];
|
|
|
|
// Indicates that the license may be persisted to non-volatile
|
|
// storage for offline use.
|
|
optional bool can_persist = 2 [default = false];
|
|
|
|
// Indicates that renewal of this license is allowed.
|
|
optional bool can_renew = 3 [default = false];
|
|
|
|
// For the |*duration*| fields, playback must halt when
|
|
// license_start_time (seconds since the epoch (UTC)) +
|
|
// license_duration_seconds is exceeded. A value of 0
|
|
// indicates that there is no limit to the duration.
|
|
|
|
// Indicates the rental window.
|
|
optional int64 rental_duration_seconds = 4 [default = 0];
|
|
|
|
// Indicates the viewing window, once playback has begun.
|
|
optional int64 playback_duration_seconds = 5 [default = 0];
|
|
|
|
// Indicates the time window for this specific license.
|
|
optional int64 license_duration_seconds = 6 [default = 0];
|
|
|
|
// The |renewal*| fields only apply if |can_renew| is true.
|
|
|
|
// The window of time, in which playback is allowed to continue while
|
|
// renewal is attempted, yet unsuccessful due to backend problems with
|
|
// the license server.
|
|
optional int64 renewal_recovery_duration_seconds = 7 [default = 0];
|
|
|
|
// All renewal requests for this license shall be directed to the
|
|
// specified URL.
|
|
optional string renewal_server_url = 8;
|
|
|
|
// How many seconds after license_start_time, before renewal is first
|
|
// attempted.
|
|
optional int64 renewal_delay_seconds = 9 [default = 0];
|
|
|
|
// Specifies the delay in seconds between subsequent license
|
|
// renewal requests, in case of failure.
|
|
optional int64 renewal_retry_interval_seconds = 10 [default = 0];
|
|
|
|
// Indicates that the license shall be sent for renewal when usage is
|
|
// started.
|
|
optional bool renew_with_usage = 11 [default = false];
|
|
|
|
// Indicates to client that license renewal and release requests ought to
|
|
// include ClientIdentification (client_id).
|
|
optional bool renew_with_client_id = 12 [default = false];
|
|
}
|
|
|
|
message KeyContainer {
|
|
enum KeyType {
|
|
// Exactly one key of this type must appear.
|
|
SIGNING = 1;
|
|
CONTENT = 2;
|
|
KEY_CONTROL = 3;
|
|
OPERATOR_SESSION = 4;
|
|
}
|
|
|
|
// The SecurityLevel enumeration allows the server to communicate the level
|
|
// of robustness required by the client, in order to use the key.
|
|
enum SecurityLevel {
|
|
// Software-based whitebox crypto is required.
|
|
SW_SECURE_CRYPTO = 1;
|
|
|
|
// Software crypto and an obfuscated decoder is required.
|
|
SW_SECURE_DECODE = 2;
|
|
|
|
// The key material and crypto operations must be performed within a
|
|
// hardware backed trusted execution environment.
|
|
HW_SECURE_CRYPTO = 3;
|
|
|
|
// The crypto and decoding of content must be performed within a hardware
|
|
// backed trusted execution environment.
|
|
HW_SECURE_DECODE = 4;
|
|
|
|
// The crypto, decoding and all handling of the media (compressed and
|
|
// uncompressed) must be handled within a hardware backed trusted
|
|
// execution environment.
|
|
HW_SECURE_ALL = 5;
|
|
}
|
|
|
|
message KeyControl {
|
|
// If present, the key control must be communicated to the secure
|
|
// environment prior to any usage. This message is automatically generated
|
|
// by the Widevine License Server SDK.
|
|
optional bytes key_control_block = 1;
|
|
optional bytes iv = 2;
|
|
}
|
|
|
|
message OutputProtection {
|
|
// Indicates whether HDCP is required on digital outputs, and which
|
|
// version should be used.
|
|
enum HDCP {
|
|
HDCP_NONE = 0;
|
|
HDCP_V1 = 1;
|
|
HDCP_V2 = 2;
|
|
HDCP_V2_1 = 3;
|
|
HDCP_V2_2 = 4;
|
|
HDCP_NO_DIGITAL_OUTPUT = 0xff;
|
|
}
|
|
optional HDCP hdcp = 1 [default = HDCP_NONE];
|
|
|
|
// Indicate the CGMS setting to be inserted on analog output.
|
|
enum CGMS {
|
|
CGMS_NONE = 42;
|
|
COPY_FREE = 0;
|
|
COPY_ONCE = 2;
|
|
COPY_NEVER = 3;
|
|
}
|
|
optional CGMS cgms_flags = 2 [default = CGMS_NONE];
|
|
}
|
|
|
|
message VideoResolutionConstraint {
|
|
// Minimum and maximum video resolutions in the range (height x width).
|
|
optional uint32 min_resolution_pixels = 1;
|
|
optional uint32 max_resolution_pixels = 2;
|
|
// Optional output protection requirements for this range. If not
|
|
// specified, the OutputProtection in the KeyContainer applies.
|
|
optional OutputProtection required_protection = 3;
|
|
}
|
|
|
|
message OperatorSessionKeyPermissions {
|
|
// Permissions/key usage flags for operator service keys
|
|
// (type = OPERATOR_SESSION).
|
|
optional bool allow_encrypt = 1 [default = false];
|
|
optional bool allow_decrypt = 2 [default = false];
|
|
optional bool allow_sign = 3 [default = false];
|
|
optional bool allow_signature_verify = 4 [default = false];
|
|
}
|
|
|
|
optional bytes id = 1;
|
|
optional bytes iv = 2;
|
|
optional bytes key = 3;
|
|
optional KeyType type = 4;
|
|
optional SecurityLevel level = 5 [default = SW_SECURE_CRYPTO];
|
|
optional OutputProtection required_protection = 6;
|
|
// NOTE: Use of requested_protection is not recommended as it is only
|
|
// supported on a small number of platforms.
|
|
optional OutputProtection requested_protection = 7;
|
|
optional KeyControl key_control = 8;
|
|
optional OperatorSessionKeyPermissions operator_session_key_permissions = 9;
|
|
// Optional video resolution constraints. If the video resolution of the
|
|
// content being decrypted/decoded falls within one of the specified ranges,
|
|
// the optional required_protections may be applied. Otherwise an error will
|
|
// be reported.
|
|
// NOTE: Use of this feature is not recommended, as it is only supported on
|
|
// a small number of platforms.
|
|
repeated VideoResolutionConstraint video_resolution_constraints = 10;
|
|
// Optional flag to indicate the key must only be used if the client
|
|
// supports anti rollback of the user table. Content provider can query the
|
|
// client capabilities to determine if the client support this feature.
|
|
optional bool anti_rollback_usage_table = 11 [default = false];
|
|
}
|
|
|
|
optional LicenseIdentification id = 1;
|
|
optional Policy policy = 2;
|
|
repeated KeyContainer key = 3;
|
|
optional int64 license_start_time = 4;
|
|
optional bool remote_attestation_verified = 5 [default = false];
|
|
// Client token generated by the content provider. Optional.
|
|
optional bytes provider_client_token = 6;
|
|
}
|
|
|
|
enum ProtocolVersion {
|
|
VERSION_2_0 = 20;
|
|
VERSION_2_1 = 21;
|
|
}
|
|
|
|
message LicenseRequest {
|
|
message ContentIdentification {
|
|
message CENC {
|
|
repeated bytes pssh = 1;
|
|
optional LicenseType license_type = 2;
|
|
optional bytes request_id = 3; // Opaque, client-specified.
|
|
}
|
|
|
|
message WebM {
|
|
optional bytes header = 1;
|
|
optional LicenseType license_type = 2;
|
|
optional bytes request_id = 3; // Opaque, client-specified.
|
|
}
|
|
|
|
message ExistingLicense {
|
|
optional LicenseIdentification license_id = 1;
|
|
optional int64 seconds_since_started = 2;
|
|
optional int64 seconds_since_last_played = 3;
|
|
optional bytes session_usage_table_entry = 4;
|
|
}
|
|
|
|
// Exactly one of these must be present.
|
|
optional CENC cenc_id = 1;
|
|
optional WebM webm_id = 2;
|
|
optional ExistingLicense license = 3;
|
|
}
|
|
|
|
enum RequestType {
|
|
NEW = 1;
|
|
RENEWAL = 2;
|
|
RELEASE = 3;
|
|
}
|
|
|
|
// The client_id provides information authenticating the calling device. It
|
|
// contains the Widevine keybox token that was installed on the device at the
|
|
// factory. This field or encrypted_client_id below is required for a valid
|
|
// license request, but both should never be present in the same request.
|
|
optional ClientIdentification client_id = 1;
|
|
optional ContentIdentification content_id = 2;
|
|
optional RequestType type = 3;
|
|
optional int64 request_time = 4;
|
|
// Old-style decimal-encoded string key control nonce.
|
|
optional bytes key_control_nonce_deprecated = 5;
|
|
optional ProtocolVersion protocol_version = 6 [default = VERSION_2_0];
|
|
// New-style uint32 key control nonce, please use instead of
|
|
// key_control_nonce_deprecated.
|
|
optional uint32 key_control_nonce = 7;
|
|
// Encrypted ClientIdentification message, used for privacy purposes.
|
|
optional EncryptedClientIdentification encrypted_client_id = 8;
|
|
}
|
|
|
|
message LicenseError {
|
|
enum Error {
|
|
// The device credentials are invalid. The device must re-provision.
|
|
INVALID_DEVICE_CERTIFICATE = 1;
|
|
// The device credentials have been revoked. Re-provisioning is not
|
|
// possible.
|
|
REVOKED_DEVICE_CERTIFICATE = 2;
|
|
// The service is currently unavailable due to the backend being down
|
|
// or similar circumstances.
|
|
SERVICE_UNAVAILABLE = 3;
|
|
}
|
|
optional Error error_code = 1;
|
|
}
|
|
|
|
message RemoteAttestation {
|
|
// Encrypted ClientIdentification message containing the device remote
|
|
// attestation certificate. Required.
|
|
optional EncryptedClientIdentification certificate = 1;
|
|
// Bytes of salt which were added to the remote attestation challenge prior to
|
|
// signing it. Required.
|
|
optional bytes salt = 2;
|
|
// Signed remote attestation challenge + salt. Required.
|
|
optional bytes signature = 3;
|
|
}
|
|
|
|
message SignedMessage {
|
|
enum MessageType {
|
|
LICENSE_REQUEST = 1;
|
|
LICENSE = 2;
|
|
ERROR_RESPONSE = 3;
|
|
SERVICE_CERTIFICATE_REQUEST = 4;
|
|
SERVICE_CERTIFICATE = 5;
|
|
}
|
|
|
|
optional MessageType type = 1;
|
|
optional bytes msg = 2;
|
|
optional bytes signature = 3;
|
|
optional bytes session_key = 4;
|
|
// Remote attestation data which will be present in the initial license
|
|
// request for ChromeOS client devices operating in verified mode. Remote
|
|
// attestation challenge data is |msg| field above. Optional.
|
|
optional RemoteAttestation remote_attestation = 5;
|
|
}
|
|
|
|
// ----------------------------------------------------------------------------
|
|
// certificate_provisioning.proto
|
|
// ----------------------------------------------------------------------------
|
|
// Copyright 2013 Google Inc. All Rights Reserved.
|
|
//
|
|
// Description:
|
|
// Public protocol buffer definitions for Widevine Device Certificate
|
|
// Provisioning protocol.
|
|
|
|
// ProvisioningOptions specifies the type of certificate to specify and
|
|
// in the case of X509 certificates, the certificate authority to use.
|
|
message ProvisioningOptions {
|
|
enum CertificateType {
|
|
WIDEVINE_DRM = 0; // Default. The original certificate type.
|
|
X509 = 1; // X.509 certificate.
|
|
}
|
|
|
|
optional CertificateType certificate_type = 1;
|
|
|
|
// It is recommended that the certificate_authority specify the X.509
|
|
// Subject of the signing certificate.
|
|
optional string certificate_authority = 2;
|
|
}
|
|
|
|
// Provisioning request sent by client devices to provisioning service.
|
|
message ProvisioningRequest {
|
|
// Device root of trust and other client identification. Required.
|
|
optional ClientIdentification client_id = 1;
|
|
// Nonce value used to prevent replay attacks. Required.
|
|
optional bytes nonce = 2;
|
|
// Options for type of certificate to generate. Optional.
|
|
optional ProvisioningOptions options = 3;
|
|
// Stable identifier, unique for each device + application (or origin).
|
|
// Required if doing per-origin provisioning.
|
|
optional bytes stable_id = 4;
|
|
}
|
|
|
|
// Provisioning response sent by the provisioning server to client devices.
|
|
message ProvisioningResponse {
|
|
// AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
|
|
// Required.
|
|
optional bytes device_rsa_key = 1;
|
|
// Initialization vector used to encrypt device_rsa_key. Required.
|
|
optional bytes device_rsa_key_iv = 2;
|
|
// Serialized SignedDeviceCertificate. Required.
|
|
optional bytes device_certificate = 3;
|
|
// Nonce value matching nonce in ProvisioningRequest. Required.
|
|
optional bytes nonce = 4;
|
|
}
|
|
|
|
// Serialized ProvisioningRequest or ProvisioningResponse signed with
|
|
// The message authentication key.
|
|
message SignedProvisioningMessage {
|
|
// Serialized ProvisioningRequest or ProvisioningResponse. Required.
|
|
optional bytes message = 1;
|
|
// HMAC-SHA256 signature of message. Required.
|
|
optional bytes signature = 2;
|
|
}
|
|
|
|
// ----------------------------------------------------------------------------
|
|
// client_identification.proto
|
|
// ----------------------------------------------------------------------------
|
|
// Copyright 2013 Google Inc. All Rights Reserved.
|
|
//
|
|
// Description:
|
|
// ClientIdentification messages used by provisioning and license protocols.
|
|
|
|
// ClientIdentification message used to authenticate the client device.
|
|
message ClientIdentification {
|
|
enum TokenType {
|
|
KEYBOX = 0;
|
|
DEVICE_CERTIFICATE = 1;
|
|
REMOTE_ATTESTATION_CERTIFICATE = 2;
|
|
}
|
|
|
|
message NameValue {
|
|
optional string name = 1;
|
|
optional string value = 2;
|
|
}
|
|
|
|
// Capabilities which not all clients may support. Used for the license
|
|
// exchange protocol only.
|
|
message ClientCapabilities {
|
|
enum HdcpVersion {
|
|
HDCP_NONE = 0;
|
|
HDCP_V1 = 1;
|
|
HDCP_V2 = 2;
|
|
HDCP_V2_1 = 3;
|
|
HDCP_V2_2 = 4;
|
|
HDCP_NO_DIGITAL_OUTPUT = 0xff;
|
|
}
|
|
|
|
optional bool client_token = 1 [default = false];
|
|
optional bool session_token = 2 [default = false];
|
|
optional bool video_resolution_constraints = 3 [default = false];
|
|
optional HdcpVersion max_hdcp_version = 4 [default = HDCP_NONE];
|
|
optional uint32 oem_crypto_api_version = 5;
|
|
optional bool anti_rollback_usage_table = 6 [default = false];
|
|
}
|
|
|
|
// Type of factory-provisioned device root of trust. Optional.
|
|
optional TokenType type = 1 [default = KEYBOX];
|
|
// Factory-provisioned device root of trust. Required.
|
|
optional bytes token = 2;
|
|
// Optional client information name/value pairs.
|
|
repeated NameValue client_info = 3;
|
|
// Client token generated by the content provider. Optional.
|
|
optional bytes provider_client_token = 4;
|
|
// Number of licenses received by the client to which the token above belongs.
|
|
// Only present if client_token is specified.
|
|
optional uint32 license_counter = 5;
|
|
// List of non-baseline client capabilities.
|
|
optional ClientCapabilities client_capabilities = 6;
|
|
}
|
|
|
|
// EncryptedClientIdentification message used to hold ClientIdentification
|
|
// messages encrypted for privacy purposes.
|
|
message EncryptedClientIdentification {
|
|
// Service ID for which the ClientIdentifcation is encrypted (owner of service
|
|
// certificate).
|
|
optional string service_id = 1;
|
|
// Serial number for the service certificate for which ClientIdentification is
|
|
// encrypted.
|
|
optional bytes service_certificate_serial_number = 2;
|
|
// Serialized ClientIdentification message, encrypted with the privacy key using
|
|
// AES-128-CBC with PKCS#5 padding.
|
|
optional bytes encrypted_client_id = 3;
|
|
// Initialization vector needed to decrypt encrypted_client_id.
|
|
optional bytes encrypted_client_id_iv = 4;
|
|
// AES-128 privacy key, encrytped with the service public public key using
|
|
// RSA-OAEP.
|
|
optional bytes encrypted_privacy_key = 5;
|
|
}
|
|
|
|
// ----------------------------------------------------------------------------
|
|
// device_certificate.proto
|
|
// ----------------------------------------------------------------------------
|
|
// Copyright 2013 Google Inc. All Rights Reserved.
|
|
//
|
|
// Description:
|
|
// Device certificate and certificate status list format definitions.
|
|
|
|
// Certificate definition for user devices, intermediate, service, and root
|
|
// certificates.
|
|
message DeviceCertificate {
|
|
enum CertificateType {
|
|
ROOT = 0;
|
|
INTERMEDIATE = 1;
|
|
USER_DEVICE = 2;
|
|
SERVICE = 3;
|
|
}
|
|
|
|
// Type of certificate. Required.
|
|
optional CertificateType type = 1;
|
|
// 128-bit globally unique serial number of certificate.
|
|
// Value is 0 for root certificate. Required.
|
|
optional bytes serial_number = 2;
|
|
// POSIX time, in seconds, when the certificate was created. Required.
|
|
optional uint32 creation_time_seconds = 3;
|
|
// Device public key. PKCS#1 ASN.1 DER-encoded. Required.
|
|
optional bytes public_key = 4;
|
|
// Widevine system ID for the device. Required for intermediate and
|
|
// user device certificates.
|
|
optional uint32 system_id = 5;
|
|
// Deprecated field, which used to indicate whether the device was a test
|
|
// (non-production) device. The test_device field in ProvisionedDeviceInfo
|
|
// below should be observed instead.
|
|
optional bool test_device_deprecated = 6 [deprecated = true];
|
|
// Service identifier (web origin) for the service which owns the certificate.
|
|
// Required for service certificates.
|
|
optional string service_id = 7;
|
|
}
|
|
|
|
// DeviceCertificate signed with intermediate or root certificate private key.
|
|
message SignedDeviceCertificate {
|
|
// Serialized DeviceCertificate. Required.
|
|
optional bytes device_certificate = 1;
|
|
// Signature of device_certificate. Signed with root or intermediate
|
|
// certificate private key using RSASSA-PSS. Required.
|
|
optional bytes signature = 2;
|
|
// Intermediate signing certificate. Present only for user device
|
|
// certificates. All others signed with root certificate private key.
|
|
optional SignedDeviceCertificate signer = 3;
|
|
}
|
|
|
|
// Contains device model information for a provisioned device.
|
|
message ProvisionedDeviceInfo {
|
|
enum WvSecurityLevel {
|
|
// Defined in "WV Modular DRM Security Integration Guide for
|
|
// Common Encryption (CENC)"
|
|
LEVEL_UNSPECIFIED = 0;
|
|
LEVEL_1 = 1;
|
|
LEVEL_2 = 2;
|
|
LEVEL_3 = 3;
|
|
}
|
|
|
|
// Widevine system ID for the device. Mandatory.
|
|
optional uint32 system_id = 1;
|
|
// Name of system-on-a-chip. Optional.
|
|
optional string soc = 2;
|
|
// Name of manufacturer. Optional.
|
|
optional string manufacturer = 3;
|
|
// Manufacturer's model name. Matches "brand" in device metadata. Optional.
|
|
optional string model = 4;
|
|
// Type of device (Phone, Tablet, TV, etc).
|
|
optional string device_type = 5;
|
|
// Device model year. Optional.
|
|
optional uint32 model_year = 6;
|
|
// Widevine-defined security level. Optional.
|
|
optional WvSecurityLevel security_level = 7 [default = LEVEL_UNSPECIFIED];
|
|
// True if the certificate corresponds to a test (non production) device.
|
|
// Optional.
|
|
optional bool test_device = 8 [default = false];
|
|
}
|
|
|
|
// Contains the status of the root or an intermediate DeviceCertificate.
|
|
message DeviceCertificateStatus {
|
|
enum CertificateStatus {
|
|
VALID = 0;
|
|
REVOKED = 1;
|
|
};
|
|
|
|
// Serial number of the DeviceCertificate to which this message refers.
|
|
// Required.
|
|
optional bytes serial_number = 1;
|
|
// Status of the certificate. Optional.
|
|
optional CertificateStatus status = 2 [default = VALID];
|
|
// Device model information about the device to which the certificate
|
|
// corresponds. Required.
|
|
optional ProvisionedDeviceInfo device_info = 4;
|
|
}
|
|
|
|
// List of DeviceCertificateStatus. Used to propagate certificate revocation and
|
|
// update list.
|
|
message DeviceCertificateStatusList {
|
|
// POSIX time, in seconds, when the list was created. Required.
|
|
optional uint32 creation_time_seconds = 1;
|
|
// DeviceCertificateStatus for each certifificate.
|
|
repeated DeviceCertificateStatus certificate_status = 2;
|
|
}
|
|
|
|
// Signed CertificateStatusList
|
|
message SignedCertificateStatusList {
|
|
// Serialized DeviceCertificateStatusList. Required.
|
|
optional bytes certificate_status_list = 1;
|
|
// Signature of certificate_status_list. Signed with root certificate private
|
|
// key using RSASSA-PSS. Required.
|
|
optional bytes signature = 2;
|
|
}
|