license_protocol.proto

// ----------------------------------------------------------------------------
// license_protocol.proto
// ----------------------------------------------------------------------------
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Description:
//   Definitions of the protocol buffer messages used in the Widevine license
//   exchange protocol.

syntax = "proto2";

package video_widevine_server.sdk;

// need this if we are using libprotobuf-cpp-2.3.0-lite
option optimize_for = LITE_RUNTIME;

enum LicenseType {
  STREAMING = 1;
  OFFLINE = 2;
}

// LicenseIdentification is propagated from LicenseRequest to License,
// incrementing version with each iteration.
message LicenseIdentification {
  optional bytes request_id = 1;
  optional bytes session_id = 2;
  optional bytes purchase_id = 3;
  optional LicenseType type = 4;
  optional int32 version = 5;
  optional bytes provider_session_token = 6;
}

message License {
  message Policy {
    // Indicates that playback of the content is allowed.
    optional bool can_play = 1 [default = false];

    // Indicates that the license may be persisted to non-volatile
    // storage for offline use.
    optional bool can_persist = 2 [default = false];

    // Indicates that renewal of this license is allowed.
    optional bool can_renew = 3 [default = false];

    // For the |*duration*| fields, playback must halt when
    // license_start_time (seconds since the epoch (UTC)) +
    // license_duration_seconds is exceeded. A value of 0
    // indicates that there is no limit to the duration.

    // Indicates the rental window.
    optional int64 rental_duration_seconds = 4 [default = 0];

    // Indicates the viewing window, once playback has begun.
    optional int64 playback_duration_seconds = 5 [default = 0];

    // Indicates the time window for this specific license.
    optional int64 license_duration_seconds = 6 [default = 0];

    // The |renewal*| fields only apply if |can_renew| is true.

    // The window of time, in which playback is allowed to continue while
    // renewal is attempted, yet unsuccessful due to backend problems with
    // the license server.
    optional int64 renewal_recovery_duration_seconds = 7 [default = 0];

    // All renewal requests for this license shall be directed to the
    // specified URL.
    optional string renewal_server_url = 8;

    // How many seconds after license_start_time, before renewal is first
    // attempted.
    optional int64 renewal_delay_seconds = 9 [default = 0];

    // Specifies the delay in seconds between subsequent license
    // renewal requests, in case of failure.
    optional int64 renewal_retry_interval_seconds = 10 [default = 0];

    // Indicates that the license shall be sent for renewal when usage is
    // started.
    optional bool renew_with_usage = 11 [default = false];

    // Indicates to client that license renewal and release requests ought to
    // include ClientIdentification (client_id).
    optional bool renew_with_client_id = 12 [default = false];
  }

  message KeyContainer {
    enum KeyType {
      // Exactly one key of this type must appear.
      SIGNING = 1;
      CONTENT = 2;
      KEY_CONTROL = 3;
      OPERATOR_SESSION = 4;
    }

    // The SecurityLevel enumeration allows the server to communicate the level
    // of robustness required by the client, in order to use the key.
    enum SecurityLevel {
      // Software-based whitebox crypto is required.
      SW_SECURE_CRYPTO = 1;

      // Software crypto and an obfuscated decoder is required.
      SW_SECURE_DECODE = 2;

      // The key material and crypto operations must be performed within a
      // hardware backed trusted execution environment.
      HW_SECURE_CRYPTO = 3;

      // The crypto and decoding of content must be performed within a hardware
      // backed trusted execution environment.
      HW_SECURE_DECODE = 4;

      // The crypto, decoding and all handling of the media (compressed and
      // uncompressed) must be handled within a hardware backed trusted
      // execution environment.
      HW_SECURE_ALL = 5;
    }

    message KeyControl {
      // If present, the key control must be communicated to the secure
      // environment prior to any usage. This message is automatically generated
      // by the Widevine License Server SDK.
      optional bytes key_control_block = 1;
      optional bytes iv = 2;
    }

    message OutputProtection {
      // Indicates whether HDCP is required on digital outputs, and which
      // version should be used.
      enum HDCP {
        HDCP_NONE = 0;
        HDCP_V1 = 1;
        HDCP_V2 = 2;
        HDCP_V2_1 = 3;
        HDCP_V2_2 = 4;
        HDCP_NO_DIGITAL_OUTPUT = 0xff;
      }
      optional HDCP hdcp = 1 [default = HDCP_NONE];

      // Indicate the CGMS setting to be inserted on analog output.
      enum CGMS {
        CGMS_NONE = 42;
        COPY_FREE = 0;
        COPY_ONCE = 2;
        COPY_NEVER = 3;
      }
      optional CGMS cgms_flags = 2 [default = CGMS_NONE];
    }

    message VideoResolutionConstraint {
      // Minimum and maximum video resolutions in the range (height x width).
      optional uint32 min_resolution_pixels = 1;
      optional uint32 max_resolution_pixels = 2;
      // Optional output protection requirements for this range. If not
      // specified, the OutputProtection in the KeyContainer applies.
      optional OutputProtection required_protection = 3;
    }

    message OperatorSessionKeyPermissions {
      // Permissions/key usage flags for operator service keys
      // (type = OPERATOR_SESSION).
      optional bool allow_encrypt = 1 [default = false];
      optional bool allow_decrypt = 2 [default = false];
      optional bool allow_sign = 3 [default = false];
      optional bool allow_signature_verify = 4 [default = false];
    }

    optional bytes id = 1;
    optional bytes iv = 2;
    optional bytes key = 3;
    optional KeyType type = 4;
    optional SecurityLevel level = 5 [default = SW_SECURE_CRYPTO];
    optional OutputProtection required_protection = 6;
    // NOTE: Use of requested_protection is not recommended as it is only
    // supported on a small number of platforms.
    optional OutputProtection requested_protection = 7;
    optional KeyControl key_control = 8;
    optional OperatorSessionKeyPermissions operator_session_key_permissions = 9;
    // Optional video resolution constraints. If the video resolution of the
    // content being decrypted/decoded falls within one of the specified ranges,
    // the optional required_protections may be applied. Otherwise an error will
    // be reported.
    // NOTE: Use of this feature is not recommended, as it is only supported on
    // a small number of platforms.
    repeated VideoResolutionConstraint video_resolution_constraints = 10;
    // Optional flag to indicate the key must only be used if the client
    // supports anti rollback of the user table.  Content provider can query the
    // client capabilities to determine if the client support this feature.
    optional bool anti_rollback_usage_table = 11 [default = false];
  }

  optional LicenseIdentification id = 1;
  optional Policy policy = 2;
  repeated KeyContainer key = 3;
  optional int64 license_start_time = 4;
  optional bool remote_attestation_verified = 5 [default = false];
  // Client token generated by the content provider. Optional.
  optional bytes provider_client_token = 6;
}

enum ProtocolVersion {
  VERSION_2_0 = 20;
  VERSION_2_1 = 21;
}

message LicenseRequest {
  message ContentIdentification {
    message CENC  {
      repeated bytes pssh = 1;
      optional LicenseType license_type = 2;
      optional bytes request_id = 3;  // Opaque, client-specified.
    }

    message WebM {
      optional bytes header = 1;
      optional LicenseType license_type = 2;
      optional bytes request_id = 3;  // Opaque, client-specified.
    }

    message ExistingLicense {
      optional LicenseIdentification license_id = 1;
      optional int64 seconds_since_started = 2;
      optional int64 seconds_since_last_played = 3;
      optional bytes session_usage_table_entry = 4;
    }

    // Exactly one of these must be present.
    optional CENC cenc_id = 1;
    optional WebM webm_id = 2;
    optional ExistingLicense license = 3;
  }

  enum RequestType {
    NEW = 1;
    RENEWAL = 2;
    RELEASE = 3;
  }

  // The client_id provides information authenticating the calling device.  It
  // contains the Widevine keybox token that was installed on the device at the
  // factory.  This field or encrypted_client_id below is required for a valid
  // license request, but both should never be present in the same request.
  optional ClientIdentification client_id = 1;
  optional ContentIdentification content_id = 2;
  optional RequestType type = 3;
  optional int64 request_time = 4;
  // Old-style decimal-encoded string key control nonce.
  optional bytes key_control_nonce_deprecated = 5;
  optional ProtocolVersion protocol_version = 6 [default = VERSION_2_0];
  // New-style uint32 key control nonce, please use instead of
  // key_control_nonce_deprecated.
  optional uint32 key_control_nonce = 7;
  // Encrypted ClientIdentification message, used for privacy purposes.
  optional EncryptedClientIdentification encrypted_client_id = 8;
}

message LicenseError {
  enum Error {
    // The device credentials are invalid. The device must re-provision.
    INVALID_DEVICE_CERTIFICATE = 1;
    // The device credentials have been revoked. Re-provisioning is not
    // possible.
    REVOKED_DEVICE_CERTIFICATE = 2;
    // The service is currently unavailable due to the backend being down
    // or similar circumstances.
    SERVICE_UNAVAILABLE = 3;
  }
  optional Error error_code = 1;
}

message RemoteAttestation {
  // Encrypted ClientIdentification message containing the device remote
  // attestation certificate. Required.
  optional EncryptedClientIdentification certificate = 1;
  // Bytes of salt which were added to the remote attestation challenge prior to
  // signing it. Required.
  optional bytes salt = 2;
  // Signed remote attestation challenge + salt. Required.
  optional bytes signature = 3;
}

message SignedMessage {
  enum MessageType {
    LICENSE_REQUEST = 1;
    LICENSE = 2;
    ERROR_RESPONSE = 3;
    SERVICE_CERTIFICATE_REQUEST = 4;
    SERVICE_CERTIFICATE = 5;
  }

  optional MessageType type = 1;
  optional bytes msg = 2;
  optional bytes signature = 3;
  optional bytes session_key = 4;
  // Remote attestation data which will be present in the initial license
  // request for ChromeOS client devices operating in verified mode. Remote
  // attestation challenge data is |msg| field above. Optional.
  optional RemoteAttestation remote_attestation = 5;
}

// ----------------------------------------------------------------------------
// certificate_provisioning.proto
// ----------------------------------------------------------------------------
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Description:
//   Public protocol buffer definitions for Widevine Device Certificate
//   Provisioning protocol.

// ProvisioningOptions specifies the type of certificate to specify and
// in the case of X509 certificates, the certificate authority to use.
message ProvisioningOptions {
  enum CertificateType {
    WIDEVINE_DRM = 0; // Default.  The original certificate type.
    X509 = 1; // X.509 certificate.
  }

  optional CertificateType certificate_type = 1;

  // It is recommended that the certificate_authority specify the X.509
  // Subject of the signing certificate.
  optional string certificate_authority = 2;
}

// Provisioning request sent by client devices to provisioning service.
message ProvisioningRequest {
  // Device root of trust and other client identification. Required.
  optional ClientIdentification client_id = 1;
  // Nonce value used to prevent replay attacks. Required.
  optional bytes nonce = 2;
  // Options for type of certificate to generate.  Optional.
  optional ProvisioningOptions options = 3;
  // Stable identifier, unique for each device + application (or origin).
  // Required if doing per-origin provisioning.
  optional bytes stable_id = 4;
}

// Provisioning response sent by the provisioning server to client devices.
message ProvisioningResponse {
  // AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
  // Required.
  optional bytes device_rsa_key = 1;
  // Initialization vector used to encrypt device_rsa_key. Required.
  optional bytes device_rsa_key_iv = 2;
  // Serialized SignedDeviceCertificate. Required.
  optional bytes device_certificate = 3;
  // Nonce value matching nonce in ProvisioningRequest. Required.
  optional bytes nonce = 4;
}

// Serialized ProvisioningRequest or ProvisioningResponse signed with
// The message authentication key.
message SignedProvisioningMessage {
  // Serialized ProvisioningRequest or ProvisioningResponse. Required.
  optional bytes message = 1;
  // HMAC-SHA256 signature of message. Required.
  optional bytes signature = 2;
}

// ----------------------------------------------------------------------------
// client_identification.proto
// ----------------------------------------------------------------------------
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Description:
//   ClientIdentification messages used by provisioning and license protocols.

// ClientIdentification message used to authenticate the client device.
message ClientIdentification {
  enum TokenType {
    KEYBOX = 0;
    DEVICE_CERTIFICATE = 1;
    REMOTE_ATTESTATION_CERTIFICATE = 2;
  }

  message NameValue {
    optional string name = 1;
    optional string value = 2;
  }

  // Capabilities which not all clients may support. Used for the license
  // exchange protocol only.
  message ClientCapabilities {
    enum HdcpVersion {
      HDCP_NONE = 0;
      HDCP_V1 = 1;
      HDCP_V2 = 2;
      HDCP_V2_1 = 3;
      HDCP_V2_2 = 4;
      HDCP_NO_DIGITAL_OUTPUT = 0xff;
    }

    optional bool client_token = 1 [default = false];
    optional bool session_token = 2 [default = false];
    optional bool video_resolution_constraints = 3 [default = false];
    optional HdcpVersion max_hdcp_version = 4 [default = HDCP_NONE];
    optional uint32 oem_crypto_api_version = 5;
    optional bool anti_rollback_usage_table = 6 [default = false];
  }

  // Type of factory-provisioned device root of trust. Optional.
  optional TokenType type = 1 [default = KEYBOX];
  // Factory-provisioned device root of trust. Required.
  optional bytes token = 2;
  // Optional client information name/value pairs.
  repeated NameValue client_info = 3;
  // Client token generated by the content provider. Optional.
  optional bytes provider_client_token = 4;
  // Number of licenses received by the client to which the token above belongs.
  // Only present if client_token is specified.
  optional uint32 license_counter = 5;
  // List of non-baseline client capabilities.
  optional ClientCapabilities client_capabilities = 6;
}

// EncryptedClientIdentification message used to hold ClientIdentification
// messages encrypted for privacy purposes.
message EncryptedClientIdentification {
  // Service ID for which the ClientIdentifcation is encrypted (owner of service
  // certificate).
  optional string service_id = 1;
  // Serial number for the service certificate for which ClientIdentification is
  // encrypted.
  optional bytes service_certificate_serial_number = 2;
  // Serialized ClientIdentification message, encrypted with the privacy key using
  // AES-128-CBC with PKCS#5 padding.
  optional bytes encrypted_client_id = 3;
  // Initialization vector needed to decrypt encrypted_client_id.
  optional bytes encrypted_client_id_iv = 4;
  // AES-128 privacy key, encrytped with the service public public key using
  // RSA-OAEP.
  optional bytes encrypted_privacy_key = 5;
}

// ----------------------------------------------------------------------------
// device_certificate.proto
// ----------------------------------------------------------------------------
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Description:
//   Device certificate and certificate status list format definitions.

// Certificate definition for user devices, intermediate, service, and root
// certificates.
message DeviceCertificate {
  enum CertificateType {
    ROOT = 0;
    INTERMEDIATE = 1;
    USER_DEVICE = 2;
    SERVICE = 3;
  }

  // Type of certificate. Required.
  optional CertificateType type = 1;
  // 128-bit globally unique serial number of certificate.
  // Value is 0 for root certificate. Required.
  optional bytes serial_number = 2;
  // POSIX time, in seconds, when the certificate was created. Required.
  optional uint32 creation_time_seconds = 3;
  // Device public key. PKCS#1 ASN.1 DER-encoded. Required.
  optional bytes public_key = 4;
  // Widevine system ID for the device. Required for intermediate and
  // user device certificates.
  optional uint32 system_id = 5;
  // Deprecated field, which used to indicate whether the device was a test
  // (non-production) device. The test_device field in ProvisionedDeviceInfo
  // below should be observed instead.
  optional bool test_device_deprecated = 6 [deprecated = true];
  // Service identifier (web origin) for the service which owns the certificate.
  // Required for service certificates.
  optional string service_id = 7;
}

// DeviceCertificate signed with intermediate or root certificate private key.
message SignedDeviceCertificate {
  // Serialized DeviceCertificate. Required.
  optional bytes device_certificate = 1;
  // Signature of device_certificate. Signed with root or intermediate
  // certificate private key using RSASSA-PSS. Required.
  optional bytes signature = 2;
  // Intermediate signing certificate. Present only for user device
  // certificates. All others signed with root certificate private key.
  optional SignedDeviceCertificate signer = 3;
}

// Contains device model information for a provisioned device.
message ProvisionedDeviceInfo {
  enum WvSecurityLevel {
    // Defined in "WV Modular DRM Security Integration Guide for
    // Common Encryption (CENC)"
    LEVEL_UNSPECIFIED = 0;
    LEVEL_1 = 1;
    LEVEL_2 = 2;
    LEVEL_3 = 3;
  }

  // Widevine system ID for the device. Mandatory.
  optional uint32 system_id = 1;
  // Name of system-on-a-chip. Optional.
  optional string soc = 2;
  // Name of manufacturer. Optional.
  optional string manufacturer = 3;
  // Manufacturer's model name. Matches "brand" in device metadata. Optional.
  optional string model = 4;
  // Type of device (Phone, Tablet, TV, etc).
  optional string device_type = 5;
  // Device model year. Optional.
  optional uint32 model_year = 6;
  // Widevine-defined security level. Optional.
  optional WvSecurityLevel security_level = 7 [default = LEVEL_UNSPECIFIED];
  // True if the certificate corresponds to a test (non production) device.
  // Optional.
  optional bool test_device = 8 [default = false];
}

// Contains the status of the root or an intermediate DeviceCertificate.
message DeviceCertificateStatus {
  enum CertificateStatus {
    VALID = 0;
    REVOKED = 1;
  };

  // Serial number of the DeviceCertificate to which this message refers.
  // Required.
  optional bytes serial_number = 1;
  // Status of the certificate. Optional.
  optional CertificateStatus status = 2 [default = VALID];
  // Device model information about the device to which the certificate
  // corresponds. Required.
  optional ProvisionedDeviceInfo device_info = 4;
}

// List of DeviceCertificateStatus. Used to propagate certificate revocation and
// update list.
message DeviceCertificateStatusList {
  // POSIX time, in seconds, when the list was created. Required.
  optional uint32 creation_time_seconds = 1;
  // DeviceCertificateStatus for each certifificate.
  repeated DeviceCertificateStatus certificate_status = 2;
}

// Signed CertificateStatusList
message SignedCertificateStatusList {
  // Serialized DeviceCertificateStatusList. Required.
  optional bytes certificate_status_list = 1;
  // Signature of certificate_status_list. Signed with root certificate private
  // key using RSASSA-PSS. Required.
  optional bytes signature = 2;
}