package pywidevine_license_protocol

Get desktop application:
View/edit binary Protocol Buffers messages

ClientIdentification message used to authenticate the client device.

Used in: LicenseRequest

• optional ClientIdentification.TokenType type = 1

  Type of factory-provisioned device root of trust. Optional.

• optional bytes token = 2

  Factory-provisioned device root of trust. Required.

• repeated ClientIdentification.NameValue client_info = 3

  Optional client information name/value pairs.

• optional bytes provider_client_token = 4

  Client token generated by the content provider. Optional.

• optional uint32 license_counter = 5

  Number of licenses received by the client to which the token above belongs. Only present if client_token is specified.

• optional ClientIdentification.ClientCapabilities client_capabilities = 6

  List of non-baseline client capabilities.

• optional bytes vmp_data = 7

  Serialized VmpData message. Optional.

• repeated ClientIdentification.ClientCredentials device_credentials = 8

  Optional field that may contain additional provisioning credentials.

Capabilities which not all clients may support. Used for the license exchange protocol only.

Used in: ClientIdentification

• optional bool client_token = 1

• optional bool session_token = 2

• optional bool video_resolution_constraints = 3

• optional ClientCapabilities.HdcpVersion max_hdcp_version = 4

• optional uint32 oem_crypto_api_version = 5

• optional bool anti_rollback_usage_table = 6

  Client has hardware support for protecting the usage table, such as storing the generation number in secure memory. For Details, see: Widevine Modular DRM Security Integration Guide for CENC

• optional uint32 srm_version = 7

  The client shall report |srm_version| if available.

• optional bool can_update_srm = 8

  A device may have SRM data, and report a version, but may not be capable of updating SRM data.

• repeated ClientCapabilities.CertificateKeyType supported_certificate_key_type = 9

• optional ClientCapabilities.AnalogOutputCapabilities analog_output_capabilities = 10

• optional bool can_disable_analog_output = 11

• optional uint32 resource_rating_tier = 12

  Clients can indicate a performance level supported by OEMCrypto. This will allow applications and providers to choose an appropriate quality of content to serve. Currently defined tiers are 1 (low), 2 (medium) and 3 (high). Any other value indicates that the resource rating is unavailable or reporting erroneous values for that device. For details see, Widevine Modular DRM Security Integration Guide for CENC

Used in: ClientCapabilities

• ANALOG_OUTPUT_UNKNOWN = 0

• ANALOG_OUTPUT_NONE = 1

• ANALOG_OUTPUT_SUPPORTED = 2

• ANALOG_OUTPUT_SUPPORTS_CGMS_A = 3

Used in: ClientCapabilities

• RSA_2048 = 0

• RSA_3072 = 1

• ECC_SECP256R1 = 2

• ECC_SECP384R1 = 3

• ECC_SECP521R1 = 4

Used in: ClientCapabilities

• HDCP_NONE = 0

• HDCP_V1 = 1

• HDCP_V2 = 2

• HDCP_V2_1 = 3

• HDCP_V2_2 = 4

• HDCP_V2_3 = 5

• HDCP_NO_DIGITAL_OUTPUT = 255

Used in: ClientIdentification

• optional TokenType type = 1

• optional bytes token = 2

Used in: ClientIdentification

• optional string name = 1

• optional string value = 2

Used in: ClientIdentification, ClientCredentials

• KEYBOX = 0

• DRM_DEVICE_CERTIFICATE = 1

• REMOTE_ATTESTATION_CERTIFICATE = 2

• OEM_DEVICE_CERTIFICATE = 3

DRM certificate definition for user devices, intermediate, service, and root certificates.

• optional DrmCertificate.Type type = 1

  Type of certificate. Required.

• optional bytes serial_number = 2

  128-bit globally unique serial number of certificate. Value is 0 for root certificate. Required.

• optional uint32 creation_time_seconds = 3

  POSIX time, in seconds, when the certificate was created. Required.

• optional uint32 expiration_time_seconds = 12

  POSIX time, in seconds, when the certificate should expire. Value of zero denotes indefinite expiry time. For more information on limited lifespan DRM certificates see (go/limited-lifespan-drm-certificates).

• optional bytes public_key = 4

  Device public key. PKCS#1 ASN.1 DER-encoded. Required.

• optional uint32 system_id = 5

  Widevine system ID for the device. Required for intermediate and user device certificates.

• optional bool test_device_deprecated = 6

  Deprecated field, which used to indicate whether the device was a test (non-production) device. The test_device field in ProvisionedDeviceInfo below should be observed instead.

• optional string provider_id = 7

  Service identifier (web origin) for the provider which owns the certificate. Required for service and provisioner certificates.

• repeated DrmCertificate.ServiceType service_types = 8

  This field is used only when type = SERVICE to specify which SDK uses service certificate. This repeated field is treated as a set. A certificate may be used for the specified service SDK if the appropriate ServiceType is specified in this field.

• optional DrmCertificate.Algorithm algorithm = 9

  Required. The algorithm field contains the curve used to create the |public_key| if algorithm is one of the ECC types. The |algorithm| is used for both to determine the if the certificate is ECC or RSA. The |algorithm| also specifies the parameters that were used to create |public_key| and are used to create an ephemeral session key.

• optional bytes rot_id = 10

  Optional. May be present in DEVICE certificate types. This is the root of trust identifier that holds an encrypted value that identifies the keybox or other root of trust that was used to provision a DEVICE drm certificate.

• optional DrmCertificate.EncryptionKey encryption_key = 11

  Optional. May be present in devices that explicitly support dual keys. When present the |public_key| is used for verification of received license request messages.

Used in: DrmCertificate, EncryptionKey

• UNKNOWN_ALGORITHM = 0

• RSA = 1

• ECC_SECP256R1 = 2

• ECC_SECP384R1 = 3

• ECC_SECP521R1 = 4

Used in: DrmCertificate

• optional bytes public_key = 1

  Device public key. PKCS#1 ASN.1 DER-encoded. Required.

• optional Algorithm algorithm = 2

  Required. The algorithm field contains the curve used to create the |public_key| if algorithm is one of the ECC types. The |algorithm| is used for both to determine the if the certificate is ECC or RSA. The |algorithm| also specifies the parameters that were used to create |public_key| and are used to create an ephemeral session key.

Used in: DrmCertificate

• UNKNOWN_SERVICE_TYPE = 0

• LICENSE_SERVER_SDK = 1

• LICENSE_SERVER_PROXY_SDK = 2

• PROVISIONING_SDK = 3

• CAS_PROXY_SDK = 4

Used in: DrmCertificate

• ROOT = 0

  ProtoBestPractices: ignore.

• DEVICE_MODEL = 1

• DEVICE = 2

• SERVICE = 3

• PROVISIONER = 4

EncryptedClientIdentification message used to hold ClientIdentification messages encrypted for privacy purposes.

Used in: LicenseRequest

• optional string provider_id = 1

  Provider ID for which the ClientIdentifcation is encrypted (owner of service certificate).

• optional bytes service_certificate_serial_number = 2

  Serial number for the service certificate for which ClientIdentification is encrypted.

• optional bytes encrypted_client_id = 3

  Serialized ClientIdentification message, encrypted with the privacy key using AES-128-CBC with PKCS#5 padding.

• optional bytes encrypted_client_id_iv = 4

  Initialization vector needed to decrypt encrypted_client_id.

• optional bytes encrypted_privacy_key = 5

  AES-128 privacy key, encrypted with the service public key using RSA-OAEP.

File Hashes for Verified Media Path (VMP) support.

• optional bytes signer = 1

• repeated FileHashes.Signature signatures = 2

Used in: FileHashes

• optional string filename = 1

• optional bool test_signing = 2

  0 - release, 1 - testing

• optional bytes SHA512Hash = 3

• optional bool main_exe = 4

  0 for dlls, 1 for exe, this is field 3 in file

• optional bytes signature = 5

Used in: SignedDrmCertificate

• HASH_ALGORITHM_UNSPECIFIED = 0

  Unspecified hash algorithm: SHA_256 shall be used for ECC based algorithms and SHA_1 shall be used otherwise.

• HASH_ALGORITHM_SHA_1 = 1

• HASH_ALGORITHM_SHA_256 = 2

• HASH_ALGORITHM_SHA_384 = 3

• optional LicenseIdentification id = 1

• optional License.Policy policy = 2

• repeated License.KeyContainer key = 3

• optional int64 license_start_time = 4

  Time of the request in seconds (UTC) as set in LicenseRequest.request_time. If this time is not set in the request, the local time at the license service is used in this field.

• optional bool remote_attestation_verified = 5

• optional bytes provider_client_token = 6

  Client token generated by the content provider. Optional.

• optional uint32 protection_scheme = 7

  4cc code specifying the CENC protection scheme as defined in the CENC 3.0 specification. Propagated from Widevine PSSH box. Optional.

• optional bytes srm_requirement = 8

  8 byte verification field "HDCPDATA" followed by unsigned 32 bit minimum HDCP SRM version (whether the version is for HDCP1 SRM or HDCP2 SRM depends on client max_hdcp_version). Additional details can be found in Widevine Modular DRM Security Integration Guide for CENC.

• optional bytes srm_update = 9

  If present this contains a signed SRM file (either HDCP1 SRM or HDCP2 SRM depending on client max_hdcp_version) that should be installed on the client device.

• optional PlatformVerificationStatus platform_verification_status = 10

  Indicates the status of any type of platform verification performed by the server.

• repeated bytes group_ids = 11

  IDs of the groups for which keys are delivered in this license, if any.

Used in: License

• optional bytes id = 1

• optional bytes iv = 2

• optional bytes key = 3

• optional KeyContainer.KeyType type = 4

• optional KeyContainer.SecurityLevel level = 5

• optional KeyContainer.OutputProtection required_protection = 6

• optional KeyContainer.OutputProtection requested_protection = 7

  NOTE: Use of requested_protection is not recommended as it is only supported on a small number of platforms.

• optional KeyContainer.KeyControl key_control = 8

• optional KeyContainer.OperatorSessionKeyPermissions operator_session_key_permissions = 9

• repeated KeyContainer.VideoResolutionConstraint video_resolution_constraints = 10

  Optional video resolution constraints. If the video resolution of the content being decrypted/decoded falls within one of the specified ranges, the optional required_protections may be applied. Otherwise an error will be reported. NOTE: Use of this feature is not recommended, as it is only supported on a small number of platforms.

• optional bool anti_rollback_usage_table = 11

  Optional flag to indicate the key must only be used if the client supports anti rollback of the user table. Content provider can query the client capabilities to determine if the client support this feature.

• optional string track_label = 12

  Optional not limited to commonly known track types such as SD, HD. It can be some provider defined label to identify the track.

Used in: KeyContainer

• optional bytes key_control_block = 1

  |key_control| is documented in: Widevine Modular DRM Security Integration Guide for CENC If present, the key control must be communicated to the secure environment prior to any usage. This message is automatically generated by the Widevine License Server SDK.

• optional bytes iv = 2

Used in: KeyContainer

• SIGNING = 1

  Exactly one key of this type must appear.

• CONTENT = 2

  Content key.

• KEY_CONTROL = 3

  Key control block for license renewals. No key.

• OPERATOR_SESSION = 4

  wrapped keys for auxiliary crypto operations.

• ENTITLEMENT = 5

  Entitlement keys.

• OEM_CONTENT = 6

  Partner-specific content key.

Used in: KeyContainer

• optional bool allow_encrypt = 1

  Permissions/key usage flags for operator service keys (type = OPERATOR_SESSION).

• optional bool allow_decrypt = 2

• optional bool allow_sign = 3

• optional bool allow_signature_verify = 4

Used in: KeyContainer, VideoResolutionConstraint

• optional OutputProtection.HDCP hdcp = 1

• optional OutputProtection.CGMS cgms_flags = 2

• optional OutputProtection.HdcpSrmRule hdcp_srm_rule = 3

• optional bool disable_analog_output = 4

  Optional requirement to indicate analog output is not allowed.

• optional bool disable_digital_output = 5

  Optional requirement to indicate digital output is not allowed.

Indicate the CGMS setting to be inserted on analog output.

Used in: OutputProtection

• CGMS_NONE = 42

• COPY_FREE = 0

• COPY_ONCE = 2

• COPY_NEVER = 3

Indicates whether HDCP is required on digital outputs, and which version should be used.

Used in: OutputProtection

• HDCP_NONE = 0

• HDCP_V1 = 1

• HDCP_V2 = 2

• HDCP_V2_1 = 3

• HDCP_V2_2 = 4

• HDCP_V2_3 = 5

• HDCP_NO_DIGITAL_OUTPUT = 255

Used in: OutputProtection

• HDCP_SRM_RULE_NONE = 0

• CURRENT_SRM = 1

  In 'required_protection', this means most current SRM is required. Update the SRM on the device. If update cannot happen, do not allow the key. In 'requested_protection', this means most current SRM is requested. Update the SRM on the device. If update cannot happen, allow use of the key anyway.

The SecurityLevel enumeration allows the server to communicate the level of robustness required by the client, in order to use the key.

Used in: KeyContainer

• SW_SECURE_CRYPTO = 1

  Software-based whitebox crypto is required.

• SW_SECURE_DECODE = 2

  Software crypto and an obfuscated decoder is required.

• HW_SECURE_CRYPTO = 3

  The key material and crypto operations must be performed within a hardware backed trusted execution environment.

• HW_SECURE_DECODE = 4

  The crypto and decoding of content must be performed within a hardware backed trusted execution environment.

• HW_SECURE_ALL = 5

  The crypto, decoding and all handling of the media (compressed and uncompressed) must be handled within a hardware backed trusted execution environment.

Used in: KeyContainer

• optional uint32 min_resolution_pixels = 1

  Minimum and maximum video resolutions in the range (height x width).

• optional uint32 max_resolution_pixels = 2

• optional OutputProtection required_protection = 3

  Optional output protection requirements for this range. If not specified, the OutputProtection in the KeyContainer applies.

Used in: License

• optional bool can_play = 1

  Indicates that playback of the content is allowed.

• optional bool can_persist = 2

  Indicates that the license may be persisted to non-volatile storage for offline use.

• optional bool can_renew = 3

  Indicates that renewal of this license is allowed.

• optional int64 rental_duration_seconds = 4

  Indicates the rental window.

• optional int64 playback_duration_seconds = 5

  Indicates the viewing window, once playback has begun.

• optional int64 license_duration_seconds = 6

  Indicates the time window for this specific license.

• optional int64 renewal_recovery_duration_seconds = 7

  The window of time, in which playback is allowed to continue while renewal is attempted, yet unsuccessful due to backend problems with the license server.

• optional string renewal_server_url = 8

  All renewal requests for this license shall be directed to the specified URL.

• optional int64 renewal_delay_seconds = 9

  How many seconds after license_start_time, before renewal is first attempted.

• optional int64 renewal_retry_interval_seconds = 10

  Specifies the delay in seconds between subsequent license renewal requests, in case of failure.

• optional bool renew_with_usage = 11

  Indicates that the license shall be sent for renewal when usage is started.

• optional bool always_include_client_id = 12

  Indicates to client that license renewal and release requests ought to include ClientIdentification (client_id).

• optional int64 play_start_grace_period_seconds = 13

  Duration of grace period before playback_duration_seconds (short window) goes into effect. Optional.

• optional bool soft_enforce_playback_duration = 14

  Enables "soft enforcement" of playback_duration_seconds, letting the user finish playback even if short window expires. Optional.

• optional bool soft_enforce_rental_duration = 15

  Enables "soft enforcement" of rental_duration_seconds. Initial playback must always start before rental duration expires. In order to allow subsequent playbacks to start after the rental duration expires, soft_enforce_playback_duration must be true. Otherwise, subsequent playbacks will not be allowed once rental duration expires. Optional.

LicenseIdentification is propagated from LicenseRequest to License, incrementing version with each iteration.

Used in: License, LicenseRequest.ContentIdentification.ExistingLicense

• optional bytes request_id = 1

• optional bytes session_id = 2

• optional bytes purchase_id = 3

• optional LicenseType type = 4

• optional int32 version = 5

• optional bytes provider_session_token = 6

• optional ClientIdentification client_id = 1

  The client_id provides information authenticating the calling device. It contains the Widevine keybox token that was installed on the device at the factory. This field or encrypted_client_id below is required for a valid license request, but both should never be present in the same request.

• optional LicenseRequest.ContentIdentification content_id = 2

• optional LicenseRequest.RequestType type = 3

• optional int64 request_time = 4

  Time of the request in seconds (UTC) as set by the client.

• optional bytes key_control_nonce_deprecated = 5

  Old-style decimal-encoded string key control nonce.

• optional ProtocolVersion protocol_version = 6

• optional uint32 key_control_nonce = 7

  New-style uint32 key control nonce, please use instead of key_control_nonce_deprecated.

• optional EncryptedClientIdentification encrypted_client_id = 8

  Encrypted ClientIdentification message, used for privacy purposes.

Used in: LicenseRequest

• oneof content_id_variant

  • ContentIdentification.WidevinePsshData widevine_pssh_data = 1

    Exactly one of these must be present.

  • ContentIdentification.WebmKeyId webm_key_id = 2

  • ContentIdentification.ExistingLicense existing_license = 3

  • ContentIdentification.InitData init_data = 4

Used in: ContentIdentification

• optional LicenseIdentification license_id = 1

• optional int64 seconds_since_started = 2

• optional int64 seconds_since_last_played = 3

• optional bytes session_usage_table_entry = 4

Used in: ContentIdentification

• optional InitData.InitDataType init_data_type = 1

• optional bytes init_data = 2

• optional LicenseType license_type = 3

• optional bytes request_id = 4

Used in: InitData

• CENC = 1

• WEBM = 2

Used in: ContentIdentification

• optional bytes header = 1

• optional LicenseType license_type = 2

• optional bytes request_id = 3

  Opaque, client-specified.

Used in: ContentIdentification

• repeated bytes pssh_data = 1

• optional LicenseType license_type = 2

• optional bytes request_id = 3

  Opaque, client-specified.

Used in: LicenseRequest

• NEW = 1

• RENEWAL = 2

• RELEASE = 3

Used in: LicenseIdentification, LicenseRequest.ContentIdentification.InitData, LicenseRequest.ContentIdentification.WebmKeyId, LicenseRequest.ContentIdentification.WidevinePsshData

• STREAMING = 1

• OFFLINE = 2

• AUTOMATIC = 3

  License type decision is left to provider.

Used in: SignedMessage

• optional string stage_name = 1

  'stage' that is currently processing the SignedMessage. Required.

• repeated MetricData.TypeValue metric_data = 2

  metric and associated value.

Used in: TypeValue

• LATENCY = 1

  The time spent in the 'stage', specified in microseconds.

• TIMESTAMP = 2

  The UNIX epoch timestamp at which the 'stage' was first accessed in microseconds.

Used in: MetricData

• optional MetricType type = 1

• optional int64 value = 2

  The value associated with 'type'. For example if type == LATENCY, the value would be the time in microseconds spent in this 'stage'.

Used in: License

• PLATFORM_UNVERIFIED = 0

  The platform is not verified.

• PLATFORM_TAMPERED = 1

  Tampering detected on the platform.

• PLATFORM_SOFTWARE_VERIFIED = 2

  The platform has been verified by means of software.

• PLATFORM_HARDWARE_VERIFIED = 3

  The platform has been verified by means of hardware (e.g. secure boot).

• PLATFORM_NO_VERIFICATION = 4

  Platform verification was not performed.

• PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED = 5

  Platform and secure storage capability have been verified by means of software.

Used in: LicenseRequest

• VERSION_2_0 = 20

• VERSION_2_1 = 21

• VERSION_2_2 = 22

DrmCertificate signed by a higher (CA) DRM certificate.

• optional bytes drm_certificate = 1

  Serialized certificate. Required.

• optional bytes signature = 2

  Signature of certificate. Signed with root or intermediate certificate specified below. Required.

• optional SignedDrmCertificate signer = 3

  SignedDrmCertificate used to sign this certificate.

• optional HashAlgorithmProto hash_algorithm = 4

  Optional field that indicates the hash algorithm used in signature scheme.

• optional SignedMessage.MessageType type = 1

• optional bytes msg = 2

• optional bytes signature = 3

  Required field that contains the signature of the bytes of msg. For license requests, the signing algorithm is determined by the certificate contained in the request. For license responses, the signing algorithm is HMAC with signing key based on |session_key|.

• optional bytes session_key = 4

  If populated, the contents of this field will be signaled by the |session_key_type| type. If the |session_key_type| is WRAPPED_AES_KEY the key is the bytes of an encrypted AES key. If the |session_key_type| is EPHERMERAL_ECC_PUBLIC_KEY the field contains the bytes of an RFC5208 ASN1 serialized ECC public key.

• optional bytes remote_attestation = 5

  Remote attestation data which will be present in the initial license request for ChromeOS client devices operating in verified mode. Remote attestation challenge data is |msg| field above. Optional.

• repeated MetricData metric_data = 6

• optional VersionInfo service_version_info = 7

  Version information from the SDK and license service. This information is provided in the license response.

• optional SignedMessage.SessionKeyType session_key_type = 8

  Optional field that contains the algorithm type used to generate the session_key and signature in a LICENSE message.

• optional bytes oemcrypto_core_message = 9

  The core message is the simple serialization of fields used by OEMCrypto. This field was introduced in OEMCrypto API v16.

Used in: SignedMessage

• LICENSE_REQUEST = 1

• LICENSE = 2

• ERROR_RESPONSE = 3

• SERVICE_CERTIFICATE_REQUEST = 4

• SERVICE_CERTIFICATE = 5

• SUB_LICENSE = 6

• CAS_LICENSE_REQUEST = 7

• CAS_LICENSE = 8

• EXTERNAL_LICENSE_REQUEST = 9

• EXTERNAL_LICENSE = 10

Used in: SignedMessage

• UNDEFINED = 0

• WRAPPED_AES_KEY = 1

• EPHERMERAL_ECC_PUBLIC_KEY = 2

Used in: SignedMessage

• optional string license_sdk_version = 1

  License SDK version reported by the Widevine License SDK. This field is populated automatically by the SDK.

• optional string license_service_version = 2

  Version of the service hosting the license SDK. This field is optional. It may be provided by the hosting service.

• repeated bytes key_ids = 2

  Entitlement or content key IDs. Can onnly present in SINGLE or ENTITLEMENT PSSHs. May be repeated to facilitate delivery of multiple keys in a single license. Cannot be used in conjunction with content_id or group_ids, which are the preferred mechanism.

• optional bytes content_id = 4

  Content identifier which may map to multiple entitlement or content key IDs to facilitate the delivery of multiple keys in a single license. Cannot be present in conjunction with key_ids, but if used must be in all PSSHs.

• optional uint32 crypto_period_index = 7

  Crypto period index, for media using key rotation. Always corresponds to The content key period. This means that if using entitlement licensing the ENTITLED_KEY PSSHs will have sequential crypto_period_index's, whereas the ENTITELEMENT PSSHs will have gaps in the sequence. Required if doing key rotation.

• optional uint32 protection_scheme = 9

  Protection scheme identifying the encryption algorithm. The protection scheme is represented as a uint32 value. The uint32 contains 4 bytes each representing a single ascii character in one of the 4CC protection scheme values. To be deprecated in favor of signaling from content. 'cenc' (AES-CTR) protection_scheme = 0x63656E63, 'cbc1' (AES-CBC) protection_scheme = 0x63626331, 'cens' (AES-CTR pattern encryption) protection_scheme = 0x63656E73, 'cbcs' (AES-CBC pattern encryption) protection_scheme = 0x63626373.

• optional uint32 crypto_period_seconds = 10

  Optional. For media using key rotation, this represents the duration of each crypto period in seconds.

• optional WidevinePsshData.Type type = 11

  Type of PSSH. Required if not SINGLE.

• optional uint32 key_sequence = 12

  Key sequence for Widevine-managed keys. Optional.

• repeated bytes group_ids = 13

  Group identifiers for all groups to which the content belongs. This can be used to deliver licenses to unlock multiple titles / channels. Optional, and may only be present in ENTITLEMENT and ENTITLED_KEY PSSHs, and not in conjunction with key_ids.

• repeated WidevinePsshData.EntitledKey entitled_keys = 14

  Copy/copies of the content key used to decrypt the media stream in which the PSSH box is embedded, each wrapped with a different entitlement key. May also contain sub-licenses to support devices with OEMCrypto 13 or older. May be repeated if using group entitlement keys. Present only in PSSHs of type ENTITLED_KEY.

• optional string video_feature = 15

  Video feature identifier, which is used in conjunction with |content_id| to determine the set of keys to be returned in the license. Cannot be present in conjunction with |key_ids|. Current values are "HDR".

• optional WidevinePsshData.Algorithm algorithm = 1

• optional string provider = 3

  Content provider name.

• optional string track_type = 5

  Track type. Acceptable values are SD, HD and AUDIO. Used to differentiate content keys used by an asset.

• optional string policy = 6

  The name of a registered policy to be used for this asset.

• optional bytes grouped_license = 8

  Optional protected context for group content. The grouped_license is a serialized SignedMessage.

////////////////////////// Deprecated Fields ////////////////////////////

Used in: WidevinePsshData

• UNENCRYPTED = 0

• AESCTR = 1

Used in: WidevinePsshData

• optional bytes entitlement_key_id = 1

  ID of entitlement key used for wrapping |key|.

• optional bytes key_id = 2

  ID of the entitled key.

• optional bytes key = 3

  Wrapped key. Required.

• optional bytes iv = 4

  IV used for wrapping |key|. Required.

• optional uint32 entitlement_key_size_bytes = 5

  Size of entitlement key used for wrapping |key|.

Used in: WidevinePsshData

• SINGLE = 0

  Single PSSH to be used to retrieve content keys.

• ENTITLEMENT = 1

  Primary PSSH used to retrieve entitlement keys.

• ENTITLED_KEY = 2

  Secondary PSSH containing entitled key(s).