Share via

3.2.5.3 DRM Version 11 Server Message Processing Events and Sequencing Rules

  • Article

The Digital Rights Management (DRM) Version 11 License Response packet is used by the license server to send a license for protected media content to a client.

The version 11 processing sequence is identical to the version 7 license response processing sequence.

Request Validation

A version 11 server MUST validate the request using the rules given for a version 7 server in DRM Version 7 Server Message Processing Events and Sequencing Rules (section 3.2.5.2).

/c:LICENSEREQUEST/CLIENTINFO/MACHINECERTIFICATE MUST be validated according to the following rules:

  1. Validate /c:CertificateCollection

    1. If the /c:CertificateCollection element is missing or does not have a "c:Version", "xmlns:c" attribute, the server MUST return E_FAIL (0x80000008L).

    2. If the "c:Version" attribute value is not "2.0", the server MUST return DRM_E_INVALID_CERTCHAIN_VERSION (0xC0042945L).

    3. If the "xmlns:c" attribute value is not http://schemas.microsoft.com/DRM/2004/02/cert, the server MUST return DRM_E_INVALID_CERTCHAIN_NAMESPACE (0xC0042954L).

    4. There MUST be at least one child c:Certificate element.  If not, the server MUST return E_FAIL (0x80000008L).

  2. Validate /c:CertificateCollection/c:Certificate

    1. If the inner text of this element does not contain either "<c:Data" or "</c:Data>", the server MUST return DRM_E_MACHINE_CERT_DATATAG_MISSING (0xC0042961L).

  3. Validate /c:CertificateCollection/c:Certificate/c:Data/c:PublicKey/KeyValue/RSAKeyValue/Exponent

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

    2. If the value of this element is not "AQAB", the server MUST return DRM_E_INVALID_EXPONENT (0xC0042959L).

  4. Validate /c:CertificateCollection/c:Certificate/c:Data/c:PublicKey/KeyValue/RSAKeyValue/Modulus

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

    2. If the value of this element is blank, the server MUST return DRM_E_INVALID_MODULUS (0xC0042953L).

  5. Validate /c:CertificateCollection/c:Certificate/c:Data/c:SecurityLevel

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

  6. Validate /c:CertificateCollection/c:Certificate/Signature/SignedInfo/CanonicalizationMethod

    1. If this element does not exist or does not have the attribute "Algorithm", the server MUST return E_FAIL (0x80000008L).

  7. Validate /c:CertificateCollection/c:Certificate/Signature/SignedInfo/SignatureMethod

    1. If this element does not exist or does not have the attribute "Algorithm", the server MUST return E_FAIL (0x80000008L).

    2. If the value for the attribute "Algorithm" is not "http://www.w3.org/2000/09/xmldsig#rsa-sha1", then the server MUST return DRM_E_INVALID_SIGNATURE_METHOD_ALG (0xC0042949L).

  8. Validate /c:CertificateCollection/c:Certificate/Signature/SignedInfo/Reference/DigestMethod

    1. If this element does not exist or does not have the attribute "Algorithm", the server MUST return E_FAIL (0x80000008L).

    2. If the value for the attribute "Algorithm" is not "http://www.w3.org/2000/09/xmldsig#sha1", then the server MUST return DRM_E_INVALID_DIGEST_ALG (0xC0042948L).

  9. Validate /c:CertificateCollection/c:Certificate/Signature/SignedInfo/Reference/Transforms/Transform

    1. If there are not exactly two instances of this element, or if either instance does not have the attribute "Algorithm", the server MUST return E_FAIL (0x80000008L).

    2. If the value of the attribute "Algorithm" for the first instance is not "http://www.microsoft.com/DRM/CERT/v2/Data", then the server MUST return DRM_E_INVALID_TRANSFORM_ALG (0xC0042947L).

    3. If the value of the attribute "Algorithm" for the second instance is not "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", then the server MUST return DRM_E_INVALID_TRANSFORM_ALG (0xC0042947L).

  10. Validate /c:CertificaetCollection/c:Certificate/Signature/SignedInfo/Reference/DigestValue

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

    2. If the value of this element does not match the computed digest as described in section 2.2.4.1.1 <MACHINECERTIFICATE>, the server MUST return DRM_E_INVALID_DIGEST (0xC0042958L).

  11. Validate /c:CertificateCollection/c:Certificate/Signature/SignatureValue

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

    2. If the value of this element does not match the computed signature as described in section 2.2.4.1.1 <MACHINECERTIFICATE>, the server MUST return E_FAIL (0x80000008L).

  12. Validate /c:CertificateCollection/c:Certificate/Signature/SignedInfo

    1. If this element does not exist, the server MUST return E_FAIL (0x80000008L).

  13. Validate /c:CertificateCollection/c:Certificate/c:Data/c:ManufacturerData

    1. If this element is present, c:ManufacturerName must be present.  If it is not present, the server MUST return E_FAIL (0x80000008L).

Response Generation

The version 11 license response is generated in the same manner as the version 7 license response.