From df78a77f0063467f17ddbdb0e676d0a33b366107 Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 11:27:33 +0100 Subject: [PATCH 1/6] Incorrect interface name --- doc/Security.xml | 4 ++-- .../wsdl/advancedsecurity.wsdl | 22 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/Security.xml b/doc/Security.xml index cfd8c6535..aca680daf 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4473,7 +4473,7 @@
- GetAssignedMediaSigningCertificates + GetAssignedMediaSigningCertificationPaths This operation returns the IDs of the certification paths that are assigned for media signing on the device. This operation will always return the factory provisioned certification path and can additionally return a certification path that has been added by @@ -5541,7 +5541,7 @@ MediaSigningSupported - If true, GetAssignedMediaSigningCertificates shall be supported. + If true, GetAssignedMediaSigningCertificationPaths shall be supported. diff --git a/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl b/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl index 163f9eb90..472c21345 100644 --- a/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl +++ b/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl @@ -2463,12 +2463,12 @@ - + - + @@ -2881,11 +2881,11 @@ - - + + - - + + @@ -3563,13 +3563,13 @@ - + This operation returns the IDs of the certification paths that are assigned for media signing on the device. This operation will always return the factory provisioned certification path and can additionally return a certification path that has been added by AddMediaSigningCertificateAssignment.
A device shall support this command if the MediaSigningSupported capability is true. - - + + @@ -4186,8 +4186,8 @@ - - + + From a43629e08e713177544ee9bc37b6c3c359668dd3 Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 11:47:14 +0100 Subject: [PATCH 2/6] clarify the user and factory provisioned key details --- doc/Security.xml | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/doc/Security.xml b/doc/Security.xml index aca680daf..8222b79be 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4379,12 +4379,28 @@ Media Signing
Overview - Signing of media that is generated by the device is described in the [Media Signing - Specification]. Media is signed using a private key that is provisioned during factory - production that is stored in a specially protected hardware component (e.g., a trusted - platform module). This private key is associated with a certificate that holds the public - key. In addition to the factory provisioned key one additional private key can be used to - sign media. + Media authenticity data in the form of signatures is generated by the device and + included in the media stream as described in the [Media Signing Specification]. Media is + typically signed using a certificate based on the private key proviosioned in one of the + below listed approaches + + + >Factory Provisioned Key + + Private key provisioned into the device, during factory production, stored in + a specially protected hardware component (e.g., a trusted platform module). This + private key is associated with a certificate that holds the public key. + + + + >User Provisioned Key + + User can provision an additional private key and that private key is + associated with a certificate that holds the public key. + + + +
AddMediaSigningCertificateAssignment From cf861b51769afcb3a1f5cb3c319c5bcb13a70243 Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 12:01:13 +0100 Subject: [PATCH 3/6] fixed text formatting tags, renders bold in spec for both param and text --- doc/Security.xml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/doc/Security.xml b/doc/Security.xml index 8222b79be..31790199a 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4418,8 +4418,8 @@ request - CertificationPathID - [tas:CertificationPathID] The ID of the - certification path to assign for media signing. + CertificationPathID - [tas:CertificationPathID] + The ID of the certification path to assign for media signing. @@ -4431,11 +4431,12 @@ faults - env:Sender - ter:InvalidArgVal - ter:CertificationPathID No + env:Sender - ter:InvalidArgVal - ter:CertificationPathID + No certification path is stored in the keystore under the given certification path ID. - env:Sender - ter:InvalidArgVal - ter:NoPrivateKey The key pair that - is associated with the leaf certificate in the certificate chain does not have an + env:Sender - ter:InvalidArgVal - ter:NoPrivateKey + The key pair that is associated with the leaf certificate in the certificate chain does not have an associated private key. @@ -4460,8 +4461,8 @@ request - CertificationPathID - [tas:CertificationPathID] The ID of the - certification path to remove. + CertificationPathID - [tas:CertificationPathID] + The ID of the certification path to remove. @@ -4508,8 +4509,8 @@ CertificationPathID - optional, max 2 [tas:CertificationPathID] List of certification path IDs assigned for media signing. At least - one certification path will be returned, the factory provisioned one. At most two - certification paths will be returned. + one certification path that includes the factory provisioned one shall be returned. + At most two certification paths will be returned. From 50d02290da3e762de3556d9c07fa23fdd5dfaefe Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 12:54:35 +0100 Subject: [PATCH 4/6] fix typo --- doc/Security.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Security.xml b/doc/Security.xml index 31790199a..8f63ece73 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4381,7 +4381,7 @@ Overview Media authenticity data in the form of signatures is generated by the device and included in the media stream as described in the [Media Signing Specification]. Media is - typically signed using a certificate based on the private key proviosioned in one of the + typically signed using a certificate based on the private key provisioned in one of the below listed approaches From 9a8e5aefc1265f3333b524171d2acc97ba312ebf Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 14:51:54 +0100 Subject: [PATCH 5/6] Made a duplicate interface, kept the existing one as ius, just marked deprecated --- doc/Security.xml | 37 +++++++++++++++++ .../wsdl/advancedsecurity.wsdl | 40 +++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/doc/Security.xml b/doc/Security.xml index 8f63ece73..7b904700a 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4490,6 +4490,43 @@
+ GetAssignedMediaSigningCertificates + This operation returns the IDs of the certification paths that are assigned for media + signing on the device. This operation will always return the factory provisioned + certification path and can additionally return a certification path that has been added by + AddMediaSigningCertificateAssignment. + This interface is deprecated due to the introduction of GetAssignedMediaSigningCertificationPaths. + + + request + + This message is empty. + + + + response + + CertificationPathID - optional, max 2 [tas:CertificationPathID] + List of certification path IDs assigned for media signing. At least + one certification path that includes the factory provisioned one shall be returned. + At most two certification paths will be returned. + + + + faults + + None + + + + access class + + READ_SYSTEM_SECRET + + + +
+
GetAssignedMediaSigningCertificationPaths This operation returns the IDs of the certification paths that are assigned for media signing on the device. This operation will always return the factory provisioned diff --git a/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl b/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl index 472c21345..2a02ea4cc 100644 --- a/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl +++ b/wsdl/ver10/advancedsecurity/wsdl/advancedsecurity.wsdl @@ -2480,6 +2480,23 @@ + + + + + + + + + + + The IDs of all certification paths that are assigned for media signing. + + + + + + @@ -2886,6 +2903,12 @@ + + + + + + @@ -3571,6 +3594,14 @@ + + + This operation returns the IDs of the certification paths that are assigned for media signing on the device. This operation will always return the factory provisioned certification path and can additionally return a certification path that has been added by AddMediaSigningCertificateAssignment.
+ A device shall support this command if the MediaSigningSupported capability is true. + + + + Configuration of external authorization servers. @@ -4194,6 +4225,15 @@ + + + + + + + + + From a8416121ed9fb6b625c4957e3ad18b63f71e9114 Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Thu, 26 Feb 2026 15:19:55 +0100 Subject: [PATCH 6/6] removed a redundant bullet format --- doc/Security.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/Security.xml b/doc/Security.xml index 7b904700a..811e57b90 100644 --- a/doc/Security.xml +++ b/doc/Security.xml @@ -4385,7 +4385,7 @@ below listed approaches - >Factory Provisioned Key + Factory Provisioned Key Private key provisioned into the device, during factory production, stored in a specially protected hardware component (e.g., a trusted platform module). This @@ -4393,7 +4393,7 @@ - >User Provisioned Key + User Provisioned Key User can provision an additional private key and that private key is associated with a certificate that holds the public key.