Azure 媒体服务 - 生成用于播放的新 AES 加密令牌
Azure Media Service - generate new AES encryption token for playback
我从 2015 年开始从事开源社区项目 Azure Media Services Upload and Play Videos in MVC。我之前没有使用任何交付加密,所以我开始研究 AES。
在 Azure 媒体服务团队的所有源代码和示例中,我注意到测试令牌都是在内容上传后立即生成的,这在我的场景中也运行良好。但是,之后再次播放时该如何生成测试令牌?
我的理解是,每次播放器请求播放时,我们都需要令牌。从技术上讲,播放器向密钥服务提供者发起请求,并收到更新后的令牌。
所以为了获得更新的令牌,我尝试了几种方法都无法解决这个问题,我看到错误 "A ContentKey (Id = '...', Type = 'EnvelopeEncryption') which contains the same type already links to this asset"。
这看起来像是一条有效的错误消息,因为类型 EnvelopeEncryption 的密钥已在上传内容后添加并与资产相关联,并且在再次请求时弹出此消息。
下面给出的代码是从这里复制的。
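/// <summary>
/// Lists all videos, newest first, and attaches a playback token to each encrypted one.
/// </summary>
/// <returns>The index view bound to a list of <c>VideoViewModel</c> items.</returns>
public ActionResult Index()
{
    var model = new List<VideoViewModel>();
    var videos = db.Videos.OrderByDescending(o => o.Id).ToList();

    foreach (var video in videos)
    {
        var viewModel = new VideoViewModel
        {
            Id = video.Id,
            EncodedAssetId = video.EncodedAssetId,
            IsEncrypted = video.IsEncrypted,
            LocatorUri = video.LocatorUri
        };

        // If encrypted content, then get token to play
        if (video.IsEncrypted)
        {
            IAsset asset = GetAssetById(video.EncodedAssetId);

            // Reuse the envelope key that was linked to the asset when it was uploaded.
            // Creating a second EnvelopeEncryption key for the same asset is what raises
            // "A ContentKey ... which contains the same type already links to this asset".
            // A new key is created only when the asset has none yet.
            IContentKey key =
                asset.ContentKeys.FirstOrDefault(k => k.ContentKeyType == ContentKeyType.EnvelopeEncryption)
                ?? CreateEnvelopeTypeContentKey(asset);

            // NOTE(review): a token is generated for every encrypted video in the list and
            // handed to the view, so anyone who can load this page receives all of them.
            // Confirm this action is restricted to users allowed to play the content, and
            // that GenerateToken (defined elsewhere) issues short-lived tokens.
            viewModel.Token = GenerateToken(key);
        }

        model.Add(viewModel);
    }

    return View(model);
}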
以上方法调用媒体服务密钥服务提供者。
我该如何解决这个问题?
你可以看看 AMS Explorer 的源代码。
当您创建限制策略时,您正在做这样的事情:
// Build the token-restricted requirement from the serialized restriction template.
// The key delivery service is expected to check presented tokens against this
// template (issuer, audience, verification key) — hedged: the check itself is not shown here.
var restriction = new ContentKeyAuthorizationPolicyRestriction();
restriction.Name = "Authorization Policy with Token Restriction";
restriction.KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted;
restriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(restrictionTemplate);
restrictions.Add(restriction);

// Persist the policy option on the server so it can be associated with the
// IContentKeyAuthorizationPolicy.
IContentKeyAuthorizationPolicyOption policyOption =
    objCloudMediaContext.ContentKeyAuthorizationPolicyOptions.Create(
        "myDynamicEncryptionPolicy",
        ContentKeyDeliveryType.BaselineHttp,
        restrictions,
        String.Empty);
policy.Options.Add(policyOption);

// Save the policy.
// NOTE(review): the result of UpdateAsync() is discarded, so a failed save would go
// unnoticed in this snippet — confirm the surrounding code observes the outcome.
policy.UpdateAsync();
这里的关键字段是 Requirements = TokenRestrictionTemplateSerializer.Serialize(restriction.Requirements)};
您需要先取回为该资产创建的相应限制,然后用下面的调用反序列化 TokenRestriction 模板:
// Rebuild the token restriction template from its serialized form.
// NOTE(review): tokenTemplateString is presumably the Requirements value stored on the
// restriction that was saved with the policy — confirm against the caller.
TokenRestrictionTemplate tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);
接着,根据您使用的密钥和加密类型进行处理:
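// Choose signing credentials that match the verification key stored in the template.
var verificationKey = tokenTemplate.PrimaryVerificationKey;
if (verificationKey != null && verificationKey.GetType() == typeof(SymmetricVerificationKey))
{
    // The symmetric key value is the HMAC secret: whoever holds it can sign tokens that
    // satisfy this template, so it must stay on the server and never reach the player.
    var tokenSigningKey = new InMemorySymmetricSecurityKey(((SymmetricVerificationKey)verificationKey).KeyValue);
    signingcredentials = new SigningCredentials(tokenSigningKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
}
else if (verificationKey != null && verificationKey.GetType() == typeof(X509CertTokenVerificationKey))
{
    // Keep credentials that were already supplied; otherwise load the certificate.
    if (signingcredentials == null)
    {
        X509Certificate2 cert = DynamicEncryption.GetCertificateFromFile(true).Certificate;
        if (cert != null)
        {
            signingcredentials = new X509SigningCredentials(cert);
        }
    }
}

// Fail closed: without this check an unknown key type or a missing certificate would
// fall through and the token would be built with no signing credentials.
if (signingcredentials == null)
{
    throw new InvalidOperationException("No signing credentials are available for the token restriction template.");
}

// Use UTC for the validity window; notBefore is backdated five minutes to tolerate clock skew.
// Keep DefaultTokenDuration short: the token is a bearer credential for key delivery.
DateTime utcNow = DateTime.UtcNow;
JwtSecurityToken jwt = new JwtSecurityToken(
    issuer: tokenTemplate.Issuer,
    audience: tokenTemplate.Audience,
    notBefore: utcNow.AddMinutes(-5),
    expires: utcNow.AddMinutes(Properties.Settings.Default.DefaultTokenDuration),
    signingCredentials: signingcredentials,
    claims: myclaims);

// The original declared both the JwtSecurityToken and the string as "token", which does
// not compile; the serialized string keeps the name "token".
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
string token = handler.WriteToken(jwt);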
我从 2015 年开始从事开源社区项目 Azure Media Services Upload and Play Videos in MVC。我之前没有使用任何交付加密,所以我开始研究 AES。
在 Azure 媒体服务团队的所有源代码和示例中,我注意到测试令牌都是在内容上传后立即生成的,这在我的场景中也运行良好。但是,之后再次播放时该如何生成测试令牌?
我的理解是,每次播放器请求播放时,我们都需要令牌。从技术上讲,播放器向密钥服务提供者发起请求,并收到更新后的令牌。
所以为了获得更新的令牌,我尝试了几种方法都无法解决这个问题,我看到错误 "A ContentKey (Id = '...', Type = 'EnvelopeEncryption') which contains the same type already links to this asset"。
这看起来像是一条有效的错误消息,因为类型 EnvelopeEncryption 的密钥已在上传内容后添加并与资产相关联,并且在再次请求时弹出此消息。
下面给出的代码是从这里复制的。
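/// <summary>
/// Lists all videos, newest first, and attaches a playback token to each encrypted one.
/// </summary>
/// <returns>The index view bound to a list of <c>VideoViewModel</c> items.</returns>
public ActionResult Index()
{
    var model = new List<VideoViewModel>();
    var videos = db.Videos.OrderByDescending(o => o.Id).ToList();

    foreach (var video in videos)
    {
        var viewModel = new VideoViewModel
        {
            Id = video.Id,
            EncodedAssetId = video.EncodedAssetId,
            IsEncrypted = video.IsEncrypted,
            LocatorUri = video.LocatorUri
        };

        // If encrypted content, then get token to play
        if (video.IsEncrypted)
        {
            IAsset asset = GetAssetById(video.EncodedAssetId);

            // Reuse the envelope key that was linked to the asset when it was uploaded.
            // Creating a second EnvelopeEncryption key for the same asset is what raises
            // "A ContentKey ... which contains the same type already links to this asset".
            // A new key is created only when the asset has none yet.
            IContentKey key =
                asset.ContentKeys.FirstOrDefault(k => k.ContentKeyType == ContentKeyType.EnvelopeEncryption)
                ?? CreateEnvelopeTypeContentKey(asset);

            // NOTE(review): a token is generated for every encrypted video in the list and
            // handed to the view, so anyone who can load this page receives all of them.
            // Confirm this action is restricted to users allowed to play the content, and
            // that GenerateToken (defined elsewhere) issues short-lived tokens.
            viewModel.Token = GenerateToken(key);
        }

        model.Add(viewModel);
    }

    return View(model);
}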
以上方法调用媒体服务密钥服务提供者。
我该如何解决这个问题?
你可以看看 AMS Explorer 的源代码。
当您创建限制策略时,您正在做这样的事情:
// Build the token-restricted requirement from the serialized restriction template.
// The key delivery service is expected to check presented tokens against this
// template (issuer, audience, verification key) — hedged: the check itself is not shown here.
var restriction = new ContentKeyAuthorizationPolicyRestriction();
restriction.Name = "Authorization Policy with Token Restriction";
restriction.KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted;
restriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(restrictionTemplate);
restrictions.Add(restriction);

// Persist the policy option on the server so it can be associated with the
// IContentKeyAuthorizationPolicy.
IContentKeyAuthorizationPolicyOption policyOption =
    objCloudMediaContext.ContentKeyAuthorizationPolicyOptions.Create(
        "myDynamicEncryptionPolicy",
        ContentKeyDeliveryType.BaselineHttp,
        restrictions,
        String.Empty);
policy.Options.Add(policyOption);

// Save the policy.
// NOTE(review): the result of UpdateAsync() is discarded, so a failed save would go
// unnoticed in this snippet — confirm the surrounding code observes the outcome.
policy.UpdateAsync();
这里的关键字段是 Requirements = TokenRestrictionTemplateSerializer.Serialize(restriction.Requirements)};
您需要先取回为该资产创建的相应限制,然后用下面的调用反序列化 TokenRestriction 模板:
TokenRestrictionTemplate tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);
接着,根据您使用的密钥和加密类型进行处理:
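// Choose signing credentials that match the verification key stored in the template.
var verificationKey = tokenTemplate.PrimaryVerificationKey;
if (verificationKey != null && verificationKey.GetType() == typeof(SymmetricVerificationKey))
{
    // The symmetric key value is the HMAC secret: whoever holds it can sign tokens that
    // satisfy this template, so it must stay on the server and never reach the player.
    var tokenSigningKey = new InMemorySymmetricSecurityKey(((SymmetricVerificationKey)verificationKey).KeyValue);
    signingcredentials = new SigningCredentials(tokenSigningKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
}
else if (verificationKey != null && verificationKey.GetType() == typeof(X509CertTokenVerificationKey))
{
    // Keep credentials that were already supplied; otherwise load the certificate.
    if (signingcredentials == null)
    {
        X509Certificate2 cert = DynamicEncryption.GetCertificateFromFile(true).Certificate;
        if (cert != null)
        {
            signingcredentials = new X509SigningCredentials(cert);
        }
    }
}

// Fail closed: without this check an unknown key type or a missing certificate would
// fall through and the token would be built with no signing credentials.
if (signingcredentials == null)
{
    throw new InvalidOperationException("No signing credentials are available for the token restriction template.");
}

// Use UTC for the validity window; notBefore is backdated five minutes to tolerate clock skew.
// Keep DefaultTokenDuration short: the token is a bearer credential for key delivery.
DateTime utcNow = DateTime.UtcNow;
JwtSecurityToken jwt = new JwtSecurityToken(
    issuer: tokenTemplate.Issuer,
    audience: tokenTemplate.Audience,
    notBefore: utcNow.AddMinutes(-5),
    expires: utcNow.AddMinutes(Properties.Settings.Default.DefaultTokenDuration),
    signingCredentials: signingcredentials,
    claims: myclaims);

// The original declared both the JwtSecurityToken and the string as "token", which does
// not compile; the serialized string keeps the name "token".
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
string token = handler.WriteToken(jwt);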