Merge pull request #1860 from CastagnaIT/ck_cbcs

[ClearKey] Implemented CBCS support

Author: CastagnaIT

plugin.video.isasamples/menu_data.py

@@ -371,6 +371,15 @@
                     'drm': '{"org.w3.clearkey": {"license": {"keyids": {"eb676abbcb345e96bbcf616630f1a3da": "100b6c20940f779a4589152b57d2dacb"}}}}',
                 }
             },
+            'Axiom v9multiFormat [clear key, keys on property]': {
+                SI_ENCRYPT: 'DRMCK,CBCS',
+                SI_FEATURE: 'ADPV',
+                SI_CONFIG: {
+                    'manifest_url': 'https://media.axprod.net/TestVectors/v9-MultiFormat/Encrypted_Cbcs/Manifest.mpd',
+                    'drm_legacy': 'org.w3.clearkey|f8c80c25690f47368132430e5c6994ce:7bc99cb1dd0623cd0b5065056a57a1dd',
+                    'drm': '{"org.w3.clearkey": {"license": {"keyids": {"f8c80c25690f47368132430e5c6994ce": "7bc99cb1dd0623cd0b5065056a57a1dd"}}}}',
+                }
+            },
         },
     },
     'Manifest HLS': {

src/decrypters/clearkey/ClearKeyCencSingleSampleDecrypter.cpp

@@ -40,51 +40,14 @@ CClearKeyCencSingleSampleDecrypter::CClearKeyCencSingleSampleDecrypter(
     return;
   }
 
-  std::string licenseData;
-  std::vector<uint8_t> uriData;
+  // Make license request to get KID/KEY pairs
+  std::vector<uint8_t> licenseData;
 
-  if (URL::GetUriByteData(licenseUri, uriData)) // Provided license data in URI format
+  // Check if provided license data in URI format, otherwise make the license request
+  if (!URL::GetUriByteData(licenseUri, licenseData))
   {
-    licenseData.assign(uriData.begin(), uriData.end());
-  }
-  else // Make the request to the server by using URL
-  {
-    const std::string postData = CreateLicenseRequest(defaultKeyId);
-
-    if (CSrvBroker::GetSettings().IsDebugLicense())
-    {
-      const std::string debugFilePath =
-          FILESYS::PathCombine(m_host->GetLibraryPath(), "ClearKey.init");
-      FILESYS::SaveFile(debugFilePath, postData.c_str(), true);
-    }
-
-    CURL::CUrl curl{std::string(licenseUri), postData};
-    curl.AddHeader("Accept", "application/json");
-    curl.AddHeader("Content-Type", "application/json");
-    curl.AddHeaders(licenseHeaders);
-
-    std::string response;
-    int statusCode = curl.Open();
-    if (statusCode == -1 || statusCode >= 400)
-    {
-      LOG::Log(LOGERROR, "License server returned failure (HTTP error %i)", statusCode);
-      return;
-    }
-
-    if (curl.Read(response) != CURL::ReadStatus::IS_EOF)
-    {
-      LOG::LogF(LOGERROR, "Could not read the license server response");
+    if (!MakeLicenseRequest(std::string(licenseUri), licenseHeaders, defaultKeyId, licenseData))
       return;
-    }
-
-    if (CSrvBroker::GetSettings().IsDebugLicense())
-    {
-      const std::string debugFilePath =
-          FILESYS::PathCombine(m_host->GetLibraryPath(), "ClearKey.response");
-      FILESYS::SaveFile(debugFilePath, response, true);
-    }
-
-    licenseData = response;
   }
 
   if (!ParseLicenseResponse(licenseData))
@@ -93,16 +56,14 @@ CClearKeyCencSingleSampleDecrypter::CClearKeyCencSingleSampleDecrypter(
     return;
   }
 
-  const std::string b64DefaultKeyId = BASE64::Encode(defaultKeyId);
-  if (!STRING::KeyExists(m_keyPairs, b64DefaultKeyId))
+  if (!STRING::KeyExists(m_kidPairs, defaultKeyId))
   {
-    LOG::LogF(LOGERROR, "Key not found on license data");
+    LOG::LogF(LOGERROR, "License data does not have the required KID");
+    m_kidPairs.clear();
     return;
   }
 
-  const std::vector<uint8_t> keyBytes = BASE64::Decode(m_keyPairs[b64DefaultKeyId]);
-
-  InitDecrypter(defaultKeyId, keyBytes);
+  InitDecrypter();
 }
 
 CClearKeyCencSingleSampleDecrypter::CClearKeyCencSingleSampleDecrypter(
@@ -111,62 +72,138 @@ CClearKeyCencSingleSampleDecrypter::CClearKeyCencSingleSampleDecrypter(
     CClearKeyDecrypter* host)
   : m_host(host)
 {
-  std::vector<uint8_t> hexKey;
   // Currently HLS manifest only support this
-  // and the init data should contain only the key
-  hexKey = initData;
+  // the initData should contain only the key
+  m_kidPairs.emplace(defaultKeyId, initData);
 
-  InitDecrypter(defaultKeyId, hexKey);
+  InitDecrypter();
 }
 
-void CClearKeyCencSingleSampleDecrypter::InitDecrypter(const std::vector<uint8_t>& defaultKeyId,
-                                                         const std::vector<uint8_t>& key)
+void CClearKeyCencSingleSampleDecrypter::InitDecrypter()
 {
-  AP4_CencSingleSampleDecrypter::Create(AP4_CENC_CIPHER_AES_128_CTR, key.data(),
-                                        static_cast<AP4_Size>(key.size()), 0, 0, nullptr, false,
-                                        m_singleSampleDecrypter);
   SetParentIsOwner(false);
-  AddSessionKey(defaultKeyId);
 
   // Define a session id
   m_sessionId = "ck_" + std::to_string(g_sessionIdCount++);
 }
 
-void CClearKeyCencSingleSampleDecrypter::AddSessionKey(const std::vector<uint8_t>& keyId)
+bool CClearKeyCencSingleSampleDecrypter::HasKeyId(const std::vector<uint8_t>& keyid)
 {
-  if (std::find(m_keyIds.begin(), m_keyIds.end(), keyId) == m_keyIds.end())
-    m_keyIds.emplace_back(keyId);
+  return STRING::KeyExists(m_kidPairs, keyid);
 }
 
-bool CClearKeyCencSingleSampleDecrypter::HasKeyId(const std::vector<uint8_t>& keyid)
+AP4_UI32 CClearKeyCencSingleSampleDecrypter::AddPool()
 {
-  if (!keyid.empty())
+  const AP4_UI32 poolId = static_cast<AP4_UI32>(m_pool.size());
+
+  m_pool.emplace(poolId, PINFO());
+
+  return poolId;
+}
+
+void CClearKeyCencSingleSampleDecrypter::RemovePool(AP4_UI32 poolId)
+{
+  m_pool.erase(poolId);
+}
+
+AP4_Result CClearKeyCencSingleSampleDecrypter::SetFragmentInfo(AP4_UI32 poolId,
+                                                               const std::vector<uint8_t>& keyId,
+                                                               const AP4_UI08 nalLengthSize,
+                                                               AP4_DataBuffer& annexbSpsPps,
+                                                               AP4_UI32 flags,
+                                                               CryptoInfo cryptoInfo)
+{
+  if (!STRING::KeyExists(m_pool, poolId))
   {
-    for (const std::vector<uint8_t>& key : m_keyIds)
-    {
-      if (key == keyid)
-        return true;
-    }
+    LOG::LogF(LOGERROR, "Cannot set fragment info, the pool id %u dont exist", poolId);
+    return AP4_ERROR_INVALID_PARAMETERS;
   }
-  return false;
+
+  if (cryptoInfo.m_mode != CryptoMode::NONE && cryptoInfo.m_mode != CryptoMode::AES_CTR &&
+      cryptoInfo.m_mode != CryptoMode::AES_CBC)
+  {
+    LOG::LogF(LOGERROR, "Cannot set fragment info, unsupported crypto mode (%i)",
+              static_cast<int>(cryptoInfo.m_mode));
+    return AP4_ERROR_INVALID_PARAMETERS;
+  }
+
+  PINFO& pInfo = m_pool[poolId];
+  FINFO& fInfo = pInfo.fInfo;
+
+  // Compare the encryption info from the previous fragment to see if it has been changed,
+  // if so, the decrypter will have to be recreated
+  pInfo.isChanged = fInfo.kid != keyId || fInfo.cryptoInfo.m_mode != cryptoInfo.m_mode ||
+                    fInfo.cryptoInfo.m_cryptBlocks != cryptoInfo.m_cryptBlocks ||
+                    fInfo.cryptoInfo.m_skipBlocks != cryptoInfo.m_skipBlocks;
+
+  // Update with the current fragment info
+  fInfo.kid = keyId;
+  fInfo.cryptoInfo = cryptoInfo;
+
+  return AP4_SUCCESS;
 }
 
 AP4_Result CClearKeyCencSingleSampleDecrypter::DecryptSampleData(
-    AP4_UI32 pool_id,
-    AP4_DataBuffer& data_in,
-    AP4_DataBuffer& data_out,
+    AP4_UI32 poolId,
+    AP4_DataBuffer& dataIn,
+    AP4_DataBuffer& dataOut,
     const AP4_UI08* iv,
-    unsigned int subsample_count,
-    const AP4_UI16* bytes_of_cleartext_data,
-    const AP4_UI32* bytes_of_encrypted_data)
+    unsigned int subsampleCount,
+    const AP4_UI16* bytesOfCleartextData,
+    const AP4_UI32* bytesOfEncryptedData)
 {
-  if (!m_singleSampleDecrypter)
+  if (m_pool.empty())
+  {
+    LOG::LogF(LOGERROR, "Cannot decrypt data, the pool is empty");
+    return AP4_ERROR_INTERNAL;
+  }
+  if (!STRING::KeyExists(m_pool, poolId))
   {
-    return AP4_FAILURE;
+    LOG::LogF(LOGERROR, "Cannot decrypt data, the pool id %u dont exist", poolId);
+    return AP4_ERROR_INVALID_PARAMETERS;
   }
-  return (m_singleSampleDecrypter)
-      ->DecryptSampleData(data_in, data_out, iv, subsample_count, bytes_of_cleartext_data,
-                          bytes_of_encrypted_data);
+
+  PINFO& pInfo = m_pool[poolId];
+  auto& decrypter = pInfo.decrypter;
+
+  if (!decrypter || pInfo.isChanged)
+  {
+    const auto& fInfo = pInfo.fInfo;
+
+    if (!STRING::KeyExists(m_kidPairs, fInfo.kid))
+    {
+      // In theory when there is a license server url, could be possible to request new KID/KEY pair
+      // making a new HTTP license request e.g. the case of key rotation, but it needs to be tested properly
+      LOG::LogF(LOGERROR, "Cannot decrypt data, due to missing KID/KEY from the license data");
+      return AP4_ERROR_INVALID_STATE;
+    }
+
+    AP4_CencSingleSampleDecrypter* pDecrypter{nullptr};
+    const std::vector<uint8_t>& key = m_kidPairs[fInfo.kid];
+
+    AP4_UI32 cypherType{AP4_CENC_CIPHER_NONE};
+    bool resetIvEachSubsample{false};
+
+    if (fInfo.cryptoInfo.m_mode == CryptoMode::AES_CTR)
+    {
+      cypherType = AP4_CENC_CIPHER_AES_128_CTR;
+    }
+    else if (fInfo.cryptoInfo.m_mode == CryptoMode::AES_CBC)
+    {
+      cypherType = AP4_CENC_CIPHER_AES_128_CBC;
+      // CBCS reset the IV at each subsample, see https://github.com/axiomatic-systems/Bento4/commit/ab07e3acc7befc821554bc5e271df1201681e954
+      resetIvEachSubsample = true;
+    }
+
+    AP4_CencSingleSampleDecrypter::Create(
+        cypherType, key.data(), static_cast<AP4_Size>(key.size()), fInfo.cryptoInfo.m_cryptBlocks,
+        fInfo.cryptoInfo.m_skipBlocks, nullptr, resetIvEachSubsample, pDecrypter);
+
+    decrypter = std::unique_ptr<AP4_CencSingleSampleDecrypter>{std::exchange(pDecrypter, nullptr)};
+  }
+
+  return decrypter->DecryptSampleData(dataIn, dataOut, iv, subsampleCount, bytesOfCleartextData,
+                                      bytesOfEncryptedData);
 }
 
 std::string CClearKeyCencSingleSampleDecrypter::CreateLicenseRequest(
@@ -189,7 +226,54 @@ std::string CClearKeyCencSingleSampleDecrypter::CreateLicenseRequest(
   return jData.dump(-1, ' ', false, njson::error_handler_t::ignore);
 }
 
-bool CClearKeyCencSingleSampleDecrypter::ParseLicenseResponse(std::string data)
+bool CClearKeyCencSingleSampleDecrypter::MakeLicenseRequest(
+    const std::string& url,
+    const std::map<std::string, std::string>& headers,
+    const std::vector<uint8_t>& kid,
+    std::vector<uint8_t>& licenseData)
+{
+  const std::string postData = CreateLicenseRequest(kid);
+
+  if (CSrvBroker::GetSettings().IsDebugLicense())
+  {
+    const std::string debugFilePath =
+        FILESYS::PathCombine(m_host->GetLibraryPath(), "ClearKey.init");
+    FILESYS::SaveFile(debugFilePath, postData.c_str(), true);
+  }
+
+  CURL::CUrl curl{url, postData};
+  curl.AddHeader("Accept", "application/json");
+  curl.AddHeader("Content-Type", "application/json");
+  curl.AddHeaders(headers);
+
+  int statusCode = curl.Open();
+  if (statusCode == -1 || statusCode >= 400)
+  {
+    LOG::Log(LOGERROR, "License server returned failure (HTTP error %i)", statusCode);
+    return false;
+  }
+
+  std::string responseData;
+
+  if (curl.Read(responseData) != CURL::ReadStatus::IS_EOF)
+  {
+    LOG::LogF(LOGERROR, "Could not read the license server response");
+    return false;
+  }
+
+  if (CSrvBroker::GetSettings().IsDebugLicense())
+  {
+    const std::string debugFilePath =
+        FILESYS::PathCombine(m_host->GetLibraryPath(), "ClearKey.response");
+    FILESYS::SaveFile(debugFilePath, responseData, true);
+  }
+
+  licenseData.assign(responseData.begin(), responseData.end());
+
+  return true;
+}
+
+bool CClearKeyCencSingleSampleDecrypter::ParseLicenseResponse(const std::vector<uint8_t>& data)
 {
   /* Expected JSON structure for license response:
    * { "keys": [
@@ -219,36 +303,47 @@ bool CClearKeyCencSingleSampleDecrypter::ParseLicenseResponse(std::string data)
     return false;
   }
 
-  for (const auto& item : jData["keys"]) // Iterate array
+  for (const auto& jwkValue : jData["keys"]) // Iterate array
   {
-    if (!item.is_object())
+    if (!jwkValue.is_object())
     {
       LOG::LogF(LOGERROR, "Unexpected JSON format in the license response");
       continue;
     }
 
+    if (jwkValue.contains("kty") && jwkValue["kty"].is_string() &&
+        jwkValue["kty"].get<std::string>() != "oct")
+    {
+      LOG::LogF(LOGWARNING, "Ignored JWK set, due to unsupported \"%s\" key type",
+                jwkValue["kty"].get<std::string>().c_str());
+      continue;
+    }
+
     std::string b64Key;
     std::string b64KeyId;
 
-    if (item.contains("k") && item["k"].is_string())
-      b64Key = item["k"].get<std::string>();
+    if (jwkValue.contains("k") && jwkValue["k"].is_string())
+      b64Key = jwkValue["k"].get<std::string>();
 
-    if (item.contains("kid") && item["kid"].is_string())
-      b64KeyId = item["kid"].get<std::string>();
-
-    if (b64Key.empty() || b64KeyId.empty())
-    {
-      LOG::LogF(LOGERROR, "Malformed key pair value in the license response");
-      continue;
-    }
+    if (jwkValue.contains("kid") && jwkValue["kid"].is_string())
+      b64KeyId = jwkValue["kid"].get<std::string>();
 
     b64Key = BASE64::UrlSafeDecode(b64Key);
     BASE64::AddPadding(b64Key);
 
     b64KeyId = BASE64::UrlSafeDecode(b64KeyId);
     BASE64::AddPadding(b64KeyId);
 
-    m_keyPairs.emplace(b64KeyId, b64Key);
+    const std::vector<uint8_t> kidBytes = BASE64::Decode(b64KeyId);
+    const std::vector<uint8_t> keyBytes = BASE64::Decode(b64Key);
+
+    if (kidBytes.empty() || keyBytes.empty())
+    {
+      LOG::LogF(LOGERROR, "Malformed key pair value in the license response");
+      continue;
+    }
+
+    m_kidPairs.insert_or_assign(kidBytes, keyBytes);
   }
 
   return true;