Azure Media Services - Generate a new AES encryption token for playback

Abh*_*nyu 7 c# asp.net-mvc azure azure-media-services

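Since 2015 I have been working on an open-source community project, Azure Media Services Upload and Play Videos in MVC. I was not using any delivery encryption before, so I started working on AES.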

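In all the source code/samples from the Azure Media Services team, I noticed that a test token is generated right after the content is uploaded, and this works well in my case too. But how do I generate a test token for playback the next time?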

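My understanding is that we need a token each time the player requests playback. Technically, the player creates a request to the key service provider and receives an updated token.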

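So, to get an updated token, I tried a couple of ways that did not fix this, and I see the error "A ContentKey (Id = '...', Type = 'EnvelopeEncryption') which contains the same type already links to this asset".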


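This looks like a valid error message, because a key of type EnvelopeEncryption was already added and associated with the asset after the content was uploaded, and the error pops up when this is requested again.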

The code given below is copied from here.

    public ActionResult Index()
    {
        var model = new List<VideoViewModel>();

        var videos = db.Videos.OrderByDescending(o => o.Id).ToList();
        foreach (var video in videos)
        {
            var viewModel = new VideoViewModel();
            viewModel.Id = video.Id;
            viewModel.EncodedAssetId = video.EncodedAssetId;
            viewModel.IsEncrypted = video.IsEncrypted;
            viewModel.LocatorUri = video.LocatorUri;

            // If encrypted content, then get token to play
            if (video.IsEncrypted)
            {
                IAsset asset = GetAssetById(video.EncodedAssetId);
                IContentKey key = CreateEnvelopeTypeContentKey(asset);
                viewModel.Token = GenerateToken(key);
            }

            model.Add(viewModel);
        }

        return View(model);
    }

The method above calls the Media Services key service provider.

How do I fix this?

Geo*_*nov 0

You can look at the AMS Explorer source.

When you create the restriction policy, you are doing something like this:

    // Initializing ContentKeyAuthorizationPolicyRestriction
    ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction
    {
        Name = "Authorization Policy with Token Restriction",
        KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted,
        // Serialized token restriction template, stored with the policy option
        Requirements = TokenRestrictionTemplateSerializer.Serialize(restrictionTemplate)
    };

    restrictions.Add(restriction);

    // Saving IContentKeyAuthorizationPolicyOption on server so it can be associated with IContentKeyAuthorizationPolicy
    IContentKeyAuthorizationPolicyOption policyOption = objCloudMediaContext.ContentKeyAuthorizationPolicyOptions.Create("myDynamicEncryptionPolicy", ContentKeyDeliveryType.BaselineHttp, restrictions, String.Empty);
    policy.Options.Add(policyOption);

    // Saving Policy
    policy.UpdateAsync();

The key field here is Requirements = TokenRestrictionTemplateSerializer.Serialize(restriction.Requirements)};

You need to fetch the corresponding asset restriction you created in the first place and deserialize the TokenRestriction template back with

    TokenRestrictionTemplate tokenTemplate = TokenRestrictionTemplateSerializer.Deserialize(tokenTemplateString);

Based on the type of key and encryption you use:

    // signingcredentials is declared here so the fragment stands alone;
    // myclaims (IEnumerable<Claim>) is built by the surrounding code.
    SigningCredentials signingcredentials = null;
    if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(SymmetricVerificationKey))
    {
        // Symmetric key: sign with HMAC-SHA256 using the key value stored in the template
        InMemorySymmetricSecurityKey tokenSigningKey = new InMemorySymmetricSecurityKey((tokenTemplate.PrimaryVerificationKey as SymmetricVerificationKey).KeyValue);
        signingcredentials = new SigningCredentials(tokenSigningKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
    }
    else if (tokenTemplate.PrimaryVerificationKey.GetType() == typeof(X509CertTokenVerificationKey))
    {
        if (signingcredentials == null)
        {
            // X.509 key: the certificate with its private key has to be loaded separately
            X509Certificate2 cert = DynamicEncryption.GetCertificateFromFile(true).Certificate;
            if (cert != null) signingcredentials = new X509SigningCredentials(cert);
        }
    }
    JwtSecurityToken token = new JwtSecurityToken(
        issuer: tokenTemplate.Issuer,
        audience: tokenTemplate.Audience,
        notBefore: DateTime.Now.AddMinutes(-5),
        expires: DateTime.Now.AddMinutes(Properties.Settings.Default.DefaultTokenDuration),
        signingCredentials: signingcredentials,
        claims: myclaims);
    JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
    // Serialize the signed token to its compact string form
    string tokenString = handler.WriteToken(token);
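An added example (not part of either post, and not AMS Explorer code): one way to issue a playback token for an asset that already has its envelope key, by reusing the linked key and the token restriction stored with its policy instead of creating a new key. It assumes the Media Services v2 .NET SDK, an authenticated CloudMediaContext, and a template whose primary verification key is symmetric; `PlaybackTokenHelper` and `GetPlaybackToken` are hypothetical names.

```csharp
// Added example, not from the original posts. Assumes the Azure Media Services
// v2 .NET SDK and an already authenticated CloudMediaContext.
using System;
using System.Linq;
using Microsoft.WindowsAzure.MediaServices.Client;
using Microsoft.WindowsAzure.MediaServices.Client.ContentKeyAuthorization;

public static class PlaybackTokenHelper   // hypothetical helper name
{
    // Returns a test token for an asset that already has an envelope key,
    // or null when no token-restricted envelope key is linked to it.
    public static string GetPlaybackToken(CloudMediaContext context, IAsset asset)
    {
        // Reuse the key linked at upload time. Creating a second key of the
        // same type is what raises the "already links to this asset" error.
        IContentKey key = asset.ContentKeys
            .FirstOrDefault(k => k.ContentKeyType == ContentKeyType.EnvelopeEncryption);
        if (key == null || string.IsNullOrEmpty(key.AuthorizationPolicyId))
            return null;

        IContentKeyAuthorizationPolicy policy = context.ContentKeyAuthorizationPolicies
            .Where(p => p.Id == key.AuthorizationPolicyId)
            .FirstOrDefault();
        if (policy == null)
            return null;

        // Locate the stored token restriction and read back its serialized template.
        ContentKeyAuthorizationPolicyRestriction restriction = policy.Options
            .SelectMany(o => o.Restrictions)
            .FirstOrDefault(r => r.KeyRestrictionType ==
                                 (int)ContentKeyRestrictionType.TokenRestricted);
        if (restriction == null)
            return null;

        TokenRestrictionTemplate template =
            TokenRestrictionTemplateSerializer.Deserialize(restriction.Requirements);

        // The key id is passed in case the template requires the
        // ContentKeyIdentifier claim; null means "sign with the primary key".
        Guid rawKey = EncryptionUtils.GetKeyIdAsGuid(key.Id);
        return TokenRestrictionTemplateSerializer.GenerateTestToken(template, null, rawKey);
    }
}
```

In the question's `Index()` action this would replace the `CreateEnvelopeTypeContentKey` and `GenerateToken` calls, so the token is signed on the server and the verification key never reaches the player.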