Technical sharing and tutorials

Use the AWS PHP SDK to decrypt the Elastic Transcoder HLS content protection key

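Encryption issues with Elastic Transcoder

When you use AWS Elastic Transcoder to generate an m3u8, you can encrypt the output, but if you choose "no store" for the encryption option you have to store the key yourself!
The question is how to get the key back out so the m3u8 can use it.

I went through the AWS documentation, and it glosses over all of this very vaguely!

When you create a job with Elastic Transcoder, you do not get the key; the key only exists once the job has completed. AWS is very vague about this!

Next you have to call the read job API to read the job detail, and only then does the key appear.
It looks roughly like this: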

read job api return:

//... (omitted)
[0] => Array
(
    [Format] => HLSv3
    [HlsContentProtection] => Array
        (
            [InitializationVector] => YN7QwmFqpzxItGbGV/zscg==
            [Key] => CiB5CwRcL0eOlJgho+ycs4ncAD8QfKcU2GYGWxfFtyC/xhKXAQEBAwB4eQsEXC9HjpSYIaPsnLOJ3AA/EHynFNhmBlsXxbcgv8YAAABuMGwGCSqGSIb3DQEHBqBfMF0CAQAwWAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAynlbHzBXwK+XQir4cCARCAK74rNnkfmi30zjpEPW8aee6O8HXTQk7Zhfssk/5uXS+NSWUrSe96u4z9KS0=
            [KeyMd5] => xQiDSQQtXwvlSMgx779Yxw==
            [KeyStoragePolicy] => NoStore
            [LicenseAcquisitionUrl] => https://example.com/datakey/
            [Method] => aes-128
        )

    [Name] => ntv3ls.m3u8
    [OutputKeys] => Array
        (
            [0] => ntv-
        )

    [PlayReadyDrm] => 
    [Status] => Complete
    [StatusDetail] => 
)
//... (omitted)

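Once you have it, where you store it is up to you!

But the problem is that this key is needed when the m3u8 is read.

AWS glosses over this part too!

I tried many combinations before I found the right way; EncryptionContext in particular had me stuck for a very long time!

Documentation reference: http://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html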

<?php
/**
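 * Decrypt an Elastic Transcoder HLS content protection key with AWS KMS
 * 
 * Takes the [Key] value returned by the read job API and calls KMS decrypt
 * with the Elastic Transcoder encryption context.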
 *
 * PHP version 5
 *
 * LICENSE: This source file is subject to version 3.01 of the PHP license
 * that is available through the world-wide-web at the following URI:
 * http://www.php.net/license/3_01.txt.  If you did not receive a copy of
 * the PHP License and are unable to obtain it through the web, please
 * send a note to license@php.net so we can mail you a copy immediately.
 *
 * @category   AWS
 * @package    KMS
 * @author     Frank Wang <frank@imusm.net>
 * @copyright  2016 IMUSM Studio
 * @license    http://www.php.net/license/3_01.txt  PHP License 3.01
 * @version    GIT:
 * @link       http://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html
 * @see        AWS, Aws\Kms\KmsClient
 * @since      File available since Release 0
 * @deprecated File deprecated in Release 0
 */

// Include the AWS SDK using the Composer autoloader
require '/var/www/vendor/autoload.php';

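// AWS config part
// Placeholders only; outside a demo, keep real credentials out of source
// (environment variables or an IAM role).
define('AWS_KEY', 'xxxxxxxx');
define('AWS_SECRET', 'xxxxxxxx');

use Aws\Kms\KmsClient;
// SDK v2-style factory() call
$client = KmsClient::factory(array(
        'key' => AWS_KEY,
        'secret' => AWS_SECRET,
        'region' => 'ap-northeast-1'
));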

// This value comes from the Elastic Transcoder read job detail.
// To produce the key for the m3u8 playlist, take the [Key] that the
// read job API returns and base64_decode it.
$ciphertextBlob = base64_decode('CiB5CwRcL0eOlJgho+ycs4ncAD8QfKcU2GYGWxfFtyC/xhKXAQEBAwB4eQsEXC9HjpSYIaPsnLOJ3AA/EHynFNhmBlsXxbcgv8YAAABuMGwGCSqGSIb3DQEHBqBfMF0CAQAwWAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAynlbHzBXwK+XQir4cCARCAK74rNnkfmi30zjpEPW8aee6O8HXTQk7Zhfssk/5uXS+NSWUrSe96u4z9KS0=');

// For the EncryptionContext, see http://docs.aws.amazon.com/elastictranscoder/latest/developerguide/encryption.html

$result = $client->decrypt(array(
    'CiphertextBlob' => $ciphertextBlob,
    // The context has to be supplied exactly like this, or the decrypt call fails
    'EncryptionContext' => array(
        'service' => 'elastictranscoder.amazonaws.com',
    ),
    // KeySpec is a GenerateDataKey parameter, not a Decrypt one, so it is not sent
));

// Plaintext is the decrypted HLS content key
echo $result['Plaintext'];
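
The script above only prints the decrypted key, while an HLS player expects the key URL to return exactly the 16 raw key bytes. As an added example (not from the original post or the AWS SDK), here is key-delivery logic that checks authorization and key length before answering; `hlsKeyResponse()`, `$kmsDecrypt` and `$isAuthorized` are hypothetical names, and a stub stands in for KMS so the block runs offline.

```php
<?php
/**
 * Build the HTTP response for an HLS AES-128 key request (hypothetical helper).
 *
 * @param callable $kmsDecrypt   fn(string $ciphertextBlob): string, for example a
 *                               wrapper around the KmsClient decrypt() call above
 * @param string   $storedKeyB64 the [Key] value saved from the read job result
 * @param bool     $isAuthorized result of your own session or token check
 * @return array   array(int status, array headers, string body)
 */
function hlsKeyResponse($kmsDecrypt, $storedKeyB64, $isAuthorized)
{
    // Never hand the content key to an unauthenticated caller.
    if (!$isAuthorized) {
        return array(403, array(), '');
    }
    // Strict mode rejects anything that is not valid base64.
    $blob = base64_decode($storedKeyB64, true);
    if ($blob === false || $blob === '') {
        return array(500, array(), '');
    }
    try {
        $key = call_user_func($kmsDecrypt, $blob);
    } catch (Exception $e) {
        // Log the failure class only; never log key material.
        error_log('HLS key decrypt failed: ' . get_class($e));
        return array(502, array(), '');
    }
    // AES-128 needs exactly 16 raw bytes; anything else (for example a key
    // that is still base64 text) would break playback, so refuse to serve it.
    if (!is_string($key) || strlen($key) !== 16) {
        return array(500, array(), '');
    }
    return array(200, array(
        'Content-Type'   => 'application/octet-stream',
        'Content-Length' => '16',
        'Cache-Control'  => 'no-store', // keep the key out of shared caches
    ), $key);
}

// Offline demo: stub instead of KMS, constructed 16-byte key (not a real one).
$stub = function ($blob) { return str_repeat("\x11", 16); };
$blobB64 = base64_encode('constructed-blob');
list($status, $headers, $body) = hlsKeyResponse($stub, $blobB64, true);
printf("authorized:   %d, %d key bytes\n", $status, strlen($body));
list($status) = hlsKeyResponse($stub, $blobB64, false);
printf("unauthorized: %d\n", $status);
```
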

When you use AWS Elastic Transcoder to generate an HLSv3 m3u8 playlist, if you choose not to store the encryption key, then you are responsible for storing it!

Now the problem is where to find the key. The AWS documentation doesn't show it in detail. After a lot of work, I finally found it!

The key shows up when you use the API to create a job and, after the job completes, use "read job" to get the key.
(or you can find it in the transcode job search console)

Then? Yes, you have the key, but how do you use it? Again, AWS doesn't show you the details!

I searched and searched and searched...

So I tried to use the AWS KMS API to decrypt it.
But the AWS KMS API has some very similar methods,
like Decrypt, GenerateDataKey...
I didn't know which one was the correct function.

Yes, and I tried them both!

Then the answer is above!

Thanks!

Wishing you a nice day!