awslabs / speke-reference-server Goto Github PK

Secure Packager and Encoder Key Exchange (SPEKE) is part of the AWS Elemental content encryption protection strategy for media services customers. SPEKE defines the standard for communication between our media services and digital rights management (DRM) system key servers. This project provides the basic framework that partners can specialize and extend to support their specific method of Digital Rights Management while utilizing AWS' video streaming solutions.

Home Page: https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html

License: Apache License 2.0

Shell 2.20% Python 97.80%

mediaconnect mediapackage speke drm encryption media video serverless

speke-reference-server's Introduction

SPEKE Reference Server

Secure Packager and Encoder Key Exchange (SPEKE) is part of the AWS Elemental content encryption protection strategy for media services customers. SPEKE defines the standard for communication between AWS Media Services and digital rights management (DRM) system key servers. SPEKE is used to supply keys to encrypt video on demand (VOD) content through AWS Elemental MediaConvert and for live content through AWS Elemental MediaPackage.

Take a look at high-level SPEKE documentation available on the AWS web site.

Setup

Use the provided CloudFormation template to deploy the reference key server into your AWS account. The reference SPEKE implementation provides a key server and key distribution cache for end-to-end segment encyption with HLS and DASH. Use it as an example and starting point when implementing a complete DRM solution with SPEKE.

The CloudFormation template creates an API Gateway, Lambda function, S3 bucket and CloudFront distribution and adds the needed settings for the reference server. Additionally, the template creates IAM policies and roles necessary for API Gateway, Lambda, Secrets Manager, S3 and CloudFront to interact.

The following diagram shows the primary components of the serverless SPEKE solution and the connectivity among the components during runtime. The diagram also shows one possible integration between AWS MediaPackage or AWS MediaConvert and SPEKE.

These sections will guide you through installation, testing and configuration of the SPEKE Reference Server.

Installation - This section includes installation instructions for API Gateway, Lambda deployment and AWS Elemental MediaPackage channel integration.
Test Cases - This page include several unit tests and manual test cases that can be used to verify operation of the SPEKE Reference Server. These test cases do not require integration with additional services.
AWS Elemental MediaPackage - This page documents steps that can be used to verify operation of the SPEKE Reference Server using AWS Elemental MediaPackage.
Contributing - This page includes the guidelines for contributing your enhancements, fixes and documentation to the project.
Code of Conduct - This is what we expect from all people interacting and contributing with the team.

SPEKE Reference Server Installation

The following page guides the user through deployment and configuration of the SPEKE Reference Server.

Prerequisites

An AWS account with administrator rights and access to the AWS console
Note that this solution can be deployed to any region that supports API Gateway, Lambda, and S3. You need to consider the packager or encoder's location relative to the API Gateway endpoint used to create encryption keys. The encoder, packager and SPEKE services should be in the same region or as geographically close as possible to reduce the request/response latency in key generation.

Building Cloudformation template and Lambda locally

Create a virtual environment for this project using python3 using steps outlined here.
Install dependencies within the virtual environment using pip3 install -r requirements.txt.
In zappa_settings.json under src, replace aws_region with the region this lambda will be deployed.
Run local_build.sh. If you are working on Mac/Windows, run the script with REQUIRES_SPEKE_SERVER_LAMBDA_LAYER=true to generate speke-libs lambda layer zip file. Note that Docker is required to build the zip file. See the sidenote below for more details about the lambda layer.
The script will generate required artifacts under build folder.
Create a new bucket in S3 (For example: speke-us-east-1). Create a folder called speke and upload the generated speke-reference lambda zip file. If you build with REQUIRES_SPEKE_SERVER_LAMBDA_LAYER=true, upload the generated speke-libs lambda layer zip file to the same folder too.
In the generated speke_reference.json, replace rodeolabz with the name of your created bucket (speke is used in this example).
Use the speke_reference.json template in CloudFormation to deploy the speke reference server following the instructions below.

Sidenote: Building the lambda on Mac/Windows

AWS Lambda environment is similar to Amazon Linux (AL2) and so a dependency that this reference server needs: cffi does not match the lambda runtime when built on a Windows/ macOS machine. When the reference server is run, it might result in an error: No module named '_cffi_backend'. To resolve this, it is required to create a lambda layer following the steps outlined here and then update the speke reference lambda function to reference this layer. The local_build.sh and speke_reference.json can help you to apply this solution.

Deploy using CloudFormation template

Sign in to the AWS console.
Choose a region such as us-east-1 or us-west-2 to start.
Navigate to the AWS CloudFormation console.
Create a new stack.
On the Select Template page, select Upload a template file and choose the generated speke_reference.json file prepared in the above section.
At the Specify Details pages, provide a stack name, like SPEKE.
Provide a value for the KeyRetentionDays parameter. This is the amount of time to retain a key in the S3 bucket for client playback. Keys older than this amount will be automatically removed by S3. The default is 2 days, which is usually enough for live content across multiple time zones.
Provide a value for the RequiresSPEKEServerLambdaLayer parameter. If you build and upload the speke-libs lambda layer zip file, set true to this parameter to create a lambda layer and associate it with the speke reference lambda function. Otherwise no lambda layer is created by default.
There are some Parameters which contain default values, this is for reference only and it is recommended that users modify this section of the reference server to return values such as playready header and pssh boxes according to their requirements.
The Options page does not require any input, although you can choose to be notified after the template completes.

When the template is complete you will have an operational reference SPEKE server that can be used for HLS encryption. You can review the Resources tab of the template to see what was created or updated, and the Outputs tab for the URL of the SPEKE server and the role ARN that permits MediaPackage access.

Limitations

This solution only supports key creation for the following DRM technologies: Widevine, Playready

This solution will send a blank CPIX response if the Apple Fairplay system ID is used.

For Speke V2.0, this solution works for Widevine, Playready and Fairplay Due to limitations on size of environment variables provided for a lambda, users must implement their own solution to create and send PSSH, ContentProtectionData and HLSSignalingData for the different DRM systems.

This solution only supports the contentProtection method to handle communication between the reference server solution and the Media Services. Users must implement copyProtectionData methods in order to handle client/player request to decrypt content.

speke-reference-server's People

Contributors

Stargazers

Watchers

Forkers

kennethsam kennethsamk erickma arielshad markitodelacruz turneremeato trevmex matt-otis abhimanyoo neoplastic spekulatif1 zcalvelli lucagervasi odadaisuke jmeadnz djunhoo ndinhbang purplepangolin jeremyjohnsonamazon junhuac artylok belalh cinetie chanakabr thmatuza deepakchoudhary lijinshan123 crvinay jaredjstewart jkjarvis jingood2 tabital0 natthaphong amphied yufegao shkw yhzhixin l-law rrobershaw-verimatrix verimatrix mahmoud-abduallah darkpanda08 johndiginee hakai-shin jamiepmullan naxa eddieramirez

speke-reference-server's Issues

Lambda zip for keyserver not updated during stack update

Need to make CloudFormation aware that the keyserver zip has changed and requires an update. Right now CF doesn't know about a code change since only the zip contents change.

CloudFront needs to whitelist Origin

The installation worked fine.

However, I had issues with my player regarding CORS with FireFox and Chrome on MacOS. The issue was that the Origin header wasn’t whitelisted and was causing issues on the client player side because this header was not sent when cached.

The cloudformation template for CloudFront needs to be updated to whitelist the header Origin (see below)

Externalize PSSH and other protection headers

These need to move from the source code to an external location such as:

Dedicated S3 bucket for settings
Environment variables on the Lambda

System ID comparisons must be case insensitive

Check system ID unique IDs with case insensitive comparison.

Zip file not building

When running local_build.sh on a mac with line 6 set to 'REQUIRES_SPEKE_SERVER_LAMBDA_LAYER=true'
the script does not build any file resembling the name " speke-reference lambda zip file."

it does build speke-libs-1694042533.zip

it does build a zip called ' cloudformation-resources-1694042533.zip' which contains three python files

can you update the docs or the script accordingly?

CloudWatch logs, events, metrics for SPEKE

SPEKE lambda currently posts operational messages to the account's CloudWatch service. Can SPEKE server be enhanced to also sent CloudWatch events for runtime problems, and metrics for key generation and client metrics from S3/CloudFront?

I Found redundant processing

ContentProtectionData is defined at here https://github.com/awslabs/speke-reference-server/blob/master/src/key_server_common.py#L93

and removed at here https://github.com/awslabs/speke-reference-server/blob/master/src/key_server_common.py#L96

Widevine( edef8ba9-79d6-4ace-a3c8-27dcd51d21ed ) don't need ContentProtectionData.

PSSH and protection header values as CloudFormation parameters

These are current exposed on the Lambda's environment variables.
Allow operators to override the default via the CloudFormation template parameter input.

Update automated tests to include new services

We should be testing most/all of the cloud resources used in the key generation pipeline.

Generate unique 'key string' for each resource ID encountered

Each resource ID should use a unique 'key string' value.
Store 'key string' with key name of resource ID in an S3 bucket.
Consider using a secured area of the existing key cache bucket, or generate a second private bucket.
If resource ID key name doesn't exist generate a new key string and store.
Expire old resource ID key strings after X (days, weeks, months) and force regeneration.

KID and KEY Override to support DASH + Widevine Test Server.

To support DASH + Widevine with the Test Widevine Server - The SPEKE Server would need to override the KID and KEY returned by the Widevine Test Server to succesfully package the content with the appropriate PSSH values.

Suggested approach is to be able to create additional environment variable fields for wv_key, and wv_kid which can then be used to encrypt the content using Widevine. Users of MediaPackage could configure these fields with values returned by the Widevine Test Server and then be used to validate playback.

is SPEKE mandatory for DRM integration between MediaPackage and DRM provider ?

Hi All,

Do I need to use SPEKE in order to stablish a communication between media Package and DRM provider?

I mean may I fill the key proxy address with my server ? Is it possible to mediapackage retrieves keys directly on my server ?

Or at least may I connect media package to my drm server bypassing speke? just using api gateway ?

Regards

SPEKE key is same for all Segemnts- No key Rotation.

I have created Job in MediaConvert
for Apple HLS AES-128 encryption by following guidance and setup the speke-reference-server.

but when I download the media file, for each segment the key is the same and it's not rotating for every segment.

used SystemId is: 81376844-f976-481e-a84e-cc25d39b0b33
Media File:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:13
#EXT-X-MEDIA-SEQUENCE:1
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-KEY:METHOD=AES-128,URI="https://d3dmokwem007n8.cloudfront.net/af4672a0-9605-4d2e-8818-60c1f5b1c3f4/66de1985-cc52-4cbe-a86c-38c2515fb3e7",IV=0x00000000000000000000000000000001
#EXTINF:12,
db72c853-97dc-4e22-866e-3909e0f2bd6eTest_01_00001.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://d3dmokwem007n8.cloudfront.net/af4672a0-9605-4d2e-8818-60c1f5b1c3f4/66de1985-cc52-4cbe-a86c-38c2515fb3e7",IV=0x00000000000000000000000000000002
#EXTINF:9,
db72c853-97dc-4e22-866e-3909e0f2bd6eTest_01_00002.ts
#EXT-X-ENDLIST

Need Help
or any suggestion to achieve a separate key for each segment.

Implementing EZDRM with this SPEKE setup

Hi All,

I am quite new to this so apologies.

I am looking to set up a SPEKE server with EZDRM.

I am following this guide for media convert: https://www.ezdrm.com/Documentation/EZDRM%20AWS%20MediaConvert%20v4.pdf

I set up the SPEKE Server using this template with Cloudformation all setup successfully:
https://s3.amazonaws.com/rodeolabz-us-east-1/speke/speke_reference.json

In the PDF document from EZDRM it gives you a zip file to download see: (Step 4: Edit the Key Server files)

In this, it asks you to add your username and password to the key_server_common.py here:

with urllib.request.urlopen('http://cpix.ezdrm.com/aws.aspx?m=' + mst + '&k=' + kid + '&u=<<USERNAME>>&p=<<PASSWORD>>&c=' + content_id) as response:
			html = response.read()
			EM.register_namespace("cpix", "urn:dashif:org:cpix")
			EM.register_namespace("pskc", "urn:ietf:params:xml:ns:keyprov:pskc")
			self.moot = EM.fromstring(html)

Then combine with key_server.py in a zip file called key_server.zip.

You then create use their Cloudformation template: python create_cloud_formation.py

I guess what I am asking is how would you implment this auth (username,password) for EZDRM with your SPEKE setup or do you always need to use the setup from the provider (EZDRM)

Question on SPEKE v2 Test Suite result

Hello.

I've implemented SPEKE v2.0 and working on the tests, though there are some errors occurring.

Two test cases failed, though when checking the assertion failure message, it seems as if there is a problem in the test case program itself.
Below are the pytest results and SPEKE responses for both tests.

test_basic_checks.py::test_sending_same_request_sent_twice_to_keyserver_without_key_rotation

The pattern match has failed, though when I compare both SPEKE responses, they are the same.

<?xml version="1.0" encoding="utf-8"?>
<cpix:CPIX xmlns:speke="urn:aws:amazon:com:speke" xmlns:pkcs="urn:ietf:params:xml:ns:keyprov:pskc" contentId="test_case_generic" version="2.3" xmlns:cpix="urn:dashif:org:cpix">
    <cpix:ContentKeyList>
        <cpix:ContentKey kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>uhtosRJEKYX8MHJv3ejbPw==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
        <cpix:ContentKey kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>0bqHTLGKxFRW/6G1DQW2Eg==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
    </cpix:ContentKeyList>
    <cpix:DRMSystemList>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="0f083e4e-b831-4a3d-917e-ce78076e54aa">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQDwg+TrgxSj2Rfs54B25Uqg==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDRFM0UwODBGMzFCODNENEE5MTdFQ0U3ODA3NkU1NEFBLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4NEUzRTA4MEYzMUI4M0Q0QTkxN0VDRTc4MDc2RTU0QUEsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUR3ZytUcmd4U2oyUmZzNTRCMjVVcWc9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQBB/dOn9eSEiny2Xpd1jpoA==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDNBREQxRjA0NUU3RjQ4NDhBN0NCNjVFOTc3NThFOUEwLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4M0FERDFGMDQ1RTdGNDg0OEE3Q0I2NUU5Nzc1OEU5QTAsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUJCL2RPbjllU0VpbnkyWHBkMWpwb0E9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
    </cpix:DRMSystemList>
    <cpix:ContentKeyUsageRuleList>
        <cpix:ContentKeyUsageRule kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" intendedTrackType="VIDEO">
            <cpix:VideoFilter />
        </cpix:ContentKeyUsageRule>
        <cpix:ContentKeyUsageRule kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" intendedTrackType="AUDIO">
            <cpix:AudioFilter />
        </cpix:ContentKeyUsageRule>
    </cpix:ContentKeyUsageRuleList>
</cpix:CPIX>

<?xml version="1.0" encoding="utf-8"?>
<cpix:CPIX xmlns:speke="urn:aws:amazon:com:speke" xmlns:pkcs="urn:ietf:params:xml:ns:keyprov:pskc" contentId="test_case_generic" version="2.3" xmlns:cpix="urn:dashif:org:cpix">
    <cpix:ContentKeyList>
        <cpix:ContentKey kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>uhtosRJEKYX8MHJv3ejbPw==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
        <cpix:ContentKey kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>0bqHTLGKxFRW/6G1DQW2Eg==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
    </cpix:ContentKeyList>
    <cpix:DRMSystemList>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="0f083e4e-b831-4a3d-917e-ce78076e54aa">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQDwg+TrgxSj2Rfs54B25Uqg==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDRFM0UwODBGMzFCODNENEE5MTdFQ0U3ODA3NkU1NEFBLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4NEUzRTA4MEYzMUI4M0Q0QTkxN0VDRTc4MDc2RTU0QUEsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUR3ZytUcmd4U2oyUmZzNTRCMjVVcWc9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQBB/dOn9eSEiny2Xpd1jpoA==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDNBREQxRjA0NUU3RjQ4NDhBN0NCNjVFOTc3NThFOUEwLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4M0FERDFGMDQ1RTdGNDg0OEE3Q0I2NUU5Nzc1OEU5QTAsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUJCL2RPbjllU0VpbnkyWHBkMWpwb0E9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
    </cpix:DRMSystemList>
    <cpix:ContentKeyUsageRuleList>
        <cpix:ContentKeyUsageRule kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" intendedTrackType="VIDEO">
            <cpix:VideoFilter />
        </cpix:ContentKeyUsageRule>
        <cpix:ContentKeyUsageRule kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" intendedTrackType="AUDIO">
            <cpix:AudioFilter />
        </cpix:ContentKeyUsageRule>
    </cpix:ContentKeyUsageRuleList>
</cpix:CPIX>

test_check_mandatory_elements.py::test_cpix_root_in_response

The namespace exists in the response, though there is an assertion failure.

<?xml version="1.0" encoding="utf-8"?>
<cpix:CPIX xmlns:speke="urn:aws:amazon:com:speke" xmlns:pkcs="urn:ietf:params:xml:ns:keyprov:pskc" contentId="test_case_generic" version="2.3" xmlns:cpix="urn:dashif:org:cpix">
    <cpix:ContentKeyList>
        <cpix:ContentKey kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>uhtosRJEKYX8MHJv3ejbPw==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
        <cpix:ContentKey kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" commonEncryptionScheme="cenc">
            <cpix:Data>
                <pkcs:Secret>
                    <pkcs:PlainValue>0bqHTLGKxFRW/6G1DQW2Eg==</pkcs:PlainValue>
                </pkcs:Secret>
            </cpix:Data>
        </cpix:ContentKey>
    </cpix:ContentKeyList>
    <cpix:DRMSystemList>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="0f083e4e-b831-4a3d-917e-ce78076e54aa">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQDwg+TrgxSj2Rfs54B25Uqg==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDRFM0UwODBGMzFCODNENEE5MTdFQ0U3ODA3NkU1NEFBLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFEd2crVHJneFNqMlJmczU0QjI1VXFnPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4NEUzRTA4MEYzMUI4M0Q0QTkxN0VDRTc4MDc2RTU0QUEsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUR3ZytUcmd4U2oyUmZzNTRCMjVVcWc9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0">
            <cpix:PSSH>AAAANHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABQIARIQBB/dOn9eSEiny2Xpd1jpoA==</cpix:PSSH>
            <cpix:ContentProtectionData>PGNlbmM6cHNzaD5BQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT08L2NlbmM6cHNzaD4=</cpix:ContentProtectionData>
            <cpix:HLSSignalingData playlist="media">I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUyxLRVlJRD0weDNBREQxRjA0NUU3RjQ4NDhBN0NCNjVFOTc3NThFOUEwLFVSST0iZGF0YTp0ZXh0L3BsYWluO2Jhc2U2NCxBQUFBTkhCemMyZ0FBQUFBN2UrTHFYbldTczZqeUNmYzFSMGg3UUFBQUJRSUFSSVFCQi9kT245ZVNFaW55MlhwZDFqcG9BPT0iLEtFWUZPUk1BVD0idXJuOnV1aWQ6ZWRlZjhiYTktNzlkNi00YWNlLWEzYzgtMjdkY2Q1MWQyMWVkIixLRVlGT1JNQVRWRVJTSU9OUz0iMSI=</cpix:HLSSignalingData>
            <cpix:HLSSignalingData playlist="master">I0VYVC1YLVNFU1NJT04tS0VZOk1FVEhPRD1TQU1QTEUtQUVTLEtFWUlEPTB4M0FERDFGMDQ1RTdGNDg0OEE3Q0I2NUU5Nzc1OEU5QTAsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFOSEJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQlFJQVJJUUJCL2RPbjllU0VpbnkyWHBkMWpwb0E9PSIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT05TPSIxIg==</cpix:HLSSignalingData>
        </cpix:DRMSystem>
    </cpix:DRMSystemList>
    <cpix:ContentKeyUsageRuleList>
        <cpix:ContentKeyUsageRule kid="0f083e4e-b831-4a3d-917e-ce78076e54aa" intendedTrackType="VIDEO">
            <cpix:VideoFilter />
        </cpix:ContentKeyUsageRule>
        <cpix:ContentKeyUsageRule kid="041fdd3a-7f5e-4848-a7cb-65e97758e9a0" intendedTrackType="AUDIO">
            <cpix:AudioFilter />
        </cpix:ContentKeyUsageRule>
    </cpix:ContentKeyUsageRuleList>
</cpix:CPIX>

Is there a problem in my implementation or is there a problem in the test case?

Thank you.

Test not working - ValueError: option names {'--speke-url'} already added

I have pulled the latest tests in this repo and done pip install. When running the tests with pipenv run pytest --speke-url "speke-url" in the folder I get the error ValueError: option names {'--speke-url'} already added.

I am running on windows with WSL 2. The previous test suit I was sent via email (I assume from before this repo was created) work fine. Comparing to the test suit I already have there is very little difference between the two.

Full output:

Deleting test case folders (if already present) and recreating them
============================================================================================== test session starts ==============================================================================================
platform linux -- Python 3.9.5, pytest-6.2.4, py-1.10.0, pluggy-0.13.1 -- /home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/bin/python
cachedir: .pytest_cache
metadata: {'Python': '3.9.5', 'Platform': 'Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.31', 'Packages': {'pytest': '6.2.4', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1'}}
rootdir: /mnt/c/Users/user/work/vudrm-dev-stack/integration-tests/cpix/speke_v2, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1
collected 0 items / 1 error

==================================================================================================== ERRORS =====================================================================================================
_________________________________________________________________________________________ ERROR collecting test session _________________________________________________________________________________________
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/pluggy/manager.py:127: in register
    hook._maybe_apply_history(hookimpl)
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/pluggy/hooks.py:333: in _maybe_apply_history
    res = self._hookexec(self, [method], kwargs)
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/pluggy/manager.py:93: in _hookexec
    return self._inner_hookexec(hook, methods, kwargs)
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/pluggy/manager.py:84: in <lambda>
    self._inner_hookexec = lambda hook, methods, kwargs: hook.multicall(
old/conftest.py:8: in pytest_addoption
    parser.addoption("--speke-url", help="Speke Key provider URL")
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/_pytest/config/argparsing.py:96: in addoption
    self._anonymous.addoption(*opts, **attrs)
/home/user/.local/share/virtualenvs/speke_v2-ovtJjYfD/lib/python3.9/site-packages/_pytest/config/argparsing.py:355: in addoption
    raise ValueError("option names %s already added" % conflict)
E   ValueError: option names {'--speke-url'} already added
------------------------------- generated html file: file:///mnt/c/Users/user/work/vudrm-dev-stack/integration-tests/cpix/speke_v2/reports/test_results_08-12-2022_13-14-47.html -------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
=============================================================================================== 1 error in 0.23s ================================================================================================

Issue with S3 bucket created via CloudFormation Template

Dear All.

If you deploy this solution using the CloudFormation Template, it will create a new S3 bucket from scratch and configure it as CloudFront origin as speke-reference-server-keybucket-xxxxxxxxxx.s3.amazonaws.com.
Now, the issue here is that when you create an S3 bucket from scratch in a specific region, it becomes immediately available as bucketname.s3-region.amazonaws.com, however it takes up to 24h to become available as bucketname.s3.amazonaws.com. Until that happens, a requested to bucketname.s3.amazonaws.com will be redirected by Amazon S3 to bucketname.s3-region.amazonaws.com
The consequence on this solution is that, when a client tries to retrieve a the DRM key via CloudFront, he will receive the following redirect, which will then result in a 403 (unless public read is allowed)

< HTTP/1.1 307 Temporary Redirect
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Connection: keep-alive
< x-amz-bucket-region: region
< Location: https://speke-reference-server-keybucket-xxxxxxxx.s3-region.amazonaws.com/3d4cc049-5a69-4a39-ae5b-a18a3afea187/6a2f99e4-60a3-4c4b-b7f0-ebe8fb60ceb0
< Date: Fri, 31 Dec 2021 05:39:19 GMT
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< Via: 1.1 18973cd357a68e16bd20873be51e8596.cloudfront.net (CloudFront)
< X-Amz-Cf-Pop: SYD62-P1
< X-Amz-Cf-Id: MPHg_smPSH6NMdO9kvKg6sgTMG2fLhaV6XWQhISfpOlevjXSzNF4NQ==

The error will persist until all the S3 information propagates, and a request to bucketname.s3.amazonaws.com stops redirecting to the specific regional endpoint.
To solve this, one just has to configure the CloudFront S3 origin with the regional endpoint, e.g. speke-reference-server-keybucket-xxxxxxxxxx.s3-region.amazonaws.com. instead of speke-reference-server-keybucket-xxxxxxxxxx.s3.amazonaws.com.

Hope this helps

Add access control example to reference server

Configure CloudFront to restrict access based on signed cookies.
Use Cognito with a simple user pool and known user/password.
Build sample playback page that required sign-in before decryptions keys can be accessed.

Failing tests due to missing setup

Hello,

I have followed the steps in the installation guide to create an instance of the SPEKE Reference Server using the hosted template and pre-built binaries.

When I run the manual test for the lambda Server, I get a successful response, but the encoded value in the <pskc:PlainValue element does not match that given in the Readme:

<pskc:PlainValue>IakD9BOe/LWABBMy43GXZw==</pskc:PlainValue>

rather than:

<pskc:PlainValue>ALzP1aOTJvzfqg9I12k2Vw==</pskc:PlainValue>

Similarly, if I run the automated tests, the assertions for the server tests fail:

======================================================================
FAIL: test_server (__main__.TestSPEKELambdas)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "lambda_tests.py", line 107, in test_server
    self.assertEqual(EXPECTED_SERVER_KEY, base64.b64decode(key.text))
AssertionError: b'\x00\xbc\xcf\xd5\xa3\x93&\xfc\xdf\xaa\x0fH\xd7i6W' != b'!\xa9\x03\xf4\x13\x9e\xfc\xb5\x80\x04\x132\xe3q\x97g'

Looking at the code in key_generator.py, it seems that the keys are generated as a function of a secret per contentId and the keyId itself. The secret values are randomly generated rather than set to a known value by the test setup which I think accounts for the different results. I presume that these tests must have either been added/amended after the secrets had been generated in the original environment so will work fine there, but not in a new environment with different generated secrets.

Externalize KEY_STRING in key_server_common

Externalize this string and regenerate for every CloudFormation install. Place this string in a settings bucket or use an environment variable on the Lambda.

Should this string be unique for the keyserver install, or unique for each system ID the keyserver is handling? Unique for each system ID might mean generating this string dynamically as new system IDs are encountered.

Safely modify XML document content inside SPEKE server

Some XML elements may not be present when modifying (removing/adding) XML document structure. Safely check for elements before trying to remove them to prevent failure during document construction.

Example:
drm_system.remove(drm_system.find("{urn:dashif:org:cpix}ContentProtectionData"))
drm_system.remove(drm_system.find("{urn:aws:amazon:com:speke}ProtectionHeader"))

Stuck at `CREATE_IN_PROGRESS` when creating CFn stack.

I can't create CFn stack. CFn just stuck in CREATE_IN_PROGRESS.

Reproduce

I referenced this installtion instruction to setup CFn stack at ap-northeast-1 region. https://github.com/awslabs/speke-reference-server/blob/b19f8ceb0b35135fc8dbe1bf39a41cc5d2f9595e/INSTALL.md

Can you reproduce this issue?

Don't you need to use cfn-response for CFn's lifecycle?

eg(key_server.py)↓

import cfnresponse
...
try:
  if event['RequestType'] == 'Delete' or event['RequestType'] == 'Create': 
    cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
...

Can we use only SPEKE key server without any DRM partner providers for DRM solution

Hello,

I want to build VOD service with DRM. So, can I use SPEKE reference service with AWS MediaConvert and MediaPackage without any DRM third party provider such as Pallycon?

Internal Server Error at the "Module: Digital Rights Management (DRM) and Encryption"

I finished the INSTALL.md, so I step up with the workflow/drm-vod.md, After I did the "Test link", The API returns this:

{
    "message": "Internal server error"
}

Did I do something wrong or I have another step to take before INSTALL.md?

Discussion about potential updates to SPEKE APIs

Hi All,

Not sure if this is the right place for this discussion, but trying here as a first starting point...

I know SPEKE is a proprietary interface created by AWS/Elemental, but also one that tries to be a global standard. As such, I was wondering whether there is a place where users can discuss future roadmap features, as in its current state SPEKE includes some significant constraints and limitations.

If there is a demand for such a discussion, and you think this is the right place for it - please comment on this issue.
If you are aware of a different place, more suitable for such a discussion - please let me know.

Thanks,
M

Run source through PEP8 for style and other conventions

10+ potential violations from previous releases.
Please re-run and review results.
Try pycharm.

Project now building due to dependency on older requests module

When building the project the following error is being raise:
ERROR: requests 2.23.0 has requirement urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1, but you'll have urllib3 1.26.5 which is incompatible.

Updating requirements.txt to use requests 2.25.1 seems to work.

HLS Manifest file doesn't include EXT-X-KEY as documentation

Hi Support Team,

I follow the guidance and setup the speke-reference-server in my AWS account. Then, I configure the copyProtection API for the HLS endpoint of MediaPackage as this doc. When I start the live streaming, the video still plays but I don't see the EXT-X-KEY value in index.m3u8 file. Below is the HLS Manifest . Note that I still use the System ID "81376844-f976-481e-a84e-cc25d39b0b33" . Please help advice on this.

#EXTM3U #EXT-X-VERSION:3 #EXT-X-INDEPENDENT-SEGMENTS #EXT-X-STREAM-INF:BANDWIDTH=788480,AVERAGE-BANDWIDTH=545600,RESOLUTION=512x288,FRAME-RATE=15.000,CODECS="avc1.4D4015,mp4a.40.2" index_5.m3u8 #EXT-X-STREAM-INF:BANDWIDTH=1492480,AVERAGE-BANDWIDTH=985600,RESOLUTION=640x360,FRAME-RATE=30.000,CODECS="avc1.4D401E,mp4a.40.2" index_1.m3u8 #EXT-X-STREAM-INF:BANDWIDTH=2196480,AVERAGE-BANDWIDTH=1425600,RESOLUTION=768x432,FRAME-RATE=30.000,CODECS="avc1.4D401E,mp4a.40.2" index_2.m3u8 #EXT-X-STREAM-INF:BANDWIDTH=3252480,AVERAGE-BANDWIDTH=2085600,RESOLUTION=960x540,FRAME-RATE=30.000,CODECS="avc1.4D401F,mp4a.40.2" index_3.m3u8 #EXT-X-STREAM-INF:BANDWIDTH=4836449,AVERAGE-BANDWIDTH=3075564,RESOLUTION=1280x720,FRAME-RATE=30.000,CODECS="avc1.4D401F,mp4a.40.2" index_4.m3u8

Thanks,
Duc

Regarding mediapackage_speke_endpoint.json Template

Hi, We want to nested this template in my master template. So, when we are trying to run mediapackage_speke_endpoint.json template it's asking for few parameters like channel ID, spekeurl etc which we are getting from speke-reference-server.json. Can you please let me know how can we add those parameter in my master template as we are unable to edit your template

Schedule for key rotation

Hi,
SPEKE only uses the ContentKeyPeriod@index for key rotation and not the start and end attributes. This creates issues to license servers that would like to be aware of key rotation schedule. This is needed for example to enable application to pre-fetch keys at specific times. More generally, this feature can assist license servers to provide licenses with their knowledge of what key needs to be delivered, without waiting for the player to read the keyID from the manifest.

Is there an assumption that the encryptor and not the key server manages the key rotation schedule?
If so, there needs to be a way to query the encryptor's schedule to understand which periodId/index will be applicable at any given time. I know this is out of SPEKE scope, but the issue can be solved within SPEKE.

If the key server would manage the key rotation schedule, it would be able to provide the encryptor with the keys, period index and time to do the key rotation as part of the CPIX response. It would also be able to serve keys with time information to the license server.

Can this be somehow introduced into SPEKE?

Thanks,
M

Add heartbeat API to reference server

https://docs.aws.amazon.com/speke/latest/documentation/heartbeat.html

GET https://[server]/[stage]/heartbeat

Bump Python runtime from 3.6 to >= 3.7

Hi!

I believe you are still using Python 3.6 as runtime for the Lambda function:
https://github.com/awslabs/speke-reference-server/blob/master/cloudformation/speke_reference.json#L249

Do you have any plan to bump Python's runtime from 3.6 to anything from 3.7 onwards?

AWS Lambda is deprecating Python 3.6 fully on Aug 17th, 2022:
https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html

This means that the existing function there won't be updatable (can still invoke is safely.)
Also, creating won't be possible anymore.

Thank you in advance for your answer!

ClientLambdaFunction

HI,

I downloaded the SPEKE reference implementation and setup the server using the template provided. I can't seem to find the ClientLambdaFunction to set the following parameter:

CLIENT_FUNCTION_NAME = "eke-server-EkeClientLambdaFunction-OK9F7TPIWV3L"

I don't see any steps for creating the client lambda function in the template.

Any idea where i can find this.

Thanks,
Teju

Missing Cloudfront cache behavior config for CORS

As per the Cloudfront documentation you need to add the Origin header to the whitelisted Headers on the default cache behavior. Otherwise, the requests will be missing the CORS headers when served from cache.

Example requests :
Hit from cache :

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< content-type: binary/octet-stream
< content-length: 16
< date: Wed, 08 Apr 2020 16:09:54 GMT
< last-modified: Tue, 31 Mar 2020 00:17:31 GMT
< etag: "59493f9fbd62894c3a89cccfee7457c7"
< x-amz-server-side-encryption: AES256
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront

Miss from cache:

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< content-type: binary/octet-stream
< content-length: 16
< date: Wed, 08 Apr 2020 16:10:58 GMT
< access-control-allow-origin: *
< access-control-allow-methods: GET
< access-control-max-age: 3000
< last-modified: Tue, 31 Mar 2020 00:17:31 GMT
< etag: "59493f9fbd62894c3a89cccfee7457c7"
< x-amz-server-side-encryption: AES256
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Miss from cloudfront

Hit from cache after whitelisting Origin :

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< content-type: binary/octet-stream
< content-length: 16
< date: Wed, 08 Apr 2020 16:12:32 GMT
< access-control-allow-origin: *
< access-control-allow-methods: GET
< access-control-max-age: 3000
< last-modified: Tue, 31 Mar 2020 00:17:31 GMT
< etag: "59493f9fbd62894c3a89cccfee7457c7"
< x-amz-server-side-encryption: AES256
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront

Support all methods of the CPIX transfer protocol

[BaseURL]/copyProtectionData/{{CPIX_ID}}
Where [BaseURL] is the scheme and host(e.g. https://acme-drm-service.com) of the target
resource.
Method: POST
Behaviour: The request to create copyProtectionData for an encryptor.
RequestBody:
Element: //CPIX
Definition: A CPIX element.
ResponseBody:
Element: //CPIX
Definition: A CPIX element.
—
[BaseURL]/copyProtectionData/{{CPIX_ID}}
Where [BaseURL] is the scheme and host(e.g. https://acme-drm-service.com) of the target
resource.
Method: GET
Behaviour: Return copyProtectionData for the referenced CPIX_ID.
RequestBody:
Element: NONE
ResponseBody:
Element: //CPIX
Definition: A CPIX element.
—
[BaseURL]/copyProtectionData/{{CPIX_ID}}
Where [BaseURL] is the scheme and host(e.g. https://acme-drm-service.com) of the target
resource.
Method: PUT
Behaviour: Update copyProtectionData referenced by the CPIX_ID
RequestBody:
Element: //CPIX
Definition: A CPIX element.
ResponseBody:
Element: NONE
—
[BaseURL]/copyProtectionData/{{CPIX_ID}}
Where [BaseURL] is the scheme and host(e.g. https://acme-drm-service.com) of the target
resource.
Method: DELETE
Behaviour: Delete/purge copyProtectionData referenced by the CPIX_ID.
RequestBody:
Element: NONE
ResponseBody:
Element: NONE

Add eu-west-2 to the hosting regions for the install files

Add eu-west-2 to the hosting regions for the install files.

cpix:MacMethod under DeliveryData element

On https://docs.aws.amazon.com/speke/latest/documentation/content-key-encryption-v2.html, the example showed for the response includes a cpix:KeyType element under the cpix:MacMethod element which is of pskc:MACMethodType type. Any reason for using cpix:KeyType there ?
See here the schema.

awslabs / speke-reference-server Goto Github PK

speke-reference-server's Introduction

SPEKE Reference Server

Setup

SPEKE Reference Server Installation

Prerequisites

Building Cloudformation template and Lambda locally

Sidenote: Building the lambda on Mac/Windows

Deploy using CloudFormation template

Limitations

speke-reference-server's People

Contributors

Stargazers

Watchers

Forkers

speke-reference-server's Issues

test_basic_checks.py::test_sending_same_request_sent_twice_to_keyserver_without_key_rotation

test_check_mandatory_elements.py::test_cpix_root_in_response

Reproduce

Recommend Projects

Recommend Topics

Recommend Org