13

Has anyone had any luck getting encrypted streaming to work with Apple's HTTP Live Streaming using openssl? It seems I'm almost there but my video doesn't play but I don't get any errors in Safari either (like "Video is unplayable" or "You don't have permission to play this video" when I got the key wrong).

#bash script:
keyFile="key.txt"
openssl rand 16 > $keyFile
hexKey=$(cat key.txt | hexdump -e '"%x"')
hexIV='0'
openssl aes-128-cbc -e -in $fileName -out $encryptedFileName -p -nosalt -iv ${hexIV}  -K ${hexKey}


#my playlist file:
#EXTM3U
#EXT-X-TARGETDURATION:000020
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="key.txt"
#EXTINF:20, no desc
test.ts.enc
#EXT-X-ENDLIST

I was using these docs as a guide:

https://datatracker.ietf.org/doc/html/draft-pantos-http-live-streaming

Community
  • 1
  • 1
Rob
  • 231
  • 1
  • 2
  • 9
  • You've encrypted the file. Why would you expect Safari to be able to "play" ciphertext? – President James K. Polk Jun 09 '10 at 23:19
  • 1
    For more context on this question: http://developer.apple.com/iphone/library/documentation/networkinginternet/conceptual/streamingmediaguide/introduction/introduction.html http://tools.ietf.org/html/draft-pantos-http-live-streaming – Rob Jun 09 '10 at 23:24
  • Hmmm... looks like you did everything right. The spec does not specify the padding, but that shouldn't hurt you until the very end if at all. – President James K. Polk Jun 10 '10 at 00:53
  • In newer version of openssl (>= 1.1.1) `-iv` is required if `-K` is given – Ham Oct 10 '22 at 08:16

4 Answers4

10

Okay, I figured it out... My hexdump command was wrong. It should be:

hexKey=$(cat key.txt | hexdump -e '16/1 "%02x"')
Rob
  • 231
  • 1
  • 2
  • 9
7

Also keep in mind the following, if you have more than 1 TS "chunk", and you're looking for a bit-exact replacement for the Apple encryption pipeline. By default, the Apple encryption tool updates the IV (initialization vector) parameter for each of the chunks, which "increases the strength of the cipher," according to the Pantos spec.

Implementing this just means that the sequence number needs to be encoded in hex and passed as the -iv parameter to openssl:

#!/bin/bash
keyFile="key.txt"
openssl rand 16 > $keyFile
hexKey=$(cat key.txt | hexdump -e '"%x"')
# hexIV='0'
for i in {0..number_of_TS_chunks}
do
    hexIV=`printf '%032x' $i`
    openssl aes-128-cbc -e -in $fileName -out $encryptedFileName -p -nosalt -iv ${hexIV} -K ${hexKey}
done
nburger
  • 71
  • 2
4

Combining information from three of the above (the OP, the fix for hexdump and the IV information) yielded a working solution for us. Namely:

openssl rand 16 > static.key

key_as_hex=$(cat static.key | hexdump -e '16/1 "%02x"')

for i in {0..9}; do
    init_vector=`printf '%032x' $i`
    openssl aes-128-cbc -e -in video_low_$(($i+1)).ts -out video_low_enc_$(($i+1)).ts -p -nosalt -iv $init_vector -K $key_as_hex
done
barryo
  • 41
  • 2
0

Unfortunately I don't have the tools to experiment with this. It looks like you carefully followed the spec. One thing I would do is sniff the network do make sure the key.txt file is getting downloaded to Safari. I would also try explicitly picking the IV using the IV attribute of the EXT-X-KEY tag, e.g. 

#EXT-X-KEY:METHOD=AES-128,URI="key.txt",IV=0x00000000000000000000000000000000
President James K. Polk
  • 40,516
  • 21
  • 95
  • 125
  • Yea, I tried setting the IV explicitly but I got the same result. I can confirm that the key.txt is being fetched, and I've also got real errors from the video element by changing some bytes in key.txt ("You are not authorized to open this file"). – Rob Jun 10 '10 at 17:17