SK..R1 Integrity failure in KSM

Hi,


I have a question regarding encrypted content playback on Safari(9.1)/Yosemite(10.10.5) with FPS. I already have KSM with DFunction implmentation and a valid FPS certificate. I also have ran into those test vectors from DFunction and verified that they are all working. However, if I use sample Javascript code provided as part of SDK, I am getting a kDRMSKDServerIntegrityErr=-42589 inside SDKServerProcessEncrypted_SK_R1 function in KSM. I also tried setting those rental related values (from the other forum post), but it still doesn't work yet. My KSM works fine alone with sample SPC.bin, test pem and hard-coded DAsk, but I get that integrity error when using proper DFunction + Ask + FPS cert + private key + Sample Javascript code. It seems that SPC is properly generated via EME process, but SPC doesn't seem to pass the integrity test. For some reasons, verify_ckc doesn't seem to spit out anything when I test EME generated SPC (base64EncodeUint8Array(event,message). I have tried with provided encrypted muxed and non-muxed test contents, but it doesn't seem to work on both. Please let me know if I am missing anything or there is anything else to try.


Thanks,

Brandon

Up vote post of progmize Down vote post of progmize
1.7k views
Posted by
progmize
Reply
Add a Comment

Replies

Probably not the same issue and maybe an obvious thing to have confirmed already, but just in case :-).

The content type of the license request is "application/x-www-form-urlencoded", but the FPS sample doesn't URI encode the SPC message.

The HTTP framework we used on the KSM side automatically URI decoded the received parameters.

Because of that invalid data was passed to the KSM.

To fix we use encodeURIComponent() on the SPC message before sending.

Posted by
anders.u
Up vote reply of anders.u Down vote reply of anders.u
Add a Comment

Thank you for the reply.


I have already incorporated what you are mentioning because the same decoding issue happened to me earlier in the process.

It looks like the request goes all the way up to SDKServerProcessEncrypted_SK_R1(.). This means SPC parsing and decryption were all done, but it doesn't seem like the decrypted SK...R1 integrity value doesn't match with the SK..R1 in TLLV block. This seems to be a bit odd, and I am sure where else I should look for.

Posted by
progmize
Up vote reply of progmize Down vote reply of progmize
Add a Comment

Hi progmize,

We are having the same issue, did you find the answer?

Any help will be appreciated.

thanks

Posted by
dvidal
Up vote reply of dvidal Down vote reply of dvidal
Add a Comment

If the integrity check is failing then your DFunction implmentation could be the issue still - the test vectors dont cover the whole implementation, you can only confirm that you have generated the correct C_r value I beleive.


Two things to check here:


1.)Is the Ask value you are using paried with the client certificate used to generate the SPC? (These should have been provisioned at the same time)

2.)Are you using AES-ECB cipher mode + no padding to encrypt the C_r value in order to generate the final DAsk?

Posted by
karlg_arris
Up vote reply of karlg_arris Down vote reply of karlg_arris
Add a Comment

Hi dvidal

We are facing the same issue did u come across any solution?

Posted by
abhi88
Up vote reply of abhi88 Down vote reply of abhi88
Add a Comment