What is the error about?
MSPR_E_NO_DECRYPTOR_AVAILABLE: Failure occurred when attempting to find a correct PlayReady decryptor object - no decryptor was found. [0x8004B896]
What is a PlayReady decryptor object? Is this the WRMHEADER or what?
I'm trying to play PlayReady/DASH video in the dash.js player. I can see that the manifest has been loaded, the PlayReady license request and response have happened and are correct, and EME reports that the content key is added to the media session. But playback does not start and shows the error above.
I can decrypt the content manually by the content key. PlayReady header object is parsable both in manifest and in init segments. Content key checksum is correct.
You are attempting to play back content for which you do not have a valid content key. This is very likely due to including license policy that the current machine cannot fulfill. You should ensure that the policy you have in the license can be fulfilled.
Related
I can stream the '~/test/test.mp4' file while the secure token setting is 'Do NOT use SecureToken'.
But I can't stream the '~/test/test.mp4' file while the secure token setting is 'Protect all protocols using hash (SecureToken version 2)'.
Also, I can stream the '~/test.mp4' file while the secure token setting is 'Protect all protocols using hash (SecureToken version 2)'.
Example:
Do NOT use SecureToken
success
rtmp://example.com:1935/vod/_definst_/mp4:test/test.mp4
success
rtmp://example.com:1935/vod/mp4:test.mp4
Protect all protocols using hash (SecureToken version 2)
fail
rtmp://jungslab.com:1935/vod/_definst_/mp4:test/test.mp4?wowzatokenendtime=1461729940&wowzatokenstarttime=1461719140&wowzatokenhash=nB0hdUG-U60WAQ-wV5lIRD0e3tbCCXk3tBWrLXxb90M=
success
rtmp://example.com:1935/vod/mp4:test.mp4?wowzatokenendtime=1461729868&wowzatokenstarttime=1461719068&wowzatokenhash=KpioKfCCQQoeVT4lwLUnwC2xhDG-HOS2kRtAx5PEHhY=
How do I access a subdirectory file in Wowza that uses secure token?
The problem with Wowza here seems to be with parsing the query string. If you can't change the content directory in your vod/Application.xml (or you don't want to do so) to the test subdirectory (or any other mount), you may try moving the query string right after the instance specification app/(definst?qs=/file) or use a plugin to obey the directory structure completely.
Address to try for your file could be:
rtmp://jungslab.com:1935/vod/_definst_?wowzatokenendtime=1461729940&wowzatokenstarttime=1461719140&wowzatokenhash=nB0hdUG-U60WAQ-wV5lIRD0e3tbCCXk3tBWrLXxb90M=/mp4:test/test.mp4
(adjust your token info so that it is valid)
Depending on the version/build that you have, there was a previous bug found (on 4.3.0.01 and earlier) where subdirectories were not parsed correctly with Secure Token enabled. You should try:
rtmp://jungslab.com:1935/vod/mp4:_definst_/test/test.mp4?wowzatokenendtime=1461729940&wowzatokenstarttime=1461719140&wowzatokenhash=nB0hdUG-U60WAQ-wV5lIRD0e3tbCCXk3tBWrLXxb90M=
You will need to re-generate your hash since your stream path has changed.
Alternatively, you can install the latest build from Wowza, since the fix should be in the latest available patch.
As a troubleshooting tool, you can add the Boolean properties securityDebugLogRejections and securityDebugLogDetails to your conf/appName/Application.xml file to output additional debug information to your logs/wowzastreamingengine_access.log file. In particular, you can see what string the server is using to generate the hash, and why the received hash was rejected.
I've created and signed a new executable file (the file is signed with double signature SHA1 and SHA256 and timestamped).
Since 1/1/2016 if I try to download it from Internet Explorer (or Microsoft Edge) I get an error (saying the signature is corrupted).
SmartScreen also says that the file is not signed.
If I look at the file from the properties, it has the two signatures.
Can you help me understand what the problem is?
Here's the link for the download PhraseExpander setup file
Thanks.
This is what I wrote here:
valid certificate is corrupt with IE
I still don't have a solution, because I am not able to request a SHA-2 certificate. But you can't download any application from the web with a SHA-1 certificate anymore.
Class 3 certificates are a step above the Class 2. Class 2 does not require “Extended Validation”. However the “EV” code signing certificates combine all of the regular benefits of digitally-signed code with a rigorous extended validation process. They represent the gold standard for authentication and security in code signing certificates. EV code signing certificates adhere to strict validation standards from the CA/Browser Forum and to Microsoft specifications. Enhanced authentication is provided via an encrypted token containing the private key.
Sporadically I had UnauthorizedException when requesting the documents from DocumentDB. The issue looks similar to Azure DocumentDB - The MAC signature found in the HTTP request is not the same as the computed signature, so I believe that problem is not solved.
Microsoft.Azure.Documents.UnauthorizedException :
Message: "The MAC signature found in the HTTP request is not the same as the computed signature.
Request URI: rntbd://db5prdddc01-docdb-1.documents.azure.com:14245/apps/35e0fabb-e03e-48d4-90ad-7b91b63c0153/services/9bb95f7b-9ad6-4128-a66a-de68279d5124/partitions/44a24d42-a85c-42cc-98c4-fc8a733245ac/replicas/130953283548138839p/
UPDATE: The issue was fixed, special thanks to Andrew Liu!
Happy to hear you are no longer experiencing this issue :)
Posting here for everyone else's benefit...
If you see an issue like this, it means that there is an authentication header mismatch between the application and database. This can be a result of many things... including an incorrect auth key, system clocks out of sync, or an issue with how the auth header is generated.
First-Party DocumentDB SDKs
If you are using one of DocumentDB's 1st party client SDKs - it's most likely an incorrect auth key or a system clock issue...
If those look good, then there is a bug on DocumentDB's end. If you are experiencing issues - please contact me (askcosmosdb {at} microsoft.com) with a few activity ids + timestamps + stacktrace, and I can help you look into the issue.
Rest API
The header is rather tricky to put together... Here are some tips for constructing the auth header:
All parameters (verbs, resource type, date, etc.) must be lower case prior to signing EXCEPT when using id-based routing.
For id-based routing, you will need to sign the full path to the resource (e.g. dbs/MyDatabase/colls/MyCollection/docs/MyDocument); not just the resource's id (e.g. MyDocument). Please note that the path is case-sensitive... while, all the other parameters should be lower case.
The key is Base64 encoded.
The text to be signed should be utf-8 encoded.
The generated auth token is a SHA256 HMAC and should be Base64 encoded.
As with all HTTP headers, the signature (including the signed token) should be URL encoded (e.g. + needs to be encoded as %2B).
Full documentation and sample code, see: https://msdn.microsoft.com/en-US/library/azure/dn783368.aspx
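The tips above put together, as an added example that is not part of the original answer or Microsoft's sample code. It assumes the string-to-sign layout (verb, resource type, resource link, date, empty line, each newline-terminated) and the `type=master&ver=1.0&sig=` token format from the REST documentation linked above; the key, the function names and `explain_mismatch` are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo key in Base64 form; not a real account key.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-for-example").decode("ascii")


def string_to_sign(verb, resource_type, resource_link, date, id_based=True):
    # Everything is lower-cased except an id-based resource path, which is
    # case-sensitive and must be the full path, not just the resource id.
    link = resource_link if id_based else resource_link.lower()
    return f"{verb.lower()}\n{resource_type.lower()}\n{link}\n{date.lower()}\n\n"


def auth_header(verb, resource_type, resource_link, date, key_b64, id_based=True):
    key = base64.b64decode(key_b64)              # the key is Base64 encoded
    text = string_to_sign(verb, resource_type, resource_link, date, id_based)
    mac = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode("ascii")  # Base64 of the SHA256 HMAC
    # URL-encode the whole token so '+', '/' and '=' survive in the header.
    return quote(f"type=master&ver=1.0&sig={sig}", safe="")


def explain_mismatch(sent, verb, resource_type, resource_link, date, key_b64):
    """Name the common signing mistake that reproduces a rejected header."""
    candidates = {
        "ok": resource_link,
        "path lower-cased": resource_link.lower(),
        "only the id signed": resource_link.rsplit("/", 1)[-1],
    }
    for label, link in candidates.items():
        expected = auth_header(verb, resource_type, link, date, key_b64)
        if hmac.compare_digest(sent, expected):
            return label
    return "unknown (check key and clock)"


if __name__ == "__main__":
    date = "Thu, 27 Apr 2017 00:51:12 GMT"       # must equal the x-ms-date header
    path = "dbs/MyDatabase/colls/MyCollection/docs/MyDocument"
    print(auth_header("GET", "docs", path, date, DEMO_KEY))
```

Running `explain_mismatch` against a header the service rejected separates a signing-string mistake from the key or clock problems mentioned earlier in the answer.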
Check for a static client method. It is possible that you are using a client with a Read-only Key by mistake.
Trying to write using a Read-only Key throws that exception.
I faced the same problem while I used the primary connection string; when I changed the connection string to secondary, it worked for me.
We were able to resolve the issue with the workaround below:
In Azure Portal -> Azure Cosmos DB for MongoDB -> -> Connection strings, there will be
Read-write Keys
Read-only Keys
If you get an error while reading, use the PRIMARY CONNECTION STRING in Read-only Keys.
If you get an error while writing, use the PRIMARY CONNECTION STRING in Read-write Keys.
Use it based on what your application is doing.
Second Bind() call failed with license expired for a non-persistent license in PlayReady
I am working to support one service:
The playback sequence of the service is below:
do WI.
Call Bind() --> failed with License not found
do LA (Acquire License).
call Bind() -- success
call commit -- success
call Manifest URL
Player tries to play the content.
It finds that the content is encrypted.
Bind() --> failed with License expired.
My Question:
Why does the second Bind() fail with License expired?
The license type from the service provider is non-persistent.
Is there any other reason behind this license expiry?
On what basis will Microsoft PlayReady give license expired for a non-persistent license type?
Please help me regarding this.
Nonpersistent licenses are only usable for one playback, not until the application is restarted. As far as the PlayReady Device Porting Kit is concerned, one playback is equal to one Drm_Reader_Bind() call. This is why your second call fails.
While the information about license persistence is public, any more in-depth information is NDA-protected and I cannot discuss it on a public website. If you need further help and can prove that you work for a PlayReady licensee, feel free to contact me for a one-on-one chat via saares#axinom.com.
So I came across this new tag in HTML5, <keygen>. I can't quite figure out what it is for, how it is applied, and how it might affect browser behavior.
I understand that this tag is for form encryption, but what is the difference between <keygen> and having an SSL certificate for your domain? Also, what is the challenge attribute?
I'm not planning on using it as it is far from implemented in an acceptable range of browsers, but I am curious as to what EXACTLY this tag does. All I can find is vague cookie-cutter documentation with no real examples of usage.
Edit:
I have found a VERY informative document, here. This runs through both client-side and server-side implementation of the keygen tag.
I am still curious as to what the benefit of this over a domain SSL certificate would be.
SSL is about "server identification" or "server AND client authentication (mutual authentication)".
In most cases only the server presents its server-certificate during the SSL handshake so that you could make sure that this really is the server you expect to connect to. In some cases the server also wants to verify that you really are the person you pretend to be. For this you need a client-certificate.
The <keygen> tag generates a public/private key pair and then creates a certificate request. This certificate request will be sent to a Certificate Authority (CA). The CA creates a certificate and sends it back to the browser. Now you are able to use this certificate for user authentication.
You're missing some history. keygen was first supported by Netscape when it was still a relevant browser. IE, OTOH, supported the same use cases through its ActiveX APIs. Opera and WebKit (or even KHTML), unwilling to reverse-engineer the entire Win32 API, reverse-engineered keygen instead.
It was specified in Web Forms 2.0 (which has now been merged into the HTML specification), in order to improve interoperability between the browsers that implemented it.
Since then, the IE team has reiterated their refusal to implement keygen, and the specification (in order to avoid turning into dry science fiction) has been changed to not require an actual implementation:
Note: This specification does not
specify what key types user agents are
to support — it is possible for a user
agent to not support any key types at
all.
In short, this is not a new element, and unless you can ignore IE, it's probably not what you want.
If you're looking for "exactly" then I'd recommend reading the RFC.
The keygen element is for creating a key for authentication of the user while SSL is concerned about privacy of communication and the authentication of the server. Quoting from the RFC:
This specification does not specify how the private key generated is to be used. It is expected that after receiving the SignedPublicKeyAndChallenge (SPKAC) structure, the server will generate a client certificate and offer it back to the user for download; this certificate, once downloaded and stored in the key store along with the private key, can then be used to authenticate to services that use TLS and certificate authentication.
Deprecated
This feature has been removed from the Web standards. Though some
browsers may still support it, it is in the process of being dropped.
Avoid using it and update existing code if possible. Be aware that
this feature may cease to work at any time.
Source
The doc is useful to elaborate on what the keygen element is. Its requirement arises in WebID, which may be understood to be part of the Semantic Web of Linked Data, as seen at https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html#creating-a-certificate 2.1.1
This might be useful for websites that provide services where people need to pay for the service, like video on demand, or a news website for professionals like Bloomberg. With these keys people can only watch the content on their computer and not on simultaneous computers! You decide how data is stored and processed. You can specify a .asp or .php file that will receive the variables, and your file will store that key in the user profile. This way your users will not be able to log in from a different computer if you want. You may force them to check their email to authorize that new computer, just like Steam does. Basically it allows you to individualize service access, if your licensing model is per machine, like an operating system.
You can check the specs here:
http://www.w3.org/TR/html-markup/keygen.html