如何进行HLS的加密与播放

本文提供了创建HLS标准加密工作流到播放加密视频的一个完整步骤。

操作步骤

HLS标准加密架构,请参见HLS的加密与播放

  1. 创建HLS加密工作流。

    控制台方式创建HLS加密工作流,请参见阿里云私有加密

    接口方式创建HLS加密工作流,DEMO代码,请参见创建HLS标准加密工作流

    说明

    创建HLS标准工作流时,为了测试,参数HLS_KEY_URI值填http://127.0.0.1:8888。播放时,播放器会在该地址请求密钥,媒体处理会在本地启动服务,进行分发密钥。

  2. 上传及加密视频。

    在控制台的媒体库中,上传视频,选择工作流时,选择刚刚创建的HLS标准加密工作流,上传完成后,会自动触发加密转码。待状态为发布时,进行下一步。

  3. 开启本地鉴权服务。

    搭建一个本地HTTP服务,作为播放HLS标准加密视频的鉴权服务,颁发及验证MtsHlsUriToken令牌。

    Java示例代码依赖:

    Java SDK Core

    Java SDK KMS

    Base64解密示例:

  4. import com.sun.net.httpserver.*;
    import com.sun.net.httpserver.spi.HttpServerProvider;
    
    import java.io.IOException;
    import java.io.OutputStream;
    import java.net.HttpURLConnection;
    import java.net.InetSocketAddress;
    
    /**
     * *****   使用须知     ******
     * 本demo Base64方式解密服务代码示例
     * demo中端口号为8888, 请注意与KeyUri解密服务端口保持一致
     * 如果您需要额外的Token令牌校验, 请参考kms方式解密服务的实现逻辑
     *
     * *****   逻辑概述     ******
     * 1、接收解密请求,获取密文密钥
     * 2、将明文密钥base64decode返回
     */
    public class Base64DecryptServer {
    
        public static void main(String[] args) throws IOException {
            Base64DecryptServer server = new Base64DecryptServer();
            server.startService();
        }
    
        public class Base64DecryptHandler implements HttpHandler {
            /**
             * 处理解密请求
             * @param httpExchange
             * @throws IOException
             */
            public void handle(HttpExchange httpExchange) throws IOException {
                String requestMethod = httpExchange.getRequestMethod();
                if ("GET".equalsIgnoreCase(requestMethod)) {
                    // 此处的解密密钥需要和加密时候的密钥一致
                    byte[] key = "encryptionkey128".getBytes();
                    // 设置header
                    setHeader(httpExchange, key);
                    // 返回base64decode之后的密钥
                    OutputStream responseBody = httpExchange.getResponseBody();
                    System.out.println(new String(key));
                    responseBody.write(key);
                    responseBody.close();
                }
            }
            private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
                Headers responseHeaders = httpExchange.getResponseHeaders();
                responseHeaders.set("Access-Control-Allow-Origin", "*");
                httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
            }
        }
        /**
         * 服务启动
         * @throws IOException
         */
        private void startService() throws IOException {
            HttpServerProvider provider = HttpServerProvider.provider();
            //监听端口8888,能同时接受30个请求
            HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8888), 30);
            httpserver.createContext("/", new Base64DecryptHandler());
            httpserver.start();
            System.out.println("base64 hls decrypt server started");
        }
    
    }

KMS解密示例:

import com.aliyun.mps.sdk.utils.InitClient;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.kms.model.v20160120.DecryptRequest;
import com.aliyuncs.kms.model.v20160120.DecryptResponse;
import com.sun.net.httpserver.*;
import com.sun.net.httpserver.spi.HttpServerProvider;
import org.apache.commons.codec.binary.Base64;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * *****   使用须知     ******
 * 本demo 为未开启标准加密改写时的kms方式解密服务代码示例, 不包含MtsHlsUriToken的校验逻辑
 * 什么是标准加密改写 以及 MtsHlsUriToken如何生成  参考  xxxxxxxxxxxx
 * demo中端口号为8888, 请注意与KeyUri解密服务端口保持一致
 *
 * *****   逻辑概述     ******
 * 1、接收解密请求,获取密文密钥
 * 2、调用KMS decrypt接口通过Ciphertext获取明文密钥 
 * 3、将明文密钥base64decode返回
 */
public class HlsDecryptServerNoToken {

    private static DefaultAcsClient client;
    static {
        try{
            client = InitClient.initMpsClient();
        }catch (Exception e){
            e.printStackTrace();
        }
    }

    public static void main(String[] args) throws IOException {
        HlsDecryptServerNoToken server = new HlsDecryptServerNoToken();
        server.startService();
    }

    public class HlsDecryptHandler implements HttpHandler {
        public void handle(HttpExchange httpExchange) throws IOException {
            String requestMethod = httpExchange.getRequestMethod();
            if(requestMethod.equalsIgnoreCase("GET")){
                //从URL中取得密文密钥
                String ciphertext = getCiphertext(httpExchange);
                System.out.println(ciphertext);
                if (null == ciphertext)
                    return;
                //从KMS中解密出来,并Base64 decode
                byte[] key = decrypt(ciphertext);
                //设置header
                setHeader(httpExchange, key);
                //返回密钥
                OutputStream responseBody = httpExchange.getResponseBody();
                responseBody.write(key);
                responseBody.close();
            }
        }

        private void setHeader(HttpExchange httpExchange, byte[] key) throws IOException {
            Headers responseHeaders = httpExchange.getResponseHeaders();
            responseHeaders.set("Access-Control-Allow-Origin", "*");
            httpExchange.sendResponseHeaders(HttpURLConnection.HTTP_OK, key.length);
        }

        private byte[] decrypt(String ciphertext) {
            DecryptRequest request = new DecryptRequest();
            request.setCiphertextBlob(ciphertext);
            request.setProtocol(ProtocolType.HTTPS);
            try {
                DecryptResponse response = client.getAcsResponse(request);
                String plaintext = response.getPlaintext();
                //注意:需要base64 decode
                return Base64.decodeBase64(plaintext);
            } catch (ClientException e) {
                e.printStackTrace();
                return null;
            }
        }
        private String getCiphertext(HttpExchange httpExchange) {
            URI uri = httpExchange.getRequestURI();
            String queryString = uri.getQuery();
            String pattern = "Ciphertext=(\\w*)";
            Pattern r = Pattern.compile(pattern);
            Matcher m = r.matcher(queryString);
            if (m.find())
                return m.group(1);
            else {
                System.out.println("Not Found Ciphertext");
                return null;
            }
        }
    }

    /**
     * 服务启动
     *
     * @throws IOException
     */
    private void startService() throws IOException {
        HttpServerProvider provider = HttpServerProvider.provider();
        //监听端口8888,能同时接受30个请求, 可自行更改端口
        HttpServer httpserver = provider.createHttpServer(new InetSocketAddress(8888), 30);
        httpserver.createContext("/", new HlsDecryptHandler());
        httpserver.start();
        System.out.println("no token hls decrypt server started");
    }

}

  1. Python示例代码依赖:

pip install aliyun-python-sdk-core

pip install aliyun-python-sdk-kms

pip install aliyun-python-sdk-mts

# -*- coding: UTF-8 -*- 
from BaseHTTPServer import BaseHTTPRequestHandler
from aliyunsdkcore.client import AcsClient
from aliyunsdkkms.request.v20160120 import DecryptRequest
import cgi
import json
import base64
import urlparse
client = AcsClient("","","");
class AuthorizationHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.check()
self.set_header()
cipertext = self.get_cihpertext()
plaintext = self.decrypt_cihpertext(cipertext)
print plaintext
key = base64.b64decode(plaintext)
print key
self.wfile.write(key)
def do_POST(self):
pass
def check(self):
#check MtsHlsUriToken, etc.
pass
def set_header(self):
self.send_response(200)
#cors
self.send_header('Access-Control-Allow-Origin', '*')
self.end_headers()
def get_cihpertext(self):
path = urlparse.urlparse(self.path)
query = urlparse.parse_qs(path.query)
return query.get('Ciphertext')[0]
def decrypt_cihpertext(self, cipertext):
request = DecryptRequest.DecryptRequest()
request.set_CiphertextBlob(cipertext)
response = client.do_action_with_exception(request)
jsonResp = json.loads(response)
return jsonResp["Plaintext"]
if __name__ == '__main__':
# Start a simple server, and loop forever
from BaseHTTPServer import HTTPServer
print "Starting server, use  to stop"
server = HTTPServer(('127.0.0.1', 8888), AuthorizationHandler)
server.serve_forever()
  1. 可通过查询媒体接口,获取播放地址。请参见查询媒体-使用媒体ID

  2. 播放视频。

    借助一个在线播放器,测试HLS加密视频的播放。更多详情,请参见阿里云播放器用户诊断工具

    将获取的播放地址,如图填入对话框中,单击视频播放

    说明

    通过浏览器DEBUG,可以看到播放器自动请求了鉴权服务器,获取解密密钥,并进行解密播放。