Get a signing key from the existing policy


Note

Google Widevine content protection services are currently unavailable in the Azure China regions.

One of the key design principles of the v3 API is to make the API more secure. v3 APIs do not return secrets or credentials on Get or List operations. For more information, see RBAC and Media Services accounts.

The example in this article shows how to use .NET to get a signing key from the existing policy.

Download

Clone the GitHub repository that contains the full .NET sample to your machine using the following command:

git clone https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials.git

The ContentKeyPolicy with secrets example is located in the EncryptWithDRM folder.

Get ContentKeyPolicy with secrets

To get to the key, use GetPolicyPropertiesWithSecretsAsync, as shown in the example below.

private static async Task<ContentKeyPolicy> GetOrCreateContentKeyPolicyAsync(
    IAzureMediaServicesClient client,
    string resourceGroupName,
    string accountName,
    string contentKeyPolicyName,
    byte[] tokenSigningKey)
{
    ContentKeyPolicy policy = await client.ContentKeyPolicies.GetAsync(resourceGroupName, accountName, contentKeyPolicyName);

    if (policy == null)
    {
        ContentKeyPolicySymmetricTokenKey primaryKey = new ContentKeyPolicySymmetricTokenKey(tokenSigningKey);
        List<ContentKeyPolicyTokenClaim> requiredClaims = new List<ContentKeyPolicyTokenClaim>()
        {
            ContentKeyPolicyTokenClaim.ContentKeyIdentifierClaim
        };
        List<ContentKeyPolicyRestrictionTokenKey> alternateKeys = null;
        ContentKeyPolicyTokenRestriction restriction 
            = new ContentKeyPolicyTokenRestriction(Issuer, Audience, primaryKey, ContentKeyPolicyRestrictionTokenType.Jwt, alternateKeys, requiredClaims);

        ContentKeyPolicyPlayReadyConfiguration playReadyConfig = ConfigurePlayReadyLicenseTemplate();
        // ContentKeyPolicyFairPlayConfiguration fairplayConfig = ConfigureFairPlayPolicyOptions();

        List<ContentKeyPolicyOption> options = new List<ContentKeyPolicyOption>();

        options.Add(
            new ContentKeyPolicyOption()
            {
                Configuration = playReadyConfig,
                // If you want to set an open restriction, use
                // Restriction = new ContentKeyPolicyOpenRestriction()
                Restriction = restriction
            });

        // Add the CBCS ContentKeyPolicyOption to the list.
        // options.Add(
        //     new ContentKeyPolicyOption()
        //     {
        //         Configuration = fairplayConfig,
        //         Restriction = restriction,
        //         Name = "ContentKeyPolicyOption_CBCS"
        //     });

        policy = await client.ContentKeyPolicies.CreateOrUpdateAsync(resourceGroupName, accountName, contentKeyPolicyName, options);
    }
    else
    {
        // Get the signing key from the existing policy.
        var policyProperties = await client.ContentKeyPolicies.GetPolicyPropertiesWithSecretsAsync(resourceGroupName, accountName, contentKeyPolicyName);
        var restriction = policyProperties.Options[0].Restriction as ContentKeyPolicyTokenRestriction;
        if (restriction != null)
        {
            var signingKey = restriction.PrimaryVerificationKey as ContentKeyPolicySymmetricTokenKey;
            if (signingKey != null)
            {
                TokenSigningKey = signingKey.KeyValue;
            }
        }
    }
    return policy;
}
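
The else branch above reads only Options[0] and leaves TokenSigningKey unset when that option is not a token restriction with a symmetric key. The helper below is an added example, not code from the sample repository; it checks every option and throws instead of continuing without a key. The class and method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Media;
using Microsoft.Azure.Management.Media.Models;

public static class SigningKeyLookup
{
    // Hypothetical helper: returns the symmetric primary verification key of the
    // first token-restricted option that has one, or throws if none exists.
    public static async Task<byte[]> GetSymmetricSigningKeyAsync(
        IAzureMediaServicesClient client,
        string resourceGroupName,
        string accountName,
        string contentKeyPolicyName)
    {
        // Get and List operations do not return secrets; this call does.
        ContentKeyPolicyProperties properties =
            await client.ContentKeyPolicies.GetPolicyPropertiesWithSecretsAsync(
                resourceGroupName, accountName, contentKeyPolicyName);

        foreach (ContentKeyPolicyOption option in properties.Options)
        {
            // Skip open restrictions and anything else that is not token based.
            if (!(option.Restriction is ContentKeyPolicyTokenRestriction restriction))
            {
                continue;
            }

            // RSA and X.509 verification keys hold public key material only,
            // so only a symmetric key can be reused to sign tokens.
            if (restriction.PrimaryVerificationKey is ContentKeyPolicySymmetricTokenKey symmetricKey
                && symmetricKey.KeyValue != null
                && symmetricKey.KeyValue.Length > 0)
            {
                return symmetricKey.KeyValue;
            }
        }

        throw new InvalidOperationException(
            $"Content key policy '{contentKeyPolicyName}' has no token restriction with a symmetric primary key.");
    }
}
```

Returning the key to the caller, rather than storing it in a static field, keeps the secret scoped to the code that signs tokens.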

Next steps

Design of a multi-DRM content protection system with access control