Create content keys with REST

Media Services enables you to deliver encrypted assets. A ContentKey provides secure access to your Assets.

When you create a new asset (for example, before you upload files), you can specify one of the following encryption options: StorageEncrypted, CommonEncryptionProtected, or EnvelopeEncryptionProtected.

When you deliver assets to your clients, you can configure the assets to be dynamically encrypted with one of the following two encryption types: DynamicEnvelopeEncryption or DynamicCommonEncryption.

Encrypted assets have to be associated with ContentKeys. This article describes how to create a content key.

The following are the general steps for generating content keys that you associate with the assets you want to encrypt.

  1. Randomly generate a 16-byte AES key (for common and envelope encryption) or a 32-byte AES key (for storage encryption).

    This is the content key for your asset, which means all files associated with that asset need to use the same content key during decryption.

  2. Call the GetProtectionKeyId and GetProtectionKey methods to get the correct X.509 certificate that must be used to encrypt your content key.

  3. Encrypt your content key with the public key of the X.509 certificate.

    The Media Services .NET SDK uses RSA with OAEP when doing the encryption. You can see an example in the EncryptSymmetricKeyData function.

  4. Create a checksum value (based on the PlayReady AES key checksum algorithm) calculated from the key identifier and the content key. For more information, see the "PlayReady AES Key Checksum Algorithm" section of the PlayReady Header Object document.

    The following .NET example calculates the checksum using the GUID part of the key identifier and the clear content key.

     using System;
     using System.Security.Cryptography;

     // PlayReady AES key checksum: AES-ECB-encrypt the 16-byte key id (in Guid.ToByteArray()
     // byte order) under the clear content key, keep the first 8 bytes and base64-encode them.
     public static string CalculateChecksum(byte[] contentKey, Guid keyId)
     {
         byte[] array = null;
         using (AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider())
         {
             aesCryptoServiceProvider.Mode = CipherMode.ECB;      // a single block, no chaining
             aesCryptoServiceProvider.Key = contentKey;           // 16-byte (common/envelope) or 32-byte (storage) key
             aesCryptoServiceProvider.Padding = PaddingMode.None; // the input is exactly one AES block
             ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateEncryptor();
             array = new byte[16];
             cryptoTransform.TransformBlock(keyId.ToByteArray(), 0, 16, array, 0);
         }
         byte[] array2 = new byte[8];
         Array.Copy(array, array2, 8); // the checksum is the first 8 bytes of the encrypted block
         return Convert.ToBase64String(array2);
     }
    
  5. Create the content key with the EncryptedContentKey (converted to a base64-encoded string), ProtectionKeyId, ProtectionKeyType, ContentKeyType, and Checksum values you obtained in the previous steps.

  6. Associate the ContentKey entity with your Asset entity through the $links operation.

This article does not show how to generate an AES key, encrypt the key, or calculate the checksum.
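The steps the article leaves out (the key-size rule of step 1, the RSA-OAEP wrapping of step 3 and the checksum of step 4) are shown below in Go as an added example; this is not code from the article or from the Media Services SDK. It assumes the SDK's OAEP uses the SHA-1 defaults, and that the certificate returned by GetProtectionKey has been parsed with x509.ParseCertificate so that cert.PublicKey.(*rsa.PublicKey) can be passed in. The one detail that is easy to get wrong outside .NET is that the checksum is computed over the Guid.ToByteArray() byte layout, not over the GUID's bytes in reading order.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// dotNetGuidBytes reproduces Guid.ToByteArray(): first three GUID fields little-endian, last two big-endian.
func dotNetGuidBytes(keyID string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimPrefix(keyID, "nb:kid:UUID:"), "-", ""))
	if err != nil || len(raw) != 16 {
		return nil, fmt.Errorf("malformed key id %q", keyID)
	}
	out := make([]byte, 16)
	out[0], out[1], out[2], out[3] = raw[3], raw[2], raw[1], raw[0]
	out[4], out[5], out[6], out[7] = raw[5], raw[4], raw[7], raw[6]
	copy(out[8:], raw[8:])
	return out, nil
}

// Checksum is the PlayReady AES key checksum of step 4: one AES-ECB block of the
// key id under the clear content key, first 8 bytes, base64 (matches CalculateChecksum).
func Checksum(contentKey []byte, keyID string) (string, error) {
	kid, err := dotNetGuidBytes(keyID)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(contentKey) // 16-byte (common/envelope) or 32-byte (storage) key
	if err != nil {
		return "", err
	}
	block.Encrypt(kid, kid) // single block, in place; ECB with no padding as in the .NET sample
	return base64.StdEncoding.EncodeToString(kid[:8]), nil
}

// EncryptContentKey is step 3: RSA-OAEP under the protection certificate's public key
// (SHA-1 OAEP is assumed to match the .NET SDK), base64 for the EncryptedContentKey field.
func EncryptContentKey(pub *rsa.PublicKey, contentKey []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}
```

Checksum accepts both the bare GUID and the nb:kid:UUID: form of the Id that the ContentKeys endpoint returns.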

Note

When accessing entities in Media Services, you must set specific header fields and values in your HTTP requests. For more information, see Setup for Media Services REST API Development.

Connect to Media Services

For information on how to connect to the AMS API, see Access the Azure Media Services API with Azure AD authentication.

Retrieve the ProtectionKeyId

The following example shows how to retrieve the ProtectionKeyId, the thumbprint of the certificate you must use when encrypting your content key. Do this step to make sure that you already have the appropriate certificate on your machine.

Request:

GET https://media.chinacloudapp.cn/api/GetProtectionKeyId?contentKeyType=0 HTTP/1.1
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
User-Agent: Microsoft ADO.NET Data Services
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
Host: media.chinacloudapp.cn

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 139
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Server: Microsoft-IIS/8.5
request-id: 2b6aa7a4-3a09-4b08-b581-26b55667f817
x-ms-request-id: 2b6aa7a4-3a09-4b08-b581-26b55667f817
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 04 Feb 2015 02:42:52 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#Edm.String","value":"7D9BB04D9D0A4A24800CADBFEF232689E048F69C"}

Retrieve the ProtectionKey for the ProtectionKeyId

The following example shows how to retrieve the X.509 certificate using the ProtectionKeyId you received in the previous step.

Request:

GET https://media.chinacloudapp.cn/api/GetProtectionKey?ProtectionKeyId='7D9BB04D9D0A4A24800CADBFEF232689E048F69C' HTTP/1.1
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
User-Agent: Microsoft ADO.NET Data Services
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: 78d1247a-58d7-40e5-96cc-70ff0dfa7382
Host: media.chinacloudapp.cn

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1227
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Server: Microsoft-IIS/8.5
x-ms-client-request-id: 78d1247a-58d7-40e5-96cc-70ff0dfa7382
request-id: 1523e8f3-8ed2-40fe-8a9a-5d81eb572cc8
x-ms-request-id: 1523e8f3-8ed2-40fe-8a9a-5d81eb572cc8
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 05 Feb 2015 07:52:30 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#Edm.String",
"value":"<X.509 CERTIFICATE VALUE OMITTED>"}

Create the ContentKey

After you have retrieved the X.509 certificate and used its public key to encrypt your content key, create a ContentKey entity and set its property values accordingly.

One of the values that you must set when creating the content key is its type. Choose one of the following values:

public enum ContentKeyType
{
    /// <summary>
    /// Specifies a content key for common encryption.
    /// </summary>
    /// <remarks>This is the default value.</remarks>
    CommonEncryption = 0,

    /// <summary>
    /// Specifies a content key for storage encryption.
    /// </summary>
    StorageEncryption = 1,

    /// <summary>
    /// Specifies a content key for configuration encryption.
    /// </summary>
    ConfigurationEncryption = 2,

    /// <summary>
    /// Specifies a content key for Envelope encryption.  Only used internally.
    /// </summary>
    EnvelopeEncryption = 4
}

The following example shows how to create a ContentKey with ContentKeyType set to storage encryption ("1") and ProtectionKeyType set to "0", indicating that the protection key ID is the X.509 certificate thumbprint.

Request:

POST https://media.chinacloudapp.cn/api/ContentKeys HTTP/1.1
Content-Type: application/json
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
User-Agent: Microsoft ADO.NET Data Services
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
Host: media.chinacloudapp.cn
{
"Name":"ContentKey",
"ProtectionKeyId":"7D9BB04D9D0A4A24800CADBFEF232689E048F69C", 
"ContentKeyType":"1", 
"ProtectionKeyType":"0",
"EncryptedContentKey":"your encrypted content key",
"Checksum":"calculated checksum"
}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 777
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://media.chinacloudapp.cn/api/ContentKeys('nb%3Akid%3AUUID%3A9c8ea9c6-52bd-4232-8a43-8e43d8564a99')
Server: Microsoft-IIS/8.5
request-id: 76e85e0f-5cf1-44cb-b689-b3455888682c
x-ms-request-id: 76e85e0f-5cf1-44cb-b689-b3455888682c
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 04 Feb 2015 02:37:46 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeys/@Element",
"Id":"nb:kid:UUID:9c8ea9c6-52bd-4232-8a43-8e43d8564a99","Created":"2015-02-04T02:37:46.9684379Z",
"LastModified":"2015-02-04T02:37:46.9684379Z",
"ContentKeyType":1,
"EncryptedContentKey":"your encrypted content key",
"Name":"ContentKey",
"ProtectionKeyId":"7D9BB04D9D0A4A24800CADBFEF232689E048F69C",
"ProtectionKeyType":0,
"Checksum":"calculated checksum"}

Associate the ContentKey with an Asset

After creating the ContentKey, associate it with your Asset using the $links operation, as shown in the following example:

Request:

POST https://media.chinacloudapp.cn/api/Assets('nb%3Acid%3AUUID%3Afbd7ce05-1087-401b-aaae-29f16383c801')/$links/ContentKeys HTTP/1.1
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Content-Type: application/json
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
Host: media.chinacloudapp.cn


{"uri":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeys('nb%3Akid%3AUUID%3A01e6ea36-2285-4562-91f1-82c45736047c')"}

Response:

HTTP/1.1 204 No Content 
