The VideoLAN Forums

Hello everybody,

First of all, I have to say that I quite new to VLC.

Even though I am new to VLC I have already played with the code of VLC at the module level.

What I am trying to do is to extract from a server some crypto keys in order to decrypt a Transport Stream ( MPEG_TS module modules/demux/ts.c).
I have already modified the module to perform the decryption with fixed keys and it works ok.

What I do not know is where and how to perform the key acquisition.

Let's say that the url that points to the server has the following form <my_own_url_prefix>://<server_address>.

Should I modify the MPEG_TS module in order to support the shortcut <my_own_url_prefix> and then perform the acquisition of the keys in the Open procedure ?

From my point of view, a better approach is to define a new module where the acquisition is performed and then "pass" the keys to the MPEG_TS module. My problem is that I do not understand
how the modules interact between them. I have been looking at the zip and rar modules (stream filter) in order to learn how the modules interact. I can envisage how they are linked but I do not fully understand the process and I do not know how to apply that to my problem.

What type of module should I write ? access , stream_filter , if so how will I "call" or induce the load of the MPEG_TS module and pass the keys to that module ?

I have been thinking about the possibility of writing a lua script for extracting the keys in lua scripts but I do not know if it is the best place.I need to establish a secure HTTPS connection and I do not know how to do it in lua.

Sorry for any missconceptions about VLC, I will be very grateful to someone that can guide me to a better design of the solution.

Best Regards

Fernando Gomez

Is the stream encrypted at the file level? Access level? Inside the file (DVB-CSA like) ?

First, many thanks for your answer.

Yes, it is, in fact what I have done is to follow the CSA code and use it as a guide.

If you need further detail, please tell me.

Sorry, I think my previous answer is not clear.

It is encrypted inside the file DVB-CSA like.

So, you need to do the decryption inside the TS demuxer.

Either you do another thread in the TS demuxer that gets the key regularly like a DVB-CMM, or you do another module with control capability and you request it from your DVB module.

An access module provides a byte stream from an location string (MRL). It's used for transport-specific decryption, such as TLS (HTTP), or DVB-CI (DVB).
A stream filter module converts a byte stream into another byte stream. It could be used for file or byte stream decryption, as it is already used for decompression (gzip, Bzip2, XZ).
A demux module parses a byte stream and splits it into elementary streams. They tend to be intricate and adding decryption makes things worse.
Then there are packetizers and decoders.

Also access_demux module combine the functionality access and demux (and bypass any stream filters), splitting elementary streams directly from a location string. It's used where the bytestream abstraction is inadequate, e.g. (Secure) RTP.

Thanks very much for you answer. I have not replied earlier since I have been busy trying to implement it.

I think I have not explained very well what are the actions to be performed in order to decrypt the TS stream.
They are the following in chronological order:

1)Contact a web server securely (using HTTPS) and get a file that contains 2 infos:

a) the location of the TS stream using a url. For example:

rtp://<multicast address> if it is sent using rtp or
http://<web server>/<path_to>/file.ts
file:///<path_to>/file.ts

b) the AES encryption key is composed of two values: key and iv) . The keys are not dynamic, they are fixed for the specifc TS stream

2) Set the encryption key value in the corresponding variables of the ts module.
The ts module includes already the AES functionality and I have defined a couple of variables: ts-aes-ck and ts-aes-iv.
I have checked it and is working with a TS file encrypted using AES.

3) "Call" or "Activate" the ts demux module. My first problem comes from the fact that stream could be served via http/rtp /file .
So it seems that the access module to be "called/activated" should be the corresponding module htt/rtp/file and then it should pass the data to the ts demux module.

I have tried to define a stream_filter module that perform the above steps, but I have not been able to achieve it. I see how the Open/Peek/Read/Control/Close functions are called but I do not know how to proceed.

Thanks again for your support.

Indeed, if your encryption scheme is independent of the transport protocol, you do not want to implement the deciphering in an access module.

First, thanks for your reply.

You are right, I would like to isolate the steps that compose the decyphering process in my case:

1) the obtention of the keys and the location of the stream.
2) accesing the TS stream (using either rtp/http/file)
3) performing the decryption of the TS stream. This is already implemented.

I currently can perform steps 2) and 3), with a fixed key and specifying the location of the stream.

I can perform the step 1), but what I am not able to do is to set the keys and location of the stream and to fire up steps 2) and 3)

What I am not able to do is to perform do not My problem comes from

Sorry, I forgot to delete the last sentence in my last post

There are roughly two ways that's typically done: a service discovery plugin that creates playlist items when enabled, or implement an access plugin that generates the byte stream of a playlist file on the fly.

Is there any other access module that does generate the playlist? I have seen the zip and rar modules but they are stream_filter modules.

I think I am able to generate the playlist but once it is generated how do I "start" the corresponding access module (xpsf I guess) that should process it ? any other module that does a similar thing ?

Many thanks

The only example I know is the DVB input scan.

I have not found where the dvb scan builds a xpsf playlist.

However it seems the directory module could be a good candidate for it. It seems it is an access module that creates a playlist. Do you agree?

Ah yes that one too.