initial services

2026-03-30 10:46:39 +07:00
commit 2d97c3d34a
28 changed files with 78273 additions and 0 deletions
--- a/NF/MSL/schemes/EntityAuthentication.py
+++ b/NF/MSL/schemes/EntityAuthentication.py
@@ -0,0 +1,59 @@
+from .. import EntityAuthenticationSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class EntityAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the entity associated with a message.
+        https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29
+
+        :param scheme: Entity Authentication Scheme identifier
+        :param authdata: Entity Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def Unauthenticated(cls, identity):
+        """
+        The unauthenticated entity authentication scheme does not provide encryption or authentication and only
+        identifies the entity. Therefore entity identities can be harvested and spoofed. The benefit of this
+        authentication scheme is that the entity has control over its identity. This may be useful if the identity is
+        derived from or related to other data, or if retaining the identity is desired across state resets or in the
+        event of MSL errors requiring entity re-authentication.
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Unauthenticated,
+            authdata={"identity": identity}
+        )
+
+    @classmethod
+    def Widevine(cls, devtype, keyrequest):
+        """
+        The Widevine entity authentication scheme is used by devices with the Widevine CDM. It does not provide
+        encryption or authentication and only identifies the entity. Therefore entity identities can be harvested
+        and spoofed. The entity identity is composed from the provided device type and Widevine key request data. The
+        Widevine CDM properties can be extracted from the key request data.
+
+        When coupled with the Widevine key exchange scheme, the entity identity can be cryptographically validated by
+        comparing the entity authentication key request data against the key exchange key request data.
+
+        Note that the local entity will not know its entity identity when using this scheme.
+
+        > Devtype
+
+        An arbitrary value identifying the device type the local entity wishes to assume. The data inside the Widevine
+        key request may be optionally used to validate the claimed device type.
+
+        :param devtype: Local entity device type
+        :param keyrequest: Widevine key request
+        """
+        return cls(
+            scheme=EntityAuthenticationSchemes.Widevine,
+            authdata={
+                "devtype": devtype,
+                "keyrequest": keyrequest
+            }
+        )
--- a/NF/MSL/schemes/KeyExchangeRequest.py
+++ b/NF/MSL/schemes/KeyExchangeRequest.py
@@ -0,0 +1,80 @@
+import base64
+
+from .. import KeyExchangeSchemes
+from ..MSLObject import MSLObject
+
+
+# noinspection PyPep8Naming
+class KeyExchangeRequest(MSLObject):
+    def __init__(self, scheme, keydata):
+        """
+        Session key exchange data from a requesting entity.
+        https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29
+
+        :param scheme: Key Exchange Scheme identifier
+        :param keydata: Key Request data
+        """
+        self.scheme = str(scheme)
+        self.keydata = keydata
+
+    @classmethod
+    def AsymmetricWrapped(cls, keypairid, mechanism, publickey):
+        """
+        Asymmetric wrapped key exchange uses a generated ephemeral asymmetric key pair for key exchange. It will
+        typically be used when there is no other data or keys from which to base secure key exchange.
+
+        This mechanism provides perfect forward secrecy but does not guarantee that session keys will only be available
+        to the requesting entity if the requesting MSL stack has been modified to perform the operation on behalf of a
+        third party.
+
+        > Key Pair ID
+
+        The key pair ID is included as a sanity check.
+
+        > Mechanism & Public Key
+
+        The following mechanisms are associated public key formats are currently supported.
+
+            Field 	    Public  Key Format 	Description
+            RSA 	    SPKI 	RSA-OAEP    encrypt/decrypt
+            ECC 	    SPKI 	ECIES       encrypt/decrypt
+            JWEJS_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption JSON Serialization
+            JWE_RSA 	SPKI 	RSA-OAEP    JSON Web Encryption Compact Serialization
+            JWK_RSA 	SPKI 	RSA-OAEP    JSON Web Key
+            JWK_RSAES 	SPKI 	RSA PKCS#1  JSON Web Key
+
+        :param keypairid: key pair ID
+        :param mechanism: asymmetric key type
+        :param publickey: public key
+        """
+        return cls(
+            scheme=KeyExchangeSchemes.AsymmetricWrapped,
+            keydata={
+                "keypairid": keypairid,
+                "mechanism": mechanism,
+                "publickey": base64.b64encode(publickey).decode("utf-8")
+            }
+        )
+
+    @classmethod
+    def Widevine(cls, keyrequest):
+        """
+        Google Widevine provides a secure key exchange mechanism. When requested the Widevine component will issue a
+        one-time use key request. The Widevine server library can be used to authenticate the request and return
+        randomly generated symmetric keys in a protected key response bound to the request and Widevine client library.
+        The key response also specifies the key identities, types and their permitted usage.
+
+        The Widevine key request also contains a model identifier and a unique device identifier with an expectation of
+        long-term persistence. These values are available from the Widevine client library and can be retrieved from
+        the key request by the Widevine server library.
+
+        The Widevine client library will protect the returned keys from inspection or misuse.
+
+        :param keyrequest: Base64-encoded Widevine CDM license challenge (PSSH: b'\x0A\x7A\x00\x6C\x38\x2B')
+        """
+        if not isinstance(keyrequest, str):
+            keyrequest = base64.b64encode(keyrequest).decode()
+        return cls(
+            scheme=KeyExchangeSchemes.Widevine,
+            keydata={"keyrequest": keyrequest}
+        )
--- a/NF/MSL/schemes/UserAuthentication.py
+++ b/NF/MSL/schemes/UserAuthentication.py
@@ -0,0 +1,59 @@
+from ..MSLObject import MSLObject
+from . import UserAuthenticationSchemes
+
+
+# noinspection PyPep8Naming
+class UserAuthentication(MSLObject):
+    def __init__(self, scheme, authdata):
+        """
+        Data used to identify and authenticate the user associated with a message.
+        https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29
+
+        :param scheme: User Authentication Scheme identifier
+        :param authdata: User Authentication data
+        """
+        self.scheme = str(scheme)
+        self.authdata = authdata
+
+    @classmethod
+    def EmailPassword(cls, email, password):
+        """
+        Email and password is a standard user authentication scheme in wide use.
+
+        :param email: user email address
+        :param password: user password
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.EmailPassword,
+            authdata={
+                "email": email,
+                "password": password
+            }
+        )
+
+    @classmethod
+    def NetflixIDCookies(cls, netflixid, securenetflixid):
+        """
+        Netflix ID HTTP cookies are used when the user has previously logged in to a web site. Possession of the
+        cookies serves as proof of user identity, in the same manner as they do when communicating with the web site.
+
+        The Netflix ID cookie and Secure Netflix ID cookie are HTTP cookies issued by the Netflix web site after
+        subscriber login. The Netflix ID cookie is encrypted and identifies the subscriber and analogous to a
+        subscriber’s username. The Secure Netflix ID cookie is tied to a Netflix ID cookie and only sent over HTTPS
+        and analogous to a subscriber’s password.
+
+        In some cases the Netflix ID and Secure Netflix ID cookies will be unavailable to the MSL stack or application.
+        If either or both of the Netflix ID or Secure Netflix ID cookies are absent in the above data structure the
+        HTTP cookie headers will be queried for it; this is only acceptable when HTTPS is used as the underlying
+        transport protocol.
+
+        :param netflixid: Netflix ID cookie
+        :param securenetflixid: Secure Netflix ID cookie
+        """
+        return cls(
+            scheme=UserAuthenticationSchemes.NetflixIDCookies,
+            authdata={
+                "netflixid": netflixid,
+                "securenetflixid": securenetflixid
+            }
+        )
--- a/NF/MSL/schemes/init.py
+++ b/NF/MSL/schemes/init.py
@@ -0,0 +1,24 @@
+from enum import Enum
+
+
+class Scheme(Enum):
+    def __str__(self):
+        return str(self.value)
+
+
+class EntityAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Entity-Authentication-%28Configuration%29"""
+    Unauthenticated = "NONE"
+    Widevine = "WIDEVINE"
+
+
+class UserAuthenticationSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/User-Authentication-%28Configuration%29"""
+    EmailPassword = "EMAIL_PASSWORD"
+    NetflixIDCookies = "NETFLIXID"
+
+
+class KeyExchangeSchemes(Scheme):
+    """https://github.com/Netflix/msl/wiki/Key-Exchange-%28Configuration%29"""
+    AsymmetricWrapped = "ASYMMETRIC_WRAPPED"
+    Widevine = "WIDEVINE"