You are not logged in.

#1 2016-06-04 11:28:33

Wild Penguin
Member
Registered: 2015-03-19
Posts: 261

libaacs can not retrieve VUKs automatically

Hi,

The current libaacs is broken if a VUK is not known for a particular BR disk, even though the required keys are in place (processing keys). Symptoms: aacs_info fails with the errors below ("Missing item in object"). Any program trying to decrypt the disc using libaacs, will fail with similar errors. The discs are playable if the VUK is known, or VUK is figured out manually with aacskeys and pasted into KEYDB.cfg. The point of this post is the lack of automation.

I'm posting here instead of making a bug report, since I want to rule out the fact I may have something broken in my config. Can anyone here reproduce this? I'm quite certain that this worked before. If this is not a configuration error, I will file the appropriate bug report.

I believe this may have something to do with an incompatible gcrypt library, according to some google results, but that is just a guess and I haven't investigated further (and I'm not sure how to debug this further).

To reproduce: Make sure you are decrypting a disk for which the VUK is not known. You can reproduce the conditions for the bug for any disc, by removing the VUK from libaacs cache files. In any case, if you can decrypt a particular bluray disc, follow these steps to make sure you have not cached the VUK:

If you are lazy,  aacs_info fails regardless if you have the VUK cached or not (I believe it is the same issue, that is facing any program using libaacs).

  1. Run 'aacskey /run/media/USERNAME/MOUNTPOINT' and note the VUK

  2. Check that the VUK is not cached in ~/.cache/aacs/vuk/*

  3. Check that the VUK is not cached in ~/.config/aacs/KEYDB.cfg

  4. Re-run aacskey with -v, note MKBv of the particular disc

  5. Make sure you have the processing key required for the MKBv in ~/.config/aacs/KEYDB.cfg

(grep for the VUK in steps 2. and 3. and (temporarily) delete it.

No libaacs-using program (mpv, mplayer, kodi) works automatically, as they should be able to (but aacskeys still works and can retrieve the VUK if you have the correct processing key - libaacs should be able to do the same).

$ aacs_info /[MY_DISC_MOUNTPOINT]
Opening /[MY_DISC_MOUNTPOINT] using libaacs 0.8.1 ...
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
aacs.c:160: invalid drl signature, not using it
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
aacs.c:160: invalid hrl signature, not using it
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
mmc.c:654: Drive does not support reading drive certificate
aacs.c:883: Unable to read drive certificate
libaacs open failed: No valid certificates in configuration file(s)
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
aacs.c:1164: aacs_get_vid() failed
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
Disc ID: 36A8CE3A1A65FC870CA3DA6EF7DB03E9626A1758
VID    : ???
MKBv   : 28
PMSN   : ???
Bus encryption:
  Device support:   no
  Enabled in media: no
Device binding ID:  CF45F685C62A211067B13A784D804417
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
aacs.c:1243: invalid signature in cached hrl
Host Revocation List  (MKB version 0):
  (empty)
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
aacs.c:1243: invalid signature in cached drl
Drive Revocation List  (MKB version 0):
  (empty)
$ mpv bd://
Playing: bd://
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
crypto.c:516: _aacs_verify: gcry_pk_verify failed. error was: Missing item in object
mmc.c:654: Drive does not support reading drive certificate
aacs.c:883: Unable to read drive certificate
dec.c:208: aacs_open() failed!
[bd] AACS error: no valid certificate
No protocol handler found to open URL bd://
The protocol is either unsupported, or was disabled at compile-time.


Exiting... (Errors when loading file)
$ LANG=C pacaur -Qi libaacs  && LANG=C pacaur -Qi libgcrypt
Name            : libaacs
Version         : 0.8.1-1
Description     : Advanced Access Content System
Architecture    : x86_64
URL             : http://www.videolan.org/developers/libaacs.html
Licenses        : LGPL
Groups          : None
Provides        : None
Depends On      : libgcrypt
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 128.00 KiB
Packager        : Martin Wimpress <code@flexion.org>
Build Date      : Mon Jun 8 18:38:56 2015
Install Date    : Wed Mar 2 20:42:09 2016
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Name            : libgcrypt
Version         : 1.7.0-2
Description     : General purpose cryptographic library based on the code from GnuPG
Architecture    : x86_64
URL             : http://www.gnupg.org
Licenses        : LGPL
Groups          : None
Provides        : None
Depends On      : libgpg-error>=1.10-2
Optional Deps   : None
Required By     : afpfs-ng  chromium  cryptsetup  gcr  gnome-vfs  gnupg  gwenhywfar  kwallet-pam  lib32-libgcrypt
                  libaacs  libgnome-keyring  libmicrohttpd  libotr  libsecret  libsystemd  libxslt  mesa  smbclient
                  systemd  telegram-purple  xorg-server  xorg-server-xephyr
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 1316.00 KiB
Packager        : Andreas Radke <andyrtr@archlinux.org>
Build Date      : Wed Apr 27 22:08:13 2016
Install Date    : Sun May 1 16:52:34 2016
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

EDIT: Some typos and minor wording clarifications

Last edited by Wild Penguin (2016-06-04 11:33:25)

Offline

#2 2016-06-04 15:51:55

Wild Penguin
Member
Registered: 2015-03-19
Posts: 261

Re: libaacs can not retrieve VUKs automatically

Just FYI, if someone is in the same boat: I installed makemkv-libaacs, as I noticed that some had success with it in this other thread that is somewhat old, though. It seems that is a slightly different libaacs version, that does not seem to cache any VUK's in ~/.cache/aacs nor ~/.config/aacs. That version seemed to work with mplayer on the thread, but it seems it does not work with mplayer nor mpv anymore (they report libaacs is not initialized), but it does work with kodi.

There still a problem with the community/libaacs, so unless there's someone with more insight, I think the behaviour is a real a bug.

Last edited by Wild Penguin (2016-06-04 15:53:21)

Offline

#3 2016-06-05 07:50:12

Wild Penguin
Member
Registered: 2015-03-19
Posts: 261

Re: libaacs can not retrieve VUKs automatically

Bug report added (into Arch bugzilla as I believe this may be an incompatibility with some library shipped in Arch).

Offline

Board footer

Powered by FluxBB