Revoking Applications By Using Revocation Lists


To ensure that players known to be damaged or corrupted cannot access packaged files, Microsoft posts revocation data that you must install on each licensing server. This data is stored in a revocation information structure, and it includes a revocation information version (RIV) and the current revocation lists that contain all the application or device certificates of those players known to be damaged or corrupted.

To install the latest revocation data on a licensing server, go to the Microsoft Web site https://licenseserver.windowsmedia.com/ from that computer, and then click Download the Latest License Server Information. It is recommended that you automate this process. For more information about how often this process is required to occur, see your license agreement with Microsoft.

When a client application or device requests a license, the license challenge includes the client's revocation information structure, which contains an RIV and the revocation lists that the client supports. To determine whether the client revocation information is current, the license server compares its RIV to the client RIV.

  • If the client RIV is older than that of the license server, the license server determines which of the client's revocation lists are out of date, and then adds updated versions to the license.
  • If the client did not include any revocation information, the license server assumes the request is from an older client (based on version 10 or earlier of Windows Media technology) and includes the legacy revocation lists.
  • If the client RIV is current or newer than that of the license server, the license server does not add any revocation information to the license.

Then, whenever a consumer plays a packaged Windows Media file, the player is checked against its local revocation lists. If the application or device certificate of that player is revoked, the player cannot play that packaged file or any other packaged files.
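The decision described above, modelled as an added example; it is not Microsoft code and does not use the Windows Media Rights Manager objects. The RevInfo fields, the list names "app" and "device", the LEGACY_LISTS choice and the certificate ids are assumptions made for illustration, because the real revocation information structure is handled inside the SDK.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# list name -> (list version, revoked certificate ids). Constructed model only.
Lists = Dict[str, Tuple[int, FrozenSet[str]]]

@dataclass
class RevInfo:
    riv: int                      # revocation information version (RIV)
    lists: Lists = field(default_factory=dict)

LEGACY_LISTS = ("app",)           # assumption: lists sent to pre-RIV clients

def lists_for_response(server: RevInfo, client: Optional[RevInfo],
                       supported: Iterable[str] = ()) -> Lists:
    """Revocation lists the license server adds to the license response."""
    if client is None:            # challenge carried no revocation information
        return {n: server.lists[n] for n in LEGACY_LISTS if n in server.lists}
    if client.riv >= server.riv:  # client is current or newer: add nothing
        return {}
    stale = {}
    for name in supported:        # only list types the client supports
        ours, theirs = server.lists.get(name), client.lists.get(name)
        if ours and (theirs is None or theirs[0] < ours[0]):
            stale[name] = ours
    return stale

def apply_response(client: RevInfo, server_riv: int, update: Lists) -> RevInfo:
    """Client side: merge delivered lists and adopt the server's RIV."""
    if not update:
        return client
    return RevInfo(max(client.riv, server_riv), {**client.lists, **update})

def can_play(local: RevInfo, cert_id: str) -> bool:
    """Playback check against the local revocation lists."""
    return all(cert_id not in revoked for _, revoked in local.lists.values())

# Constructed sample data: certificate ids and versions are made up.
SERVER = RevInfo(riv=7, lists={"app": (5, frozenset({"cert-A", "cert-B"})),
                               "device": (3, frozenset({"cert-D"}))})
CLIENT = RevInfo(riv=6, lists={"app": (4, frozenset({"cert-A"})),
                               "device": (3, frozenset({"cert-D"}))})

def demo() -> dict:
    update = lists_for_response(SERVER, CLIENT, supported=("app", "device"))
    after = apply_response(CLIENT, SERVER.riv, update)
    return {"sent": sorted(update), "before": can_play(CLIENT, "cert-B"),
            "after": can_play(after, "cert-B"), "riv": after.riv}
```

In this model a server whose own RIV is not newer than the client's sends nothing, so a license server running old revocation data leaves clients with old lists. That is the practical reason to automate the download of the latest revocation data.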

Note Your privacy statement should mention that revocation lists are stored on consumers' computers in addition to licenses. See your license agreement with Microsoft for more information.

Updating the client revocation information requires the following steps.

  1. After receiving the license challenge from the client and populating the WMRMChallenge object, retrieve the revocation information using the WMRMChallenge.RevInfo and WMRMChallenge.RevInfoPresent properties.

  2. Retrieve the types of revocation lists that are supported by the client using the WMRMLicGen.SupportedCRLS property.

  3. When adding a license with the WMRMResponse object, use the WMRMResponse.AddRevocationData method to add updated revocation lists to the license if needed. If the client's revocation data was current, this method does not add anything to the license.

    Note   You must explicitly call this method to add revocation data to the license response. If you do not add this information, an error could be displayed to the end user.

The following Visual Basic Scripting Edition (VBScript) code examples show how to issue a license for a Windows Media file.

VBScript Example

<%
Response.Buffer = True
Response.Expires = 0

' Declare variables and objects.
Dim seed, contentowner_publickey, silent
Dim strLicenseRequested, varHeader
Dim kid, lResult, varKey, sRights, indiversion
Dim varLicense, LicenseResponse
Dim strRevinfo, ContainsRevinfo, strClientCRLs
Dim ChallengeObj, HeaderObj, KeysObj
Dim RightsObj, LicGenObj, ResponseObj

' Replace XXX with your own values. In real practice, you would
' retrieve these values from a database.
seed = "XXX"  ' License key seed used by the packaging server.
contentowner_publickey = "XXX"  ' Public signing key for the
                                ' packaging server.

' Create objects.
Set ChallengeObj = Server.CreateObject("WMRMobjs.WMRMChallenge")
Set HeaderObj = Server.CreateObject("WMRMobjs.WMRMHeader")
Set KeysObj = Server.CreateObject("WMRMobjs.WMRMKeys")
Set RightsObj = Server.CreateObject("WMRMobjs.WMRMRights")
Set LicGenObj = Server.CreateObject("WMRMobjs.WMRMLicGen")
Set ResponseObj = Server.CreateObject("WMRMobjs.WMRMResponse")

' Find out whether the request is for silent or non-silent delivery.
silent = true
if (request.Form("nonsilent") <> "") then
    silent = false
end if

' Put the license request (challenge) into the Challenge object, and then
' extract the content header and client information from it.
strLicenseRequested = Request.Form("challenge")
ChallengeObj.Challenge = strLicenseRequested
varHeader = ChallengeObj.Header

' Check for revocation information.
strRevinfo = ChallengeObj.RevInfo
ContainsRevinfo = ChallengeObj.RevInfoPresent

' Put the content header into the Header object. Using the public key,
' verify that the content header has not been tampered with. A result
' of 0 means that verification failed.
HeaderObj.Header = varHeader
lResult = HeaderObj.Verify(contentowner_publickey)
if (lResult = 0) then
    ' TODO: Process for a corrupted or modified header.
    ' Stop here so that no license is issued for a header that
    ' failed verification.
    Response.End
end if

' Put the required individualization version from the content header
' into the WMRMLicGen object.
indiversion = HeaderObj.IndividualizedVersion
LicGenObj.IndividualizedVersion = indiversion

' Extract the key ID from the content header. Put the key ID and
' license key seed into the Keys object, and then generate the key.
kid = HeaderObj.KeyID
KeysObj.KeyID = kid
KeysObj.Seed = seed
varKey = KeysObj.GenerateKey()

' Get the certificate revocation lists that are supported by the client.
strClientCRLs = LicGenObj.SupportedCRLS

' Set the rights.
RightsObj.MinimumSecurityLevel = 1000
RightsObj.BeginDate = "#20050101Z #"
RightsObj.ExpirationDate =  "#20051231Z #"
RightsObj.AllowBackupRestore = true
RightsObj.AllowCopy = false
RightsObj.AllowTransferToSDMI = false
RightsObj.AllowTransferToNonSDMI = false
RightsObj.DeleteOnClockRollback = false
RightsObj.DisableOnClockRollback = true
SRights = RightsObj.GetAllRights

' Put the license information into the License Generator object.
' Including the following attributes is recommended.
LicGenObj.KeyID = kid
LicGenObj.SetKey "", varKey
LicGenObj.Rights = sRights
LicGenObj.Priority = 10
LicGenObj.Attribute("Copyright") = "copyright statement"
LicGenObj.Attribute("ContentType") = "audio or video"
LicGenObj.Attribute("Author") = "artist name"
LicGenObj.Attribute("ArtistURL") = "https://artist_web_site"
LicGenObj.Attribute("Title") = "title"
LicGenObj.Attribute("LicenseDistributor") = "license issuer"
LicGenObj.Attribute("LicenseDistributorURL") = "https://license_issuer_web_site"
LicGenObj.Attribute("ContentDistributor") = "content distributor"
LicGenObj.Attribute("Rating") = "rating"
LicGenObj.Attribute("Description") = "description"

' Bind the license to the public key, and then generate the license.
' GetLicenseToDeliver fails if the client has been revoked.
LicGenObj.BindToPubKey = contentowner_publickey
varLicense = LicGenObj.GetLicenseToDeliver()

' Use the Response object to deliver the license. If the client does
' not allow silent license delivery, display a page (Silent_ns.asp)
' saying that a license has been delivered.
call ResponseObj.AddLicense("2.0.0.0", varLicense)
call ResponseObj.AddRevocationData(strRevinfo, strClientCRLs, ContainsRevinfo)

if (silent = true) then
    LicenseResponse = ResponseObj.GetLicenseResponse()
    Response.Write LicenseResponse
else
'  ResponseObj.ReplaceQuotesWith = """"""    ' For VBScript
   ResponseObj.ReplaceQuotesWith = "\"""     ' For JavaScript
   LicenseResponse = ResponseObj.GetLicenseResponse()
%>
<!-- #include file="Silent_ns.asp" -->
<%
end if
%>

The following page is used when licenses cannot be issued silently.

Silent_ns.asp

<html>
<head>
<script Language="JavaScript">
function Storev71License(hr)
{
   LicenseObj.StoreLicense( "<%= LicenseResponse %>" );
}
</script>
</head>
<body onload="Storev71License()">
<object classid="clsid:A9FC132B-096D-460B-B7D5-1DB0FAE0C062" height="0"
id="LicenseObj" width="0">
  <embed mayscript type="application/x-drm-v2" hidden="true">
</object>
You have received a license for this song. Click Play.
</body>
</html>


© 2007 Microsoft Corporation. All rights reserved.