Programmatically detecting B&N DRM in books


chrisridd
02-06-2012, 01:23 PM
The ePub QuickLook generator for Macs at https://github.com/jaketmp/ePub-quicklook has some (currently unreleased) code which tries a few heuristics to guess the DRM being used in a given book.

It works reasonably well so far for Adobe, Apple and Kobo DRM - the only examples I've got. The heuristics are currently in the code at https://github.com/jaketmp/ePub-quicklook/blob/master/epub/JTPepub.m#L495 for anyone interested. I'm certain it isn't perfect...

According to the wiki here, B&N have another DRM scheme. It'd be nice to be able to detect that DRM too, but B&N don't sell to the UK so I can't see what they do.

Can anyone offer any suggestions (or sample books!) showing what B&N's DRM looks like? We don't have to/want to decrypt it, just work out that it is from B&N.

DiapDealer
02-06-2012, 03:10 PM
According to the wiki here, B&N have another DRM scheme. It'd be nice to be able to detect that DRM too, but B&N don't sell to the UK so I can't see what they do.

Can anyone offer any suggestions (or sample books!) showing what B&N's DRM looks like? We don't have to/want to decrypt it, just work out that it is from B&N.
B&N's DRM is a bastardized version of the Adobe Adept DRM, so depending on how/what you're using to identify Adobe's DRM, your program is probably already lumping B&N DRM'ed books in with the rest of the Adobe DRMed stuff.

Distinguishing between the two may prove difficult programmatically. Possibly take a look at the "operatorUrl" element of the rights.xml file (which they both have—and it's in the same format). I can't swear that all B&N books have the exact same url listed for that element, but barnesandnoble.com seems to be somewhere in there in the examples I have. I know the regular Adobe epubs can have all kinds of different fulfillment urls in that "operatorURL" element.

Good luck!

EDIT: Taking a quick peek at your code... yes.... you're currently including B&N books right along with the rest of the Adept DRM, since both will match:
// Adobe Adept DRM has "META-INF/rights.xml", containing <licenseURL> with an adobe.com URL.

chrisridd
02-06-2012, 03:38 PM
B&N's DRM is a bastardized version of the Adobe Adept DRM, so depending on how/what you're using to identify Adobe's DRM, your program is probably already lumping B&N DRM'ed books in with the rest of the Adobe DRMed stuff.

Distinguishing between the two may prove difficult programmatically. Possibly take a look at the "operatorUrl" element of the rights.xml file (which they both have—and it's in the same format). I can't swear that all B&N books have the exact same url listed for that element, but barnesandnoble.com seems to be somewhere in there in the examples I have. I know the regular Adobe epubs can have all kinds of different fulfillment urls in that "operatorURL" element.

Good luck!

EDIT: Taking a quick peek at your code... yes. You're currently identifying B&N books right along with the rest of the Adept DRM, since both will match:
// Adobe Adept DRM has "META-INF/rights.xml", containing <licenseURL> with an adobe.com URL.

Thanks! I'll try switching to looking for operatorURL instead, and see if the URL contains barnesandnoble.

DiapDealer
02-06-2012, 03:56 PM
Thanks! I'll try switching to looking for operatorURL instead, and see if the URL contains barnesandnoble.
Like I said... I don't know if that is (or will remain) consistent enough to rely upon. Instead of switching outright, I would probably consider adding it as an additional check.

If the licenseURL contains "adobe.com", it's definitely ADEPT encryption. AND if the operatorURL contains "barnesandnoble.com", it's more than likely a B&N DRMed book. I'd be very hesitant to rely on any of that straight across the board, though.

chrisridd
02-06-2012, 04:28 PM
Like I said... I don't know if that is (or will remain) consistent enough to rely upon. Instead of switching outright, I would probably consider adding it as an additional check.

If the licenseURL contains "adobe.com", it's definitely ADEPT encryption. AND if the operatorURL contains "barnesandnoble.com", it's more than likely a B&N DRMed book. I'd be very hesitant to rely on any of that straight across the board, though.

Yeah, it is all lovely and undocumented :)

A book I bought that's definitely Adept has:

<licenseURL>https://nasigningservice.adobe.com/licensesign</licenseURL>
<operatorURL>http://acs4.shortcovers.com:8080/fulfillment</operatorURL>

If we've got something with operatorURL in the adobe namespace, the odds are that it is either B&N or Adobe. (Or someone I haven't heard of yet.) So I think just checking for barnesandnoble may be "good enough" at least for now.

Hm. I wonder what Overdrive books look like...

Jim Lester
02-06-2012, 07:44 PM
DRM is always undocumented.... jeez :) We use a particular variant of Adobe DRM ('Passhash') that nobody else has picked up... yet.

If you want to know which variant of Adobe DRM then:

rights->licenseToken->user will not exist with Passhash based DRM (that we use for Trade), but will with ACS4 Classic licenses (that we use for Education).


If you want to know where you got the book from then operatorURL is your best bet, but if the back end server is in a middle man role this won't work as well. For instance a book that I get from the San Jose Public Library will have an Overdrive or NetLibrary operatorURL, and not a San Jose Public Library URL. (There are similar arrangements for purchasing).

DiapDealer
02-06-2012, 07:44 PM
Hm. I wonder what Overdrive books look like...
Overdrive uses Adobe ADEPT as far as I know

chrisridd
02-07-2012, 02:52 AM
DRM is always undocumented.... jeez :) We use a particular variant of Adobe DRM ('Passhash') that nobody else has picked up... yet.

Fair enough. I was expecting something more documented in the same way that crypto algorithms (etc) are documented.

If you want to know which variant of Adobe DRM then:

rights->licenseToken->user will not exist with Passhash based DRM (that we use for Trade), but will with ACS4 Classic licenses (that we use for Education).


If you want to know where you got the book from then operatorURL is your best bet, but if the back end server is in a middle man role this won't work as well. For instance a book that I get from the San Jose Public Library will have an Overdrive or NetLibrary operatorURL, and not a San Jose Public Library URL. (There are similar arrangements for purchasing).

Terrific stuff, thanks Jim! The books I've just checked do all have rights>licenseToken>user so must all be ACS4-ish "Classic" licenses.

Another thought. Do the adept:certificate elements in B&N books still have an X.509 certificate? The ones in the Adept DRMed books I've got here all seem to, and have a subject name of "cn=https://nasigningservice.adobe.com/licenses,ou=Digital Publishing,o=Adobe Systems Incorporated,c=US"

I just grabbed a book from our local (Overdrive) library and it had:

<licenseURL>https://nasigningservice.adobe.com/licensesign</licenseURL>
<operatorURL>http://acsepub.contentreserve.com/fulfillment</operatorURL>

(and the same Adobe X.509 certificate)

Nothing really useful there... But the permissions>display>loan/until elements might be another interesting thing to display.
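
The three checks discussed in the thread up to this point (licenseURL on adobe.com, operatorURL on barnesandnoble.com, presence of licenseToken/user), combined into one classifier. This is an added example, not part of any post and not code from ePub-quicklook; the element layout in `sample_rights`, the namespace URI, the size cap and the result labels are assumptions.

```python
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RIGHTS = "META-INF/rights.xml"
MAX_RIGHTS_BYTES = 1 << 20  # assumed cap; a QuickLook plugin parses untrusted files

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def _in_domain(url, domain):
    # Compare the parsed hostname, so "barnesandnoble.com" in a path or query
    # does not count. This is stricter than the substring test in the thread.
    host = (urlparse((url or "").strip()).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def classify_rights(xml_bytes):
    """Classify the bytes of a rights.xml using the thread's three checks."""
    result = {"scheme": "unknown", "seller": None, "license": None}
    if b"<!DOCTYPE" in xml_bytes:  # byte-level guard against entity expansion
        return result
    text, has_user = {}, False
    for el in ET.fromstring(xml_bytes).iter():
        name = _local(el.tag)
        text.setdefault(name, el.text)  # first occurrence wins
        if name == "licenseToken":
            has_user = any(_local(child.tag) == "user" for child in el)
    if _in_domain(text.get("licenseURL"), "adobe.com"):
        result["scheme"] = "adept"
        result["license"] = "acs4-classic" if has_user else "passhash"
        if _in_domain(text.get("operatorURL"), "barnesandnoble.com"):
            result["seller"] = "B&N (likely)"
    return result

def classify_epub(path_or_file):
    """Return None when the EPUB has no rights.xml (no ADEPT-style DRM seen)."""
    with zipfile.ZipFile(path_or_file) as z:
        if RIGHTS not in z.namelist():
            return None
        if z.getinfo(RIGHTS).file_size > MAX_RIGHTS_BYTES:
            raise ValueError("rights.xml larger than expected")
        return classify_rights(z.read(RIGHTS))

def sample_rights(operator_url, with_user=True):
    """Constructed input; the layout and namespace URI are assumptions."""
    user = "<a:user>urn:uuid:constructed</a:user>" if with_user else ""
    return ('<a:rights xmlns:a="http://ns.adobe.com/adept"><a:licenseToken>'
            f"{user}<a:licenseURL>https://nasigningservice.adobe.com/licensesign"
            f"</a:licenseURL><a:operatorURL>{operator_url}</a:operatorURL>"
            "</a:licenseToken></a:rights>").encode()
```

The "B&N (likely)" label keeps the hedge from the thread: the operatorURL names the fulfilment server, which may belong to a middleman rather than the seller.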

DiapDealer
02-07-2012, 08:07 AM
DRM is always undocumented.... jeez :) We use a particular variant of Adobe DRM ('Passhash') that nobody else has picked up... yet.

If you want to know which variant of Adobe DRM then:

rights->licenseToken->user will not exist with Passhash based DRM (that we use for Trade), but will with ACS4 Classic licenses (that we use for Education).


If you want to know where you got the book from then operatorURL is your best bet, but if the back end server is in a middle man role this won't work as well. For instance a book that I get from the San Jose Public Library will have an Overdrive or NetLibrary operatorURL, and not a San Jose Public Library URL. (There are similar arrangements for purchasing).
Interesting. Thanks for the info. :)

Jim Lester
02-07-2012, 01:06 PM
Fair enough. I was expecting something more documented in the same way that crypto algorithms (etc) are documented.

...

Nothing really useful there... But the permissions>display>loan/until elements might be another interesting thing to display.

Some documentation is provided to those that Adobe thinks have a need to know (ACS4/RMSDK customers). I can't give you a copy, since they are provided (to me at least) under NDA. There may be people who are either less fastidious than me about their NDAs, or who didn't get the documentation under the same agreements, so good luck on your search.

chrisridd
02-09-2012, 03:24 PM
Some documentation is provided to those that Adobe thinks have a need to know (ACS4/RMSDK customers). I can't give you a copy, since they are provided (to me at least) under NDA. There may be people who are either less fastidious than me about their NDAs, or who didn't get the documentation under the same agreements, so good luck on your search.

Oh, I didn't expect there'd be an NDA covering all this. I certainly don't want anyone to break it.

Thanks greatly for the snippets you've mentioned in this thread!

Jim Lester
02-10-2012, 10:38 AM
Oh, I didn't expect there'd be an NDA covering all this. I certainly don't want anyone to break it.

Thanks greatly for the snippets you've mentioned in this thread!

Not a problem, glad to help.

Regarding an earlier question:


Another thought. Do the adept:certificate elements in B&N books still have an X.509 certificate? The ones in the Adept DRMed books I've got here all seem to, and have a subject name of "cn=https://nasigningservice.adobe.com/licenses,ou=Digital Publishing,o=Adobe Systems Incorporated,c=US"


All content that uses Adobe DRM will have a license signed by Adobe.

/JOKE: However, please don't take my word for it. I suggest you go buy as much content as possible from Barnes & Noble to make sure I'm right /JOKE.

chrisridd
02-11-2012, 02:12 PM
All content that uses Adobe DRM will have a license signed by Adobe.

/JOKE: However, please don't take my word for it. I suggest you go buy as much content as possible from Barnes & Noble to make sure I'm right /JOKE.

When are Barnes & Noble going to sell to UK readers? ;)

Jim Lester
02-14-2012, 01:10 AM
When are Barnes & Noble going to sell to UK readers? ;)

Well that all depends upon the tea (http://paidcontent.org/article/419-barnes-nobles-nook-will-likely-launch-in-uk-in-2012/) leaves (http://www.thebookseller.com/news/bn-developing-partnership-waterstones-over-nook.html) that you read (http://reviews.cnet.com/8301-33198_7-57368010-286/report-new-nook-coming-this-spring/?part=rss&subj=latest-news&tag=title).

I of course don't pay any heed to rumors, so I wouldn't know.