A brief look at ACSM files

by @edent | , ,

Adobe's accursed eBook DRM is just the worst. Not only does it lock up books that you have purchased - but it's impossible to use sensibly on Linux.

Sure, you can futz around with Docker, WINE, and old versions of Python - and if you're lucky, you might get a book out of it.

I wasn't quite so lucky. I wanted to see if I could download an ePub without using Adobe Digital Editions. Spoilers! I couldn't. But this is what I found.

The First ACSM file

When you buy an eBook, the vendor sends you a .acsm file. Adobe Content Server Message is a simple XML file. This is what it looks like and what each line means:

<fulfillmentToken fulfillmentType="buy" auth="user" xmlns="http://ns.adobe.com/adept">
  <distributor>urn:uuid:b479af7f-09bf-48f5-a6c6-...</distributor>
  <operatorURL>http://drm.firebrandtech.com/fulfillment</operatorURL>
  <transaction>67809895895d46aab...</transaction>
  <expiration>2021-07-19T18:55:59-04:00</expiration>

This state's I've purchased the book, who distributes it, where the download server is, and some metadata

Next, metadata about the book:

  <resourceItemInfo>
    <resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
    <resourceItem>0</resourceItem>
    <metadata>
      <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">The End of Bias</dc:title>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Nordell</dc:creator>
      <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">Granta Publications</dc:publisher>
      <dc:identifier xmlns:dc="http://purl.org/dc/elements/1.1/">urn:ean:9781846276774</dc:identifier>
      <dc:format xmlns:dc="http://purl.org/dc/elements/1.1/">application/pdf</dc:format>
    </metadata>
    <licenseToken>
      <resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
      <permissions>
        <display/>
        <excerpt/>
        <print/>
        <play/>
      </permissions>
    </licenseToken>
  </resourceItemInfo>

Finally, a digital signature:

  <hmac>rL4Ttn7ASp16Y4...=</hmac>
</fulfillmentToken>

The Second ACSM file

When you open the .acsm file in Adobe Digital Editions (ADE), the software creates a new .acsm file. This one is signed with the key that Adobe generates when you register with it. This is what the file looks like and what each line means:

First, information about me as a user, and my device:

<fulfill xmlns="http://ns.adobe.com/adept">
  <user>urn:uuid:99b1e32d-5b39-4968-8ef6-c5cb6a739ec8</user>
  <device>urn:uuid:ac790662-5da0-4075-aee2-99b3c4592619</device>
  <deviceType>standalone</deviceType>

Then a repeat of the original .acsm:

  <fulfillmentToken fulfillmentType="buy" auth="user">
    <distributor>urn:uuid:b479af7f-09bf-48f5-a6c6-...</distributor>
    <operatorURL>http://drm.firebrandtech.com/fulfillment</operatorURL>
    <transaction>67809895895d46...</transaction>
    <expiration>2021-07-19T18:55:59-04:00</expiration>
    <resourceItemInfo>
      <resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
      <resourceItem>0</resourceItem>
      <metadata>
        <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">The End of Bias</dc:title>
        <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Nordell</dc:creator>
        <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">Granta Publications</dc:publisher>
        <dc:identifier xmlns:dc="http://purl.org/dc/elements/1.1/">urn:ean:9781846276774</dc:identifier>
        <dc:format xmlns:dc="http://purl.org/dc/elements/1.1/">application/pdf</dc:format>
      </metadata>
      <licenseToken>
        <resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
        <permissions>
          <display/>
          <excerpt/>
          <print/>
          <play/>
        </permissions>
      </licenseToken>
    </resourceItemInfo>

Then, a different HMAC:

    <hmac>rL4Ttn7ASp16...=</hmac>
  </fulfillmentToken>

And, finally, another digital signature

  <signature>znoLnR2A4wG1uE85oXPYzSZjTRNo76ctgfR8COY8nlNTCcPge9O6VeB5UY...=</signature>
</fulfill>

POSTING the file

Digital Editions then posts the new .acsm file to the DRM server mentioned. It replies with a location where the file can be downloaded from. In this case:

http://drm.firebrandtech.com/media/77d79621-0e96-4f4f-8fee-....pdf

That's literally just the resource's UUID as the filename. It can be downloaded and opened in ADE.

Signing the file yourself

So, if you've downloaded the first .acsm file and have your encryption keys extracted from ADE you can sign it yourself, right?

I dunno. I'm no good at reverse engineering binaries. I suspect so. ADE is a Shockwave / Flash app - so I doubt it has anything too taxing in there - but it is beyond my skillset.

Further Reading

Leave a Reply

Your email address will not be published. Required fields are marked *