Implements support for signing multiple GOPs (#429)

Through the API signed_video_set_signing_frequency(...) the user
can specify how often GOPs should be signed. Unsigned GOPs will
still produce SEIs, but without signatures. These SEIs are
hashed like normal frames and eventually signed with the final
SEI.

A test has been added for signing multiple GOPs.

Author: bjornvolcker

lib/src/includes/signed_video_sign.h

@@ -332,6 +332,25 @@ SignedVideoReturnCode
 signed_video_set_authenticity_level(signed_video_t *self,
     SignedVideoAuthenticityLevel authenticity_level);
 
+/**
+ * @brief Sets the signing frequency for this Signed Video session
+ *
+ * The default behavior of the Signed Video library is to sign and generate a SEI/OBU
+ * Metadata every GOP (Group Of Pictures). Due to hardware resource limitations and GOP
+ * length settings, signing every GOP can become infeasible in real-time. For example,
+ * when multiple streams are signed or if the GOP length is very short.
+ *
+ * This API allows the user to change the signing frequency at anytime during a session.
+ * The signing frequency is measured in number of GOPs.
+ *
+ * @param self              Pointer to the Signed Video session.
+ * @param signing_frequency Number of GOPs between signatures (default 1)
+ *
+ * @returns A Signed Video Return Code.
+ */
+SignedVideoReturnCode
+signed_video_set_signing_frequency(signed_video_t *self, unsigned signing_frequency);
+
 /**
  * @brief Sets the average recurrence interval for the signed video session in frames
  *

lib/src/sv_common.c

@@ -371,7 +371,7 @@ static void
 remove_epb_from_sei_payload(bu_info_t *bu)
 {
   assert(bu);
-  if (!bu->is_hashable || !bu->is_sv_sei || (bu->is_valid <= 0)) return;
+  if (!bu->is_sv_sei || (bu->is_valid <= 0)) return;
 
   // The UUID (16 bytes) has by definition no emulation prevention bytes. Hence, read the
   // |reserved_byte| and point to the start of the TLV part.
@@ -560,6 +560,16 @@ parse_bu_info(const uint8_t *bu_data,
     }
 
     remove_epb_from_sei_payload(&bu);
+    if (bu.emulation_prevention_bytes >= 0 && (bu.hashable_data_size > bu.tlv_size)) {
+      // Check if a signature TLV tag exists. If number of computed emulation prevention
+      // bytes is negative, either the SEI is currupt or incomplete. Or if there is enough
+      // TLV data.
+      const uint8_t *signature_tag =
+          sv_tlv_find_tag(bu.tlv_data, bu.tlv_size, SIGNATURE_TAG, false);
+      bu.is_signed = (signature_tag != NULL);
+    }
+    // Update |is_hashable| w.r.t. signed or not.
+    bu.is_hashable |= bu.is_sv_sei && !bu.is_signed;
   }
 
   return bu;
@@ -968,6 +978,7 @@ signed_video_create(SignedVideoCodec codec)
     // Signing plugin is setup when the private key is set.
     self->authenticity_level = DEFAULT_AUTHENTICITY_LEVEL;
     self->signing_frequency = 1;
+    self->num_gops_until_signing = self->signing_frequency;
     self->recurrence = RECURRENCE_ALWAYS;
     self->add_public_key_to_sei = true;
     self->sei_epb = codec != SV_CODEC_AV1;
@@ -1022,6 +1033,7 @@ signed_video_reset(signed_video_t *self)
     if (self->onvif) {
       SV_THROW(msrc_to_svrc(onvif_media_signing_reset(self->onvif)));
     }
+    self->num_gops_until_signing = self->signing_frequency;
     self->signing_started = false;
     self->sei_generation_enabled = false;
     gop_info_reset(self->gop_info);

lib/src/sv_internal.h

@@ -147,6 +147,7 @@ typedef struct {
   bool is_last_bu_part;  // True if the |bu_data| includes the last part
   bool with_epb;  // Hashable data may include emulation prevention bytes
   bool is_golden_sei;
+  bool is_signed;  // True if the SEI is signed, i.e., has a signature
 } bu_info_t;
 
 /**
@@ -285,6 +286,7 @@ struct _signed_video_t {
   SignedVideoAuthenticityLevel authenticity_level;
   size_t max_sei_payload_size;  // Default 0 = unlimited
   unsigned signing_frequency;  // Number of GOPs per signature (default 1)
+  unsigned num_gops_until_signing;  // Counter to track |signing_frequency|
   unsigned recurrence;
   unsigned max_signing_frames;
 

lib/src/sv_sign.c

@@ -148,13 +148,14 @@ shift_sei_buffer_at_index(signed_video_t *self, int index)
  * any Bitstream Unit (BU) hash and added to the gop_hash. For SV_AUTHENTICITY_LEVEL_FRAME we sign
  * this hash instead of the gop_hash, which is the traditional principle of signing. */
 static svrc_t
-generate_sei_and_add_to_buffer(signed_video_t *self, bool ATTR_UNUSED force_signature)
+generate_sei_and_add_to_buffer(signed_video_t *self, bool force_signature)
 {
   sign_or_verify_data_t *sign_data = self->sign_data;
   const size_t hash_size = sign_data->hash_size;
   size_t num_optional_tags = 0;
   size_t num_mandatory_tags = 0;
   uint8_t *sei = NULL;
+  bool sign_this_sei = (self->num_gops_until_signing == 0) || force_signature;
 
   const sv_tlv_tag_t *optional_tags = sv_get_optional_tags(&num_optional_tags);
   const sv_tlv_tag_t *mandatory_tags = sv_get_mandatory_tags(&num_mandatory_tags);
@@ -182,6 +183,9 @@ generate_sei_and_add_to_buffer(signed_video_t *self, bool ATTR_UNUSED force_sign
         sv_tlv_list_encode_or_get_size(self, mandatory_tags, num_mandatory_tags, NULL);
     if (self->is_golden_sei) mandatory_tags_size = 0;
     signature_size = sv_tlv_list_encode_or_get_size(self, &signature_tag, 1, NULL);
+    if (!sign_this_sei) {
+      signature_size = 0;
+    }
 
     payload_size = signature_size + optional_tags_size + mandatory_tags_size;
     payload_size += UUID_LEN;  // UUID
@@ -308,7 +312,7 @@ generate_sei_and_add_to_buffer(signed_video_t *self, bool ATTR_UNUSED force_sign
     // payload we need to hash the BU as it is so far and update the |gop_hash|. Parse a fake BU
     // with the data so far and we will automatically get the pointers to the |hashable_data| and
     // the size of it. Then we can use the sv_hash_and_add() function.
-    {
+    if (sign_this_sei) {
       size_t fake_payload_size = (sei_ptr - sei);
       // Force SEI to be hashable.
       bu_info_t bu_without_signature_data =
@@ -340,7 +344,12 @@ generate_sei_and_add_to_buffer(signed_video_t *self, bool ATTR_UNUSED force_sign
     // Reset the timestamp to avoid including a duplicate in the next SEI.
     gop_info->has_timestamp = false;
 
-    SV_THROW(sv_signing_plugin_sign(self->plugin_handle, sign_data->hash, sign_data->hash_size));
+    if (sign_this_sei) {
+      SV_THROW(sv_signing_plugin_sign(self->plugin_handle, sign_data->hash, sign_data->hash_size));
+    } else {
+      // If unsigned SEI, complete by adding Stop bit.
+      sv_write_byte(last_two_bytes, &sei_ptr, 0x80, false);
+    }
   SV_CATCH()
   {
     DEBUG_LOG("Failed to generate the SEI");
@@ -352,7 +361,7 @@ generate_sei_and_add_to_buffer(signed_video_t *self, bool ATTR_UNUSED force_sign
 
   // Add |sei| to buffer. Will be picked up again when the signature has been generated.
   // If the SEI is not signed mark it as complete at once.
-  add_sei_to_buffer(self, sei, sei_ptr, false);
+  add_sei_to_buffer(self, sei, sei_ptr, !sign_this_sei);
 
   return status;
 }
@@ -657,7 +666,14 @@ signed_video_add_nalu_part_for_signing_with_timestamp(signed_video_t *self,
         SV_THROW(sv_openssl_finalize_hash(self->crypto_handle, gop_info->computed_gop_hash, true));
         // The previous GOP is now completed. The gop_hash was reset right after signing and
         // adding it to the SEI.
-        SV_THROW(generate_sei_and_add_to_buffer(self, true));
+        SV_THROW(generate_sei_and_add_to_buffer(self, trigger_signing));
+        if (new_gop && (self->num_gops_until_signing == 0)) {
+          // Reset signing counter only upon new GOPs
+          self->num_gops_until_signing = self->signing_frequency;
+        }
+      }
+      if (new_gop) {
+        self->num_gops_until_signing--;
       }
       self->sei_generation_enabled = true;
     }
@@ -954,6 +970,20 @@ signed_video_set_authenticity_level(signed_video_t *self,
   return status;
 }
 
+SignedVideoReturnCode
+signed_video_set_signing_frequency(signed_video_t *self, unsigned signing_frequency)
+{
+  if (!self || signing_frequency == 0) {
+    return SV_INVALID_PARAMETER;
+  }
+  self->signing_frequency = signing_frequency;
+  if (!self->signing_started) {
+    self->num_gops_until_signing = signing_frequency;
+  }
+
+  return SV_OK;
+}
+
 SignedVideoReturnCode
 signed_video_set_recurrence_interval_frames(signed_video_t *self, unsigned recurrence)
 {

tests/check/check_signed_video_sign.c

@@ -19,6 +19,7 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 #include <check.h>
+#include <stdbool.h>
 #include <stdint.h>  // uint8_t
 #ifdef PRINT_DECODED_SEI
 #include <stdio.h>
@@ -58,18 +59,26 @@ verify_seis(test_stream_t *list, struct sv_setting setting)
     return;
   }
 
+  bool is_first_signed_sei = true;
+  bool is_first_unsigned_sei = true;
   int num_seis = 0;
-  size_t sei_size = 0;
+  size_t sei_size_signed = 0;
+  size_t sei_size_unsigned = 0;
   test_stream_item_t *item = list->first_item;
   while (item) {
     bu_info_t bu = parse_bu_info(item->data, item->data_size, list->codec, false, true);
     if (bu.is_sv_sei) {
-      if (num_seis == 0) {
+      if (bu.is_signed && is_first_signed_sei) {
+        // Set the SEI size for the first detected SEI.
+        sei_size_signed = item->data_size;
+        is_first_signed_sei = false;
+      }
+      if (!bu.is_signed && is_first_unsigned_sei) {
         // Set the SEI size for the first detected SEI.
-        sei_size = item->data_size;
+        sei_size_unsigned = item->data_size;
+        is_first_unsigned_sei = false;
       }
       num_seis++;
-      const bool has_signature = tag_is_present(item, list->codec, SIGNATURE_TAG);
       const bool has_hash_list = tag_is_present(item, list->codec, HASH_LIST_TAG);
       const bool has_axis_tag = tag_is_present(item, list->codec, VENDOR_AXIS_COMMUNICATIONS_TAG);
       const bool has_public_key_tag = tag_is_present(item, list->codec, PUBLIC_KEY_TAG);
@@ -80,12 +89,12 @@ verify_seis(test_stream_t *list, struct sv_setting setting)
       // Verify SEI sizes if emulation prevention is turned off.
       if (setting.auth_level == SV_AUTHENTICITY_LEVEL_GOP && !setting.ep_before_signing) {
         // For GOP level authenticity, all SEIs should have the same size
-        ck_assert(item->data_size == sei_size);
+        ck_assert(item->data_size == (bu.is_signed ? sei_size_signed : sei_size_unsigned));
       }
       // Verify that SEI sizes increase over time.
       if (setting.increased_sei_size) {
-        ck_assert_int_ge(item->data_size, sei_size);
-        sei_size = item->data_size;
+        ck_assert_int_ge(item->data_size, sei_size_signed);
+        sei_size_signed = item->data_size;
       }
       if (setting.max_sei_payload_size > 0) {
         // Verify the SEI size. This overrides the authenticity level.
@@ -111,14 +120,14 @@ verify_seis(test_stream_t *list, struct sv_setting setting)
         ck_assert(has_optional_tags);
         // Verify that signatures follow the signing_frequency.
         if (num_seis % setting.signing_frequency == 0) {
-          ck_assert(has_signature);
+          ck_assert(bu.is_signed);
         } else {
-          ck_assert(!has_signature);
+          ck_assert(!bu.is_signed);
         }
       }
       // Verify that a golden SEI has a signature.
       if (bu.is_golden_sei) {
-        ck_assert(has_signature);
+        ck_assert(bu.is_signed);
       }
       // Verify that Axis vendor tag is present.
       ck_assert(!((setting.vendor_axis_mode > 0) ^ has_axis_tag));
@@ -198,6 +207,13 @@ START_TEST(api_inputs)
   sv_rc = signed_video_set_private_key(sv, private_key, private_key_size);
   ck_assert_int_eq(sv_rc, SV_OK);
 
+  // Check setting signing_frequency
+  sv_rc = signed_video_set_signing_frequency(NULL, 1);
+  ck_assert_int_eq(sv_rc, SV_INVALID_PARAMETER);
+  sv_rc = signed_video_set_signing_frequency(sv, 0);
+  ck_assert_int_eq(sv_rc, SV_INVALID_PARAMETER);
+  sv_rc = signed_video_set_signing_frequency(sv, 2);
+  ck_assert_int_eq(sv_rc, SV_OK);
   // Check setting recurrence
   sv_rc = signed_video_set_recurrence_interval_frames(NULL, 1);
   ck_assert_int_eq(sv_rc, SV_INVALID_PARAMETER);
@@ -884,6 +900,22 @@ START_TEST(limited_sei_payload_size)
 }
 END_TEST
 
+/* Test description
+ * Verifies the signing frequency setter, that is, signing multiple GOPs. */
+START_TEST(signing_multiple_gops)
+{
+  struct sv_setting setting = settings[_i];
+  // Select a signing frequency longer than every GOP.
+  const unsigned signing_frequency = 2;
+  setting.signing_frequency = signing_frequency;
+  test_stream_t *list = create_signed_stream("IPPIPPIPPIPPIP", setting);
+  test_stream_check_types(list, "IPPIsPPISPPIsPPISP");
+  verify_seis(list, setting);
+
+  test_stream_free(list);
+}
+END_TEST
+
 /* Test description
  * Verifies the setter for maximum Bitstream Units before signing, that is, triggers
  * signing partial GOPs. */
@@ -951,6 +983,7 @@ signed_video_suite(void)
   tcase_add_loop_test(tc, golden_sei_created, s, e);
   tcase_add_loop_test(tc, w_wo_emulation_prevention_bytes, s, e);
   tcase_add_loop_test(tc, limited_sei_payload_size, s, e);
+  tcase_add_loop_test(tc, signing_multiple_gops, s, e);
   tcase_add_loop_test(tc, signing_partial_gops, s, e);
   tcase_add_loop_test(tc, signing_mulitslice_stream_partial_gops, s, e);
 

tests/check/test_helpers.c

@@ -506,6 +506,7 @@ get_initialized_signed_video(struct sv_setting settings, bool new_private_key)
   ck_assert_int_eq(signed_video_set_authenticity_level(sv, settings.auth_level), SV_OK);
   ck_assert_int_eq(signed_video_set_max_sei_payload_size(sv, settings.max_sei_payload_size), SV_OK);
   ck_assert_int_eq(signed_viedo_set_max_signing_frames(sv, settings.max_signing_frames), SV_OK);
+  ck_assert_int_eq(signed_video_set_signing_frequency(sv, settings.signing_frequency), SV_OK);
   ck_assert_int_eq(signed_video_set_hash_algo(sv, settings.hash_algo_name), SV_OK);
   if (settings.codec != SV_CODEC_AV1) {
     ck_assert_int_eq(signed_video_set_sei_epb(sv, settings.ep_before_signing), SV_OK);

tests/check/test_stream.c

@@ -127,8 +127,10 @@ get_type_char(const uint8_t *data, size_t data_size, SignedVideoCodec codec)
         type = 'Z';
       else if (bu.is_golden_sei)
         type = 'G';
-      else
+      else if (bu.is_signed)
         type = 'S';
+      else
+        type = 's';
       break;
     }
     default: