A brief look at ACSM files
Adobe's accursed eBook DRM is just the worst. Not only does it lock up books that you have purchased - but it's impossible to use sensibly on Linux.
Sure, you can futz around with Docker, WINE, and old versions of Python - and if you're lucky, you might get a book out of it.
I wasn't quite so lucky. I wanted to see if I could download an ePub without using Adobe Digital Editions. Spoilers! I couldn't. But this is what I found.
The First ACSM file
When you buy an eBook, the vendor sends you a .acsm file. Adobe Content Server Message is a simple XML file. This is what it looks like and what each line means:
<fulfillmentToken fulfillmentType="buy" auth="user" xmlns="http://ns.adobe.com/adept">
<distributor>urn:uuid:b479af7f-09bf-48f5-a6c6-...</distributor>
<operatorURL>http://drm.firebrandtech.com/fulfillment</operatorURL>
<transaction>67809895895d46aab...</transaction>
<expiration>2021-07-19T18:55:59-04:00</expiration>
This states that I've purchased the book, who distributes it, where the download server is, and some metadata.
Next, metadata about the book:
<resourceItemInfo>
<resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
<resourceItem>0</resourceItem>
<metadata>
<dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">The End of Bias</dc:title>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Nordell</dc:creator>
<dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">Granta Publications</dc:publisher>
<dc:identifier xmlns:dc="http://purl.org/dc/elements/1.1/">urn:ean:9781846276774</dc:identifier>
<dc:format xmlns:dc="http://purl.org/dc/elements/1.1/">application/pdf</dc:format>
</metadata>
<licenseToken>
<resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
<permissions>
<display/>
<excerpt/>
<print/>
<play/>
</permissions>
</licenseToken>
</resourceItemInfo>
Finally, a digital signature:
<hmac>rL4Ttn7ASp16Y4...=</hmac>
</fulfillmentToken>
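As an added example (not code from the original post or from Adobe), here is a small Python parser for the first .acsm layout shown above. It pulls out the fields and flags an operatorURL that is not HTTPS or an expiration that has passed. The sample document and all of its values are constructed, and summarize_acsm is a hypothetical name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"a": "http://ns.adobe.com/adept", "dc": "http://purl.org/dc/elements/1.1/"}

# Constructed sample in the layout shown above; every value is a placeholder.
SAMPLE = """<fulfillmentToken fulfillmentType="buy" auth="user" xmlns="http://ns.adobe.com/adept">
  <distributor>urn:uuid:00000000-0000-0000-0000-000000000001</distributor>
  <operatorURL>http://drm.example.com/fulfillment</operatorURL>
  <expiration>2021-07-19T18:55:59-04:00</expiration>
  <resourceItemInfo>
    <resource>urn:uuid:00000000-0000-0000-0000-000000000002</resource>
    <metadata>
      <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">Sample Book</dc:title>
      <dc:format xmlns:dc="http://purl.org/dc/elements/1.1/">application/pdf</dc:format>
    </metadata>
    <licenseToken><permissions><display/><print/></permissions></licenseToken>
  </resourceItemInfo>
  <hmac>Y29uc3RydWN0ZWQ=</hmac>
</fulfillmentToken>"""


def summarize_acsm(text, now=None):
    """Parse a fulfillmentToken and return its fields plus review warnings."""
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations are not expected in an .acsm file")
    root = ET.fromstring(text)
    if root.tag != "{%s}fulfillmentToken" % NS["a"]:
        raise ValueError("not an ADEPT fulfillmentToken")
    info = {
        "operator_url": root.findtext("a:operatorURL", "", NS).strip(),
        "expiration": datetime.fromisoformat(root.findtext("a:expiration", "", NS).strip()),
        "title": root.findtext(".//dc:title", None, NS),
        "format": root.findtext(".//dc:format", None, NS),
        "permissions": sorted(p.tag.split("}")[1] for p in root.findall(".//a:permissions/*", NS)),
        "warnings": [],
    }
    if urlparse(info["operator_url"]).scheme != "https":
        info["warnings"].append("operatorURL is not HTTPS; the fulfilment request is sent unencrypted")
    if info["expiration"] < (now or datetime.now(timezone.utc)):
        info["warnings"].append("expiration timestamp is in the past")
    return info


if __name__ == "__main__":
    for key, value in summarize_acsm(SAMPLE).items():
        print(f"{key}: {value}")
```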
The Second ACSM file
When you open the .acsm file in Adobe Digital Editions (ADE), the software creates a new .acsm file. This one is signed with the key that Adobe generates when you register with it. This is what the file looks like and what each line means:
First, information about me as a user, and my device:
<fulfill xmlns="http://ns.adobe.com/adept">
<user>urn:uuid:99b1e32d-5b39-4968-8ef6-c5cb6a739ec8</user>
<device>urn:uuid:ac790662-5da0-4075-aee2-99b3c4592619</device>
<deviceType>standalone</deviceType>
Then a repeat of the original .acsm:
<fulfillmentToken fulfillmentType="buy" auth="user">
<distributor>urn:uuid:b479af7f-09bf-48f5-a6c6-...</distributor>
<operatorURL>http://drm.firebrandtech.com/fulfillment</operatorURL>
<transaction>67809895895d46...</transaction>
<expiration>2021-07-19T18:55:59-04:00</expiration>
<resourceItemInfo>
<resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
<resourceItem>0</resourceItem>
<metadata>
<dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">The End of Bias</dc:title>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jessica Nordell</dc:creator>
<dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">Granta Publications</dc:publisher>
<dc:identifier xmlns:dc="http://purl.org/dc/elements/1.1/">urn:ean:9781846276774</dc:identifier>
<dc:format xmlns:dc="http://purl.org/dc/elements/1.1/">application/pdf</dc:format>
</metadata>
<licenseToken>
<resource>urn:uuid:77d79621-0e96-4f4f-8fee-...</resource>
<permissions>
<display/>
<excerpt/>
<print/>
<play/>
</permissions>
</licenseToken>
</resourceItemInfo>
Then, a different HMAC:
<hmac>rL4Ttn7ASp16...=</hmac>
</fulfillmentToken>
And, finally, another digital signature:
<signature>znoLnR2A4wG1uE85oXPYzSZjTRNo76ctgfR8COY8nlNTCcPge9O6VeB5UY...=</signature>
</fulfill>
POSTING the file
Digital Editions then posts the new .acsm file to the DRM server mentioned. It replies with a location where the file can be downloaded from. In this case:
http://drm.firebrandtech.com/media/77d79621-0e96-4f4f-8fee-....pdf
That's literally just the resource's UUID as the filename. It can be downloaded and opened in ADE.
Signing the file yourself
So, if you've downloaded the first .acsm file and have your encryption keys extracted from ADE, you can sign it yourself, right?
I dunno. I'm no good at reverse engineering binaries. I suspect so. ADE is a Shockwave / Flash app - so I doubt it has anything too taxing in there - but it is beyond my skillset.