Command-line options for specifying CPIX document URLs

CPIX encryption options

As the title states, this section discusses the use of CPIX document URLs for server manifest creation. The examples below all use files, but of course actual URLs using HTTP(S) may be used too (as long as they resolve to a valid, relevant CPIX document).

Note

When packaging for HLS the CPIX document must be used when creating the CMFV/A or TS files. See for instance the Multi-DRM protected HLS and DASH from a shared CMAF source outline for an example.

--iss.cpix, --hds.cpix, --hls.cpix, --mpd.cpix

These options specify the URL of the CPIX document that controls encryption for a specific playout format. For example, the following command line generates a manifest file that uses tears-of-steel_hls.cpix when HTTP Live Streaming (HLS) is requested:

#!/bin/bash

mp4split -o tears-of-steel.ism \
  --hls.cpix=tears-of-steel_hls.cpix \
  tears-of-steel-aac-128k.mp4 \
  tears-of-steel-avc1-750k.mp4 \
  tears-of-steel-avc1-1500k.mp4

--cpix

This option specifies the CPIX document that controls encryption when no format-specific CPIX document was specified for the requested playout format. For example, the following command line generates a manifest file that uses tears-of-steel_hls.cpix when HTTP Live Streaming (HLS) is requested, tears-of-steel_iss.cpix when HTTP Smooth Streaming (HSS) is requested, and tears-of-steel_fallback.cpix for the other playout formats:

#!/bin/bash

mp4split -o tears-of-steel.ism \
  --hls.cpix=tears-of-steel_hls.cpix \
  --iss.cpix=tears-of-steel_iss.cpix \
  --cpix=tears-of-steel_fallback.cpix \
  tears-of-steel-aac-128k.mp4 \
  tears-of-steel-avc1-750k.mp4 \
  tears-of-steel-avc1-1500k.mp4

Note

To prevent unintentional playout in the clear, the use of any of the --iss.cpix, --hds.cpix, --hls.cpix, or --mpd.cpix options disables playout for formats for which no CPIX document URL has been specified. To explicitly enable playout in the clear, an empty CPIX document (without any <ContentKey> elements) may be used.

--allow-unencrypted

In some cases, the Content key selection algorithm may not find any suitable content key for a particular (part of a) track. By default, to avoid unintentional playout in the clear, this will lead to an error. The --allow-unencrypted option overrides this behavior.

In the following example, we provide a CPIX document leading-clear.cpix that uses a <KeyPeriodFilter> to exclude the first 30 seconds of playout from encryption:

#!/bin/bash

mp4split -o tears-of-steel.ism \
  --allow-unencrypted \
  --cpix=leading-clear.cpix \
  tears-of-steel-aac-128k.mp4 \
  tears-of-steel-avc1-750k.mp4 \
  tears-of-steel-avc1-1500k.mp4

CPIX decryption option

--decrypt_cpix

Content can be pre-encrypted, in which case decryption information is necessary to play the content out in the clear or to play it out using a different DRM system.

The following example shows pre-encrypted content on disk that will be played in the clear with decryption information from "decrypt.cpix".

#!/bin/bash

mp4split -o tears-of-steel.ism \
  --decrypt_cpix=decrypt.cpix \
  enc-tears-of-steel-aac-128k.ismv \
  enc-tears-of-steel-avc1-750k.ismv \
  enc-tears-of-steel-avc1-1500k.ismv

The provided CPIX document "decrypt.cpix" only has a <ContentKeyList>:

<?xml version="1.0" encoding="utf-8"?>
<CPIX xmlns="urn:dashif:org:cpix"
  xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
  <ContentKeyList>
    <ContentKey kid="10000000-1000-1000-1000-100000000001">
      <Data>
        <pskc:Secret>
          <pskc:PlainValue>OiobaN0r2bLusl6ExHdmaA==</pskc:PlainValue>
        </pskc:Secret>
      </Data>
    </ContentKey>
  </ContentKeyList>
</CPIX>
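
An added example (not part of the original documentation or of mp4split): a pre-flight audit of a CPIX document before it is passed to one of the options above. It flags the two conditions this page describes, a document without <ContentKey> elements (playout in the clear) and keys carried as pskc:PlainValue. The function name audit_cpix, the 16-byte key length check, and the empty sample document are assumptions of this example.

```python
import base64
import uuid
import xml.etree.ElementTree as ET  # for trusted local files; not hardened against hostile XML

NS = {"cpix": "urn:dashif:org:cpix",
      "pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# The page's decrypt.cpix with the schemaLocation attributes trimmed.
DECRYPT_CPIX = """<CPIX xmlns="urn:dashif:org:cpix"
  xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
  <ContentKeyList>
    <ContentKey kid="10000000-1000-1000-1000-100000000001">
      <Data><pskc:Secret>
        <pskc:PlainValue>OiobaN0r2bLusl6ExHdmaA==</pskc:PlainValue>
      </pskc:Secret></Data>
    </ContentKey>
  </ContentKeyList>
</CPIX>"""
# Constructed sample: a CPIX document without any <ContentKey> elements.
EMPTY_CPIX = '<CPIX xmlns="urn:dashif:org:cpix"><ContentKeyList/></CPIX>'

def audit_cpix(xml_text):
    """Return (severity, message) findings for one CPIX document."""
    findings = []
    keys = ET.fromstring(xml_text).findall(".//cpix:ContentKey", NS)
    if not keys:
        findings.append(("warn", "no <ContentKey>: playout in the clear"))
    for key in keys:
        kid = key.get("kid", "")
        try:
            uuid.UUID(kid)
        except ValueError:
            findings.append(("error", f"kid {kid!r} is not a UUID"))
        plain = key.find(".//pskc:PlainValue", NS)
        if plain is None:
            continue  # key is not carried in the clear; nothing to inspect
        findings.append(("warn", f"{kid}: key stored as pskc:PlainValue"))
        try:
            raw = base64.b64decode((plain.text or "").strip(), validate=True)
        except ValueError:
            findings.append(("error", f"{kid}: key is not valid base64"))
            continue
        if len(raw) != 16:  # assumption: 128-bit content keys
            findings.append(("error", f"{kid}: key is {len(raw)} bytes, not 16"))
    return findings

if __name__ == "__main__":
    for name, doc in (("decrypt.cpix", DECRYPT_CPIX), ("empty.cpix", EMPTY_CPIX)):
        for severity, message in audit_cpix(doc):
            print(f"{name}: {severity}: {message}")
```

A document that carries its keys as pskc:PlainValue holds the content key itself, so the file and any URL serving it need the same access restrictions as the key.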

Creating a CPIX document from a manifest

A CPIX document can be created in mp4split using a manifest as input:

#!/bin/bash

mp4split -o tears-of-steel.cpix tears-of-steel.ism[l]