HTTP Smooth Streaming (HSS)
Adding PlayReady DRM
USP supports PlayReady DRM. The encryption is applied on-the-fly, so there is no preprocessing involved. The options for enabling encryptions are stored in the server manifest file.
Demo streams can be found in the Unified Streaming Demo.
Options for PlayReady
You can enable PlayReady encryption by providing the following options while creating the server manifest.
--iss.key
The 128 bits Key ID (KID) and 128 bits Content Encryption Key (CEK) are passed
with the --iss.key option where KID and CEK are separated by a colon,
e.g. --iss.key=KID:CEK
The KID uniquely identifies the content. The CEK is the Content Encryption Key. Note this is NOT the PlayReady Key Seed, but the actual content encryption key.
Both KID and CEK must be coded in hex (base16).
Note
The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianess as we always use a big-endian UUID representation of the KID.
--iss.key_iv
The 64 bit AES Initialization Vector (IV). This is a random 64 bit value.
The key_iv is used 'as-is', so you must make sure to guarantee that it is unique when encrypting multiple tracks (the key_iv may be used only once with a certain CEK).
When no key_iv is provided one will be generated.
--iss.license_server_url
The URL used by the player to retrieve the key.
--iss.drm_specific_data
Generally this option is not needed for PlayReady as the software will generate a PlayReady Header Object from the given key information.
The --iss.drm_specific_data parameter specifies the (complete) PlayReady header object (PRO) as a Base64 string.
Normally, if drm_specific_data is necessary, that information is created by the DRM provider.
The optional CUSTOMATTRIBUTES element is part of the WRMHEADER comprising the PRO.
In order to add a custom attribute or extension, it is required to first create a well-formed UTF16 WRMHEADER file (see: https://www.microsoft.com/playready/documents/)
You would then pass the complete PRO in --iss.drm_specific_data as a Base64 encoded string.
Note
This simply replaces the pssh box in the mp4s init segment (which by default would be synthesized from other drm parameters). For details about the WRMHEADER syntax, please refer to Microsoft's documentation.
Use the Webserver for on-the-fly PlayReady
VOD Example
The following command creates a VOD server manifest file with the key information embedded:
#!/bin/bash
KID=10000000100010001000100000000001
CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID_UUID=10000000-1000-1000-1000-100000000001 #UUID representation of KID
CEK_B64="OiobaN0r2bLusl6ExHdmaA==" #Base64 byte array representation of CEK
LAURL="https://test.playready.microsoft.com/service/rightsmanager.asmx?cfg=(kid:${KID_UUID},contentkey:${CEK_B64},ckt:aesctr)"
mp4split -o video.ism \
--iss.key=$KID:$CEK
--iss.license_server_url=$LAURL
video.ismv
Live Example
The following command creates a Live server manifest file with the key information embedded:
#!/bin/bash
KID=10000000100010001000100000000001
CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID_UUID=10000000-1000-1000-1000-100000000001 #UUID representation of KID
CEK_B64="OiobaN0r2bLusl6ExHdmaA==" #Base64 byte array representation of CEK
LAURL="https://test.playready.microsoft.com/service/rightsmanager.asmx?cfg=(kid:${KID_UUID},contentkey:${CEK_B64},ckt:aesctr)"
mp4split -o channel1.isml \
--iss.key=$KID:$CEK
--iss.license_server_url=$LAURL
Please note the different extension for the Live server manifest: '.isml'
Generating a ContentKey from a KeyId and KeySeed
If your license server does not give you a ContentKey, but only a KeyId and KeySeed then you may have to generate the ContentKey yourself. The ContentKey is derived from the KeyId and KeySeed and more information may be available in the technical specification 'PlayReady Header Object' document.