Insys Cloud DRM
Using CPIX
The Cloud DRM service from Insys Video Technologies allows you to generate a CPIX document via its API, simplifying the encryption setup process.
The API request is using a CPIX document, the response is a CPIX document as well, containing the requested encryption keys.
The method described in this section generates a CPIX version 2.3 document.
An example API call:
#!/bin/bash
curl 'https://drm-demo-4.api.drm.cloud/kms/cpix?tenantId=<YOUR_TENANT_ID>' \
-v \
-H 'Authorization: Basic <CREDENTIALS>' \
-H "Content-Type: application/xml" \
--data "@request.cpix" \
> response.cpix
The basic auth credentials are formed by base64 encoding the string
login:password which can be found in the service console.
The example request for Widevine in above example looks as follows:
<?xml version="1.0" encoding="utf-8"?>
<CPIX xmlns="urn:dashif:org:cpix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd"
contentId="content01-dash" version="2.3">
<ContentKeyList>
<ContentKey kid="d691fcbc-9c16-434b-8459-f4c68af39b66" commonEncryptionScheme="cenc" />
</ContentKeyList>
<DRMSystemList>
<DRMSystem kid="d691fcbc-9c16-434b-8459-f4c68af39b66" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" />
</DRMSystemList>
<ContentKeyUsageRuleList>
<ContentKeyUsageRule intendedTrackType="ANY" kid="d691fcbc-9c16-434b-8459-f4c68af39b66" />
</ContentKeyUsageRuleList>
</CPIX>
Other DRM systems as for intance Fairplay for HLS or PlayReady can be added as
well by adding kid and systemId to the <ContentKeyList>,
<DRMSystemList> and <ContentKeyUsageRuleList>.
An example response document, response.cpix in above call example looks as
follows:
<cpix:CPIX
xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
xmlns:speke="urn:aws:amazon:com:speke" contentId="content01-dash" version="2.3"
xmlns:cpix="urn:dashif:org:cpix">
<cpix:ContentKeyList>
<cpix:ContentKey commonEncryptionScheme="cenc" kid="d691fcbc-9c16-434b-8459-f4c68af39b66">
<cpix:Data>
<pskc:Secret>
<pskc:PlainValue>1bxPh2/PtpfM1Hmv8CY2dQ==</pskc:PlainValue>
</pskc:Secret>
</cpix:Data>
</cpix:ContentKey>
</cpix:ContentKeyList>
<cpix:DRMSystemList>
<cpix:DRMSystem kid="d691fcbc-9c16-434b-8459-f4c68af39b66" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<cpix:PSSH>AAAAaHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAAEgIARIQ1pH8vJwWQ0uEWfTGivObZhoFaW5zeXMiJGQ2OTFmY2JjLTljMTYtNDM0Yi04NDU5LWY0YzY4YWYzOWI2NioDQU5ZMgA=</cpix:PSSH>
</cpix:DRMSystem>
</cpix:DRMSystemList>
<cpix:ContentKeyUsageRuleList>
<cpix:ContentKeyUsageRule kid="d691fcbc-9c16-434b-8459-f4c68af39b66" intendedTrackType="ANY" />
</cpix:ContentKeyUsageRuleList>
</cpix:CPIX>
The PSSH information in the response is carried over in the DASH init segment.
Important
In case the manifest also need to signal the specific <ContentProtection>
element then the /kms/speke2/ needs to be used. It will add specific
signalling to the manifest that for Widevine for instance looks like below.
<!-- Widevine -->
<ContentProtection
schemeIdUri="urn:uuid:EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED">
<cenc:pssh>AAAAaHBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAAEgIARIQ1pH8vJwWQ0uEWfTGivObZhoFaW5zeXMiJGQ2OTFmY2JjLTljMTYtNDM0Yi04NDU5LWY0YzY4YWYzOWI2NioDQU5ZMgA=</cenc:pssh>
</ContentProtection>
The resulting CPIX document then can be used as outlined in Content Protection Information eXchange (CPIX), for instance:
#!/bin/bash
mp4split -o tears-of-steel-drmdemo2.ism \
--mpd.cpix=response.cpix \
--hls.cpix=response.cpix \
tears-of-steel-aac-128k.mp4 \
tears-of-steel-ac3-448k.mp4 \
tears-of-steel-avc1-750k.mp4 \
tears-of-steel-avc1-1000k.mp4 \
tears-of-steel-avc1-1500k.mp4 \
tears-of-steel-en.cmft
The example above is for VOD using mp4split directly, but Docker can be used
as well. Also, creating a server manifest for Live is done similarly.