Verimatrix

The Verimatrix VCAS Common Encoder Interface (CEI) has two interfaces:

  • Native

  • CPIX

Both are supported.

Using CPIX

The CEI CPIX interface supports the DASH-IF CPIX v2.0 and v2.1 specifications. It protects content with Verimatrix Internet TV, Microsoft PlayReady, Google Widevine, and Apple FairPlay Streaming digital rights management (DRM) schemes. It also supports key rotation using multiple keys per content item.

The CEI CPIX interface returns DRM-specific protection data based on the list of system IDs (systemIds) passed in the request payload. For Common Encryption, you can list multiple DRMSystem elements (containing systemIds) in the DRMSystemList element of the CPIX document.

To use key rotation, provide the index/position in the contentKeyPeriod attribute of the request body. If you do not provide the index/position, the system considers the content item to be VOD and creates a key for position 0.

The following example requests VOD encryption keys for Microsoft PlayReady, Google Widevine, Verimatrix ITV HLS, and Apple FairPlay:

#!/bin/bash

# POST the CPIX request document; the XML body is passed to -d as one quoted argument
curl -v -X POST -H 'Content-Type: application/xml' 'http://localhost:8058/cpix/v1.1' -d \
'<?xml version="1.0"?>
<cpix:CPIX
    xmlns:cpix="urn:dashif:org:cpix"
    xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" contentId="test_vod">
    <cpix:ContentKeyList>
        <cpix:ContentKey kid="54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b"></cpix:ContentKey>
    </cpix:ContentKeyList>
    <cpix:DRMSystemList>
        <cpix:DRMSystem systemId="9a04f079-9840-4286-ab92-e65be0885f95" kid="54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b">
            <!-- PlayReady -->
            <cpix:PSSH/>
            <cpix:ContentProtectionData/>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b">
            <!-- Widevine -->
            <cpix:PSSH/>
            <cpix:ContentProtectionData/>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="9a27dd82-fde2-4725-8cbc-4234aa06ec09" kid="54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b">
            <!-- Verimatrix ITV HLS -->
            <cpix:PSSH/>
            <cpix:ContentProtectionData/>
        </cpix:DRMSystem>
        <cpix:DRMSystem systemId="94ce86fb-07ff-4f43-adb8-93d2fa968ca2" kid="54f7d90a-bc2f-bc9b-08d4-bbeac4ccf08b">
            <!-- FairPlayStreaming -->
            <cpix:PSSH/>
            <cpix:ContentProtectionData/>
        </cpix:DRMSystem>
    </cpix:DRMSystemList>
</cpix:CPIX>'

The response is a CPIX document containing content keys, PSSH boxes and HLSSignalingData as defined by the CPIX specification. Please consult the Verimatrix manual for your specific use case.

Using the Native API

You need to fetch a content key with the VCAS API and pass it on the command line when creating the server manifest. Obtaining a key from the VCAS license server is a two-step process.

The first step is to create a key, for instance:

# create 1 key (c=1)
curl -v \
 -X POST \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&c=1'

  • the HTTP verb used is POST

  • the c parameter is used to indicate the number of keys to create

The second step is to get the created key:

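# get the key (p=0); write the raw bytes to a file, because a shell
# variable cannot hold the NUL bytes a binary key may contain
curl -v \
 -X GET \
 -o key.bin \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0'

  • the HTTP verb used is GET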

  • the p parameter is used to indicate which key should be returned

The second call returns a binary key, which should be converted to hex (base16) before it can be used with mp4split.

Creating a server manifest with Verimatrix VCAS

The following command creates a server manifest file with the key information embedded:

#!/bin/bash

curl -v \
 -X POST \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&c=1'

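# Fetch the key as raw bytes into a file; a shell variable would drop
# any NUL bytes in the binary key
curl -v \
 -X GET \
 -o key.bin \
 'http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0'

# Convert the binary key to hex (base16)
key_hex16=$(hexdump -v -e '16/1 "%02x"' key.bin)

# The KID is left empty for AES-128, so the value starts with a colon
mp4split -o video.ism \
  --hls.key=:"${key_hex16}" \
  --hls.license_server_url="http://VERIMATRIX_URL/CAB/keyfile?r=YOUR_USER_ID&t=VOD&p=0" \
  video.ismv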

Please note that in the above example some dummy values are used:

  • you need to provide values for r, t, c and p (see the Verimatrix documentation)

  • VERIMATRIX_URL should be replaced with the URL provided by Verimatrix

  • YOUR_USER_ID should be replaced with your customer id, provided by Verimatrix

  • VOD can also be another type (see the Verimatrix documentation)

Adding AES-128 Encryption

--hls.key

The key id (KID) and content encryption key (CEK) are passed with the --hls.key option where KID and CEK are separated by a colon, e.g. --hls.key=KID:CEK

As no KID is used for AES-128, this can be left empty. The CEK is a (random) 128-bit value and must be encoded in hex (base16).

--hls.license_server_url

The URL used by the player to retrieve the key.

Adding PlayReady Envelope DRM

New in version 1.6.9.

USP supports adding 'PlayReady Envelope' (PRE) encryption to presentations played out to, for instance, the Inside Secure player. The encryption is applied on the fly, so no preprocessing is involved. The options for enabling encryption are stored in the server manifest file.

For PlayReady Envelope encryption, a KID:CEK pair and a license acquisition URL are needed.

--iss.key

The 128-bit Key ID (KID) and 128-bit Content Encryption Key (CEK) are passed with the --iss.key option, where KID and CEK are separated by a colon, e.g. --iss.key=KID:CEK

Both KID and CEK must be encoded in base16 (hex).

Note

The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianness as we always use a big-endian UUID representation of the KID.

--iss.license_server_url

The URL of the license server used.

--hls.playout

The string 'playready_envelope' indicating PRE.

Example

The following command creates a server manifest file with the key information embedded:

#!/bin/bash

KID=7C9AA2B68306466F882D75BED922CD25
CEK=827eb4cef2afa2afe8fe5d2c374cd60e
LAURL=https://test.playready.microsoft.com/service/rightsmanager.asmx

MP4SPLIT_OPTIONS=
MP4SPLIT_OPTIONS+=" --iss.key=${KID}:${CEK}"
MP4SPLIT_OPTIONS+=" --iss.license_server_url=${LAURL}"
MP4SPLIT_OPTIONS+=" --hls.playout=playready_envelope"

mp4split -o video.ism ${MP4SPLIT_OPTIONS} video.ismv
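
The byte swap described in the note under --iss.key, as an added example that is not part of the original documentation or of USP. The function names are hypothetical, the sample values are constructed as the little-endian form of the KID used above, and `base64 -d`, `od` and `sed -E` are assumed to be available.

```shell
#!/bin/sh
# Added example: convert a PlayReady little-endian GUID into the
# big-endian hex KID expected by --iss.key. Function names are hypothetical.

# Validate 32 hex digits, then reverse the byte order of the first three
# GUID fields (4, 2 and 2 bytes); the last 8 bytes keep their order.
guid_swap_hex() {
  gs_hex=$1
  case $gs_hex in
    *[!0-9a-f]*|'') echo "KID is not hex: $gs_hex" >&2; return 1 ;;
  esac
  if [ "${#gs_hex}" -ne 32 ]; then
    echo "KID must be 128 bits (32 hex digits), got ${#gs_hex}" >&2
    return 1
  fi
  printf '%s\n' "$gs_hex" | sed -E \
    's/^(..)(..)(..)(..)(..)(..)(..)(..)(.{16})$/\4\3\2\1\6\5\8\7\9/'
}

# Input: GUID text, with or without braces and dashes, in any case.
kid_from_guid() {
  guid_swap_hex "$(printf '%s' "$1" | tr -d '{}-' | tr 'A-F' 'a-f')"
}

# Input: base64 of the 16 raw GUID bytes, which is how the KID appears
# in a PlayReady header (WRMHEADER).
kid_from_base64() {
  guid_swap_hex "$(printf '%s' "$1" | base64 -d 2>/dev/null |
    od -An -v -tx1 | tr -d ' \n')"
}

# Constructed samples: both are the little-endian form of the KID
# 7C9AA2B68306466F882D75BED922CD25 used in the example above.
kid_from_guid '{B6A29A7C-0683-6F46-882D-75BED922CD25}'
kid_from_base64 'tqKafAaDb0aILXW+2SLNJQ=='
```

The swap is its own inverse, so guid_swap_hex also turns a big-endian KID back into the GUID byte order.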

Server Manifest and Playlist

The generated server manifest file (video.ism) now holds the key information. When a client requests an .m3u8 playlist, the webserver module will provide it. Please note that with PRE no signaling is present in the m3u8. The MPEG-TS fragments are encrypted on the fly when they are requested (and will contain the signaling).