Viaccess Orca

New in version 1.9.0.

Adding VO DRM

The options for enabling encryption are stored in the server manifest file. Viaccess Orca encryption requires a content encryption key (CEK) and a key ID (KID). You need to provide the following options:

--vodrm.key

The KID and CEK are passed with the --vodrm.key option where KID and CEK are separated by a colon, e.g. --vodrm.key=KID:CEK

Both KID and CEK must be coded in hex (base16).

--vodrm.drm_specific_data

The DRM-specific data: the full "pssh" version 1 box. It can be given either as a Base64 string or as a file containing the decoded Base64 data. The file name must include a '.'.

The box must contain a KID that refers to the previously provided --vodrm.key option.

Example

#!/bin/bash

KID=000102030405060708090a0b0c0d0e0f
CEK=000102030405060708090a0b0c0d0e0f

mp4split -o video.ism \
  --vodrm.key=${KID}:${CEK} \
  --vodrm.drm_specific_data=pssh.bin \
  video.ismv

Adding Viaccess-Orca (Discretix) PlayReady for HLS

This option supports PlayReady HLS using Viaccess-Orca (Discretix).

The webserver adds protection to the HLS audio and video streams on-the-fly with Discretix PlayReady HLS.

USP provides the following options for Viaccess-Orca (Discretix) PlayReady HLS protection:

--dxdrm.key

The 128-bit Key ID (KID) and 128-bit Content Encryption Key (CEK) are passed with the --dxdrm.key option, where KID and CEK are separated by a colon, e.g. --dxdrm.key=KID:CEK

Both KID and CEK must be coded in hex (base16).

Note

The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianness as we always use a big-endian UUID representation of the KID.

--dxdrm.key_iv

Specifies the initialization vector (64 bits).

--dxdrm.license_server_url

The URL of the license server(s) used.

The following example creates a VOD server manifest with mp4split and embeds the key information in the server manifest.

Example for generating a server manifest with Discretix PlayReady DRM:

mp4split -o discretix.ism \
  --dxdrm.key=7C9AA2B68306466F882D75BED922CD25:27eb4cef2afa2afe8fe5d2c374cd60e \
  --dxdrm.license_server_url="http://test.playready.microsoft.com/service/rightsmanager.asmx?PlayRight=1&UseSimpleNonPersistentLicense=1" \
  video.ismv

Once you have generated the server manifest file, as in the example above, all the key information is embedded in the server manifest.

When a client requests an .m3u8 playlist, the webserver module automatically inserts the proper tag (#EXT-X-DXDRMINFO:KEYREF), and the MPEG-TS fragments are encrypted on the fly as they are requested.

An example .m3u8 playlist:

#EXTM3U
#EXT-X-VERSION:1
#EXT-X-DXDRM:VERSION=3.0,MECHANISM=PLAYREADY
#EXT-X-DXDRMINFO:KEYREF="x-keyref://playready?KID=tqKafAaDb0aILXW+2SLNJQ==",
HEADER="PABXAFIATQBIAEUAQQBEAEUAUgAgAHgAbQBsAG4AcwA9ACIAaAB0AHQAcAA6AC8ALwBzAGMAaABlAG0AYQBzAC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEQAUgBNAC8AMgAwADAANwAvADAAMwAvAFAAbABhAHkAUgBlAGEAZAB5AEgAZQBhAGQAZQByACIAIAB2AGUAcgBzAGkAbwBuAD0AIgA0AC4AMAAuADAALgAwACIAPgA8AEQAQQBUAEEAPgA8AFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBFAFkATABFAE4APgAxADYAPAAvAEsARQBZAEwARQBOAD4APABBAEwARwBJAEQAPgBBAEUAUwBDAFQAUgA8AC8AQQBMAEcASQBEAD4APAAvAFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBJAEQAPgB0AHEASwBhAGYAQQBhAEQAYgAwAGEASQBMAFgAVwArADIAUwBMAE4ASgBRAD0APQA8AC8ASwBJAEQAPgA8AEMASABFAEMASwBTAFUATQA+AGEAUABSAEsAaABjAEwAcQBxAGEAQQA9ADwALwBDAEgARQBDAEsAUwBVAE0APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcAA6AC8ALwBwAGwAYQB5AHIAZQBhAGQAeQAuAGQAaQByAGUAYwB0AHQAYQBwAHMALgBuAGUAdAAvAHAAcgAvAHMAdgBjAC8AcgBpAGcAaAB0AHMAbQBhAG4AYQBnAGUAcgAuAGEAcwBtAHgAPwBQAGwAYQB5AFIAaQBnAGgAdAA9ADEAJgBhAG0AcAA7AFUAcwBlAFMAaQBtAHAAbABlAE4AbwBuAFAAZQByAHMAaQBzAHQAZQBuAHQATABpAGMAZQBuAHMAZQA9ADEAPAAvAEwAQQBfAFUAUgBMAD4APAAvAEQAQQBUAEEAPgA8AC8AVwBSAE0ASABFAEEARABFAFIAPgA="
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=319060,CODECS="mp4a.40.2,avc1.66.30",RESOLUTION=304x128
dxdrm-audio=65000-video=236000.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=68900,CODECS="mp4a.40.2"
dxdrm-audio=65000.m3u8
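
The endianness note under --dxdrm.key can be checked against the values on this page: the KID in the playlist's KEYREF is the Base64 form of a little-endian GUID, and byte-swapping it gives the big-endian hex KID passed to --dxdrm.key. The following is an added example, not part of the original documentation or of the USP tools; the function names are hypothetical and the sample CEK is constructed.

```python
import base64
import re
import uuid

HEX128 = re.compile(r"[0-9a-fA-F]{32}")  # 128 bits as hex (base16)


def guid_b64_to_kid_hex(kid_b64):
    """Base64 little-endian GUID (as in KEYREF) -> big-endian hex KID."""
    raw = base64.b64decode(kid_b64, validate=True)
    if len(raw) != 16:
        raise ValueError("KID must decode to 16 bytes, got %d" % len(raw))
    # bytes_le undoes the swap of the first three GUID fields
    return uuid.UUID(bytes_le=raw).hex.upper()


def kid_hex_to_guid_b64(kid_hex):
    """Big-endian hex KID -> Base64 little-endian GUID."""
    if not HEX128.fullmatch(kid_hex):
        raise ValueError("KID must be exactly 32 hex digits")
    return base64.b64encode(uuid.UUID(hex=kid_hex).bytes_le).decode("ascii")


def check_key_option(value, license_kid_b64):
    """Validate a KID:CEK option value against the license server's KID."""
    kid, sep, cek = value.partition(":")
    if not sep:
        raise ValueError("expected KID:CEK separated by a colon")
    for name, part in (("KID", kid), ("CEK", cek)):
        if not HEX128.fullmatch(part):
            # Report only the length so the CEK never ends up in logs.
            raise ValueError("%s has %d characters, need 32 hex digits"
                             % (name, len(part)))
    if kid.upper() != guid_b64_to_kid_hex(license_kid_b64):
        raise ValueError("KID mismatch: is the KID still a little-endian GUID?")
    return kid.upper()


PAGE_KID_HEX = "7C9AA2B68306466F882D75BED922CD25"  # --dxdrm.key KID on this page
PAGE_KID_B64 = "tqKafAaDb0aILXW+2SLNJQ=="          # KEYREF KID in the playlist
SAMPLE_CEK = "00112233445566778899AABBCCDDEEFF"    # constructed, not a real key

if __name__ == "__main__":
    print(guid_b64_to_kid_hex(PAGE_KID_B64))
    print(check_key_option(PAGE_KID_HEX + ":" + SAMPLE_CEK, PAGE_KID_B64))
```

Running a check like this before mp4split catches both a KID that was pasted in GUID byte order and a key that is not exactly 128 bits.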