search

shaka-project / shaka-packager

A media packaging and development framework for VOD and Live DASH and HLS applications, supporting Common Encryption for Widevine and other DRM Systems.
https://shaka-project.github.io/shaka-packager/
Other
1.99k stars 509 forks source link

FairPlay key rotation feature #540

Open Jason239 opened 5 years ago

Jason239 commented 5 years ago

Could you add the FairPlay key rotation feature if it doesn't supported now?

kqyang commented 5 years ago

Related to https://github.com/google/shaka-packager/issues/537#issuecomment-453260987.

@Jason239 Do you have a FairPlay license server set up already? Do you have a sample FairPlay license server url?

Jason239 commented 5 years ago

Yes, but does it relate to license server url and Key rotation packaging?

kqyang commented 5 years ago

@Jason239 Yes, that is main issue for FairPlay key rotation support. A common pattern for the FairPlay license server url is https://?key_id=. Does your license server url also have this pattern?

Jason239 commented 5 years ago

We have in-house format to communicate with the FPS license server. The server issues a license if the player sends a license request by sending data with our format. Do you need to know that format?

kqyang commented 5 years ago

@Jason239 As far as I know, the message format is defined by Apple as Server Playback Context (SPC) message. The only field in SPC payload the client can control is "Asset ID" which is a third-party ID value that tells the key server which content needs to be decrypted. For your in-house format, are you talking about the format of your "Asset ID"?

Anyway, to support key rotation for FairPlay, the stream needs to be encrypted with different keys. The easiest option to tell the FairPlay server to return with different keys is to encode the key id in HLS key uri. That is why I am asking what is the format of your FairPlay key server.

Jason239 commented 5 years ago

Yes, you are right. We set HLS key uri field to our format(content id + period index) as Asset ID. Then the player can use different keys that are created with content id and period index in our server. So I mean, our key server makes different keys by using content id and period index, not key id

We also have KMS server. And when it comes to KMS server, we are using this API.

kqyang commented 5 years ago

We set HLS key uri field to our format(content id + period index) as Asset ID.

Ok, so for the same content, 'content id' is static and 'period index' will be different for different crypto periods. Do you have a sample URL on how it looks like? It will help us decide how we support the generation of these key uris.

Jason239 commented 5 years ago

Does it mean the playable stream URL ?

kqyang commented 5 years ago

No, I mean the HLS key uri, which needs to be generated by packager and inserted into the playlists.

Jason239 commented 5 years ago

Okay, this is the sample. 'Cid0000000000005a00' The period index at the back is an 8 bytes hexadecimal.

kqyang commented 5 years ago

Cid0000000000005a00

This is not a FairPlay key uri. It should be something like: 'skd://fairplay.license.com/streaming/getckc?CrmId=&AccountId=&ContentId=&KeyId='.

Jason239 commented 5 years ago

We create and issue it directly from our server according to the FPS license format. If the player sends SPC data containing the key uri to our server, then we issue it directly.

Jason239 commented 5 years ago

like this,

                                                             our fps license
player                                                            server
┌─┐                 request                                 ┌─────────────────┐
│ │-------------------------------------------------------> │check spc(get    │
│ │Add a header that our license server requires(user info).│asset id) and    │
│ │  + spc(in assetId:(skd://Cid0000000000005a00)).         │check user info  │
│ │                                                         │in header.       │
│ │<------------------------------------------------------- │generate license.│
└─┘                 response license(ckc)                   └─────────────────┘
Jason239 commented 5 years ago

And as I mentioned before, the package request API is different from requesting a license. The picture above is for a license request.

kqyang commented 5 years ago

@Jason239 I am not sure if I completely understand design. I don't really care what is sent in the SPC payload. I am interested in the URI field.

So if I understand correctly, the URI is set to "skd://Cid0000000000005a00", i.e. something like this in HLS playlist:

#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://Cid0000000000005a00",KEYFORMATVERSIONS="1",KEYFORMAT="com.
apple.streamingkeydelivery"

Is that correct? What does 'Cid0000000000005a00' mean? Is it the same for every crypto periods?

Jason239 commented 5 years ago

Right. It's correct. But it is different for each crypto periods as you said before.

Ok, so for the same content, 'content id' is static and 'period index' will be different for different crypto periods.

It is created as <content id>+<period index(4 bytes hex)> format. For e.g.

cid + 23040 = cid0000005a00
cid + 23041 = cid0000005a01
...

And it is used for issuing different keys in our license server.

kqyang commented 5 years ago

I see. Thanks for the clarification.