Irdeto
Using CPIX
Irdeto Control supports CPIX, it provides two CPIX endpoints distinguished by a version number (v1, v2) in the URL (see the example below).
Attention
Irdeto recommends to use the 'v2' API version.
The CPIX v2 endpoint supports the following CENC schemes for the
commonEncryptionScheme attribute in the ContentKey element: cenc,
cbc1, cens, and cbcs.
Once you account has been setup and content registered with Irdeto Control (please see the Irdeto Control documentation or consult your Irdeto representative) you can make requests for the following DRM / protection systems:
HLS AES-128
IrdetoProtection
Fairplay
PlayReady
Widevine
API requests are made over HTTP for the desired response by sending the API a CPIX document.
An example request looks like the following (please note that YOUR_LOCATION and YOUR_PATH should be changed to the values created when setting up the account with Irdeto:
#!/bin/bash
curl --location --request POST 'https://${YOUR_LOCATION}/tkm/v2/${YOUR_PATH}/contents/multi-track-big-buck-bunny/copyProtectionData' \
--header 'Content-Type: text/xml' \
--header 'Authorization: Basic ${YOUR_TOKEN}' \
--data-raw '<?xml version="1.0" encoding="utf-8"?>
<cpix:CPIX contentId="multi-track-big-buck-bunny" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
<cpix:ContentKeyList>
<cpix:ContentKey kid="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"></cpix:ContentKey>
</cpix:ContentKeyList>
<cpix:DRMSystemList>
<cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
</cpix:DRMSystem>
</cpix:DRMSystemList>
</cpix:CPIX>'
An example response looks like the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cpix:CPIX xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:cpix="urn:dashif:org:cpix" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" contentId="multi-track-big-buck-bunny" version="2.3">
<cpix:ContentKeyList>
<cpix:ContentKey kid="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<cpix:Data>
<pskc:Secret>
<pskc:PlainValue>GX8m9XLIZNIzizrl0RTqnA==</pskc:PlainValue>
</pskc:Secret>
</cpix:Data>
</cpix:ContentKey>
</cpix:ContentKeyList>
<cpix:DRMSystemList>
<cpix:DRMSystem systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" kid="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<cpix:PSSH>AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABISEO3vi6l51krOo8gn3NUdIe0=</cpix:PSSH>
<cpix:ContentProtectionData>PGNlbmM6cHNzaCB4bWxuczpjZW5jPSJ1cm46bXBlZzpjZW5jOjIwMTMiPkFBQUFNbkJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQklTRU8zdmk2bDUxa3JPbzhnbjNOVWRJZTA9PC9jZW5jOnBzc2g+</cpix:ContentProtectionData>
<cpix:HLSSignalingData>I0VYVC1YLUtFWTpNRVRIT0Q9U0FNUExFLUFFUy1DVFIsVVJJPSJkYXRhOnRleHQvcGxhaW47YmFzZTY0LEFBQUFNbkJ6YzJnQUFBQUE3ZStMcVhuV1NzNmp5Q2ZjMVIwaDdRQUFBQklTRU8zdmk2bDUxa3JPbzhnbjNOVWRJZTA9IixLRVlJRD0iMHhlZGVmOGJhOTc5ZDY0YWNlYTNjODI3ZGNkNTFkMjFlZCIsS0VZRk9STUFUPSJ1cm46dXVpZDplZGVmOGJhOS03OWQ2LTRhY2UtYTNjOC0yN2RjZDUxZDIxZWQiLEtFWUZPUk1BVFZFUlNJT049IjEi</cpix:HLSSignalingData>
</cpix:DRMSystem>
</cpix:DRMSystemList>
</cpix:CPIX>
The resulting CPIX document then can be used as outlined in Content Protection Information eXchange (CPIX).
Note
The following section outlines the pre-CPIX APIs.
Adding Common Encryption
New in version 1.7.18.
Irdeto provides CENC support (see Common Encryption (CENC)) for MPEG-DASH using the 'Irdeto Protection System'.
Options for Irdeto Protection
The options for enabling encryption are stored in the server manifest file. For IrdetoProtection DASH encryption a key id (KID), content encryption key (CEK) and key iv (IV) are required. You need to provide the following options:
--irdeto_cenc.key
The KID and CEK are passed with the --irdeto_cenc.key option where KID and
CEK are separated by a colon, e.g. --irdeto_cenc.key=KID:CEK
Both KID and CEK must be coded in hex (base16).
--irdeto_cenc.key_iv
A key iv can be specified by passing the option --irdeto_cenc.key_iv=IV
The key iv must similarly be coded in hex (base16)
--irdeto_cenc.drm_specific_data
The drm specific data used for IrdetoProtection DRM, in the case of MPEG-DASH this will be used for the "pssh" box. Can either be a Base64 string or a file with the decoded Base64 data. The file name must include a '.'
Example
#!/bin/bash
KID=000102030405060708090a0b0c0d0e0f
CEK=000102030405060708090a0b0c0d0e0f
IV=000102030405060708090a0b0c0d0e0f
mp4spit -o video.ism \
--irdeto_cenc.key=$(KID):$(CEK) \
--irdeto_cenc.key_iv=$(IV) \
--irdeto_cenc.drm_specific_data=pssh.bin \
video.ismv
Adding PlayReady for HLS
New in version 1.7.4.
For PlayReady the same GetSettings - GenerateKeys-sequence applies:
GetPlayreadySettings
GeneratePlayreadyKeys
You can download both calls as scripts and corresponding XML below:
To use HLS playout with Irdeto's PlayReady signaling (Irdeto Active Cloak), pass
the irdeto_playready option (rather than irdeto or hls).
This will add the necessary #X-IRDETO-* attributes to playlists.
The get-pr-settings and generate-pr-keys scripts can be combined as follows to
get the parameters mp4split needs:
#!/bin/bash
url=$(./get-pr-settings.sh)
IFS=' ' read args cek kid <<< $(./generate-pr-keys.sh)
# the API returns a GUID, so convert it to UUID
kid16=`echo -n $kid | python3 -c 'import base64,uuid,sys; kid="".join(sys.stdin.readlines()); print(base64.b16encode(uuid.UUID(bytes_le=uuid.UUID(kid).bytes).bytes).decode("utf-8"))'`
# convert the base64 CEK to hex
cek16=`echo -n $cek | python3 -c 'import base64,uuid,sys; cek="".join(sys.stdin.readlines()); print(base64.b16encode(base64.b64decode(cek)).decode("utf-8"))'`
iv=08090a0b0c0d0e0f0001020304050607
la_url="$url$args"
MP4SPLIT_OPTIONS=
MP4SPLIT_OPTIONS+=--irdeto_playready.key=${kid16}:${cek16}
MP4SPLIT_OPTIONS+=--irdeto_playready.key_iv=${iv}
MP4SPLIT_OPTIONS+=--irdeto_playready.license_server_url=${la_url}
mp4split -o $1 $MP4SPLIT_OPTIONS $2