PIFF and CENC (Multi DRM)¶
When your content is stored protected on disk in 'PIFF' (Protected Interoperable File Format) format (E.g. it is fragmented-MP4 protected with PlayReady) the Origin converts it on-the-fly to DASH with 'CENC' (Common Encryption (CENC)). This allows for playout in both the Smooth Streaming format and DASH. (Please read about the background as well.)
Possible playouts using PIFF as ingest format include:
- Silverlight (HTTP Smooth Streaming with PlayReady).
- IE11 / Win8.1 (MPEG-DASH with PlayReady)
- Chrome (MPEG-DASH with Widevine)
- Android (MPEG-DASH with Marlin)
This setup is special since Unified Origin uses the encryption information stored in the server manifest file to synthesize the required "pssh" boxes for DASH playout.
Supporting multiple DRM systems is a feature of CENC and requires that the different DRM systems share a common KID (Key ID) and CEK (Content Encryption Key). You have to align the PlayReady license server and Widevine license server to make sure that they use the same KID:CEK combination.
There is no need to re-encode or repackage your existing catalog.
You may need to create or update the USP server manifest file, but only when it is missing the key information. If it has been created with a recent version then it is already present.
Protection System Specific Header box¶
If the content contains the signaling for PlayReady and/or Widevine (the "pssh" boxes) then they are used for signaling of the DRM systems.
The CENC signaling is added to all output formats it applies to (PlayReady, Widevine and Marlin).
When a "pssh" box is not present for a DRM system then the Origin synthesizes one just-in-time.
The "pssh" box for Widevine is synthesized according to the following rules:
- The key_id field is set to the KID as specified in the "tenc" box.
- The provider field is set to 'usp-cenc'.
- The content_id field is copied from the key_id field (in base64).
- The track_type is left empty.
- The policy is left empty.
Marlin doesn't use a "pssh" box, and only uses the signaling in the MPD.
After creation of the server manifest, e.g.:
#!/bin/bash mp4split -o piff2cenc.ism \ piff-encrypted-smooth-content.ismv
playout of HSS with PlayReady is still possible as it would 'normally'. No further commandline triggers are needed, the player can fetch the /Manifest as it would normally.
When your content is 'clear' (not encrypted) it is still possible to synthesize the "pssh" box, provided you pass key_id, content_key (and optionally the license_server_url).
In this case you do not pass the
drm_specific_data as mentioned under
Widevine Modular DRM (and thus cannot make use of track_type or policy).
Playready license server¶
MUST have CORS headers setup properly. Most notably it needs "soapaction" added to the Access-Control-Allow-Headers.
In order to have playout on Chrome, you have to make sure that the Media and
Encryption extensions are enabled. You can see the flags when going to the
- Disable Media Source API: Disable
- Enable Encrypted Media Extensions: Enable
- Disable prefixed Encrypted Media Extensions: Disable
- Media Source API uitschakelen: Uitschakelen
- Gecodeerde Media-extensies inschakelen: Inschakelen
- Vooraf gecodeerde media-extensies uitschakelen: Uitschakelen
CENC based content can also be used as source and then PIFF based content is created from it. For this the correct --brand use is important
Both brands "iso6" and "piff" need to be specified so the files:
- have a "sidx" and "mfra" index.
- have a "pssh" and "uuid" box.
- have "saiz"/"saio"/"senc" and "uuid" box in the movie fragments.
- the timescale for all tracks is set to 10MHz.
The following example creates a server manifest after packaging and encrypting and MP4 to MPEG-DASH content. This content then can be used with the origin to dynamically create HSS (Smooth) with PlayReady or MPEG-DASH with Widevine/PlayReady.
#!/bin/bash NAME=cenc2piff KID=10000000100010001000100000000001 CEK=3a2a1b68dd2bd9b2eeb25e84c4776668 LAURL="http://http://test.playready.microsoft.com/service/rightsmanager.asmx?PlayRight=1&UseSimpleNonPersistentLicense=1" IV=0d0aafc8eda6cbbe PR_OPTIONS= PR_OPTIONS+=--iss.key=$(KID):$(CEK) PR_OPTIONS+=--iss.license_server_url=$(LAURL) PR_OPTIONS+=--iss.key_iv=$(IV) MP4SPLIT=mp4split --license-key=/path/your-license.key MP4SPLIT_OPTIONS= MP4SPLIT_OPTIONS+=--package-mpd MP4SPLIT_OPTIONS+=--brand=iso6 MP4SPLIT_OPTIONS+=--brand=piff $MP4SPLIT -o oceans-64k-pr.mp4 \ $MP4SPLIT_OPTIONS \ $PR_OPTIONS \ oceans-64k-250k.mp4 --track_type=audio --track_language=eng $MP4SPLIT -o oceans-250k-pr.mp4 \ $MP4SPLIT_OPTIONS \ $PR_OPTIONS \ oceans-64k-250k-pr.mp4 --track_type=video $MP4SPLIT -o $NAME.ism \ oceans-64k-pr.mp4 oceans-250k-pr.mp4
Typically manifest are created and store keys in the manifest alongside the content. This is the most common case.
However, for security reasons or other it might not be feasible to store manifests locally. There are various options to work with manifests that are stored remotely or created dynamically. See for instance the HTTP Proxy page:
- Re-stream content from any domain using IsmProxyPass
- Playback content from other domains using a SMIL generator
1.7.25 and later scan all metadata so nothing extra is needed to stream HSS(Smooth)+PR or DASH+PR using dynamic manifests:
There are two approaches to achieve this, namely 1) using the proxy approach or 2) use different manifests / a manifest creation process.
The following example creates a client manifest with PR blob, without any DRM parameters in a manifest using the first method:
#!/bin/bash curl -v http://demo.unified-streaming.com/direct/demo.unified-streaming.com/video/tears-of-steel/tears-of-steel-pr.ismv/Manifest
The following example uses the second method:
#!/bin/bash curl -v http://demo.unified-streaming.com/ism2/CACHE_ID.ism/Manifest?url=http%3A%2F%2Fdemo.unified-streaming.com%2Fvideo%2Ftears-of-steel%2Ftears-of-steel-pr.ismv
But the SMIL generator must match the file, all tracks with track id. The
following php file does that for the content referenced in the example:
The apache config required for this is the following:
<Directory "/var/www/usp/ism2"> IsmProxyPass http://demo.unified-streaming.com/smil2.php/ </Directory>