Hello everybody,
Here is some intro. Currently we deliver Widevine and PlayReady protected content to our customers, with Apple devices playing Widevine content. In order to achieve better level of protection on Apple-devices we're exploring options to provide HLS/FairPlay to customers with Apple devices. We use Microsoft Azure Media Services as license key delivery servers, with media content being encrypted/packaged on our servers.
I was trying to find something in the Azure Media Service documentation describing how to to properly create Widevine/PlayReady/FairPlay bundles (preferrable using the same MP4 media files), but failed to do so. Here is what I tried:
- Packaged the media content with Shaka packager (this is the packager that we already use).
After adding FairPlay
to the list of protection_systems --enable_raw_key_encryption --protection_systems Widevine,PlayReady,FairPlay
and passing other hls-output related parameters, I got the directory with encrypted media files and HLS-playlists.
- Loged into Azure portal and added FairPlay content key policy option to the existing content key authorization policy (that was previously created together with the content key that was used to encrypt the files), which also seemed to work.
- Then I tried to obtain key delivery url via REST API, but got the error:
'CommonEncryption' is an invalid ContentKeyType for 'FairPlay' KeyDeliveryType
Looked at the REST API docs at https://learn.microsoft.com/en-us/rest/api/media/operations/contentkey
and tried to find other than "CommonEncryption" content key type, none of other 3 listed seemed to be related to MPEG-DASH/HLS.
Thereafter, found the .NET documentation https://learn.microsoft.com/en-us/dotnet/api/microsoft.windowsazure.mediaservices.client.contentkeytype?view=azure-dotnet where the ContentKeyType accpets any of 8 values, one of which was CommonEncryptionCbcs(6) that looked like what I need.
- Proceeding further, I attempted to create a content with
ContentKeyType=6
binding it with my existing authorization policy (that is linked to Widevine, PlayReady and FairPlay policy options), which again failed with the error: CommonEncryptionCbcs content key cannot be associated with policy having Widevine option.
And after removing Widevine, again with: CommonEncryptionCbcs content key cannot be associated with policy having PlayReadyLicense option.
- Kept only FairPlay policy option the content key was finally created.
Now with this new key, the GetKeyDeliveryUrl
method returned the FairPlay key delivery URL.
I haven't yet tried to implement key acquisition and playback of this FairPlay protected media, but assuming it will also work fine, there is still one drawback with this approach:
it requires 2 different keys (in case of a single key used to encrypt all streams) or set of keys (if different keys used for different streams), and hence there will be 2 bundles (one for Widevine+PlayReady and another for FairPlay) which is less desirable as requiring more disk space to create and store those bundles, and also makes the caching on the edge delivery servers less optimal.
So my question is: are there working ways to create hybrid-DRM (Widevine/PlayReady/FairPlay) package, while still keeping the Azure Media Services as the DRM license key server?