FairPlay + Media Services v2 key delivery URL returns HTTP 500

Mika 66 Reputation points
2022-11-18T17:58:57.1+00:00

Hello everybody,

We are trying to implement HLS/FairPlay streams. We have the Apple FPS deployment package and followed all instructions to generate the PFX certificate.
The content key with content key policy and options were created successfully via the REST API, although the REST API requires including the Content Key Initialization Vector in the KeyDeliveryConfiguration of the ContentKeyAuthorizationPolicyOption. This is quite strange, because when using the UI on portal.azure.com the IV is not shown, and if the policy is updated via the UI, the initialization vector is lost, so the next time the key delivery URL is requested, the Media Services API returns the error "FairPlay ContentEncryptionIv is not set.".

Nevertheless, when initialization vector is set, the request from Safari browser (if it matters, we use CastLabs PrestoPlay SDK for browsers) to the key delivery URL with SCP payload and correct Authorization header results in HTTP 500 with the following payload

{  
  "Error": {  
    "Message": "",  
    "Code": "ServerException"  
  }  
}  

I tried to troubleshoot the issue by enabling diagnostics for our Media Services account, but unfortunately the generated log also lacks the details. The log message looks as follows (with some sensitive fields removed):

{  
  "time": "2022-11-18T17:37:49.9668506Z",  
  "operationName": "MICROSOFT.MEDIA/MEDIASERVICES/CONTENTKEYS/READ",  
  "category": "KeyDeliveryRequests",  
  "resultType": "Failed",  
  "resultSignature": "InternalServerError",  
  "durationMs": 107,  
  "level": "Error",  
  "location": "germanywestcentral",  
  "properties": {  
    "requestId": "bc4e7a52-b64f-473e-bd8d-a211ccc22cb7",  
    "statusMessage": "Server Error"  
  }  
}  

Would it be possible for someone from the MS team to check the issue?


Accepted answer
  1. John Deutscher (MSFT) 2,126 Reputation points
    2022-11-18T18:38:39.477+00:00

    Couple of concerns - You are using the old legacy v2 REST API which is on the deprecation path. That will only be supported until Feb 29th 2024 and then shuts off completely.
    If you are building a new solution, switch to the v3 API.

    The v3 API should be used from one of our supported client language SDKs and not via REST directly if you can avoid it.

    In v3, there is now only contentKeyPolicies and StreamingPolicies
    https://learn.microsoft.com/en-us/azure/media-services/latest/drm-content-key-policy-concept
    https://learn.microsoft.com/en-us/azure/media-services/latest/stream-streaming-policy-concept

    https://learn.microsoft.com/en-us/azure/media-services/latest/drm-fairplay-license-overview

    There are two ways for protecting a content in v3:

    1. Simpler but less flexible approach: use AMS v3 internally generated content key, and AMS built-in StreamingPolicy. This approach does not allow us to use our “pre-specified” content key with IV. So you may not be able to use this approach.
    2. More flexible approach: Use a custom StreamingPolicy and StreamingLocator so that you can use our “pre-specified” content key. You might need to use this approach. This does require more code since you need to use the specified content key.

    Create IV for each content key.
    The content key can be generated in any way you prefer: with or without key seed, if with key seed: either fixed or random. After a content key is created, you specify its IV in the following way:

    IV = GetIVFromKIDString(keyId.ToString())

    // Decodes a hex string (two characters per byte) into a byte array.
    public static byte[] StringToByteArray(string hex)
    {
        int numberChars = hex.Length;
        byte[] bytes = new byte[numberChars / 2];
        for (int i = 0; i < numberChars; i += 2)
            bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
        return bytes;
    }

    //currently IV=KID and is not exposed via API
    // Strips the hyphens from the KID's text form and base64-encodes the resulting 16 bytes.
    public static string GetIVFromKIDString(string kid)
    {
        Guid guid = Guid.Parse(kid);
        return Convert.ToBase64String(StringToByteArray(guid.ToString().Replace("-", string.Empty)));
    }

    Couple more things..

    1. The CustomLicenseAcquisitionUrlTemplate API allows you to define the custom LA_URL template instead of actual value. The template variable is {ContentKeyId} for content key ID. For example: http://use2-2.api.microsoftstream.come/videos/video01/ProtectionKey?kid={ContentKeyId}. In this way, you can use a single StreamingPolicy for many assets instead of one for each asset. Therefore you do not need to increase the quota on your account if you have a lot of assets.
    2. In general, you should use a single set of ContentKeyPolicy and StreamingPolicy for many assets (a type of assets) for better scalability. So that ContentKeyPolicy and StreamingPolicy are cached and reused across many assets.

    UPDATED: Finally, I think this was your solution:
    We looked into the specific failure for the request ID you shared and it is because the content IV is malformed. This may be because you are mixing V2 and V3 usage (portal uses V3 API). If you use V2 only please ensure that your IV is a hex string.
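
An added example, not part of the answer above and not Media Services SDK code: a pre-flight check that distinguishes the hex form of the IV (what the answer says a v2-only setup needs) from the base64 form that the posted GetIVFromKIDString returns. It assumes IV = KID as in the snippet and a 16-byte IV; the class and method names and the sample KID are made up for illustration.

```csharp
using System;
using System.Linq;

// Illustrative helper; none of these names come from the Media Services API.
public static class FairPlayIvCheck
{
    public enum IvEncoding { Hex, Base64, Malformed }

    private const int IvLength = 16; // AES block size; a KID GUID is also 16 bytes

    // IV as 32 hex digits, using IV = KID as in the answer's snippet.
    public static string HexIvFromKid(string kid) => Guid.Parse(kid).ToString("N");

    // The same 16 bytes base64-encoded, matching what GetIVFromKIDString returns.
    public static string Base64IvFromKid(string kid)
    {
        string hex = HexIvFromKid(kid);
        byte[] bytes = Enumerable.Range(0, hex.Length / 2)
            .Select(i => Convert.ToByte(hex.Substring(i * 2, 2), 16))
            .ToArray();
        return Convert.ToBase64String(bytes);
    }

    // Reports which encoding an IV string is in, so a wrong form is caught
    // before it is written into the key delivery configuration.
    public static IvEncoding Classify(string iv)
    {
        if (iv.Length == IvLength * 2 && iv.All(Uri.IsHexDigit))
            return IvEncoding.Hex;
        try
        {
            if (Convert.FromBase64String(iv).Length == IvLength)
                return IvEncoding.Base64;
        }
        catch (FormatException) { /* not base64 either */ }
        return IvEncoding.Malformed;
    }

    public static void Main()
    {
        // Constructed sample KID, not taken from the thread.
        string kid = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0";
        string hexIv = HexIvFromKid(kid);
        string b64Iv = Base64IvFromKid(kid);
        string truncated = hexIv.Substring(0, 30); // constructed bad input
        foreach (string iv in new[] { hexIv, b64Iv, truncated })
            Console.WriteLine($"{iv} -> {Classify(iv)}");
    }
}
```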

