FairPlay - general license acquisition example
When using FairPlay, typically, the player will use the license URL that is specified in the stream M3U8 file. For example, we use the HLS stream encrypted with FairPlay: https://e09f957480c8b1e479a1edb0fabc72d8.egress.mediapackage-vod.eu-west-1.amazonaws.com/out/v1/6f12444e793e4206ad363f810cb2aead/9ea4e8148b794c8ba2c6295b824e5ad5/46a61bf2c081464bb9476f2a55a06f48/index.m3u8
The player first has to download the Apple FairPlay Certificate. This certificate is issued by Apple. You should request this certificate from the Apple Developer Console. For testing purposes, we use a certificate issued for Insys VT, but for production use you have to obtain your own certificate and send it to us.
The temporary test certificate for your tenant can be found in the web console. Please navigate to DRM -> Configuration -> License acquisition -> Fairplay Certificate.
The player has to attach four custom HTTP headers to the license request:
- BrandGuid - for testing, we use a sandbox value
- UserToken - for example, the token from the previous example
- KID - KeyID identifying the KeySecret for a particular video asset
- (optional) IV - the initialization vector (IV) has a unique value per encryption, and it is transported along with the content key.
Please go to FairPlay additional information to see where to take the KID and IV from.
You can test the example on Safari on a Mac computer with simple reference web players.
JWPlayer
Link to the test player: https://developer-tools.jwplayer.com/stream-tester/
File URL: https://e09f957480c8b1e479a1edb0fabc72d8.egress.mediapackage-vod.eu-west-1.amazonaws.com/out/v1/6f12444e79macdf3e4206ad363f810cb2aead/9ea4e8148b794c8ba2c6295b824e5ad5/46a61bf2c081464bb9476f2a55a06f48/index.m3u8
Certificate URL: https://customer-tests.la.drm.cloud/certificate/fairplay?BrandGuid=5a96a0d0-d13f-42b0-ab2b-ba8cfc4aa0a0
Process SPC URL: https://customer-tests.la.drm.cloud/acquire-license/fairplay?KID=4376a4b3-d8ef-4f21-9a6b-faa81a2e59e3&brandguid=5a96a0d0-d13f-42b0-ab2b-ba8cfc4aa0a0&usertoken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzU2ODk2MDAsImRybVRva2VuSW5mbyI6eyJleHAiOiIyMDI1LTEyLTA3VDE1OjMwOjA5LjU5MDgxMjUrMDE6MDAiLCJraWQiOlsiKiJdLCJwIjp7InBlcnMiOnRydWUsImVkIjoiMjAyNS0xMi0wN1QxNTozMDowOS41OTExMzA1KzAxOjAwIn19fQ.xEToUttAk9AVFgP3bHyDlcvm6BR-8_hsl8V3n-jrDwM
ShakaPlayer
Link to the test player: https://shaka-player-demo.appspot.com/demo/
To use the player:
- turn off all Ad blockers
- select tab “CUSTOM CONTENT” from top menu
- on the new page, click the blue plus button in the bottom right corner
- in modal, set the values specified below:
Main => Name DEMO
DRM => Custom License Certificate URL https://customer-tests.la.drm.cloud/certificate/fairplay?BrandGuid=5a96a0d0-d13f-42b0-ab2b-ba8cfc4aa0a0
FairPlay additional information
When using Apple FairPlay, the license URL should contain an additional KID parameter containing the Key ID of a content key as a GUID. With HLS, the exact license URL is included in the M3U8 chunklist, in the URI field of the #EXT-X-KEY tag, for example:
#EXTM3U
#EXT-X-VERSION:5
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://drm.cloud.insysvt.com/acquire-license/fairplay?KID=4376a4b3-d8ef-4f21-9a6b-faa81a2e59e3",KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1",IV=0x1F3A1D7CE87A4CD3846038FCF4D05F82
#EXTINF:5.905,
../../../34acf801498f4c989fe48e6379c74b4a/f13c4c18d3564defbf2446ff05587b69/index_1_0.ts
#EXTINF:5.905,
../../../34acf801498f4c989fe48e6379c74b4a/f13c4c18d3564defbf2446ff05587b69/index_1_1.ts
The player should use the URI from the chunklist and replace the “skd://” with “https://”. In the example above, the license can be obtained from this link: https://drm.cloud.insysvt.com/acquire-license/fairplay?KID=4376a4b3-d8ef-4f21-9a6b-faa81a2e59e3
The BrandGuid and UserToken can be passed as querystring parameters or HTTP Headers as described above. The FairPlay player has to send the payload (or SPC, according to the Apple FairPlay glossary) in the license acquisition POST request. The license acquisition request can use the following Content-Type headers:
- Content-Type: application/x-www-form-urlencoded - the body of the request must contain the SPC field (spc=<encoded body>)
- Content-Type: multipart/form-data - the body of the request must contain the SPC field.
- Content-Type: application/octet-stream - the body of the request must contain binary SPC data
Depending on the Accept header of the request, the server returns the license (or CKC, according to the Apple FairPlay glossary) in different formats:
If the Accept header contains application/json, a JSON document with the CKC field containing the base64-encoded CKC will be returned as follows: {"ckc": <base64>}. The Content-Type of the response will be set to "application/json".
In other cases, the response will be of the “application/octet-stream” type and the body will contain binary CKC data.
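The request and response handling described above, as an added example that is not the DRM service's own code. It derives the license URL from the #EXT-X-KEY tag, sends BrandGuid and UserToken as headers so the token stays out of the URL, and decodes both CKC formats. ALLOWED_HOSTS and all function names are hypothetical; forwarding IV exactly as written in the playlist is an assumption.

```javascript
// Added example, not the DRM service's own code.
// Assumption: ALLOWED_HOSTS is a hypothetical allow-list kept by the integrator;
// the two hosts are the license hosts that appear on this page.
const ALLOWED_HOSTS = new Set(["drm.cloud.insysvt.com", "customer-tests.la.drm.cloud"]);
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Parse the attribute list of an #EXT-X-KEY line into an object.
function parseKeyTag(line) {
  const prefix = "#EXT-X-KEY:";
  if (!line.startsWith(prefix)) throw new Error("not an EXT-X-KEY tag");
  const attrs = {};
  // Values are quoted strings (which may contain commas) or bare tokens.
  for (const m of line.slice(prefix.length).matchAll(/([A-Z0-9-]+)=("[^"]*"|[^,]*)/g)) {
    attrs[m[1]] = m[2].replace(/^"|"$/g, "");
  }
  return attrs;
}

// Build the license request (binary SPC in, JSON CKC out) from a key tag.
function buildLicenseRequest(keyLine, spcBytes, brandGuid, userToken) {
  const attrs = parseKeyTag(keyLine);
  const uri = attrs.URI || "";
  if (attrs.KEYFORMAT !== "com.apple.streamingkeydelivery" || !uri.startsWith("skd://")) {
    throw new Error("not a FairPlay key tag");
  }
  const url = new URL("https://" + uri.slice("skd://".length));
  // The UserToken goes to whatever host the playlist names, so pin the host.
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("unexpected license host");
  const kid = url.searchParams.get("KID") || "";
  if (!GUID.test(kid)) throw new Error("KID is not a GUID");
  const headers = {
    BrandGuid: brandGuid, UserToken: userToken, KID: kid,
    "Content-Type": "application/octet-stream", // body is the binary SPC
    Accept: "application/json",                 // ask for {"ckc": <base64>}
  };
  // Optional header; forwarded as written in the playlist (encoding is an assumption).
  if (attrs.IV) headers.IV = attrs.IV;
  return { url: url.href, method: "POST", headers, body: spcBytes };
}

// Decode the license response according to its Content-Type.
function decodeCkc(contentType, bodyBytes) {
  if (!/^application\/json\b/i.test(contentType)) return bodyBytes; // binary CKC
  const { ckc } = JSON.parse(new TextDecoder().decode(bodyBytes));
  if (typeof ckc !== "string") throw new Error("JSON response has no ckc field");
  return Uint8Array.from(atob(ckc), (c) => c.charCodeAt(0));
}
```

The object returned by buildLicenseRequest can be passed to fetch(req.url, req) or mapped onto the player's own license request hook.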