Using CPIX
==========
Shaka Packager supports fetching encryption keys from CPIX (`DASH-IF Content
Protection Information Exchange
`_) documents, as served by
CPIX conformant key servers. Content keys, DRM signaling (PSSH) and the key
to stream mapping are all read from the document.
Synopsis
--------
::
$ packager ... \
--enable_cpix_encryption \
--cpix \
[--cpix_headers ] \
[--cpix_request_file ] \
[--cpix_private_key ] \
[Other options, e.g. DASH options, HLS options]
*--cpix* accepts a local path or an HTTP(S) URL. URLs are fetched with GET,
unless *--cpix_request_file* provides a CPIX request document, in which case
the request document is POSTed to the URL and the response is used as the
CPIX document (SPEKE style request/response exchange). *--cpix_headers* adds
HTTP headers, e.g. for authentication.
Key to stream mapping
---------------------
Keys are mapped to streams through the document's *ContentKeyUsageRuleList*:
* A rule with an *intendedTrackType* attribute maps its key to streams whose
DRM label matches the attribute value (e.g. AUDIO, SD, HD, UHD1, UHD2).
* A rule with an *AudioFilter* maps its key to audio streams.
* A rule with *VideoFilter* pixel ranges maps its key to the SD/HD/UHD1/UHD2
video labels covered by the range, as determined by the *--max_sd_pixels*,
*--max_hd_pixels* and *--max_uhd1_pixels* thresholds. The filter boundaries
must align with these thresholds.
* If *intendedTrackType* and a filter are both present, the stream must match
both constraints.
* A rule with no filters, or a document with a single key and no usage rules,
maps the key to all streams.
* A key that is not referenced by any usage rule is ignored, e.g. keys
intended for other workflows or for track types not packaged in the run.
DRM signaling comes from the document's *DRMSystemList* and is authoritative:
no default protection system is generated. *--protection_systems* may still
be used to generate signaling for additional protection systems.
Key rotation (*--crypto_period_duration*) is not supported with CPIX.
Encrypted documents
-------------------
CPIX documents with encrypted content keys are supported. Provide the
recipient RSA private key with *--cpix_private_key*; the document key and MAC
key are unwrapped from the document's *DeliveryData* and each content key
value's MAC is verified before use.
Examples
--------
The examples below use the H264 streams created in :doc:`encoding`.
* Example with a local, clear-text CPIX document::
$ packager \
in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
--enable_cpix_encryption \
--cpix keys.cpix \
--mpd_output h264.mpd
* Example fetching an encrypted document from a CPIX endpoint::
$ packager \
in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
--enable_cpix_encryption \
--cpix "https://key-server.example.com/cpix/?signaling=cenc" \
--cpix_private_key recipient_key.pem \
--mpd_output h264.mpd
* Example decrypting content with keys from a CPIX document::
$ packager \
input=encrypted_content.mp4,stream=video,output=decrypted_video.mp4 \
--enable_cpix_decryption \
--cpix keys.cpix
Refer to the `CPIX specification `_
for the document format, and to :doc:`/options/cpix_encryption_options` for
the complete list of options.