Using Widevine Key Server

The easiest way to generate Widevine protected content is to use Widevine Cloud Service.

Shaka Packager can talk to Widevine Cloud Service or any key server that implements Common Encryption API for Widevine DRM to fetch encryption keys.

Synopsis

Widevine Common Encryption API supports request validation using either AES or RSA.

AES signing:

$ packager <stream_descriptor> ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --aes_signing_key <aes_signing_key> \
  --aes_signing_iv <aes_signing_iv> \
  [Other options, e.g. DASH options, HLS options]

RSA signing:

$ packager <stream_descriptor> ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --rsa_signing_key_path <rsa_signing_key_path> \
  [Other options, e.g. DASH options, HLS options]

Examples

The examples below use the H264 streams created in Media Encoding.

  • Example with both DASH and HLS output:

    $ packager \
      in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
      in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
      in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
      in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
      in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
      --enable_widevine_encryption \
      --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
      --content_id 7465737420636f6e74656e74206964 \
      --signer widevine_test \
      --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
      --aes_signing_iv d58ce954203b7c9a9a9d467f59839249 \
      --mpd_output h264.mpd \
      --hls_master_playlist_output h264_master.m3u8
    
  • Another example using ‘cbcs’ protection scheme:

    $ packager \
      in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
      in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
      in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
      in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
      in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
      --protection_scheme cbcs \
      --enable_widevine_encryption \
      --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
      --content_id 7465737420636f6e74656e74206964 \
      --signer widevine_test \
      --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
      --aes_signing_iv d58ce954203b7c9a9a9d467f59839249 \
      --mpd_output h264.mpd \
      --hls_master_playlist_output h264_master.m3u8
    

The examples above generate only the Widevine protection system by default. Use the --protection_systems flag to generate multiple protection systems (multi-DRM).

  • Example with multi-DRM (Widevine and PlayReady):

    $ packager \
      in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
      in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
      in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
      in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
      in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
      --enable_widevine_encryption \
      --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
      --content_id 7465737420636f6e74656e74206964 \
      --signer widevine_test \
      --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
      --aes_signing_iv d58ce954203b7c9a9a9d467f59839249 \
      --protection_systems Widevine,PlayReady \
      --mpd_output h264.mpd
    

Note

Users are responsible for setting up the license servers and managing keys there unless they are using a cloud service provided by the DRM provider or third parties.

Refer to player setup on how to configure the DRM in Shaka Player.

Widevine test credential

Here is the test credential used in this tutorial.

key_server_url:

https://license.uat.widevine.com/cenc/getcontentkey/widevine_test

signer:

widevine_test

aes_signing_key:

1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9

aes_signing_iv:

d58ce954203b7c9a9a9d467f59839249

Note

The test credential is only meant for development. Please reach out to Widevine if you need something for production use.

Configuration options

General encryption options

--protection_scheme <scheme>

Specify a protection scheme, ‘cenc’ or ‘cbc1’ or pattern-based protection schemes ‘cens’ or ‘cbcs’.

--crypt_byte_block

Specify the count of the encrypted blocks in the protection pattern, where each block is 16 bytes.

There are three common patterns (crypt_byte_block:skip_byte_block): 1:9 (default), 5:5, 10:0.

Applies to video streams with ‘cbcs’ and ‘cens’ protection schemes only; ignored otherwise.

--skip_byte_block

Specify the count of the unencrypted blocks in the protection pattern.

Applies to video streams with ‘cbcs’ and ‘cens’ protection schemes only; ignored otherwise.

--vp9_subsample_encryption, --novp9_subsample_encryption

Enable / disable VP9 subsample encryption. Enabled by default.

--clear_lead <seconds>

Clear lead in seconds if encryption is enabled. Shaka Packager does not support partially encrypted segments: every segment within the initial ‘clear_lead’ seconds, including the partial segment that overlaps it, is left unencrypted, and all following segments are encrypted. If segment_duration is greater than ‘clear_lead’, then only the first segment is not encrypted. Default: 5
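
The clear-lead rule above decides how much content is actually shipped unencrypted, which can be more than the requested value. The following is an added example, not Shaka Packager code: the function name and the sample segment durations are assumptions made for illustration, and it models a segment as clear when it starts before ‘clear_lead’ seconds.

```python
def clear_lead_report(segment_durations, clear_lead=5.0):
    """Apply the clear-lead rule to a list of segment durations (seconds).

    A segment is left clear if it starts before `clear_lead`, so the segment
    that only partially overlaps the clear lead is clear as a whole.
    Returns (per-segment states, total seconds left unencrypted).
    """
    if clear_lead < 0 or any(d <= 0 for d in segment_durations):
        raise ValueError("clear_lead must be >= 0 and durations must be > 0")
    states = []
    clear_seconds = 0.0
    start = 0.0
    for duration in segment_durations:
        is_clear = start < clear_lead
        states.append("clear" if is_clear else "encrypted")
        if is_clear:
            clear_seconds += duration
        start += duration
    return states, clear_seconds


if __name__ == "__main__":
    # Constructed inputs: 2-second segments, 6-second segments, and
    # irregular (keyframe-aligned) segments, all with the default clear lead.
    for durations in ([2.0, 2.0, 2.0, 2.0], [6.0, 6.0, 6.0], [4.0, 3.5, 4.0]):
        states, exposed = clear_lead_report(durations)
        print(durations, states, f"{exposed:.1f}s in the clear")
```

With the default of 5 seconds, 2-second segments leave 6 seconds in the clear and the irregular case leaves 7.5 seconds, so the exposed duration should be checked against the segment layout rather than read off the flag.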

--protection_systems

Protection systems to be generated. Supported protection systems include Widevine, PlayReady, FairPlay, Marlin, and CommonSystem.

--playready_extra_header_data <string>

Extra XML data to add to PlayReady PSSH data. Can be specified even if using another key source.

Widevine encryption options

--enable_widevine_encryption

Enable encryption with Widevine key server. User should provide either AES signing key (--aes_signing_key, --aes_signing_iv) or RSA signing key (--rsa_signing_key_path). This generates Widevine protection system if --protection_systems is not specified. Use --protection_systems to generate multiple protection systems.

--enable_entitlement_license

Enable entitlement license in the Widevine encryption request.

--enable_widevine_decryption

Enable decryption with Widevine key server. User should provide either AES signing key (--aes_signing_key, --aes_signing_iv) or RSA signing key (--rsa_signing_key_path).

--key_server_url <url>

Key server URL. Required for Widevine encryption and decryption.

--content_id <hex>

Content identifier that uniquely identifies the content.

--policy <policy>

The name of a stored policy, which specifies DRM content rights.

--max_sd_pixels <pixels>

The video track is considered SD if its max pixels per frame is no higher than max_sd_pixels. Default: 442368 (768 x 576).

--max_hd_pixels <pixels>

The video track is considered HD if its max pixels per frame is higher than max_sd_pixels, but no higher than max_hd_pixels. Default: 2073600 (1920 x 1080).

--max_uhd1_pixels <pixels>

The video track is considered UHD1 if its max pixels per frame is higher than max_hd_pixels, but no higher than max_uhd1_pixels. Otherwise it is UHD2. Default: 8847360 (4096 x 2160).

--signer <signer>

The name of the signer.

--aes_signing_key <hex>

AES signing key in hex string. aes_signing_iv is required if aes_signing_key is specified. This option is exclusive with rsa_signing_key_path.

--aes_signing_iv <hex>

AES signing IV in hex string.

--rsa_signing_key_path <file path>

Path to the file containing PKCS#1 RSA private key for request signing. This option is exclusive with aes_signing_key.

--crypto_period_duration <seconds>

Defines how often the key rotates. If it is non-zero, key rotation is enabled.

--group_id <hex>

Identifier for a group of licenses.
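
The signing options above are mutually exclusive in places, several values must be hex strings, and the test credential in this tutorial is meant for development only. The following pre-flight check for a packager argument list is an added example, not part of Shaka Packager: the function name, the finding texts and the whole-byte hex check are assumptions, and only the `--flag value` and `--flag=value` spellings are handled.

```python
import re

# Test credential published on this page (development only).
TEST_VALUES = {
    "--key_server_url": "https://license.uat.widevine.com/cenc/getcontentkey/widevine_test",
    "--signer": "widevine_test",
    "--aes_signing_key": "1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9",
    "--aes_signing_iv": "d58ce954203b7c9a9a9d467f59839249",
}
HEX_FLAGS = ("--content_id", "--aes_signing_key", "--aes_signing_iv", "--group_id")
VALUE_FLAGS = set(TEST_VALUES) | set(HEX_FLAGS) | {"--rsa_signing_key_path"}
HEX_BYTES = re.compile(r"(?:[0-9a-fA-F]{2})+\Z")


def audit_packager_args(argv, production=True):
    """Return findings for a packager argument list (hypothetical helper)."""
    flags = {}
    for i, token in enumerate(argv):
        name, has_eq, value = token.partition("=")
        if name in VALUE_FLAGS:  # "--flag value" or "--flag=value"
            flags[name] = value if has_eq else "".join(argv[i + 1:i + 2])
    findings = []
    aes_key = flags.get("--aes_signing_key")
    rsa_path = flags.get("--rsa_signing_key_path")
    if aes_key and rsa_path:
        findings.append("aes_signing_key and rsa_signing_key_path are exclusive")
    if not aes_key and not rsa_path:
        findings.append("no signing key: give an AES key and IV, or an RSA key path")
    if aes_key and not flags.get("--aes_signing_iv"):
        findings.append("aes_signing_iv is required with aes_signing_key")
    for name in HEX_FLAGS:
        if name in flags and not HEX_BYTES.match(flags[name]):
            findings.append(f"{name[2:]} is not a whole-byte hex string")
    if production:  # the tutorial's credential must not reach a production job
        for name, test_value in TEST_VALUES.items():
            if flags.get(name, "").lower() == test_value.lower():
                findings.append(f"{name[2:]} is the published test credential")
    return findings


# Constructed sample: the tutorial's flags as they might appear in a release job.
SAMPLE = ["--enable_widevine_encryption",
          "--key_server_url", TEST_VALUES["--key_server_url"],
          "--content_id", "7465737420636f6e74656e74206964",
          "--signer", "widevine_test",
          "--aes_signing_key", TEST_VALUES["--aes_signing_key"],
          "--aes_signing_iv", TEST_VALUES["--aes_signing_iv"]]

if __name__ == "__main__":
    for finding in audit_packager_args(SAMPLE):
        print("FINDING:", finding)
```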