Prerequisites
Before you implement offline DRM for FairPlay on an iOS 10+ device:
- Read Apple FairPlay license requirements and configuration
- Obtain the FPS SDK from the Apple Developer Network. The FPS SDK contains two components:
- The FPS Server SDK, which contains the Key Security Module (KSM), client samples, a specification, and a set of test vectors.
- The FPS Deployment Pack, which contains the D function specification, along with instructions about how to generate the FPS Certificate customer-specific private key, and Application Secret Key. Apple issues the FPS Deployment Pack only to licensed content providers.
- The .der/.cer certificate files you receive as part of the generation of the FPS certificate contain a public key and can be made available to the client. The private key (.pfx) should be secured in Azure Key Vault or another secure location.
Store a FairPlay Private Key (.pfx) in Azure Key Vault
The private key (.pfx) that you receive from Apple should be treated as a secure certificate and can be stored in the Azure Key Vault.
- The .pfx certificate file should first be converted to base 64 text file by the admin
- Once converted, this file can be stored in Azure DevOps Services as a secure text file.
- The string can then be stored in Azure KeyVault manually as a "secret object", or as part of a deployment/build script for your solution. An example of storing the FairPlay private certificate in Azure KeyVault can be seen in the Gridwich project sample code
- Optionally, store the password for the .pfx file as a secret in the key vault.
Example CLI script
To copy the base64 encoded private key file to the Azure KeyVault:
set -eu
echo key vault : $SHARED_KV_NAME
echo "Copying FairPlay certificate to key vault as secret"
az keyvault secret set --vault-name $SHARED_KV_NAME -n ams-fairPlay-certificate-b64 -f $(FairPlayCertificate.secureFilePath) --output none
Clone the sample
Clone the Media Services .Net samples.
git clone https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials.git
Modify the code
Modify the code in Encrypt with DRM using .NET to add FairPlay configurations.
Note
Widevine is not available in the GovCloud region.
Prerequisites
Before implementing offline DRM for Widevine on Android devices, you should first:
Enable offline mode
To enable offline mode for Widevine licenses, configure the Widevine license template. In the policy_overrides object, set the can_persist property to true, as shown in ConfigureWidevineLicenseTemplate.
The easiest way to develop a native player app for Android devices is to use the Google ExoPlayer SDK, an open-source video player SDK. ExoPlayer supports features not currently supported by Android's native MediaPlayer API, including MPEG-DASH and Microsoft Smooth Streaming delivery protocols.
ExoPlayer version 2.6 and higher includes many classes that support offline Widevine DRM playback. In particular, the OfflineLicenseHelper class provides utility functions to facilitate the use of the DefaultDrmSessionManager for downloading, renewing, and releasing offline licenses. The classes provided in the SDK folder library/core/src/main/java/com/google/android/exoplayer2/offline/ support offline video content downloading.
The following list of classes facilitates offline mode in the ExoPlayer SDK for Android:
library/core/src/main/java/com/google/android/exoplayer2/drm/OfflineLicenseHelper.javalibrary/core/src/main/java/com/google/android/exoplayer2/drm/DefaultDrmSession.javalibrary/core/src/main/java/com/google/android/exoplayer2/drm/DefaultDrmSessionManager.javalibrary/core/src/main/java/com/google/android/exoplayer2/drm/DrmSession.javalibrary/core/src/main/java/com/google/android/exoplayer2/drm/ErrorStateDrmSession.javalibrary/core/src/main/java/com/google/android/exoplayer2/drm/ExoMediaDrm.javalibrary/core/src/main/java/com/google/android/exoplayer2/offline/SegmentDownloader.javalibrary/core/src/main/java/com/google/android/exoplayer2/offline/DownloaderConstructorHelper.javalibrary/core/src/main/java/com/google/android/exoplayer2/offline/Downloader.javalibrary/dash/src/main/java/com/google/android/exoplayer2/source/dash/offline/DashDownloader.java
Developers should reference the ExoPlayer Developer Guide and the corresponding Developer Blog during development of an application.
Working with older Android devices
For some older Android devices, you must set values for the following policy_overrides properties (defined in Widevine license template: rental_duration_seconds, playback_duration_seconds, and license_duration_seconds. Alternatively, you can set them to 0, which means there is no time restriction.
Warning
The values must be set to avoid an integer overflow bug. For more explanation about the issue, see https://github.com/google/ExoPlayer/issues/3150 and https://github.com/google/ExoPlayer/issues/3112.
If you do not set the values explicitly, very large values for PlaybackDurationRemaining and LicenseDurationRemaining will be assigned, (for example, 9223372036854775807, which is the maximum positive value for a 64-bit integer). As a result, the Widevine license appears expired and hence the decryption will not happen.
This issue does not occur on Android 5.0 Lollipop or later since Android 5.0 is the first Android version, which has been designed to fully support ARMv8 (Advanced RISC Machine) and 64-bit platforms, while Android 4.4 KitKat was originally designed to support ARMv7 and 32-bit platforms as with other older Android versions.
Use Xamarin to build an Android playback app
You can find Xamarin bindings for ExoPlayer using the following links:
Also, see the following thread: Xamarin binding.
Chrome player apps for Android
Starting with the release of Chrome for Android v. 62, persistent license in EME is supported. Widevine L1 is now also supported in Chrome for Android. This allows you to create offline playback applications in Chrome if your end users have this (or higher) version of Chrome.
In addition, Google has produced a Progressive Web App (PWA) sample:
If you upgrade your mobile Chrome browser to v62 (or higher) on an Android phone and test the above hosted sample app, you will see that both online streaming and offline playback work.
The above open-source PWA app is authored in Node.js. If you want to host your own version on an Ubuntu server, keep in mind the following common encountered issues that can prevent playback:
- CORS issue: The sample video in the sample app is hosted in https://storage.googleapis.com/biograf-video-files/videos/. Google has set up CORS for all their test samples hosted in Google Cloud Storage bucket. They are served with CORS headers, specifying explicitly the CORS entry:
https://biograf-155113.appspot.com (the domain in which google hosts their sample) preventing access by any other sites. If you try, you will see the following HTTP error: Failed to load https://storage.googleapis.com/biograf-video-files/videos/poly-sizzle-2015/mp4/dash.mpd: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https:\//13.85.80.81:8080' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
- Certificate issue: Starting from Chrome v 58, EME for Widevine requires HTTPS. Therefore, you need to host the sample app over HTTPS with an X509 certificate. A usual test certificate does not work due to the following requirements: You need to obtain a certificate meeting the following minimum requirements:
- Chrome and Firefox require SAN-Subject Alternative Name setting to exist in the certificate
- The certificate must have trusted CA and a self-signed development certificate does not work
- The certificate must have a CN matching the DNS name of the web server or gateway
The smooth streaming (PIFF) file format with H264/AAC has a binding with PlayReady (AES-128 CTR). The smooth streaming .ismv file, assuming audio is muxed in video, is itself an fMP4 and can be used for playback. If smooth streaming content goes through PlayReady encryption, each .ismv file becomes a PlayReady protected MP4 fragment. You can choose an .ismv file with the preferred bitrate and rename it as .mp4 for download.
There are two options for hosting the PlayReady protected MP4 for progressive download:
- You can put the MP4 in the same container/media service asset and use Azure Media Services streaming endpoint for progressive download.
- You can use the SAS URL for progressive download directly from Azure Storage.
You can use two types of PlayReady license delivery:
- PlayReady license delivery service in Azure Media Services
- PlayReady license servers hosted anywhere.
To obtain a PlayReady license with the AMS delivery service, see the Media Services v3 with PlayReady license template.
For playback testing, you can use a Universal Windows Application on Windows 10. In Windows 10 Universal samples, there is a basic player sample called Adaptive Streaming Sample. Add the code for choosing the downloaded video and use it as the source, instead of the adaptive streaming source.
