Content Key Usage Policies

Allows to specify a list of content key usage policies or the rules that can be applied individually to each content key. You can set the rules under the content_key_usage_policies section of the entitlment service. A content key usage policy with matching name must be provided for all content keys that reference a specific policy. Unreferenced policies are ignored.

note

In case a content key usage policy is not supported by a specific playback client, then the associated keys are not included in the license; if this results in all keys being ineligible, the license is denied.

The structure of a Content Key Usage Policies object is defined as follows.

entitlement_message.content_key_usage_policies example (note that the GUIDs shown below are random example values)

"content_key_usage_policies":
[
    {
        "name": "Policy A",

        "fairplay":
        {
            "hdcp": "TYPE0",
            "allow_airplay": true,
            "allow_av_adapter": true
        },

        "widevine":
        {
            "device_security_level": "SW_SECURE_DECODE",
            "cgms-a": "once",
            "hdcp": "2.0"
        },

        "playready":
        {
            "min_device_security_level": 2000,

            "analog_video_opl": 100,

            "compressed_digital_audio_opl": 200,
            "uncompressed_digital_audio_opl": 300,
            "compressed_digital_video_opl": 400,
            "uncompressed_digital_video_opl": 500,

            "source_id": "<value>",

            "play_enablers":
            [
                "<value1>",
                "<value2>"
            ],

            "analog_video_output_protections":
            [
                {
                    "id": "<value>",
                    "config_data": "6BA/7HbTQB6r/IEvWN8Zog=="
                }
            ],

            "digital_video_output_protections":
            [
                {
                    "id": "<value>",
                    "config_data": "b3J+qoMeT5mcgykqXzBeIQ=="
                }
            ],

            "digital_audio_output_protections":
            [
                {
                    "id": "<value>",
                    "config_data": "cgmHUW9WSbawcgKzXLpq6Q=="
                }
            ]
        }
    }
]

Default	No custom usage policies are defined.
Supported values	Any array of valid Content Key Usage policy objects (see below).

The Content Key Usage Policy object consists of the following properties:

name

The name of the content key usage policy. This policy is associated with all content keys that have a matching name in their "usage_policy" property. Multiple policies with the same name are not allowed.

Required	Yes
Supported values	Any non-empty string, for example: "Policy A".

FairPlay

Allows to specify a list of FairPlay-specific content key usage policies. These policies only have an effect if FairPlay DRM is used.

Default	Settings in this section will have their default behaviour.
Supported values	Any array of valid FairPlay Content Key Usage Policy objects (see below).

hdcp

Allows to specify the HDCP rule clients enforce when playing back protected media. If the client can’t enforce a particular rule then the video stream to the uncompliant output will be blocked.

Note that some FairPlay clients (likely limited to older clients) do not support HDCP rule configuration and always enforce HDCP Type 0, which is the default for all FairPlay clients. In case of such clients, if a more restrictive HDCP rule than Type 0 is strictly required, license service can be instructed to deny the license (see the "_STRICT" option below).

Default	"TYPE0"
Supported values	"NONE" - HDCP is not enforced. If a client doesn’t support the HDCP configuration feature, it falls back to enforcing HDCP Type 0. "TYPE0" - HDCP Type 0 (HDCP v1.x, v2.x) is enforced. This is the default behaviour of FairPlay clients and it is supported by all clients. "TYPE1" - HDCP Type 1 (HDCP v2.2+) is enforced. If a client doesn’t support the HDCP configuration feature, it falls back to enforcing HDCP Type 0. "TYPE1_STRICT" - HDCP Type 1 is enforced. If a client doesn’t support the HDCP configuration feature, then the license will be denied.
Availability	Axinom DRM FairPlay API v6.16.0+

allow_airplay

Specifies whether to allow license acquisition when the client has engaged AirPlay streaming. If AirPlay is not allowed and the client switches to AirPlay mode, triggering a new license request, the license will be denied.

Default	true
Supported values	true - streaming content via AirPlay is allowed. false - license acquisition will be denied when AirPlay is active.
Availability	Axinom DRM FairPlay API v6.21.0+

allow_av_adapter

Specifies whether to allow license acquisition when the client is streaming content over an Apple AV Adapter. If using AV Adapter is not allowed and the client switches to using one, the license will be denied.

Default	true
Supported values	true - streaming content via an Apple AV Adapter is allowed. false - license acquisition will be denied when an Apple AV Adapter is used.
Availability	Axinom DRM FairPlay API v6.21.0+

PlayReady

Allows to specify a list of PlayReady-specific content key usage policies. These policies only have an effect if the PlayReady DRM is used.

tip

For the full list of available PlayReady-settings and their impact see PlayReady Compliance Rules.

Default	Settings in this section will have their default behaviour.
Supported values	Any array of valid PlayReady Content Key Usage Policy objects (see below).

The PlayReady Content Key Usage Policy object consists of the following properties:

min_device_security_level

Allows to specify the minimum security level that the playback client must have to use the license. If the minimum security level specified for a content key is higher than what is supported by the client, then this key is not included in the license. Note: the maximum security level for PlayReady 2 and older clients is 2000. You can find a list of security level mappings here.

Default	2000
Supported values	150 - software-based security, which is the least secure and is intended for testing purposes only. 2000 - software-based security, which is secure and is intended for production purposes. 3000 - hardware-based security, which is the most secure and is intended for production purposes.

analog_video_opl

Allows to specify the output protection level for analog video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default	0
Supported values	0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

compressed_digital_audio_opl

Allows to specify the output protection level for compressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.

Default	0
Supported values	0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

uncompressed_digital_audio_opl

Allows to specify the output protection level for uncompressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.

Default	0
Supported values	0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

compressed_digital_video_opl

Allows to specify the output protection level for compressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default	0
Supported values	0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

uncompressed_digital_video_opl

Allows to specify the output protection level for uncompressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default	0
Supported values	0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

source_id

Allows to specify the identifier of the source content protection system. Some protection systems (for example: CGMS-A, DTCP, etc.) require the source ID to be present in the license.

Default	0 (meaning that the source ID isn’t added to the license).
Supported values	0 to 65535. Allowed values are listed below. See the PlayReady Compliance Rules for more information.

Never set 265 if effective resolution > 520 000 px. Otherwise you must use the correct numeric code from the table below when the content originates from a recognised ecosystem:

Source / ecosystem	Allowed Value
Macrovision	1
CGMS-A	2
OpenCable Unidirectional Receiver (OCUR)	4
CPRM, CPPM	257
DTCP	258
OMA/CMLA	259
AACS (pre-recorded)	262
AACS (recordable)	263
DTCP at no greater than 520,000 pixels per frame	265
ISDB	266
UltraViolet™ Download	267
UltraViolet™ Streaming	268
WideVine	269
FairPlay Server	270
FairPlay Local	271

If the source is not listed here, the source ID should not be set.

Indirect Content Providers are required to set a Source Id field.  Contact Microsoft to have one added before releasing any license creation through indirect means.

play_enablers

Allows to set a list of GUID IDs of the technologies to which protected content is allowed to flow. For example: AirPlay, DTCP, etc.

A PlayReady Product must not pass the video to an Unknown Output if the associated minimum License Security Level is 3000.

Default	No play enablers are added to the license.
Supported values	Any array of strings that represent valid GUIDs in the "00000000-0000-0000-0000-000000000000" format. See the PlayReady Compliance Rules for valid values and their meaning. For example: [ "7d9ae684-bd6a-4234-b1d5-910d1b4bed62", "81b6f874-7614-47b5-b79d-8193630ce358" ]

Some frequently used values:

Name	Value
Helix	002F9772-38A0-43E5-9F79-0F6361DCC62A
HDCP / WiVu	1B4542E3-B5CF-4C99-B3BA-829AF46C92F8
HDCP / Miracast	A340C256-0941-4D4C-AD1D-0B6735C0CB24
AirPlay	5ABF0F0D-DC29-4B82-9982-FD8E57525BFC
DTCP	D685030B-0F4F-43A6-BBAD-356F1EA0049A

note

In case the playback output is unknown (e.g. if the playback is attempted in a virtual machine), a play enabler may have to be added to avoid problems.

• Playback to unknown outputs can be enabled by adding the "786627D8-C2A6-44BE-8F88-08AE255B01A7" play enabler.
• Playback to unknown outputs under resolution constraint can be enabled by adding the "B621D91F-EDCC-4035-8D4B-DC71760D43E9" play enabler.

See the PlayReady Compliance Rules (section 3.9) for details.

analog_video_output_protections

Allows to specify output protections that are allowed to play protected analog video content. For example, CGMS-A.

Default	No analog video output protections are added to the license.
Supported values	An array of Output Protection objects (see the example for details), which contain: "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology. "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

Some frequently used values:

Name	Value	Binary Configuration
AGC and Color Stripe	C3FD11C6-F8B7-4D20-B008-1DB17D61F2DA	0,1,2,3
Hard analog-TV restriction	2098DE8D-7DDD-4BAB-96C6-32EBB6FABEA3	0,1,2,3
“Best-effort” analog-TV restriction	225CD36F-F132-49EF-BA8C-C91EA28E4369	0,1,2,3
520k-pixel cap for component video	811C5110-46C8-4C6E-8163-C0482A15D47E	<520000
520k-pixel cap for VGA/RGB	D783A191-E083-4BAF-B2DA-E69F910B3772	<520000
“Digital video only” – blocks all analog outputs	760AE755-682A-41E0-B1B3-DCDF836A7306	0

APSTB Values for Automatic Gain Control and Color Stripe:

Binary Configuration Data Value	APSTB Value
0	00b
1	01b
2	10b
3	11b

digital_video_output_protections

Allows to specify output protections that are allowed to play protected digital video content. For example, HDCP.

note

This feature is not supported by PlayReady 2 and older clients; for those clients, keys for which this feature is specified are not included in the license.

Default	No digital video output protections are added to the license.
Data type	Array of Output Protection objects (see the example for details).
Supported values	An array of Output Protection objects (see the example for details), which contain: "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology. "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

Allowed values:

Name	Value	Binary Configuration
Maximum Effective Resolution Decode Size	9645E831-E01D-4FFF-8342-0A720E3E028F	Two, 32-bit Big Indian values → Maximum Frame Width in Pixels, Maximum Frame Height in Pixels
Require HDCP 2.x (only legal when Uncompressed Digital Video OPL ≥ 300)	ABB2C6F1-E663-4625-A945-972D17B231E7	1 as a 32 bit value in Big Endian format
Internal Video Output Only	2076ECD5-044F-4047-BFCF-7A75D0E4E269	a single byte that takes the value 1
Watemarking	6CDA453D-BFBB-45d1-AEB7-37287B2403AE	Multi Byte field

Multi Byte Field:

Binary Config
If the first byte of the Binary Configuration Data field is set to 0	No additional bytes may be specified.	it must disengage Watermarking.
If the first byte is 1	At least 19 total bytes must be specified. It must engage the Watermarking system in the Fourth through the Nineteenth Bytes.	It must engage watermarking
If the first byte is 2	No additional bytes may be specified.	If watermarking is available, the device will drop watermarking before it pass the decrypted content to the digital output. If watermarking is not available or the device is not able to drop it, decrypted content will be passed to the digital output.
If the first byte is 3	At least 19 total bytes must be specified. It must engage the Watermarking system in the Fourth through the Nineteenth Bytes.	If watermarking is available, the device will engage the watermarking. If Watermarking cannot be engaged, the device will Pass the decrypted video to Digital Outputs.
If the second of third Byte is 2000	Value must be specified as a WORD in big-endian format	The decypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside or outside of Playready TEE
If the second of third Byte is 3000	Value must be specified as a WORD in big-endian format	The decypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside of Playready TEE
Fourth through Nineteenth Bytes	A GUID	GUIDs for watermarking providers
Remaining Bytes	A Watermarking Vendor may require additional data to engage or attempt to engage Watermarking using its technology. If so, the license must specify these bytes according to information obtained from the Watermarking Vendor.

digital_audio_output_protections

Allows to specify output protections that are allowed to play protected digital audio content. For example, SCMS.

Default	No digital audio output protections are added to the license.
Data type	Array of Output Protection objects (see the example for details).
Supported values	An array of Output Protection objects (see the example for details), which contain: "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology. "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

The only permitted Audio Output Protection ID is:

Name	Value	Binary Configuration
SCMS copy-bits (see following table)	6D5CFA59-C250-4426-930E-FAC72C8FCFA6	00, 01, 10, 11

Binary Configuration Data Value	Cp-bit (bit 2)	L-bit (bit 15)
00	0	No Indication
01	0	Original or Commercial Prerecorded
11	1	No Indication

This object is typically used to force SCMS when outputting compressed audio over S/PDIF.

Widevine

Allows to specify a list of Widevine-specific content key usage policies. These policies only have an effect if the Widevine DRM is used.

Default	The settings in this section have their default behaviour.
Supported values	Any array of valid Widevine Content Key Usage Policy objects (see below).

The Widevine Content Key Usage Policy object consists of the following properties:

device_security_level

Allows to specify the minimum security level that the device must have in order to acquire the license. If the device doesn’t meet the security requirements, playback is not allowed.

Default

"SW_SECURE_CRYPTO".

Supported values

"SW_SECURE_CRYPTO" - software-based whitebox crypto is required. "SW_SECURE_DECODE" - software crypto and an obfuscated decoder are required. "HW_SECURE_CRYPTO" - the key material and crypto operations must be performed within a hardware-backed trusted execution environment. "HW_SECURE_DECODE" - the crypto and decoding of content must be performed within a hardware-backed trusted execution environment. "HW_SECURE_ALL" - the crypto, decoding, and all handling of the media (compressed and uncompressed) must be handled within a hardware-backed trusted execution environment.

You can read more about setting the security levels with Axinom DRM from here.

cgms-a

Allows to specify the CGMS-A rule that must be used by the device while playing the protected media. CGMS-A doesn’t affect playback. It only affects the possibility of recording (copying) protected media.

Default	CGMS-A isn’t enforced.
Supported values	free - unlimited number of copies may be made. once - only one generation of copies may be made. never - no copying permitted.

hdcp

Allows to specify the HDCP rule that must be used in order to play protected media. If the specified HDCP rule is not supported by the device, playback is not allowed.

Default	HDCP is not enforced.
Supported values	1.0 2.0 2.1 2.2 2.3 (Axinom DRM Widevine API v6.22.0+) NO_DIGITAL_OUTPUT

disable_analog_output

Allows to specify whether analog output shall be disallowed.

Default	false
Supported values	false - analog output is allowed. true - analog output is not allowed.