Skip to main content

Content Key Usage Policies

Allows to specify a list of content key usage policies or the rules that can be applied individually to each content key. You can set the rules under the content_key_usage_policies section of the entitlment service. A content key usage policy with matching name must be provided for all content keys that reference a specific policy. Unreferenced policies are ignored.

note

In case a content key usage policy is not supported by a specific playback client, then the associated keys are not included in the license; if this results in all keys being ineligible, the license is denied.

The structure of a Content Key Usage Policies object is defined as follows.

entitlement_message.content_key_usage_policies example (note that the GUIDs shown below are random example values)
"content_key_usage_policies":
[
{
"name": "Policy A",

"fairplay":
{
"hdcp": "TYPE0",
"allow_airplay": true,
"allow_av_adapter": true
},

"widevine":
{
"device_security_level": "SW_SECURE_DECODE",
"cgms-a": "once",
"hdcp": "2.0"
},

"playready":
{
"min_device_security_level": 2000,

"analog_video_opl": 100,

"compressed_digital_audio_opl": 200,
"uncompressed_digital_audio_opl": 300,
"compressed_digital_video_opl": 400,
"uncompressed_digital_video_opl": 500,

"source_id": "<value>",

"play_enablers":
[
"<value1>",
"<value2>"
],

"analog_video_output_protections":
[
{
"id": "<value>",
"config_data": "6BA/7HbTQB6r/IEvWN8Zog=="
}
],

"digital_video_output_protections":
[
{
"id": "<value>",
"config_data": "b3J+qoMeT5mcgykqXzBeIQ=="
}
],

"digital_audio_output_protections":
[
{
"id": "<value>",
"config_data": "cgmHUW9WSbawcgKzXLpq6Q=="
}
]
}
}
]
DefaultNo custom usage policies are defined.
Supported valuesAny array of valid Content Key Usage policy objects (see below).

The Content Key Usage Policy object consists of the following properties:

name​

The name of the content key usage policy. This policy is associated with all content keys that have a matching name in their "usage_policy" property. Multiple policies with the same name are not allowed.

RequiredYes
Supported valuesAny non-empty string, for example: "Policy A".

FairPlay​

Allows to specify a list of FairPlay-specific content key usage policies. These policies only have an effect if FairPlay DRM is used.

DefaultSettings in this section will have their default behaviour.
Supported valuesAny array of valid FairPlay Content Key Usage Policy objects (see below).

hdcp​

Allows to specify the HDCP rule clients enforce when playing back protected media. If the client can’t enforce a particular rule then the video stream to the uncompliant output will be blocked.

Note that some FairPlay clients (likely limited to older clients) do not support HDCP rule configuration and always enforce HDCP Type 0, which is the default for all FairPlay clients. In case of such clients, if a more restrictive HDCP rule than Type 0 is strictly required, license service can be instructed to deny the license (see the "_STRICT" option below).

Default

"TYPE0"

Supported values

  • "NONE" - HDCP is not enforced. If a client doesn’t support the HDCP configuration feature, it falls back to enforcing HDCP Type 0.
  • "TYPE0" - HDCP Type 0 (HDCP v1.x, v2.x) is enforced. This is the default behaviour of FairPlay clients and it is supported by all clients.
  • "TYPE1" - HDCP Type 1 (HDCP v2.2+) is enforced. If a client doesn’t support the HDCP configuration feature, it falls back to enforcing HDCP Type 0.
  • "TYPE1_STRICT" - HDCP Type 1 is enforced. If a client doesn’t support the HDCP configuration feature, then the license will be denied.

Availability

Axinom DRM FairPlay API v6.16.0+

allow_airplay​

Specifies whether to allow license acquisition when the client has engaged AirPlay streaming. If AirPlay is not allowed and the client switches to AirPlay mode, triggering a new license request, the license will be denied.

Default

true

Supported values

  • true - streaming content via AirPlay is allowed.
  • false - license acquisition will be denied when AirPlay is active.

Availability

Axinom DRM FairPlay API v6.21.0+

allow_av_adapter​

Specifies whether to allow license acquisition when the client is streaming content over an Apple AV Adapter. If using AV Adapter is not allowed and the client switches to using one, the license will be denied.

Default

true

Supported values

  • true - streaming content via an Apple AV Adapter is allowed.
  • false - license acquisition will be denied when an Apple AV Adapter is used.

Availability

Axinom DRM FairPlay API v6.21.0+

PlayReady​

Allows to specify a list of PlayReady-specific content key usage policies. These policies only have an effect if the PlayReady DRM is used.

tip

For the full list of available PlayReady-settings and their impact see PlayReady Compliance Rules.

DefaultSettings in this section will have their default behaviour.
Supported valuesAny array of valid PlayReady Content Key Usage Policy objects (see below).

The PlayReady Content Key Usage Policy object consists of the following properties:

min_device_security_level​

Allows to specify the minimum security level that the playback client must have to use the license. If the minimum security level specified for a content key is higher than what is supported by the client, then this key is not included in the license. Note: the maximum security level for PlayReady 2 and older clients is 2000. You can find a list of security level mappings here.

Default

2000

Supported values

  • 150 - software-based security, which is the least secure and is intended for testing purposes only.
  • 2000 - software-based security, which is secure and is intended for production purposes.
  • 3000 - hardware-based security, which is the most secure and is intended for production purposes.

analog_video_opl​

Allows to specify the output protection level for analog video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default0
Supported values0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

compressed_digital_audio_opl​

Allows to specify the output protection level for compressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.

Default0
Supported values0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

uncompressed_digital_audio_opl​

Allows to specify the output protection level for uncompressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.

Default0
Supported values0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

compressed_digital_video_opl​

Allows to specify the output protection level for compressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default0
Supported values0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

uncompressed_digital_video_opl​

Allows to specify the output protection level for uncompressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.

Default0
Supported values0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning.

source_id​

Allows to specify the identifier of the source content protection system. Some protection systems (for example: CGMS-A, DTCP, etc.) require the source ID to be present in the license.

Default0 (meaning that the source ID isn’t added to the license).
Supported values0 to 65535. Allowed values are listed below. See the PlayReady Compliance Rules for more information.

Never set 265 if effective resolution > 520 000 px. Otherwise you must use the correct numeric code from the table below when the content originates from a recognised ecosystem:

Source / ecosystemAllowed Value
Macrovision1
CGMS-A2
OpenCable Unidirectional Receiver (OCUR)4
CPRM, CPPM257
DTCP258
OMA/CMLA259
AACS (pre-recorded)262
AACS (recordable)263
DTCP at no greater than 520,000 pixels per frame265
ISDB266
UltraViolet™ Download267
UltraViolet™ Streaming268
WideVine269
FairPlay Server270
FairPlay Local271

If the source is not listed here, the source ID should not be set.

Indirect Content Providers are required to set a Source Id field.  Contact Microsoft to have one added before releasing any license creation through indirect means.

play_enablers​

Allows to set a list of GUID IDs of the technologies to which protected content is allowed to flow. For example: AirPlay, DTCP, etc.

A PlayReady Product must not pass the video to an Unknown Output if the associated minimum License Security Level is 3000.

DefaultNo play enablers are added to the license.
Supported valuesAny array of strings that represent valid GUIDs in the "00000000-0000-0000-0000-000000000000" format. See the PlayReady Compliance Rules for valid values and their meaning. For example: [ "7d9ae684-bd6a-4234-b1d5-910d1b4bed62", "81b6f874-7614-47b5-b79d-8193630ce358" ]

Some frequently used values:

NameValue
Helix002F9772-38A0-43E5-9F79-0F6361DCC62A
HDCP / WiVu1B4542E3-B5CF-4C99-B3BA-829AF46C92F8
HDCP / MiracastA340C256-0941-4D4C-AD1D-0B6735C0CB24
AirPlay5ABF0F0D-DC29-4B82-9982-FD8E57525BFC
DTCPD685030B-0F4F-43A6-BBAD-356F1EA0049A
note

In case the playback output is unknown (e.g. if the playback is attempted in a virtual machine), a play enabler may have to be added to avoid problems.

  • Playback to unknown outputs can be enabled by adding the "786627D8-C2A6-44BE-8F88-08AE255B01A7" play enabler.
  • Playback to unknown outputs under resolution constraint can be enabled by adding the "B621D91F-EDCC-4035-8D4B-DC71760D43E9" play enabler.

See the PlayReady Compliance Rules (section 3.9) for details.

analog_video_output_protections​

Allows to specify output protections that are allowed to play protected analog video content. For example, CGMS-A.

Default

No analog video output protections are added to the license.

Supported values

An array of Output Protection objects (see the example for details), which contain:

  • "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology.
  • "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

Some frequently used values:

NameValueBinary Configuration
AGC and Color StripeC3FD11C6-F8B7-4D20-B008-1DB17D61F2DA0,1,2,3
Hard analog-TV restriction2098DE8D-7DDD-4BAB-96C6-32EBB6FABEA30,1,2,3
“Best-effort” analog-TV restriction225CD36F-F132-49EF-BA8C-C91EA28E43690,1,2,3
520k-pixel cap for component video811C5110-46C8-4C6E-8163-C0482A15D47E<520000
520k-pixel cap for VGA/RGBD783A191-E083-4BAF-B2DA-E69F910B3772<520000
“Digital video only” – blocks all analog outputs760AE755-682A-41E0-B1B3-DCDF836A73060

APSTB Values for Automatic Gain Control and Color Stripe:

Binary Configuration Data ValueAPSTB Value
000b
101b
210b
311b

digital_video_output_protections​

Allows to specify output protections that are allowed to play protected digital video content. For example, HDCP.

note

This feature is not supported by PlayReady 2 and older clients; for those clients, keys for which this feature is specified are not included in the license.

Default

No digital video output protections are added to the license.

Data type

Array of Output Protection objects (see the example for details).

Supported values

An array of Output Protection objects (see the example for details), which contain:

  • "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology.
  • "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

Allowed values:

NameValueBinary Configuration
Maximum Effective Resolution Decode Size9645E831-E01D-4FFF-8342-0A720E3E028FTwo, 32-bit Big Indian values → Maximum Frame Width in Pixels, Maximum Frame Height in Pixels
Require HDCP 2.x (only legal when Uncompressed Digital Video OPL ≥ 300)ABB2C6F1-E663-4625-A945-972D17B231E71 as a 32 bit value in Big Endian format
Internal Video Output Only2076ECD5-044F-4047-BFCF-7A75D0E4E269a single byte that takes the value 1
Watemarking6CDA453D-BFBB-45d1-AEB7-37287B2403AEMulti Byte field

Multi Byte Field:

Binary Config
If the first byte of the Binary Configuration Data field is set to 0No additional bytes may be specified.it must disengage Watermarking.
If the first byte is 1At least 19 total bytes must be specified. It must engage the Watermarking system in the Fourth through the Nineteenth Bytes.It must engage watermarking
If the first byte is 2No additional bytes may be specified.If watermarking is available, the device will drop watermarking before it pass the decrypted content to the digital output. If watermarking is not available or the device is not able to drop it, decrypted content will be passed to the digital output.
If the first byte is 3At least 19 total bytes must be specified. It must engage the Watermarking system in the Fourth through the Nineteenth Bytes.If watermarking is available, the device will engage the watermarking. If Watermarking cannot be engaged, the device will Pass the decrypted video to Digital Outputs.
If the second of third Byte is 2000Value must be specified as a WORD in big-endian formatThe decypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside or outside of Playready TEE
If the second of third Byte is 3000Value must be specified as a WORD in big-endian formatThe decypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside of Playready TEE
Fourth through Nineteenth BytesA GUIDGUIDs for watermarking providers
Remaining BytesA Watermarking Vendor may require additional data to engage or attempt to engage Watermarking using its technology. If so, the license must specify these bytes according to information obtained from the Watermarking Vendor.

digital_audio_output_protections​

Allows to specify output protections that are allowed to play protected digital audio content. For example, SCMS.

Default

No digital audio output protections are added to the license.

Data type

Array of Output Protection objects (see the example for details).

Supported values

An array of Output Protection objects (see the example for details), which contain:

  • "id" - any valid GUID in the 00000000-0000-0000-0000-000000000000 format, which represents the ID of the output protection technology.
  • "config_data" - any binary data encoded using base64 encoding, which conforms to RFC 4846. See the PlayReady Compliance Rules for valid values and their meaning.

The only permitted Audio Output Protection ID is:

NameValueBinary Configuration
SCMS copy-bits (see following table)6D5CFA59-C250-4426-930E-FAC72C8FCFA600, 01, 10, 11
Binary Configuration Data ValueCp-bit (bit 2)L-bit (bit 15)
000No Indication
010Original or Commercial Prerecorded
111No Indication

This object is typically used to force SCMS when outputting compressed audio over S/PDIF.

Widevine​

Allows to specify a list of Widevine-specific content key usage policies. These policies only have an effect if the Widevine DRM is used.

DefaultThe settings in this section have their default behaviour.
Supported valuesAny array of valid Widevine Content Key Usage Policy objects (see below).

The Widevine Content Key Usage Policy object consists of the following properties:

device_security_level​

Allows to specify the minimum security level that the device must have in order to acquire the license. If the device doesn’t meet the security requirements, playback is not allowed.

Default

"SW_SECURE_CRYPTO".

Supported values

  • "SW_SECURE_CRYPTO" - software-based whitebox crypto is required.
  • "SW_SECURE_DECODE" - software crypto and an obfuscated decoder are required.
  • "HW_SECURE_CRYPTO" - the key material and crypto operations must be performed within a hardware-backed trusted execution environment.
  • "HW_SECURE_DECODE" - the crypto and decoding of content must be performed within a hardware-backed trusted execution environment.
  • "HW_SECURE_ALL" - the crypto, decoding, and all handling of the media (compressed and uncompressed) must be handled within a hardware-backed trusted execution environment.

You can read more about setting the security levels with Axinom DRM from here.

cgms-a​

Allows to specify the CGMS-A rule that must be used by the device while playing the protected media. CGMS-A doesn’t affect playback. It only affects the possibility of recording (copying) protected media.

Default

CGMS-A isn’t enforced.

Supported values

  • free - unlimited number of copies may be made.
  • once - only one generation of copies may be made.
  • never - no copying permitted.

hdcp​

Allows to specify the HDCP rule that must be used in order to play protected media. If the specified HDCP rule is not supported by the device, playback is not allowed.

Default

HDCP is not enforced.

Supported values

  • 1.0
  • 2.0
  • 2.1
  • 2.2
  • 2.3 (Axinom DRM Widevine API v6.22.0+)
  • NO_DIGITAL_OUTPUT

disable_analog_output​

Allows to specify whether analog output shall be disallowed.

Default

false

Supported values

  • false - analog output is allowed.
  • true - analog output is not allowed.