Content Key Usage Policies
Specifies a list of content key usage policies, that is, rules that can be applied individually to each content key. You set the rules in the content_key_usage_policies section of the entitlement service. For every content key that references a specific policy, a content key usage policy with the matching name must be provided. Unreferenced policies are ignored.
If a content key usage policy is not supported by a specific playback client, the associated keys are not included in the license; if this results in all keys being ineligible, the license is denied.
The structure of a Content Key Usage Policies object is defined as follows.
```json
"content_key_usage_policies":
[
  {
    "name": "Policy A",
    "fairplay":
    {
      "hdcp": "TYPE0",
      "allow_airplay": true,
      "allow_av_adapter": true
    },
    "widevine":
    {
      "device_security_level": "SW_SECURE_DECODE",
      "cgms-a": "once",
      "hdcp": "2.0"
    },
    "playready":
    {
      "min_device_security_level": 2000,
      "analog_video_opl": 100,
      "compressed_digital_audio_opl": 200,
      "uncompressed_digital_audio_opl": 300,
      "compressed_digital_video_opl": 400,
      "uncompressed_digital_video_opl": 500,
      "source_id": "<value>",
      "play_enablers":
      [
        "<value1>",
        "<value2>"
      ],
      "analog_video_output_protections":
      [
        {
          "id": "<value>",
          "config_data": "6BA/7HbTQB6r/IEvWN8Zog=="
        }
      ],
      "digital_video_output_protections":
      [
        {
          "id": "<value>",
          "config_data": "b3J+qoMeT5mcgykqXzBeIQ=="
        }
      ],
      "digital_audio_output_protections":
      [
        {
          "id": "<value>",
          "config_data": "cgmHUW9WSbawcgKzXLpq6Q=="
        }
      ]
    }
  }
]
```
Default | No custom usage policies are defined. |
Supported values | Any array of valid Content Key Usage policy objects (see below). |
The Content Key Usage Policy object consists of the following properties:
name
The name of the content key usage policy. This policy is associated with all content keys that have a matching name in their "usage_policy" property. Multiple policies with the same name are not allowed.
Required | Yes |
Supported values | Any non-empty string, for example: "Policy A". |
FairPlay
Specifies a list of FairPlay-specific content key usage policies. These policies only have an effect if FairPlay DRM is used.
Default | Settings in this section will have their default behaviour. |
Supported values | Any array of valid FairPlay Content Key Usage Policy objects (see below). |
hdcp
Specifies the HDCP rule that clients enforce when playing back protected media. If the client can’t enforce a particular rule, the video stream to the non-compliant output will be blocked.
Note that some FairPlay clients (likely limited to older clients) do not support HDCP rule configuration and always enforce HDCP Type 0, which is the default for all FairPlay clients. For such clients, if a more restrictive HDCP rule than Type 0 is strictly required, the license service can be instructed to deny the license (see the "_STRICT" option below).
Default | "TYPE0" |
Supported values | |
Availability | Axinom DRM FairPlay API v6.16.0+ |
allow_airplay
Specifies whether to allow license acquisition when the client has engaged AirPlay streaming. If AirPlay is not allowed and the client switches to AirPlay mode, triggering a new license request, the license will be denied.
Default | true |
Supported values | |
Availability | Axinom DRM FairPlay API v6.21.0+ |
allow_av_adapter
Specifies whether to allow license acquisition when the client is streaming content over an Apple AV Adapter. If using AV Adapter is not allowed and the client switches to using one, the license will be denied.
Default | true |
Supported values | |
Availability | Axinom DRM FairPlay API v6.21.0+ |
PlayReady
Specifies a list of PlayReady-specific content key usage policies. These policies only have an effect if PlayReady DRM is used.
For the full list of available PlayReady settings and their impact, see PlayReady Compliance Rules.
Default | Settings in this section will have their default behaviour. |
Supported values | Any array of valid PlayReady Content Key Usage Policy objects (see below). |
The PlayReady Content Key Usage Policy object consists of the following properties:
min_device_security_level
Specifies the minimum security level that the playback client must have to use the license. If the minimum security level specified for a content key is higher than what the client supports, this key is not included in the license. Note: the maximum security level for PlayReady 2 and older clients is 2000. You can find a list of security level mappings here.
Default | 2000 |
Supported values | |
analog_video_opl
Specifies the output protection level for analog video content. The client must have protection technology equal to or greater than the specified level to play the content.
Default | 0 |
Supported values | 0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning. |
compressed_digital_audio_opl
Specifies the output protection level for compressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.
Default | 0 |
Supported values | 0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning. |
uncompressed_digital_audio_opl
Specifies the output protection level for uncompressed digital audio content. The client must have protection technology equal to or greater than the specified level to play the content.
Default | 0 |
Supported values | 0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning. |
compressed_digital_video_opl
Specifies the output protection level for compressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.
Default | 0 |
Supported values | 0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning. |
uncompressed_digital_video_opl
Specifies the output protection level for uncompressed digital video content. The client must have protection technology equal to or greater than the specified level to play the content.
Default | 0 |
Supported values | 0 to 65535. See the PlayReady Output Protection Levels for the list of valid values and their meaning. |
source_id
Specifies the identifier of the source content protection system. Some protection systems (for example, CGMS-A and DTCP) require the source ID to be present in the license.
Default | 0 (meaning that the source ID isn’t added to the license). |
Supported values | 0 to 65535. Allowed values are listed below. See the PlayReady Compliance Rules for more information. |
Never set 265 if the effective resolution exceeds 520,000 pixels. Otherwise, when the content originates from a recognised ecosystem, you must use the correct numeric code from the table below:
Source / ecosystem | Allowed Value |
---|---|
Macrovision | 1 |
CGMS-A | 2 |
OpenCable Unidirectional Receiver (OCUR) | 4 |
CPRM, CPPM | 257 |
DTCP | 258 |
OMA/CMLA | 259 |
AACS (pre-recorded) | 262 |
AACS (recordable) | 263 |
DTCP at no greater than 520,000 pixels per frame | 265 |
ISDB | 266 |
UltraViolet™ Download | 267 |
UltraViolet™ Streaming | 268 |
Widevine | 269 |
FairPlay Server | 270 |
FairPlay Local | 271 |
If the source is not listed here, the source ID should not be set.
Indirect Content Providers are required to set a Source Id field. Contact Microsoft to have one added before releasing any license creation through indirect means.
play_enablers
Sets a list of GUIDs of the technologies to which protected content is allowed to flow, for example AirPlay or DTCP.
A PlayReady Product must not pass the video to an Unknown Output if the associated minimum License Security Level is 3000.
Default | No play enablers are added to the license. |
Supported values | Any array of strings that represent valid GUIDs in the "00000000-0000-0000-0000-000000000000" format. See the PlayReady Compliance Rules for valid values and their meaning. For example: [ "7d9ae684-bd6a-4234-b1d5-910d1b4bed62", "81b6f874-7614-47b5-b79d-8193630ce358" ] |
Some frequently used values:
Name | Value |
---|---|
Helix | 002F9772-38A0-43E5-9F79-0F6361DCC62A |
HDCP / WiVu | 1B4542E3-B5CF-4C99-B3BA-829AF46C92F8 |
HDCP / Miracast | A340C256-0941-4D4C-AD1D-0B6735C0CB24 |
AirPlay | 5ABF0F0D-DC29-4B82-9982-FD8E57525BFC |
DTCP | D685030B-0F4F-43A6-BBAD-356F1EA0049A |
In case the playback output is unknown (e.g. if the playback is attempted in a virtual machine), a play enabler may have to be added to avoid problems.
- Playback to unknown outputs can be enabled by adding the "786627D8-C2A6-44BE-8F88-08AE255B01A7" play enabler.
- Playback to unknown outputs under resolution constraint can be enabled by adding the "B621D91F-EDCC-4035-8D4B-DC71760D43E9" play enabler.
See the PlayReady Compliance Rules (section 3.9) for details.
analog_video_output_protections
Specifies the output protections that are allowed to play protected analog video content, for example CGMS-A.
Default | No analog video output protections are added to the license. |
Supported values | An array of Output Protection objects (see the example for details), which contain: |
Some frequently used values:
Name | Value | Binary Configuration |
---|---|---|
AGC and Color Stripe | C3FD11C6-F8B7-4D20-B008-1DB17D61F2DA | 0,1,2,3 |
Hard analog-TV restriction | 2098DE8D-7DDD-4BAB-96C6-32EBB6FABEA3 | 0,1,2,3 |
“Best-effort” analog-TV restriction | 225CD36F-F132-49EF-BA8C-C91EA28E4369 | 0,1,2,3 |
520k-pixel cap for component video | 811C5110-46C8-4C6E-8163-C0482A15D47E | <520000 |
520k-pixel cap for VGA/RGB | D783A191-E083-4BAF-B2DA-E69F910B3772 | <520000 |
“Digital video only” – blocks all analog outputs | 760AE755-682A-41E0-B1B3-DCDF836A7306 | 0 |
APSTB Values for Automatic Gain Control and Color Stripe:
Binary Configuration Data Value | APSTB Value |
---|---|
0 | 00b |
1 | 01b |
2 | 10b |
3 | 11b |
digital_video_output_protections
Specifies the output protections that are allowed to play protected digital video content, for example HDCP.
This feature is not supported by PlayReady 2 and older clients; for those clients, keys for which this feature is specified are not included in the license.
Default | No digital video output protections are added to the license. |
Data type | Array of Output Protection objects (see the example for details). |
Supported values | An array of Output Protection objects (see the example for details), which contain: |
Allowed values:
Name | Value | Binary Configuration |
---|---|---|
Maximum Effective Resolution Decode Size | 9645E831-E01D-4FFF-8342-0A720E3E028F | Two 32-bit big-endian values: Maximum Frame Width in Pixels, Maximum Frame Height in Pixels |
Require HDCP 2.x (only legal when Uncompressed Digital Video OPL ≥ 300) | ABB2C6F1-E663-4625-A945-972D17B231E7 | 1 as a 32-bit value in big-endian format |
Internal Video Output Only | 2076ECD5-044F-4047-BFCF-7A75D0E4E269 | A single byte that takes the value 1 |
Watermarking | 6CDA453D-BFBB-45d1-AEB7-37287B2403AE | Multi-byte field |
Multi-byte field:
Binary Configuration Data | Requirement | Effect |
---|---|---|
If the first byte of the Binary Configuration Data field is set to 0 | No additional bytes may be specified. | The device must disengage watermarking. |
If the first byte is 1 | At least 19 total bytes must be specified. The device must engage the watermarking system identified in the fourth through nineteenth bytes. | The device must engage watermarking. |
If the first byte is 2 | No additional bytes may be specified. | If watermarking is available, the device will drop watermarking before it passes the decrypted content to the digital output. If watermarking is not available or the device is not able to drop it, decrypted content will be passed to the digital output. |
If the first byte is 3 | At least 19 total bytes must be specified. The device must engage the watermarking system identified in the fourth through nineteenth bytes. | If watermarking is available, the device will engage watermarking. If watermarking cannot be engaged, the device will pass the decrypted video to digital outputs. |
If the second and third bytes are 2000 | Value must be specified as a WORD in big-endian format | The decrypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside or outside of the PlayReady TEE |
If the second and third bytes are 3000 | Value must be specified as a WORD in big-endian format | The decrypted video will pass to the digital output only if 6CDA453D-BFBB-45d1-AEB7-37287B2403AE is specified inside of the PlayReady TEE |
Fourth through nineteenth bytes | A GUID | GUIDs for watermarking providers |
Remaining bytes | A Watermarking Vendor may require additional data to engage or attempt to engage Watermarking using its technology. If so, the license must specify these bytes according to information obtained from the Watermarking Vendor. | |
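The binary configuration rules from the two tables above, as an added example (not Axinom or Microsoft code): it builds a `config_data` value for the resolution cap and checks the length and value rules of each listed ID. Assumptions: `config_data` is the base64 of the raw bytes, as the sample values suggest; the helper names are hypothetical; bytes two and three of the watermarking field are read as one big-endian WORD.

```python
import base64
import struct

# Digital video output protection IDs copied from the table above.
MAX_RES_DECODE = "9645E831-E01D-4FFF-8342-0A720E3E028F"
REQUIRE_HDCP_2X = "ABB2C6F1-E663-4625-A945-972D17B231E7"
INTERNAL_ONLY = "2076ECD5-044F-4047-BFCF-7A75D0E4E269"
WATERMARKING = "6CDA453D-BFBB-45d1-AEB7-37287B2403AE"


def protection(guid, raw):
    """Build an Output Protection object (base64 config_data is assumed)."""
    return {"id": guid, "config_data": base64.b64encode(raw).decode("ascii")}


def max_resolution(width, height):
    # Two 32-bit big-endian values: frame width, then frame height.
    return protection(MAX_RES_DECODE, struct.pack(">II", width, height))


def check_watermark(raw):
    # First byte selects the mode; modes 1 and 3 carry a WORD and a GUID.
    if not raw or raw[0] > 3:
        return ["first byte must be 0, 1, 2 or 3"]
    if raw[0] in (0, 2):
        return [] if len(raw) == 1 else ["modes 0 and 2 allow no additional bytes"]
    if len(raw) < 19:
        return ["modes 1 and 3 need at least 19 bytes"]
    (level,) = struct.unpack(">H", raw[1:3])
    return [] if level in (2000, 3000) else ["bytes 2-3 must be 2000 or 3000"]


def check(entry):
    """Return the problems found in one digital video output protection."""
    raw = base64.b64decode(entry["config_data"], validate=True)
    guid = entry["id"].upper()
    if guid == MAX_RES_DECODE:
        return [] if len(raw) == 8 else ["expected two 32-bit values (8 bytes)"]
    if guid == REQUIRE_HDCP_2X:
        return [] if raw == struct.pack(">I", 1) else ["expected 1 as a 32-bit big-endian value"]
    if guid == INTERNAL_ONLY:
        return [] if raw == b"\x01" else ["expected the single byte 1"]
    if guid == WATERMARKING.upper():
        return check_watermark(raw)
    return ["unknown digital video output protection id"]


# Constructed sample: cap decoding at 1920 x 1080.
SAMPLE = max_resolution(1920, 1080)
```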
digital_audio_output_protections
Specifies the output protections that are allowed to play protected digital audio content, for example SCMS.
Default | No digital audio output protections are added to the license. |
Data type | Array of Output Protection objects (see the example for details). |
Supported values | An array of Output Protection objects (see the example for details), which contain: |
The only permitted Audio Output Protection ID is:
Name | Value | Binary Configuration |
---|---|---|
SCMS copy-bits (see following table) | 6D5CFA59-C250-4426-930E-FAC72C8FCFA6 | 00, 01, 10, 11 |
Binary Configuration Data Value | Cp-bit (bit 2) | L-bit (bit 15) |
---|---|---|
00 | 0 | No Indication |
01 | 0 | Original or Commercial Prerecorded |
11 | 1 | No Indication |
This object is typically used to force SCMS when outputting compressed audio over S/PDIF.
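A pre-deployment check for the policy rules described above, as an added example (not part of Axinom DRM): it flags duplicate or missing policy names, out-of-range OPLs, source IDs outside the table, malformed play enabler GUIDs, an unknown-output enabler combined with security level 3000, and HDCP 2.x required with an uncompressed digital video OPL below 300. The function name and the `referenced_names` argument (the "usage_policy" values of your content keys) are assumptions.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
OPL_FIELDS = ("analog_video_opl", "compressed_digital_audio_opl",
              "uncompressed_digital_audio_opl", "compressed_digital_video_opl",
              "uncompressed_digital_video_opl")
# 0 (not set) plus the allowed values from the source_id table.
SOURCE_IDS = {0, 1, 2, 4, 257, 258, 259, 262, 263, 265, 266, 267, 268, 269, 270, 271}
UNKNOWN_OUTPUT = {"786627D8-C2A6-44BE-8F88-08AE255B01A7",
                  "B621D91F-EDCC-4035-8D4B-DC71760D43E9"}
REQUIRE_HDCP_2X = "ABB2C6F1-E663-4625-A945-972D17B231E7"


def lint(policies, referenced_names):
    """Return findings for a content_key_usage_policies array."""
    findings, seen = [], set()
    for policy in policies:
        name = policy.get("name")
        if not name:
            findings.append("policy without a name")
        elif name in seen:
            findings.append(f"{name}: duplicate policy name")
        seen.add(name)
        pr = policy.get("playready", {})
        for field in OPL_FIELDS:
            if not 0 <= pr.get(field, 0) <= 65535:
                findings.append(f"{name}: {field} out of range")
        if pr.get("source_id", 0) not in SOURCE_IDS:
            findings.append(f"{name}: source_id not in the allowed list")
        enablers = pr.get("play_enablers", [])
        findings += [f"{name}: play enabler {e!r} is not a GUID"
                     for e in enablers if not GUID.match(e)]
        unknown = UNKNOWN_OUTPUT & {e.upper() for e in enablers}
        if unknown and pr.get("min_device_security_level", 2000) == 3000:
            findings.append(f"{name}: unknown-output enabler with level 3000")
        dvop = {p["id"].upper()
                for p in pr.get("digital_video_output_protections", [])}
        if REQUIRE_HDCP_2X in dvop and pr.get("uncompressed_digital_video_opl", 0) < 300:
            findings.append(f"{name}: HDCP 2.x needs uncompressed video OPL >= 300")
    findings += [f"{n}: referenced by a content key but not defined"
                 for n in sorted(set(referenced_names) - seen)]
    return findings


# Constructed sample: level 3000 combined with the unknown-output enabler.
SAMPLE = [{"name": "Policy A", "playready": {
    "min_device_security_level": 3000,
    "play_enablers": ["786627D8-C2A6-44BE-8F88-08AE255B01A7"]}}]
```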
Widevine
Specifies a list of Widevine-specific content key usage policies. These policies only have an effect if Widevine DRM is used.
Default | The settings in this section have their default behaviour. |
Supported values | Any array of valid Widevine Content Key Usage Policy objects (see below). |
The Widevine Content Key Usage Policy object consists of the following properties:
device_security_level
Specifies the minimum security level that the device must have in order to acquire the license. If the device doesn’t meet the security requirements, playback is not allowed.
Default | "SW_SECURE_CRYPTO". |
Supported values | |
You can read more about setting the security levels with Axinom DRM from here.
cgms-a
Specifies the CGMS-A rule that the device must use while playing the protected media. CGMS-A doesn’t affect playback. It only affects the possibility of recording (copying) protected media.
Default | CGMS-A isn’t enforced. |
Supported values | |
hdcp
Specifies the HDCP rule that must be used in order to play protected media. If the specified HDCP rule is not supported by the device, playback is not allowed.
Default | HDCP is not enforced. |
Supported values | |
disable_analog_output
Specifies whether analog output is disallowed.
Default | false |
Supported values | |