2 Replies
      Latest reply on Dec 3, 2019 8:18 AM by 3ZS
      diegofer Level 1 Level 1 (0 points)



        We are developing a propietary KSM for our company. We have already access to our FairPlay certificate and ASK but we would like to not use production credentials in development process. We have found a development certificate (Common Name: Partner2) in "FairPlay_Streaming_Server_SDK_v4.2.0" but we have not found the associated ASK for that certificate.


        Where can we found the ASK?



        • Re: ASK for Development Credentials
          CarcharodonCarcharias Level 1 Level 1 (10 points)

          I don't think there is a "development" ASK. I have used the ASK from the deployment package to do the KSM testing.

            • Re: ASK for Development Credentials
              3ZS Apple Staff Apple Staff (80 points)

              There isn't an ASk to use for development testing, only a derived dASk.  You should only change to your deployment credentials once you are ready to deply and for final testing, the Key Server Module (KSM) can only be tested with the development credentials.


              With only a development KSM you can and should test most of your KSM and content before requesting the FPS Deployment Package. The only thing you won’t be able to test is the final step of the Key Server Module (KSM) securely providing the content keys to the FPS client app or webpage for playback, but this path is tested using the verify_ckc tool as described below.


              1) First, test your KSM with the verify_ckc tool and test vectors as instructed in the FairPlay Streaming Programing Guide. This is how you are supposed to test your KSM before deploying it and these tests are designed to test the entire development KSM. Note: The testing with the verify_ckc tool and test vectors will only work with the provided development credentials and will fail if the testing is done with deployment credentials.


              2) Test your content using the identity key type as described in the FPS Programing Guide. The identity key type allows the content to play back without requesting a key from a FPS key server.


              The following shows an example of how you can change an m3u8 file to use the identity key type for testing. Don’t use a file with these changes for production as it avoids the use of the FPS Key Server.


              • In the m3u8 playlist, set the KEYFORMAT attribute under the EXT-X-KEY tag to value of “identity” instead of “com.apple.streamingkeydelivery”. You can also remove the KEYFORMAT attribute since its absence indicates an implicit value of “identity”. For example the following:



              Would become:



              • Remove the KEYFORMATVERSIONS attribute from the EXT-X-KEY tag:



              • Add the initialization vector (IV) associated with the content key of the test content as an additional attribute called IV under the EXT-X-KEY tag:



              • Make the 16 byte content key associated with the test content available on your web server as a file that can be accessed and update the URI attribute under the EXT-X-KEY tag to point to the content key file:



              • Attempt to playback the content using the updated playlist.


              Performing the above steps allows your client to receive the same content, but instead of decrypting it with FPS, the media framework decrypts it with a clear text AES key.


              Important: You should only use the identity key type for testing and you should not deploy your playlists after making the above changes in production as it will not use FPS.


              If the content does not play after making the changes for the key type, the issue is most likely related to how the content was authored, encrypted or a bad key.